Hello from Overman
Running Windows XP w/ SP2... Inspiron 2200 laptop from Dell. I've got something (virus/trojan/malware, I don't know) that's been messing around with me.
I can't defrag, do system restore, run chkdsk, run disk cleanup, or any of that. It's blocking all my malware software from updating, so perhaps that's why nothing's finding it (see below). Also when I click on a search result, I get taken to a completely random page. I found out that my tcp/ip nameservers have been changed to 85.255.113.125 and whenever I change it to "Obtain DNS server address automatically" it gets changed back!! I mean, WHAT??!
I've done EVERYTHING. I've run every program I could find - malware scanners, registry cleaners, anti-virus, and more. Some of it found trojans and got rid of 'em, but nothing's helping the actual situation. I've looked through all my processes and tried disabling each one, and either I'm completely stupid or this thing was programmed by some kind of destructive evil genius. For Pete's sake, my friend was in safe mode for three hours and couldn't fix the darn thing.
Any help? Yes, I am crying. Oh, and if it helps, I disabled Windows Update a long time ago because I don't trust it.

It's a trojan DNS changer once named Wareout.
If you can't download the following programs, try these workarounds.
Click on Start, click Run, then type devmgmt.msc and click OK.
On the View menu, click on Show hidden devices.
Browse to Non-Plug and Play Drivers and click the + sign to the left; you should see something like TDSSserv.sys in that list.
Highlight that driver, right-click on it and select DISABLE - NOT uninstall.
Now RESTART your computer and try to download the programs.
If you got them downloaded but can't get them to install, rename the setup file, then try installing them again.
Right-click the mbam-setup.exe file > click Rename > rename it something.exe, then try to run it. If it installed but will not run, navigate to this folder:
C:\Program Files\Malwarebytes' Anti-Malware
Rename the mbam.exe file, then try to run it again; if still no luck, rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.
For Hijack This, rename the Hijack This.exe file to something else and try installing it again.
If renaming did not help, you can download Malwarebytes and Hijack This to a CD or USB jump drive from an uninfected computer and then run them on the infected computer, or boot into safe mode with networking and see if you can download them.
Please download Malwarebytes' Anti-Malware from one of these sites:
1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy and paste the entire report in your next reply.
Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link:
Hijack This
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

I already tried MalwareBytes, but it crashed midway through a scan and wouldn't start up again. I reinstalled it and here are the scan results:
===
Malwarebytes' Anti-Malware 1.31
Database version: 1471
Windows 5.1.2600 Service Pack 2

12/7/2008 6:32:26 PM
mbam-log-2008-12-07 (18-32-26).txt

Scan type: Quick Scan
Objects scanned: 50714
Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 16
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{63b1bad1-38b4-4712-8962-007ab8a71fa2}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{63b1bad1-38b4-4712-8962-007ab8a71fa2}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8a60f6fa-2b35-457f-8b3c-2b4f023beea9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8a60f6fa-2b35-457f-8b3c-2b4f023beea9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{63b1bad1-38b4-4712-8962-007ab8a71fa2}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{63b1bad1-38b4-4712-8962-007ab8a71fa2}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8a60f6fa-2b35-457f-8b3c-2b4f023beea9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8a60f6fa-2b35-457f-8b3c-2b4f023beea9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{63b1bad1-38b4-4712-8962-007ab8a71fa2}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{8a60f6fa-2b35-457f-8b3c-2b4f023beea9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{8a60f6fa-2b35-457f-8b3c-2b4f023beea9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\msqpdxosvdbrsr.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\msqpdxriqpxfum.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\msqpdxpqltoiqh.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\msqpdxserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.
===
Results of HJT:
===
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:19:41, on 12/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\***\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\hjt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O17 - HKLM\System\CCS\Services\Tcpip\..\{63B1BAD1-38B4-4712-8962-007AB8A71FA2}: NameServer = 85.255.113.125;85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A60F6FA-2B35-457F-8B3C-2B4F023BEEA9}: NameServer = 85.255.113.125;85.255.112.92
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.125;85.255.112.92
O17 - HKLM\System\CS1\Services\Tcpip\..\{63B1BAD1-38B4-4712-8962-007AB8A71FA2}: NameServer = 85.255.113.125;85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.125;85.255.112.92
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.exe (file missing)

--
End of file - 5734 bytes
===
I replaced all instances of my name with asterisks.
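
Added example, not part of the original thread and not HijackThis code: a small Python parser that reads the O17 lines of a HijackThis log like the one above and reports every statically set `NameServer` that is not on a list of resolvers you expect. The function names, the trusted resolver `192.168.1.1` and the last two sample lines are constructed assumptions; the five 85.255.x.x lines are copied from the log in this post.

```python
import ipaddress
import re

# The first five O17 lines are copied from the HijackThis log in the post above.
# The last two lines are constructed: a benign router entry and a non-O17 line.
SAMPLE_HJT_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{63B1BAD1-38B4-4712-8962-007AB8A71FA2}: NameServer = 85.255.113.125;85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A60F6FA-2B35-457F-8B3C-2B4F023BEEA9}: NameServer = 85.255.113.125;85.255.112.92
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.125;85.255.112.92
O17 - HKLM\System\CS1\Services\Tcpip\..\{63B1BAD1-38B4-4712-8962-007AB8A71FA2}: NameServer = 85.255.113.125;85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.125;85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# O17 NameServer entries as they appear in the log above: a control set
# (CCS, CS1, ...) followed by either the global Tcpip\Parameters key or one
# interface GUID.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:Parameters|\.\.\\(?P<iface>\{[0-9A-Fa-f-]{36}\}))"
    r": NameServer = (?P<servers>.+)$"
)


def parse_o17(log_text):
    """Return one dict per O17 NameServer line: control set, scope, servers."""
    entries = []
    for line in log_text.splitlines():
        match = O17_RE.match(line.strip())
        if not match:
            continue
        # The value may be separated by ';', ',' or spaces.
        servers = [s for s in re.split(r"[;,\s]+", match.group("servers")) if s]
        entries.append({
            "control_set": match.group("cs"),
            "scope": match.group("iface") or "global",
            "servers": servers,
        })
    return entries


def is_trusted(server, trusted_networks):
    """True only if the value is an IP literal inside a trusted network."""
    try:
        address = ipaddress.ip_address(server)
    except ValueError:
        return False  # not an IP address at all: report it
    return any(address in network for network in trusted_networks)


def find_untrusted_nameservers(log_text, trusted):
    """Map each unexpected resolver to the (control set, scope) pairs using it."""
    networks = [ipaddress.ip_network(item) for item in trusted]
    findings = {}
    for entry in parse_o17(log_text):
        for server in entry["servers"]:
            if not is_trusted(server, networks):
                findings.setdefault(server, []).append(
                    (entry["control_set"], entry["scope"])
                )
    return findings


if __name__ == "__main__":
    # Assumption: the only resolver this machine should use is the LAN router.
    results = find_untrusted_nameservers(SAMPLE_HJT_LOG, ["192.168.1.1"])
    for server, locations in sorted(results.items()):
        control_sets = sorted({cs for cs, _ in locations})
        has_global = any(scope == "global" for _, scope in locations)
        print(f"{server}: {len(locations)} location(s), "
              f"control sets {control_sets}, global key set: {has_global}")
```

The same resolver pair appearing in the global key and in every interface key across control sets is the pattern to look for; a single interface with one static resolver is normally just a manual network setting.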

Once you get SDFix downloaded, go offline and turn off your antivirus and any antispyware that you have, run SDFix from safe mode, and restart the antivirus before you get back online to post the log.
Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.
1. Double-click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt

Thanks for the help. I restarted my computer after using MalwareBytes, and all my problems seem to be gone... I can defragment, browse search results without getting redirected, etc. I ran chkdsk, which is why it took so long to reply.
So for now it seems that my problem is resolved... thanks, and I'll make sure to come here when I have further issues! :D

I ran SDFix in safe mode, here is the log:
SDFix: Version 1.240
Run by *** on Sun 12/07/2008 at 20:40

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services:

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files:

No Trojan Files Found

Removing Temp Files

ADS Check:

Final Check:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 20:46:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\msqpdxpqltoiqh.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules]
"msqpdxserv"="\systemroot\system32\drivers\msqpdxpqltoiqh.sys"
"msqpdxl"="\systemroot\system32\msqpdxosvdbrsr.dll"
"msqpdxdfswfh35g2"="\systemroot\system32\msqpdxriqpxfum.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msqpdxserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\msqpdxpqltoiqh.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules]
"msqpdxserv"="\systemroot\system32\drivers\msqpdxpqltoiqh.sys"
"msqpdxl"="\systemroot\system32\msqpdxosvdbrsr.dll"
"msqpdxdfswfh35g2"="\systemroot\system32\msqpdxriqpxfum.dll"

scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Miranda IM\\miranda32.exe"="C:\\Program Files\\Miranda IM\\miranda32.exe:*:Enabled:Miranda IM"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Microsoft Games\\Age of Mythology\\aom.exe"="C:\\Program Files\\Microsoft Games\\Age of Mythology\\aom.exe:*:Enabled:Age of Mythology"
"C:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"="C:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe:*:Enabled:Age of Mythology - The Titans Expansion"
"C:\\WINDOWS\\system32\\a.exe"="C:\\WINDOWS\\system32\\a.exe:*:Disabled:a"
"C:\\Program Files\\PsyCollider\\Psycollider.exe"="C:\\Program Files\\PsyCollider\\Psycollider.exe:*:Enabled:Psycollider, the SuperCollider3 implementation on Windows"
"C:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"="C:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe:*:Enabled:tor"
"C:\\Program Files\\PsyCollider\\scsynth.exe"="C:\\Program Files\\PsyCollider\\scsynth.exe:*:Enabled:scsynth"
"C:\\Python25\\pythonw.exe"="C:\\Python25\\pythonw.exe:*:Enabled:pythonw"
"C:\\Program Files\\Opera\\opera.exe"="C:\\Program Files\\Opera\\opera.exe:*:Enabled:Opera Internet Browser"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:

Files with Hidden Attributes:
Thu 12 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Wed 1 Oct 2008 6,108,728 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\is-MVBUL.tmp"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 3 May 2006 163,328 ..SHR --- "C:\WINDOWS\system32\flvDX.dll"
Wed 21 Feb 2007 31,232 ..SHR --- "C:\WINDOWS\system32\msfDX.dll"
Mon 17 Dec 2007 27,648 ..SH. --- "C:\WINDOWS\system32\Smab0.dll"
Mon 4 Feb 2008 151,040 ..SH. --- "C:\WINDOWS\system32\VistaUltm.dll"
Sun 26 Jun 2005 616,448 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygwin1.dll"
Tue 21 Jun 2005 45,568 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygz.dll"
Sat 15 Mar 2008 72,704 ..SHR --- "C:\Program Files\eRightSoft\SUPER\Setup.exe"
Wed 23 Jan 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 4 Jun 2002 84,992 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll"
Tue 4 Jun 2002 44,032 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll"
Mon 9 Dec 2002 73,766 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll"
Mon 9 Dec 2002 65,575 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll"
Sun 9 Jun 2002 36,864 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ddnt3260.dll"
Tue 4 Jun 2002 20,480 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll"
Mon 9 Dec 2002 102,437 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv13260.dll"
Mon 9 Dec 2002 176,165 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll"
Mon 9 Dec 2002 208,935 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll"
Mon 9 Dec 2002 217,127 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll"
Sun 9 Jun 2002 40,448 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dspr3260.dll"
Sat 3 Nov 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll"
Tue 10 Apr 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll"
Fri 20 Feb 2004 232,960 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll"
Sun 9 Jun 2002 525,824 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnco3260.dll"
Mon 9 Dec 2002 245,805 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnlt3260.dll"
Mon 9 Dec 2002 45,093 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv103260.dll"
Mon 9 Dec 2002 98,341 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv203260.dll"
Mon 9 Dec 2002 94,247 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv303260.dll"
Mon 9 Dec 2002 90,151 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv403260.dll"
Mon 9 Dec 2002 102,439 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll"
Sun 9 Jun 2002 49,152 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\tokr3260.dll"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\Guest\Application Data\U3\temp\Launchpad Removal.exe"
Thu 3 Jan 2008 26,624 A..H. --- "C:\Documents and Settings\***\Desktop\Stuff\School\~WRL0002.tmp"
Wed 31 Oct 2007 22,528 A..H. --- "C:\Documents and Settings\***\Desktop\Stuff\School\~WRL0003.tmp"
Thu 26 Apr 2007 31,232 A..H. --- "C:\Documents and Settings\***\Desktop\Stuff\School\~WRL0005.tmp"
Tue 15 Jan 2008 23,552 A..H. --- "C:\Documents and Settings\***\Desktop\Stuff\School\~WRL0006.tmp"
Tue 30 Oct 2007 22,528 A..H. --- "C:\Documents and Settings\***\Desktop\Stuff\School\~WRL1105.tmp"
Thu 25 Oct 2007 30,208 A..H. --- "C:\Documents and Settings\***\Desktop\Stuff\School\~WRL1823.tmp"

Finished!
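
Added example, not part of the original thread and not SDFix, catchme or Malwarebytes code: the catchme section of the log above lists a service key whose values name files that the earlier Malwarebytes log reported, and this Python sketch cross-references the two logs to list such leftover registry references. The function names, the assumption that `\systemroot` is `C:\WINDOWS`, and the `ExampleDriver` key are constructed; the other sample lines are copied from the two logs in this thread.

```python
import re

# "Files Infected" lines copied from the Malwarebytes log earlier in the thread.
MBAM_LOG = r"""
C:\WINDOWS\system32\msqpdxosvdbrsr.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\msqpdxriqpxfum.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\msqpdxpqltoiqh.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\msqpdxserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.
"""

# CurrentControlSet blocks copied from the catchme output above, followed by
# one constructed benign key (ExampleDriver) that must not be reported.
CATCHME_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\msqpdxpqltoiqh.sys"
"group"="file system"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules]
"msqpdxserv"="\systemroot\system32\drivers\msqpdxpqltoiqh.sys"
"msqpdxl"="\systemroot\system32\msqpdxosvdbrsr.dll"
"msqpdxdfswfh35g2"="\systemroot\system32\msqpdxriqpxfum.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleDriver]
"imagepath"=str(2):"\systemroot\system32\drivers\exampledriver.sys"
"""

FLAGGED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<label>[^)]+)\) -> ")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:str\(\d+\):)?"(.*)"$')


def normalize(path):
    """Lower-case a path and expand \\systemroot\\ (assumed to be C:\\WINDOWS)."""
    p = path.strip().strip('"').lower()
    for prefix in ("\\systemroot\\", "%systemroot%\\"):
        if p.startswith(prefix):
            return "c:\\windows\\" + p[len(prefix):]
    return p


def flagged_files(mbam_text):
    """Collect normalized file paths from Malwarebytes result lines."""
    paths = set()
    for line in mbam_text.splitlines():
        match = FLAGGED_RE.match(line.strip())
        if match:
            paths.add(normalize(match.group("path")))
    return paths


def parse_catchme(text):
    """Parse the registry-export style blocks into {key: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys[current] = {}
            continue
        value_match = VALUE_RE.match(line)  # dword values are skipped on purpose
        if value_match and current is not None:
            keys[current][value_match.group(1)] = value_match.group(2)
    return keys


def leftover_references(mbam_text, catchme_text):
    """Return (key, value name, path) for values that name a flagged file."""
    flagged = flagged_files(mbam_text)
    hits = []
    for key, values in parse_catchme(catchme_text).items():
        for name, data in values.items():
            path = normalize(data)
            if path in flagged:
                hits.append((key, name, path))
    return hits


if __name__ == "__main__":
    for key, name, path in leftover_references(MBAM_LOG, CATCHME_LOG):
        print(f"{key}\n    {name} -> {path}")
```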

You are still infected.
Please download ComboFix to the desktop from one of the following links:
Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
In your case, to run Combofix do the following:
1. Go offline, then turn off your AVG antivirus, Spyware Doctor and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.
Remember to re-enable the protection again afterwards before connecting to the Internet.
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.

ComboFix 08-12-06.06 - *** 2008-12-07 21:30:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.111 [GMT -5:00]
Running from: c:\documents and settings\***\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
..
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF

((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.
2008-12-07 20:37 . 2008-12-07 20:37 <DIR> d-------- c:\windows\ERUNT
2008-12-07 20:30 . 2008-12-07 20:48 <DIR> d-------- C:\SDFix
2008-12-07 18:22 . 2008-12-07 18:24 <DIR> d-------- c:\documents and settings\***\Application Data\MalwareRemovalBot
2008-12-07 15:09 . 2008-12-07 15:55 <DIR> d-------- C:\fixwareout
2008-12-07 14:53 . 2008-12-07 15:49 1,418 --a------ c:\windows\system32\tmp.reg
2008-12-07 10:54 . 2008-12-07 10:54 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-07 10:54 . 2008-12-07 10:54 <DIR> d-------- c:\documents and settings\***\Application Data\SUPERAntiSpyware.com
2008-12-07 10:54 . 2008-12-07 10:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-07 10:49 . 2008-12-07 10:49 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-07 09:16 . 2008-12-07 09:19 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-07 09:16 . 2008-12-07 18:26 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-07 09:16 . 2008-12-07 09:16 <DIR> d-------- c:\documents and settings\***\Application Data\Malwarebytes
2008-12-07 09:16 . 2008-12-07 09:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-07 09:16 . 2008-12-07 09:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-07 09:16 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-07 09:16 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-07 09:08 . 2008-12-07 09:08 <DIR> d-------- c:\program files\Free Windows Registry Cleaner
2008-12-07 08:57 . 2008-12-07 08:57 <DIR> d-------- c:\program files\AnVir Task Manager Pro
2008-12-07 08:57 . 2008-12-07 08:57 <DIR> d-------- c:\documents and settings\***\Application Data\Uniblue
2008-12-07 08:51 . 2008-12-07 14:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2008-12-07 08:50 . 2008-12-07 08:56 <DIR> d-------- c:\program files\Security Task Manager
2008-12-06 23:13 . 2005-08-27 02:38 1,435,272 --a------ c:\windows\system32\Flash.ocx
2008-12-06 23:13 . 2003-11-19 13:59 512,688 --a------ c:\windows\system32\XceedCry.dll
2008-12-06 23:13 . 2004-05-11 09:56 423,784 --a------ c:\windows\system32\XceedBkp.dll
2008-12-06 23:13 . 2004-03-08 23:00 131,856 --a------ c:\windows\system32\MSADODC.ocx
2008-12-06 23:13 . 2000-07-15 05:00 101,888 --a------ c:\windows\system32\VB6STKIT.DLL
2008-12-06 23:13 . 2001-03-28 22:02 89,088 --a------ c:\windows\system32\ProgressBar4.ocx
2008-12-06 23:13 . 1999-01-26 19:36 11,012 --a------ c:\windows\system32\threadapi.tlb
2008-12-06 23:04 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-12-06 23:02 . 2008-12-06 23:02 <DIR> d-------- c:\program files\Panda Security
2008-12-06 22:46 . 2008-12-06 22:46 <DIR> d-------- c:\program files\Trend Micro
2008-12-06 21:26 . 2008-12-06 21:26 <DIR> d-------- c:\documents and settings\***\Application Data\Auslogics
2008-12-06 21:25 . 2008-12-06 21:25 <DIR> d-------- c:\program files\Auslogics
2008-12-06 20:03 . 2008-12-06 21:53 <DIR> d-------- c:\program files\RocketDock
2008-12-06 12:16 . 2008-12-07 15:23 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-06 12:16 . 2008-12-06 12:16 1,409 --a------ c:\windows\QTFont.for
2008-12-04 16:52 . 2008-12-06 21:48 27,904 --a------ c:\windows\system32\drivers\Ndisprot.sys
2008-12-04 16:01 . 2008-12-04 16:07 <DIR> d-------- c:\documents and settings\***\freemind
2008-11-26 17:32 . 2008-12-06 21:59 <DIR> d-------- c:\program files\VSTPlugIns
2008-11-25 21:56 . 2008-11-27 18:59 <DIR> d-------- c:\program files\Jeskola Buzz
2008-11-23 21:14 . 2008-11-23 21:14 <DIR> d-------- c:\program files\Visualization Software
2008-11-22 21:58 . 2008-11-22 21:59 <DIR> d-------- c:\program files\Pure Data
2008-11-18 18:25 . 2008-11-18 18:25 <DIR> d-------- c:\program files\Renoise 1.9.1x
2008-11-18 15:52 . 2008-11-18 15:52 <DIR> d-------- c:\documents and settings\***\Application Data\Renoise
2008-11-18 15:50 . 2008-11-18 15:50 <DIR> d-------- c:\program files\Renoise 1.9.1
2008-11-14 22:09 . 2008-11-15 19:34 <DIR> d-------- c:\documents and settings\***\SuperCollider
2008-11-14 22:06 . 2008-11-14 22:09 <DIR> d-------- c:\program files\PsyCollider
2008-11-14 21:23 . 2008-11-14 21:26 <DIR> d-------- c:\program files\MXP4Creator
2008-11-14 21:23 . 2008-11-14 21:23 <DIR> d-------- c:\documents and settings\****\Application Data\MXP4
2008-11-14 21:22 . 2008-11-14 21:23 <DIR> d-------- c:\documents and settings\***\Application Data\.csound
2008-11-14 14:42 . 2008-11-14 14:42 <DIR> d-------- c:\documents and settings\***\Application Data\Cycling '74
2008-11-13 21:19 . 2008-11-13 21:19 <DIR> d-------- c:\program files\Common Files\PACE Anti-Piracy
2008-11-13 21:19 . 2008-11-14 14:42 <DIR> d-------- c:\documents and settings\***\Application Data\PACE Anti-Piracy
2008-11-13 21:19 . 2008-11-14 14:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
2008-11-13 17:22 . 2008-11-13 17:22 <DIR> d-------- c:\program files\Csound
2008-11-13 17:21 . 2008-11-13 17:21 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-08 21:39 . 2008-12-04 16:29 <DIR> d-------- c:\program files\IDoser v4
2008-11-08 16:30 . 2008-11-08 16:30 1,805 --a------ c:\windows\TSearch.INI
2008-11-08 16:30 . 2008-11-08 16:30 19 --a------ c:\windows\HexEditor_FindList.hed
2008-11-08 15:30 . 2008-11-08 15:30 <DIR> d-------- c:\program files\Nsauditor.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 01:31 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-07 15:57 --------- d-----w c:\documents and settings\***\Application Data\AVG7
2008-12-07 14:13 --------- d-----w c:\documents and settings\LocalService\Application Data\AVG7
2008-12-07 04:29 --------- d-----w c:\program files\Spyware Doctor
2008-12-07 02:02 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-07 01:37 --------- d-----w c:\program files\TiLP
2008-12-05 03:52 --------- d-----w c:\documents and settings\***\Application Data\uTorrent
2008-11-06 23:20 --------- d-----w c:\documents and settings\***\Application Data\gtk-2.0
2008-11-06 23:17 --------- d-----w c:\program files\Inkscape
2008-11-04 01:16 --------- d-----w c:\documents and settings\***\Application Data\Inkscape
2008-11-02 20:07 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-02 19:45 --------- d-----w c:\program files\MSECache
2008-11-02 17:59 --------- d-----w c:\documents and settings\***\Application Data\GetRightToGo
2008-11-02 15:24 --------- d-----w c:\program files\Microsoft Works
2008-10-26 00:44 --------- d-----w c:\program files\Google
2008-10-20 20:25 --------- d-----w c:\program files\Common Files\xing shared
2008-10-20 20:24 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-10-20 20:24 --------- d-----w c:\program files\Common Files\Real
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-12 16:16 --------- d-----w c:\program files\Ghostgum
2008-10-12 16:14 --------- d-----w c:\program files\gs
2008-10-12 16:12 --------- d-----w c:\program files\TeXnicCenter
2008-10-12 15:26 --------- d-----w c:\documents and settings\All Users\Application Data\MiKTeX
2008-10-12 15:25 --------- d-----w c:\program files\MiKTeX 2.7
2006-05-03 10:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 11:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2007-12-17 13:43 27,648 --sh--w c:\windows\system32\Smab0.dll
2008-02-04 19:26 151,040 --sh--w c:\windows\system32\VistaUltm.dll
.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]
"CursorXP"="c:\program files\CursorXP\CursorXP.exe" [2005-01-19 128000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-12-07 590848]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-12 158208]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-04-13 219136]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2008-10-20 136768]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Virus
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
--a------ 2006-11-01 20:48 1392640 c:\windows\system32\WLTRAY.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-12 08:18 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-08-13 01:05 122939 c:\windows\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-10-12 16:54 57344 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-02 19:35 133104 c:\documents and settings\***\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2006-06-06 17:06 77824 c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2006-06-06 17:10 118784 c:\windows\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2006-06-06 17:09 94208 c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
--a------ 2008-08-25 12:36 1168264 c:\program files\Spyware Doctor\pctsTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-11-17 15:11 1805552 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-10-20 15:24 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 01:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MDM"=2 (0x2)
"gusvc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aom.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=
"c:\\Program Files\\PsyCollider\\Psycollider.exe"=
"c:\\Program Files\\PsyCollider\\scsynth.exe"=
"c:\\Python25\\pythonw.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:80
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-06 28544]
R1 DhaHelper;DhaHelper;\??\c:\windows\system32\drivers\dhahelper.sys [2008-10-13 7168]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
S0 gavsfu;gavsfu;c:\windows\system32\drivers\qmwyfykb.sys []
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\windows\system32\DRIVERS\libusb0.sys [2008-10-13 24576]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-04-02 356920]
.
Contents of the 'Scheduled Tasks' folder
2008-12-07 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\***\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 19:35]
2008-12-07 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe []
2008-12-07 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot []
.
- - - - ORPHANS REMOVED - - - -
Notify-NavLogon - (no file)
MSConfigStartUp-MalwareRemovalBot - c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe
MSConfigStartUp-Omniscient - c:\c:\WINDOWS\Omniscient.exe
MSConfigStartUp-RocketDock - c:\program files\RocketDock\RocketDock.exe
MSConfigStartUp-SysMetrix - c:\program files\SysMetrix\SysMetrix.exe
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\***\Application Data\Mozilla\Firefox\Profiles\ciyyy7d8.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com
FF -: plugin - c:\documents and settings\***\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF -: plugin - c:\program files\Opera\program\plugins\NPOFF12.DLL
FF -: plugin - c:\program files\Picasa2\npPicasa2.dll
.**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 21:41:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\mysql\bin\mysqld-nt\" --defaults-file=\"c:\mysql\my.ini\" MySQL"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msqpdxserv.sys]
"imagepath"="\systemroot\system32\drivers\msqpdxpqltoiqh.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(728)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
r Running Proce
.
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
.
**************************************************************************
.
Completion time: 2008-12-07 21:44:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-08 02:44:14
Pre-Run: 100,274,429,952 bytes free
Post-Run: 100,199,452,672 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
267 --- E O F --- 2008-04-11 10:57:41

Turn off Spybot.
Open Notepad and copy/paste everything between the X's into it, and make sure the first word (such as KILLALL, or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\system32\drivers\qmwyfykb.sys
Driver::
gavsfu
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msqpdxserv.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As". Change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".
Restart the computer.
Post a new ComboFix log following the previous directions.
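A triage pass over the driver section of the log above, as an added example that is not part of the original thread: it parses ComboFix-style driver lines, flags entries such as `gavsfu`, and checks that a CFScript names every flagged driver and file. The function names, the heuristics, and the reading of an empty `[]` as "file date and size could not be read" are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Driver lines and removal script copied from the posts above. The first driver
# line is left fused to the firewall entry before it, as it appears in the post.
SAMPLE_LOG = r'''
"80:TCP"= 80:TCP:80R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-06 28544]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
S0 gavsfu;gavsfu;c:\windows\system32\drivers\qmwyfykb.sys []
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\windows\system32\DRIVERS\libusb0.sys [2008-10-13 24576]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-04-02 356920]
'''
SAMPLE_SCRIPT = r'''
KILLALL::
File::
c:\windows\system32\drivers\qmwyfykb.sys
Driver::
gavsfu
'''

START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}
# <R|S><start type> name;display name;image path [date size]
DRIVER_RE = re.compile(
    r"(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>.*);"
    r"(?P<path>.+?) \[(?P<meta>[^\]]*)\]\s*$"
)
VOWELS = set("aeiou")


@dataclass
class Entry:
    running: bool
    start: str
    name: str
    display: str
    path: str
    has_file_info: bool
    reasons: list = field(default_factory=list)


def parse_drivers(log_text):
    """Extract driver/service entries; search() tolerates text fused in front."""
    entries = []
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if not m:
            continue
        path = m["path"]
        if path.startswith("\\??\\"):  # strip the NT object-path prefix
            path = path[4:]
        entries.append(Entry(m["state"] == "R", START_TYPES[int(m["start"])],
                             m["name"], m["display"], path,
                             bool(m["meta"].strip())))
    return entries


def triage(entries):
    """Return entries worth a manual look. These are heuristics, not verdicts."""
    flagged = []
    for e in entries:
        e.reasons = []
        stem = PureWindowsPath(e.path).stem.lower()
        if not e.has_file_info:
            e.reasons.append("no file date/size reported for the image")
            if e.start in ("boot", "system"):
                e.reasons.append(f"{e.start}-start driver with no readable image")
        if (stem.isalpha() and len(stem) >= 6 and not VOWELS & set(stem)
                and e.name.lower() not in stem):
            e.reasons.append("vowel-free file name unrelated to the service name")
        if e.reasons:
            flagged.append(e)
    return flagged


def parse_cfscript(text):
    """Group script lines under their 'Section::' headers (lower-cased keys)."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def script_gaps(flagged, sections):
    """List flagged drivers or files that the script does not name."""
    files = {p.lower() for p in sections.get("file", [])}
    drivers = {d.lower() for d in sections.get("driver", [])}
    gaps = []
    for e in flagged:
        if e.name.lower() not in drivers:
            gaps.append(("driver", e.name))
        if e.path.lower() not in files:
            gaps.append(("file", e.path))
    return gaps


if __name__ == "__main__":
    hits = triage(parse_drivers(SAMPLE_LOG))
    for e in hits:
        print(e.name, e.path, "; ".join(e.reasons))
    print("not covered by script:", script_gaps(hits, parse_cfscript(SAMPLE_SCRIPT)))
```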

Thanks for all your help, I'm going to turn in for the night right now. First I'll post the latest ComboFIX log.
=====
ComboFix 08-12-06.06 - **** 2008-12-07 22:33:48.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.212 [GMT -5:00]
Running from: c:\documents and settings\**** \Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\****\Desktop\CFScript.txt
* Created a new restore point
FILE ::
c:\windows\system32\drivers\qmwyfykb.sys
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
..
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_gavsfu
((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.
2008-12-07 20:37 . 2008-12-07 20:37 <DIR> d-------- c:\windows\ERUNT
2008-12-07 20:30 . 2008-12-07 20:48 <DIR> d-------- C:\SDFix
2008-12-07 18:22 . 2008-12-07 18:24 <DIR> d-------- c:\documents and settings\****\Application Data\MalwareRemovalBot
2008-12-07 15:09 . 2008-12-07 15:55 <DIR> d-------- C:\fixwareout
2008-12-07 14:53 . 2008-12-07 15:49 1,418 --a------ c:\windows\system32\tmp.reg
2008-12-07 10:54 . 2008-12-07 10:54 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-07 10:54 . 2008-12-07 10:54 <DIR> d-------- c:\documents and settings\****\Application Data\SUPERAntiSpyware.com
2008-12-07 10:54 . 2008-12-07 10:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-07 10:49 . 2008-12-07 10:49 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-07 09:16 . 2008-12-07 09:19 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-07 09:16 . 2008-12-07 18:26 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-07 09:16 . 2008-12-07 09:16 <DIR> d-------- c:\documents and settings\****\Application Data\Malwarebytes
2008-12-07 09:16 . 2008-12-07 09:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-07 09:16 . 2008-12-07 09:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-07 09:16 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-07 09:16 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-07 09:08 . 2008-12-07 09:08 <DIR> d-------- c:\program files\Free Windows Registry Cleaner
2008-12-07 08:57 . 2008-12-07 08:57 <DIR> d-------- c:\program files\AnVir Task Manager Pro
2008-12-07 08:57 . 2008-12-07 08:57 <DIR> d-------- c:\documents and settings\****\Application Data\Uniblue
2008-12-07 08:51 . 2008-12-07 14:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2008-12-07 08:50 . 2008-12-07 08:56 <DIR> d-------- c:\program files\Security Task Manager
2008-12-06 23:13 . 2005-08-27 02:38 1,435,272 --a------ c:\windows\system32\Flash.ocx
2008-12-06 23:13 . 2003-11-19 13:59 512,688 --a------ c:\windows\system32\XceedCry.dll
2008-12-06 23:13 . 2004-05-11 09:56 423,784 --a------ c:\windows\system32\XceedBkp.dll
2008-12-06 23:13 . 2004-03-08 23:00 131,856 --a------ c:\windows\system32\MSADODC.ocx
2008-12-06 23:13 . 2000-07-15 05:00 101,888 --a------ c:\windows\system32\VB6STKIT.DLL
2008-12-06 23:13 . 2001-03-28 22:02 89,088 --a------ c:\windows\system32\ProgressBar4.ocx
2008-12-06 23:13 . 1999-01-26 19:36 11,012 --a------ c:\windows\system32\threadapi.tlb
2008-12-06 23:04 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-12-06 23:02 . 2008-12-06 23:02 <DIR> d-------- c:\program files\Panda Security
2008-12-06 22:46 . 2008-12-06 22:46 <DIR> d-------- c:\program files\Trend Micro
2008-12-06 21:26 . 2008-12-06 21:26 <DIR> d-------- c:\documents and settings\****\Application Data\Auslogics
2008-12-06 21:25 . 2008-12-06 21:25 <DIR> d-------- c:\program files\Auslogics
2008-12-06 20:03 . 2008-12-06 21:53 <DIR> d-------- c:\program files\RocketDock
2008-12-06 12:16 . 2008-12-07 15:23 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-06 12:16 . 2008-12-06 12:16 1,409 --a------ c:\windows\QTFont.for
2008-12-04 16:52 . 2008-12-06 21:48 27,904 --a------ c:\windows\system32\drivers\Ndisprot.sys
2008-12-04 16:01 . 2008-12-04 16:07 <DIR> d-------- c:\documents and settings\****\freemind
2008-11-26 17:32 . 2008-12-06 21:59 <DIR> d-------- c:\program files\VSTPlugIns
2008-11-25 21:56 . 2008-11-27 18:59 <DIR> d-------- c:\program files\Jeskola Buzz
2008-11-23 21:14 . 2008-11-23 21:14 <DIR> d-------- c:\program files\Visualization Software
2008-11-22 21:58 . 2008-11-22 21:59 <DIR> d-------- c:\program files\Pure Data
2008-11-18 18:25 . 2008-11-18 18:25 <DIR> d-------- c:\program files\Renoise 1.9.1x
2008-11-18 15:52 . 2008-11-18 15:52 <DIR> d-------- c:\documents and settings\****\Application Data\Renoise
2008-11-18 15:50 . 2008-11-18 15:50 <DIR> d-------- c:\program files\Renoise 1.9.1
2008-11-14 22:09 . 2008-11-15 19:34 <DIR> d-------- c:\documents and settings\****\SuperCollider
2008-11-14 22:06 . 2008-11-14 22:09 <DIR> d-------- c:\program files\PsyCollider
2008-11-14 21:23 . 2008-11-14 21:26 <DIR> d-------- c:\program files\MXP4Creator
2008-11-14 21:23 . 2008-11-14 21:23 <DIR> d-------- c:\documents and settings\****\Application Data\MXP4
2008-11-14 21:22 . 2008-11-14 21:23 <DIR> d-------- c:\documents and settings\****\Application Data\.csound
2008-11-14 14:42 . 2008-11-14 14:42 <DIR> d-------- c:\documents and settings\****\Application Data\Cycling '74
2008-11-13 21:19 . 2008-11-13 21:19 <DIR> d-------- c:\program files\Common Files\PACE Anti-Piracy
2008-11-13 21:19 . 2008-11-14 14:42 <DIR> d-------- c:\documents and settings\****\Application Data\PACE Anti-Piracy
2008-11-13 21:19 . 2008-11-14 14:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
2008-11-13 17:22 . 2008-11-13 17:22 <DIR> d-------- c:\program files\Csound
2008-11-13 17:21 . 2008-11-13 17:21 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-08 21:39 . 2008-12-04 16:29 <DIR> d-------- c:\program files\IDoser v4
2008-11-08 16:30 . 2008-11-08 16:30 1,805 --a------ c:\windows\TSearch.INI
2008-11-08 16:30 . 2008-11-08 16:30 19 --a------ c:\windows\HexEditor_FindList.hed
2008-11-08 15:30 . 2008-11-08 15:30 <DIR> d-------- c:\program files\Nsauditor.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 01:31 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-07 15:57 --------- d-----w c:\documents and settings\****\Application Data\AVG7
2008-12-07 14:13 --------- d-----w c:\documents and settings\LocalService\Application Data\AVG7
2008-12-07 04:29 --------- d-----w c:\program files\Spyware Doctor
2008-12-07 02:02 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-07 01:37 --------- d-----w c:\program files\TiLP
2008-12-05 03:52 --------- d-----w c:\documents and settings\****\Application Data\uTorrent
2008-11-06 23:20 --------- d-----w c:\documents and settings\****\Application Data\gtk-2.0
2008-11-06 23:17 --------- d-----w c:\program files\Inkscape
2008-11-04 01:16 --------- d-----w c:\documents and settings\****\Application Data\Inkscape
2008-11-02 20:07 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-02 19:45 --------- d-----w c:\program files\MSECache
2008-11-02 17:59 --------- d-----w c:\documents and settings\****\Application Data\GetRightToGo
2008-11-02 15:24 --------- d-----w c:\program files\Microsoft Works
2008-10-26 00:44 --------- d-----w c:\program files\Google
2008-10-20 20:25 --------- d-----w c:\program files\Common Files\xing shared
2008-10-20 20:24 --------- d-----w c:\program files\Common Files\Real
2008-10-12 16:16 --------- d-----w c:\program files\Ghostgum
2008-10-12 16:14 --------- d-----w c:\program files\gs
2008-10-12 16:12 --------- d-----w c:\program files\TeXnicCenter
2008-10-12 15:26 --------- d-----w c:\documents and settings\All Users\Application Data\MiKTeX
2008-10-12 15:25 --------- d-----w c:\program files\MiKTeX 2.7
2006-05-03 10:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 11:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2007-12-17 13:43 27,648 --sh--w c:\windows\system32\Smab0.dll
2008-02-04 19:26 151,040 --sh--w c:\windows\system32\VistaUltm.dll
.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]
"CursorXP"="c:\program files\CursorXP\CursorXP.exe" [2005-01-19 128000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-12-07 590848]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-12 158208]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-04-13 219136]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2008-10-20 136768]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
--a------ 2006-11-01 20:48 1392640 c:\windows\system32\WLTRAY.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-12 08:18 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-08-13 01:05 122939 c:\windows\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-10-12 16:54 57344 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-02 19:35 133104 c:\documents and settings\****\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2006-06-06 17:06 77824 c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2006-06-06 17:10 118784 c:\windows\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2006-06-06 17:09 94208 c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
--a------ 2008-08-25 12:36 1168264 c:\program files\Spyware Doctor\pctsTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-11-17 15:11 1805552 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-10-20 15:24 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 01:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MDM"=2 (0x2)
"gusvc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aom.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=
"c:\\Program Files\\PsyCollider\\Psycollider.exe"=
"c:\\Program Files\\PsyCollider\\scsynth.exe"=
"c:\\Python25\\pythonw.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:80
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-06 28544]
R1 DhaHelper;DhaHelper;\??\c:\windows\system32\drivers\dhahelper.sys [2008-10-13 7168]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\windows\system32\DRIVERS\libusb0.sys [2008-10-13 24576]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-04-02 356920]
.
Contents of the 'Scheduled Tasks' folder
2008-12-08 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\****\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 19:35]
2008-12-07 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe []
2008-12-07 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot []
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\****\Application Data\Mozilla\Firefox\Profiles\ciyyy7d8.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com
FF -: plugin - c:\documents and settings\****\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF -: plugin - c:\program files\Opera\program\plugins\NPOFF12.DLL
FF -: plugin - c:\program files\Picasa2\npPicasa2.dll
.**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 22:38:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\mysql\bin\mysqld-nt\" --defaults-file=\"c:\mysql\my.ini\" MySQL"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msqpdxserv.sys]
"imagepath"="\systemroot\system32\drivers\msqpdxpqltoiqh.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(724)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
r Running Proce
.
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
.
**************************************************************************
.
Completion time: 2008-12-07 22:41:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-08 03:41:30
ComboFix2.txt 2008-12-08 02:44:22
Pre-Run: 100,446,441,472 bytes free
Post-Run: 100,440,403,968 bytes free
247 --- E O F --- 2008-04-11 10:57:41

Please download The Avenger2 by Swandog46 to your Desktop from this link.
Right click on the Avenger.zip folder and select "Extract All..."
Follow the prompts and extract the avenger folder to your desktop.
1. Copy all the text contained between the X's below to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Registry Keys to delete:
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msqpdxserv.sys
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
2. Now, open the avenger folder and start The Avenger program by clicking on its icon.
Right click on the window under Input script here:, and select Paste.
You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
Click on Execute
Answer "Yes" twice when prompted.
3. The Avenger will automatically do the following:
It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.
Let's try to get your name back.
Go to start> control panel> system> computer name> change. If there are asterisks where your name should be, type in your name> click ok> apply> ok. Restart the computer and see if the asterisks have been replaced with your name.

The name is my doing, I don't want to fling around my identity too much.
Here is the Avenger log:
=======
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Registry key "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msqpdxserv.sys" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
