IE Windows keep opening; system slow as hell

May 2, 2009 at 16:27:58
Specs: Windows XP SP3
Hello, I am a first-year medical student whose computer is giving him hell during finals week...this is a bad time for such.

I have a 3.2 Duo Core HP zd8000 laptop running XP Service Pack 3, with 2 gig DDR2 667 RAM. I have AVG and Advanced SystemCare installed, and they both keep finding trojans and spyware, remove them, and after restart they find them again.

As I browse, in any browser (IE 8, FF 3.0.10, Chrome 2.0.172.8), my browsing is extraordinarily slow, and windows keep popping up...when I open IE the home page goes to flipdummie.com, no matter how many times I change it.

I read some other posts on here and tried installing Malwarebytes, and it comes up with 2 error messages during install and the same 2 when I try to run the program:
"vbAccelerator SGrid II Control - Run time error '0' "

and

"Malwarebytes' Anti-Malware - Run-time error '440'. Automation error."


I ran HijackThis and have a log available.

If anyone can please help me get my computer back to normal I'd greatly appreciate it.



#1
May 2, 2009 at 18:15:46

Try the following steps and post your Hijack This log.

This may temporarily help with the redirects:

Click on Start, click Run, and then type devmgmt.msc and click OK
On the View menu click on Show hidden devices
Browse to Non-Plug and Play Drivers and click the + sign to the left; you should see something like TDSSserv.sys in that list.
Highlight that driver, right-click on it and select DISABLE - NOT uninstall.
Now RESTART your computer; if it was not found, just continue.

Boot into Safe Mode with Networking. Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select Safe Mode with Networking, then press "Enter".
Choose your usual account.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.


If Malwarebytes installed but will not run, navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.



#2
May 2, 2009 at 21:51:18
Ok -

There wasn't a TDSS under the non-Plug and Play list, so I just continued like you said.

Booted in safe mode with networking, DLed Malwarebytes (name changed to tool before beginning). I had to DL the newest version of Visual Basic 6 in order for Malwarebytes to work, but it eventually did...here are 2 logs, as after completing one I rebooted (again in safe mode) and re-ran it with a deep scan:

Quick Scan:

Malwarebytes' Anti-Malware 1.36
Database version: 2069
Windows 5.1.2600 Service Pack 3

5/3/2009 6:02:16 AM
mbam-log-2009-05-03 (06-02-16).txt

Scan type: Quick Scan
Objects scanned: 77547
Time elapsed: 3 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Deep Scan:


Malwarebytes' Anti-Malware 1.36
Database version: 2069
Windows 5.1.2600 Service Pack 3

5/3/2009 6:24:58 AM
mbam-log-2009-05-03 (06-24-58).txt

Scan type: Full Scan (C:\|)
Objects scanned: 115924
Time elapsed: 14 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dopumoyanu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5012edcf (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm5321de53 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And here is the HJT log (also ran in safe mode):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:57 AM, on 5/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Malwarebytes' Anti-Malware 2\mbam.exe
D:\HiJkThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: HP Button Manager.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Magic-i.lnk = C:\Program Files\HP\ArcSoft\ArcSoft\Magic-i 3\Magic-i.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/re...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MgiSvr - ArcSoft, Inc. - C:\Program Files\HP\ArcSoft\ArcSoft\Magic-i 3\uMgiSvr.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doc\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doc\pctsSvc.exe

--
End of file - 7011 bytes


I'm not sure if this fixed me up or not...it looks like MWB removed Vundo, or at least part of it...but I'm scared to start in normal mode because I don't want to have to start over again...please let me know what I should do now - until then, I'll leave my comp running in safe mode.

Thanks for your help so far.
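The two MBAM logs above follow one fixed layout: a header, a summary block of "&lt;section&gt; Infected: N" counts, then one detail section per name listing "&lt;path&gt; (&lt;family&gt;) -> &lt;action&gt;" lines. As an added example (not code from the thread or from Malwarebytes), the parser below reads that layout, checks the summary counts against the detail lines, and flags the two things that matter for this infection: Run-key autostart entries and disabled Security Center notifications. The sample logs are abridged from this post; `triage`, `leaf` and `is_clean` are names chosen here.

```python
# Added example (not from the thread or from Malwarebytes): parse and triage an MBAM 1.x log.
import re
from dataclasses import dataclass, field

HEADER_KEYS = {"Database version", "Scan type", "Objects scanned", "Time elapsed"}
# "Registry Values Infected: 3" is the summary form; without a count it opens the detail section.
SECTION_RE = re.compile(
    r"^(?P<name>Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:\s*(?P<count>\d+)?$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
NO_ITEMS = "(No malicious items detected)"
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

@dataclass
class Detection:
    section: str
    path: str
    family: str
    action: str

@dataclass
class MbamReport:
    header: dict = field(default_factory=dict)   # e.g. {"Scan type": "Quick Scan"}
    summary: dict = field(default_factory=dict)  # section name -> count the log claims
    detections: list = field(default_factory=list)

def parse_mbam_log(text: str) -> MbamReport:
    report, section = MbamReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == NO_ITEMS:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is None:
                section = m.group("name")            # entering a detail section
            else:
                report.summary[m.group("name")] = int(m.group("count"))
                section = None
            continue
        if section is None:                           # still in the header block
            key, _, value = line.partition(":")
            if key.strip() in HEADER_KEYS:
                report.header[key.strip()] = value.strip()
            continue
        im = ITEM_RE.match(line)                      # "<path> (<family>) -> <action>"
        if im:
            report.detections.append(Detection(section, **im.groupdict()))
    return report

def leaf(path: str) -> str:
    """Last path component, e.g. 'dopumoyanu' for a Run value."""
    return path.rsplit("\\", 1)[-1]

def triage(report: MbamReport) -> list:
    """Findings a responder wants before trusting a 'clean' verdict."""
    findings = []
    # Summary counts must agree with the detail lines; a truncated or edited log will not.
    for name, claimed in report.summary.items():
        listed = sum(1 for d in report.detections if d.section == name)
        if listed != claimed:
            findings.append(f"count mismatch in {name}: summary {claimed}, listed {listed}")
    for d in report.detections:
        if RUN_KEY_RE.search(d.path):
            findings.append(f"autostart persistence: {leaf(d.path)} ({d.family})")
        if d.family == "Disabled.SecurityCenter":
            findings.append(f"security notifications disabled: {leaf(d.path)}")
        if not d.action.endswith("successfully."):
            findings.append(f"not removed: {d.path} -> {d.action}")
    return findings

def is_clean(report: MbamReport) -> bool:
    return not report.detections and not any(report.summary.values())

# Abridged from the Full Scan and Quick Scan logs posted above (zero-count sections dropped).
FULL_SCAN_LOG = r"""
Database version: 2069
Scan type: Full Scan (C:\|)
Objects scanned: 115924
Memory Processes Infected: 0
Registry Values Infected: 3
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dopumoyanu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5012edcf (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm5321de53 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
"""
QUICK_SCAN_LOG = r"""
Scan type: Quick Scan
Registry Data Items Infected: 2
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for log in (QUICK_SCAN_LOG, FULL_SCAN_LOG):
        rep = parse_mbam_log(log)
        print(rep.header.get("Scan type"), "clean" if is_clean(rep) else "NOT clean", *triage(rep), sep="\n  ")
```

A quick scan that reports only Security Center tampering while the full scan finds three Run values is exactly the case the count check and the persistence flag are meant to surface: the first "clean" result is not the end of the story.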



#3
May 2, 2009 at 22:31:32
When I run MWB now, it does not detect anything...still hanging out in safe mode.



#4
May 3, 2009 at 06:35:36
In normal mode please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to toolb.exe in the filename box, then click Save.

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline and turn off your AVG antivirus, Spybot, Spyware Doctor and any other antispyware that you may have. (To completely turn off AVG, click the systray icon and then click Exit. Next click the desktop AVG icon > Resident Shield > uncheck "resident shield active" > save changes.)
2. Run Combofix by double clicking the toolb.exe icon on your desktop and save its log.
3. Restart the computer to get the antivirus running again and recheck the "resident shield active" box, but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.



#5
May 3, 2009 at 14:21:25
OK, you're probably gonna be pissed at me, but here goes -

I did what you said, and ran combofix...I had disabled/closed all anti-spyware programs...but when I ran combofix ("toolb"), spybot S&D opened up...without me asking it to (tried to perform an autosearch as well)...didn't think too too much of it, just used task manager to kill it and proceeded with combofix (it was hung at the system restore dialog, thankfully...so it was actually doing the check while this was going on). So I ran it the first time, and here is the log:

ComboFix 09-05-03.1 - Judith 05/03/2009 15:25.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1435 [GMT -6:00]
Running from: D:\Toolb.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-04-03 to 2009-05-03 )))))))))))))))))))))))))))))))
.

2009-05-03 12:04 . 2009-05-03 12:04 -------- d-----w c:\documents and settings\Judith\Application Data\Malwarebytes
2009-05-03 11:55 . 2009-05-03 11:55 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-03 10:08 . 2009-05-03 10:17 -------- d-----w C:\ComboFix
2009-05-03 09:34 . 2009-05-03 21:11 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-03 09:34 . 2009-05-03 21:11 -------- d-----w c:\program files\Common Files\PC Tools
2009-05-03 09:34 . 2009-05-03 21:11 -------- d-----w c:\program files\Spyware Doc
2009-05-03 09:08 . 2009-05-03 13:23 -------- d-----w c:\documents and settings\Administrator\Tracing
2009-05-03 06:58 . 2009-05-03 06:58 -------- d-----w C:\VundoFix Backups
2009-05-03 06:57 . 2009-05-03 11:36 -------- d-----w c:\program files\MA2
2009-05-03 06:51 . 2009-05-03 06:52 -------- d-----w c:\program files\Windows Live Safety Center
2009-05-03 05:52 . 2009-04-06 21:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-03 05:51 . 2009-04-06 21:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-03 05:51 . 2009-05-03 05:51 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-03 05:32 . 2009-05-03 05:32 -------- d-sh--w c:\documents and settings\Administrator\PrivacIE
2009-05-03 05:30 . 2009-05-03 05:31 -------- d-----w C:\MWBs anti mal
2009-05-03 05:26 . 2009-05-03 05:26 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-03 03:12 . 2009-05-03 03:12 -------- d-----w c:\documents and settings\Administrator\Application Data\IObit
2009-05-03 03:11 . 2009-05-03 03:11 -------- d-sh--w c:\documents and settings\Administrator\IECompatCache
2009-05-03 03:00 . 2009-05-03 03:00 -------- d-----w c:\documents and settings\Administrator\Application Data\GRETECH
2009-05-03 02:35 . 2009-05-03 02:35 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-05-03 00:59 . 2009-05-03 00:59 -------- d-sh--w c:\documents and settings\Judith\IECompatCache
2009-05-03 00:46 . 2009-05-03 03:35 -------- d-----w c:\program files\CCleaner
2009-05-03 00:36 . 2009-05-03 00:39 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-03 00:36 . 2009-05-03 05:17 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-02 23:36 . 2009-05-02 23:36 -------- d-----w c:\documents and settings\Judith\Local Settings\Application Data\Deployment
2009-04-30 19:14 . 2009-04-30 19:14 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-29 21:57 . 2009-04-29 21:57 -------- d-sh--w c:\documents and settings\Judith\PrivacIE
2009-04-29 21:54 . 2009-04-29 21:54 -------- d-sh--w c:\documents and settings\Judith\IETldCache
2009-04-29 21:02 . 2009-04-29 21:03 -------- dc-h--w c:\windows\ie8
2009-04-29 21:02 . 2009-04-29 21:05 -------- d--h--w c:\windows\msdownld.tmp
2009-04-29 12:05 . 2009-04-29 12:05 -------- d-----w c:\program files\IrfanView
2009-04-28 07:50 . 2009-04-28 09:21 -------- d-----w c:\documents and settings\Judith\Application Data\IObit
2009-04-28 07:50 . 2009-04-28 08:27 -------- d-----w c:\program files\IObit
2009-04-27 11:36 . 2009-04-27 11:39 -------- d-----w c:\program files\DAEMON Tools Pro d
2009-04-27 11:34 . 2009-04-27 11:34 -------- d-----w c:\program files\DAEMON Tools Pro c
2009-04-27 11:31 . 2009-04-27 11:31 -------- d-----w c:\program files\DAEMON Tools Pro b
2009-04-27 09:48 . 2009-04-27 09:49 -------- d-----w c:\documents and settings\Judith\Local Settings\Application Data\CutePDF Writer
2009-04-27 09:47 . 2009-04-27 09:47 -------- d-----w c:\program files\GPLGS
2009-04-27 09:43 . 2007-07-13 04:33 87552 ----a-w c:\windows\system32\cpwmon2k.dll
2009-04-27 09:43 . 2009-04-27 09:43 -------- d-----w c:\program files\Acro Software
2009-04-25 18:25 . 2009-04-25 18:25 -------- d-----w c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-04-25 18:25 . 2009-04-27 11:33 -------- d-----w c:\program files\DAEMON Tools Pro
2009-04-23 20:21 . 2009-04-27 11:42 -------- d-----w c:\documents and settings\Judith\Application Data\DAEMON Tools Pro
2009-04-22 22:33 . 1998-10-29 22:45 306688 ----a-w c:\windows\IsUninst.exe
2009-04-22 04:17 . 2009-04-22 04:20 -------- d-----w c:\windows\system32\Adobe
2009-04-22 03:50 . 2009-04-22 04:05 -------- d-----w c:\documents and settings\Judith\Application Data\ImgBurn
2009-04-22 03:40 . 2009-04-22 03:40 -------- d-----w c:\program files\ImgBurn
2009-04-22 03:30 . 2009-04-23 20:22 721904 ----a-w c:\windows\system32\drivers\sptd.sys
2009-04-22 02:48 . 2009-04-22 02:45 216064 ----a-w c:\windows\iun3405.exe
2009-04-21 21:56 . 2009-04-22 20:11 -------- d-----w c:\program files\uTorrent
2009-04-21 21:56 . 2009-04-23 22:42 -------- d-----w c:\documents and settings\Judith\Application Data\uTorrent
2009-04-21 05:28 . 1993-05-12 06:00 398416 ----a-w c:\windows\system\VBRUN300.DLL
2009-04-21 05:27 . 2009-04-21 05:28 -------- d-----w C:\VISMAN
2009-04-21 05:27 . 2009-04-21 05:27 -------- d-----w c:\documents and settings\Judith\WINDOWS
2009-04-19 02:30 . 2009-04-19 02:30 -------- d-----w c:\documents and settings\Judith\Application Data\Leadertech
2009-04-18 21:47 . 2009-05-03 01:09 -------- d-----w c:\program files\iCall
2009-04-18 21:40 . 2009-04-18 21:42 -------- d-----w c:\documents and settings\Judith\Application Data\Gizmo5
2009-04-12 22:26 . 2009-04-12 22:28 35382 ----a-w c:\windows\scunin.dat
2009-04-12 22:26 . 2009-04-12 22:28 967 ----a-w c:\windows\ScUnin.pif
2009-04-12 22:26 . 2009-04-12 22:28 94208 ----a-w c:\windows\ScUnin.exe
2009-04-12 22:24 . 2009-04-26 08:31 -------- d-----w c:\program files\Starcraft
2009-04-10 09:07 . 2009-04-10 09:13 -------- d-----w c:\documents and settings\Judith\Application Data\vlc
2009-04-10 09:01 . 2009-04-10 09:01 -------- d-----w c:\program files\VideoLAN
2009-04-06 09:26 . 2009-04-07 03:12 -------- d-----w c:\program files\MSECache
2009-04-05 14:16 . 2009-04-05 14:16 -------- d-----w c:\documents and settings\Judith\Tracing
2009-04-05 14:16 . 2009-04-05 14:16 -------- d-----w c:\program files\Microsoft Office Outlook Connector
2009-04-05 14:15 . 2009-04-05 14:15 -------- d-----w c:\program files\Microsoft
2009-04-05 14:15 . 2009-04-05 14:15 -------- d-----w c:\program files\Windows Live SkyDrive
2009-04-05 14:15 . 2009-04-05 14:16 -------- d-----w c:\program files\Windows Live
2009-04-05 14:09 . 2009-04-05 14:09 -------- d-----w c:\program files\Common Files\Windows Live
2009-04-05 13:54 . 2009-04-05 13:54 -------- d-----w c:\windows\system32\scripting
2009-04-05 13:54 . 2009-04-05 13:54 -------- d-----w c:\windows\l2schemas
2009-04-05 13:54 . 2009-04-05 13:54 -------- d-----w c:\windows\system32\en
2009-04-05 13:54 . 2009-04-05 13:54 -------- d-----w c:\windows\system32\bits
2009-04-05 13:51 . 2009-04-05 13:51 -------- d-----w c:\windows\ServicePackFiles
2009-04-05 13:35 . 2004-08-04 04:29 63488 ------w c:\windows\system32\drivers\atinxsxx.sys
2009-04-05 13:21 . 2009-04-05 13:21 -------- d--h--w c:\windows\$hf_mig$
2009-04-05 13:14 . 2008-10-16 20:09 43544 ----a-w c:\windows\system32\wups2.dll
2009-04-05 11:42 . 2009-04-05 11:42 -------- d-----w c:\documents and settings\Judith\Local Settings\Application Data\Yahoo
2009-04-05 11:36 . 2009-04-05 11:42 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-05 11:36 . 2009-04-05 11:36 -------- d-----w c:\program files\Yahoo!
2009-04-05 10:03 . 2009-05-02 19:12 -------- d--h--w C:\$AVG8.VAULT$
2009-04-05 09:54 . 2009-05-02 15:13 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-05 09:54 . 2009-05-02 15:13 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-05 09:54 . 2009-05-02 15:13 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-05 09:54 . 2009-05-03 21:03 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-05 09:54 . 2009-04-05 09:54 -------- d-----w c:\program files\AVG
2009-04-05 09:54 . 2009-04-30 06:47 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-05 03:25 . 2009-04-05 08:45 -------- d-----w c:\documents and settings\Judith\Application Data\DMCache
2009-04-05 00:17 . 2009-04-05 00:17 -------- d-----w c:\documents and settings\Judith\Local Settings\Application Data\HP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 21:24 . 2009-03-31 08:38 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-03 11:41 . 2009-04-21 03:14 930 ----a-w c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1563985344-725345543-1003.job
2009-05-01 08:31 . 2009-02-01 08:31 47104 --sha-w c:\windows\system32\tiworita.exe
2009-04-30 20:30 . 2009-01-30 20:30 47104 --sha-w c:\windows\system32\welemige.exe
2009-04-30 08:33 . 2009-01-30 08:33 46592 --sha-w c:\windows\system32\vajilola.exe
2009-04-29 09:20 . 2009-03-31 09:21 -------- d-----w c:\program files\Microsoft ActiveSync
2009-04-29 04:01 . 2009-03-31 11:09 -------- d-----w c:\program files\PhotoScape
2009-04-28 08:27 . 2009-04-28 08:27 386 ----a-w c:\windows\Tasks\SmartDefrag.job
2009-04-06 11:21 . 2009-03-31 08:37 49304 ----a-w c:\documents and settings\Judith\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-05 13:56 . 2009-03-31 08:34 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-05 10:58 . 2009-03-31 19:08 -------- d-----w c:\program files\Opera 10 Preview
2009-04-05 10:02 . 2009-03-31 08:57 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-05 10:02 . 2009-03-31 08:57 -------- d-----w c:\program files\Symantec
2009-04-02 19:18 . 2009-03-31 08:31 -------- d-----w c:\program files\HP
2009-04-02 19:17 . 2009-03-31 08:48 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-02 19:11 . 2009-04-02 19:11 -------- d-----w c:\program files\Common Files\ArcSoft
2009-04-02 14:33 . 2009-04-02 14:33 -------- d-----w c:\program files\Free PDF to Word Doc Converter
2009-04-02 12:23 . 2009-03-31 09:31 -------- d-----w c:\program files\Camfrog
2009-03-31 20:18 . 2009-03-31 20:18 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-31 20:18 . 2009-03-31 09:10 -------- d-----w c:\program files\Java
2009-03-31 11:43 . 2009-03-31 11:43 0 ----a-w c:\windows\nsreg.dat
2009-03-31 10:48 . 2009-03-31 10:48 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-31 10:41 . 2009-03-31 10:41 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-31 09:30 . 2009-03-31 09:30 -------- d-----w c:\program files\GRETECH
2009-03-31 09:27 . 2009-03-31 08:28 165598 ----a-w c:\windows\hpoins29.dat
2009-03-31 09:20 . 2009-03-31 09:20 -------- d-----w c:\program files\Microsoft.NET
2009-03-31 09:11 . 2009-03-31 09:02 -------- d-----w c:\program files\HPQ
2009-03-31 09:10 . 2009-03-31 09:10 -------- d-----w c:\program files\Common Files\Java
2009-03-31 09:09 . 2009-03-31 09:09 1772 --sha-r c:\windows\system32\drivers\103C_HP_NTBK_Pavilion zd8000 (PD726AV#ABA)_YN_0Pavi_QCNF512081T_EU_46_I3082_SQuanta_V36.30_BF.22_T050223_WXP2_L409_M2047_J100_7Intel_8Pentium 4_93.19_#090331_N10EC8139_(PD726AV#ABA)_XMOBILE_CN10_Z8086266D_2F.22.MRK
2009-03-31 09:07 . 2009-03-31 09:07 -------- d-----w c:\program files\Common Files\SureThing Shared
2009-03-31 09:07 . 2009-03-31 09:07 -------- d-----w c:\program files\Sonic
2009-03-31 09:05 . 2009-03-31 09:05 -------- d-----w c:\program files\Common Files\muvee Technologies
2009-03-31 09:05 . 2009-03-31 09:05 -------- d-----w c:\program files\muvee Technologies
2009-03-31 09:05 . 2009-03-31 09:05 -------- d-----w c:\program files\InterVideo
2009-03-31 09:03 . 2009-03-31 08:48 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-31 09:02 . 2009-03-31 09:01 -------- d-----w c:\program files\ATI Technologies
2009-03-31 09:01 . 2009-03-31 09:01 -------- d-----w c:\program files\Synaptics
2009-03-31 08:57 . 2009-03-31 08:57 -------- d-----w c:\program files\CONEXANT
2009-03-31 08:50 . 2009-03-31 08:50 -------- d-----w c:\program files\Intel
2009-03-31 08:35 . 2009-03-31 08:34 -------- d-----w c:\program files\Common Files\Adobe
2009-03-31 08:35 . 2009-03-31 08:35 -------- d-----w c:\program files\microsoft frontpage
2009-03-31 08:34 . 2004-08-04 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-03-31 08:33 . 2009-03-31 08:33 -------- d-----w c:\program files\Common Files\HP
2009-03-31 08:33 . 2009-03-31 08:33 -------- d-----w c:\program files\Hewlett-Packard
2009-03-31 08:33 . 2009-03-31 08:33 -------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-03-31 08:31 . 2009-03-31 08:31 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-16 20:18 . 2009-03-31 10:48 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-03-16 20:18 . 2009-03-31 10:48 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-03-16 20:18 . 2009-03-31 10:48 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-03-16 20:18 . 2009-03-31 10:48 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-03-09 21:27 . 2009-03-31 10:48 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-03-09 21:27 . 2009-03-31 10:48 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-03-09 21:27 . 2009-03-31 10:48 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-03-08 10:34 . 2004-08-04 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 10:34 . 2004-08-04 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 10:33 . 2004-08-04 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 10:33 . 2004-08-04 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 10:32 . 2004-08-04 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 10:32 . 2004-08-04 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 10:31 . 2004-08-04 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 10:31 . 2004-08-04 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 10:31 . 2004-08-04 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 10:22 . 2004-08-04 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-02-07 00:52 . 2009-02-07 00:52 49504 ----a-w c:\windows\system32\sirenacm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro d\DTProAgent.exe" [2009-01-26 228808]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"avgupdater"="c:\windows\avgupdater.exe" [2008-08-26 239299]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-10-22 229438]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2004-12-09 184320]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-31 148888]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2004-12-08 790528]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-11-20 178688]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-02 1947928]
"dopumoyanu"="c:\windows\system32\ledalesa.dll" [BU]
"5012edcf"="c:\windows\system32\yudivoyo.dll" [BU]
"CPM5321de53"="c:\windows\system32\vojiyiye.dll" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-31 113664]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2009-3-31 184320]
HP Button Manager.lnk - c:\program files\HP\Button Manager\BM.exe [2009-4-2 266240]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Magic-i.lnk - c:\program files\HP\ArcSoft\ArcSoft\Magic-i 3\Magic-i.exe [2009-4-2 530944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-02 15:13 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"BITS"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\Camfrog\\Camfrog Video Chat\\Camfrog Video Chat.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Judith\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iCall\\iCall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-05-02 325896]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-02 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-05-02 298776]
S4 PCTCore;PCTools KDS; [x]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-05-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1563985344-725345543-1003.job
- c:\documents and settings\Judith\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-21 03:14]

2009-04-28 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-04-28 00:15]
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.flipdummie.com
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Judith\Application Data\Mozilla\Firefox\Profiles\neuuduro.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Judith\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 15:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????8?5?3?4??????? ???B?????????????H<C? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-842925246-1563985344-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,46,b7,a8,08,6e,ae,eb,41,82,08,e5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,46,b7,a8,08,6e,ae,eb,41,82,08,e5,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3752)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2009-05-03 15:28
ComboFix-quarantined-files.txt 2009-05-03 21:28
ComboFix2.txt 2009-05-03 10:17

Pre-Run: 82,279,436,288 bytes free
Post-Run: 82,274,000,896 bytes free


#6
May 3, 2009 at 14:22:14
After that, Spybot popped up AGAIN with a registry edit confirm/deny dialog (even though I had disabled its resident defense, closed the program, and closed it again with tskmgr during the combofix run)...so I denied the change, as this was what it said when I clicked "info":

Current filename:

Database status: Not required - virus, spyware, malware or other resource hog
Value:
Filename: system32.exe

Description
Added by the _AGOBOT-KU_ WORM! Note - has a blank entry under the Startup Item/Name field

Source: Paul Collins Startup list

So I denied that registry change...after this, I was thinking spybot running may have f'd up the combo run, so I uninstalled it and afterward re-ran combofix, for which this is the log:


ComboFix 09-05-03.1 - Judith 05/03/2009 15:42.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1537 [GMT -6:00]
Running from: D:\Toolb.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-04-03 to 2009-05-03 )))))))))))))))))))))))))))))))
.

2009-05-03 12:04 . 2009-05-03 12:04 -------- d-----w c:\documents and settings\Judith\Application Data\Malwarebytes
2009-05-03 11:55 . 2009-05-03 11:55 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-03 10:08 . 2009-05-03 10:17 -------- d-----w C:\ComboFix
2009-05-03 09:34 . 2009-05-03 21:11 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-03 09:08 . 2009-05-03 13:23 -------- d-----w c:\documents and settings\Administrator\Tracing
2009-05-03 06:58 . 2009-05-03 06:58 -------- d-----w C:\VundoFix Backups
2009-05-03 06:57 . 2009-05-03 11:36 -------- d-----w c:\program files\MA2
2009-05-03 06:51 . 2009-05-03 06:52 -------- d-----w c:\program files\Windows Live Safety Center
2009-05-03 05:52 . 2009-04-06 21:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-03 05:51 . 2009-04-06 21:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-03 05:51 . 2009-05-03 05:51 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-03 05:32 . 2009-05-03 05:32 -------- d-sh--w c:\documents and settings\Administrator\PrivacIE
2009-05-03 05:30 . 2009-05-03 05:31 -------- d-----w C:\MWBs anti mal
2009-05-03 05:26 . 2009-05-03 05:26 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-03 03:12 . 2009-05-03 03:12 -------- d-----w c:\documents and settings\Administrator\Application Data\IObit
2009-05-03 03:11 . 2009-05-03 03:11 -------- d-sh--w c:\documents and settings\Administrator\IECompatCache
2009-05-03 03:00 . 2009-05-03 03:00 -------- d-----w c:\documents and settings\Administrator\Application Data\GRETECH
2009-05-03 02:35 . 2009-05-03 02:35 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-05-03 00:59 . 2009-05-03 00:59 -------- d-sh--w c:\documents and settings\Judith\IECompatCache
2009-05-03 00:46 . 2009-05-03 03:35 -------- d-----w c:\program files\CCleaner
2009-05-03 00:36 . 2009-05-03 21:37 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-03 00:36 . 2009-05-03 21:36 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-02 23:36 . 2009-05-02 23:36 -------- d-----w c:\documents and settings\Judith\Local Settings\Application Data\Deployment
2009-04-30 19:14 . 2009-04-30 19:14 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-29 21:57 . 2009-04-29 21:57 -------- d-sh--w c:\documents and settings\Judith\PrivacIE
2009-04-29 21:54 . 2009-04-29 21:54 -------- d-sh--w c:\documents and settings\Judith\IETldCache
2009-04-29 21:02 . 2009-04-29 21:03 -------- dc-h--w c:\windows\ie8
2009-04-29 21:02 . 2009-04-29 21:05 -------- d--h--w c:\windows\msdownld.tmp
2009-04-29 12:05 . 2009-04-29 12:05 -------- d-----w c:\program files\IrfanView
2009-04-28 07:50 . 2009-04-28 09:21 -------- d-----w c:\documents and settings\Judith\Application Data\IObit
2009-04-28 07:50 . 2009-04-28 08:27 -------- d-----w c:\program files\IObit
2009-04-27 11:36 . 2009-04-27 11:39 -------- d-----w c:\program files\DAEMON Tools Pro d
2009-04-27 11:34 . 2009-04-27 11:34 -------- d-----w c:\program files\DAEMON Tools Pro c
2009-04-27 11:31 . 2009-04-27 11:31 -------- d-----w c:\program files\DAEMON Tools Pro b
2009-04-27 09:48 . 2009-04-27 09:49 -------- d-----w c:\documents and settings\Judith\Local Settings\Application Data\CutePDF Writer
2009-04-27 09:47 . 2009-04-27 09:47 -------- d-----w c:\program files\GPLGS
2009-04-27 09:43 . 2007-07-13 04:33 87552 ----a-w c:\windows\system32\cpwmon2k.dll
2009-04-27 09:43 . 2009-04-27 09:43 -------- d-----w c:\program files\Acro Software
2009-04-25 18:25 . 2009-04-25 18:25 -------- d-----w c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-04-25 18:25 . 2009-04-27 11:33 -------- d-----w c:\program files\DAEMON Tools Pro
2009-04-23 20:21 . 2009-04-27 11:42 -------- d-----w c:\documents and settings\Judith\Application Data\DAEMON Tools Pro
2009-04-22 22:33 . 1998-10-29 22:45 306688 ----a-w c:\windows\IsUninst.exe
2009-04-22 04:17 . 2009-04-22 04:20 -------- d-----w c:\windows\system32\Adobe
2009-04-22 03:50 . 2009-04-22 04:05 -------- d-----w c:\documents and settings\Judith\Application Data\ImgBurn
2009-04-22 03:40 . 2009-04-22 03:40 -------- d-----w c:\program files\ImgBurn
2009-04-22 03:30 . 2009-04-23 20:22 721904 ----a-w c:\windows\system32\drivers\sptd.sys
2009-04-22 02:48 . 2009-04-22 02:45 216064 ----a-w c:\windows\iun3405.exe
2009-04-21 21:56 . 2009-04-22 20:11 -------- d-----w c:\program files\uTorrent
2009-04-21 21:56 . 2009-04-23 22:42 -------- d-----w c:\documents and settings\Judith\Application Data\uTorrent
2009-04-21 05:28 . 1993-05-12 06:00 398416 ----a-w c:\windows\system\VBRUN300.DLL
2009-04-21 05:27 . 2009-04-21 05:28 -------- d-----w C:\VISMAN
2009-04-21 05:27 . 2009-04-21 05:27 -------- d-----w c:\documents and settings\Judith\WINDOWS
2009-04-19 02:30 . 2009-04-19 02:30 -------- d-----w c:\documents and settings\Judith\Application Data\Leadertech
2009-04-18 21:47 . 2009-05-03 01:09 -------- d-----w c:\program files\iCall
2009-04-18 21:40 . 2009-04-18 21:42 -------- d-----w c:\documents and settings\Judith\Application Data\Gizmo5
2009-04-12 22:26 . 2009-04-12 22:28 35382 ----a-w c:\windows\scunin.dat
2009-04-12 22:26 . 2009-04-12 22:28 967 ----a-w c:\windows\ScUnin.pif
2009-04-12 22:26 . 2009-04-12 22:28 94208 ----a-w c:\windows\ScUnin.exe
2009-04-12 22:24 . 2009-04-26 08:31 -------- d-----w c:\program files\Starcraft
2009-04-10 09:07 . 2009-04-10 09:13 -------- d-----w c:\documents and settings\Judith\Application Data\vlc
2009-04-10 09:01 . 2009-04-10 09:01 -------- d-----w c:\program files\VideoLAN
2009-04-06 09:26 . 2009-04-07 03:12 -------- d-----w c:\program files\MSECache
2009-04-05 14:16 . 2009-04-05 14:16 -------- d-----w c:\documents and settings\Judith\Tracing
2009-04-05 14:16 . 2009-04-05 14:16 -------- d-----w c:\program files\Microsoft Office Outlook Connector
2009-04-05 14:15 . 2009-04-05 14:15 -------- d-----w c:\program files\Microsoft
2009-04-05 14:15 . 2009-04-05 14:15 -------- d-----w c:\program files\Windows Live SkyDrive
2009-04-05 14:15 . 2009-04-05 14:16 -------- d-----w c:\program files\Windows Live
2009-04-05 14:09 . 2009-04-05 14:09 -------- d-----w c:\program files\Common Files\Windows Live
2009-04-05 13:54 . 2009-04-05 13:54 -------- d-----w c:\windows\system32\scripting
2009-04-05 13:54 . 2009-04-05 13:54 -------- d-----w c:\windows\l2schemas
2009-04-05 13:54 . 2009-04-05 13:54 -------- d-----w c:\windows\system32\en
2009-04-05 13:54 . 2009-04-05 13:54 -------- d-----w c:\windows\system32\bits
2009-04-05 13:51 . 2009-04-05 13:51 -------- d-----w c:\windows\ServicePackFiles
2009-04-05 13:35 . 2004-08-04 04:29 63488 ------w c:\windows\system32\drivers\atinxsxx.sys
2009-04-05 13:21 . 2009-04-05 13:21 -------- d--h--w c:\windows\$hf_mig$
2009-04-05 13:14 . 2008-10-16 20:09 43544 ----a-w c:\windows\system32\wups2.dll
2009-04-05 11:42 . 2009-04-05 11:42 -------- d-----w c:\documents and settings\Judith\Local Settings\Application Data\Yahoo
2009-04-05 11:36 . 2009-04-05 11:42 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-05 11:36 . 2009-04-05 11:36 -------- d-----w c:\program files\Yahoo!
2009-04-05 10:03 . 2009-05-02 19:12 -------- d--h--w C:\$AVG8.VAULT$
2009-04-05 09:54 . 2009-05-02 15:13 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-05 09:54 . 2009-05-02 15:13 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-05 09:54 . 2009-05-02 15:13 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-05 09:54 . 2009-05-03 21:03 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-05 09:54 . 2009-04-05 09:54 -------- d-----w c:\program files\AVG
2009-04-05 09:54 . 2009-04-30 06:47 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-05 03:25 . 2009-04-05 08:45 -------- d-----w c:\documents and settings\Judith\Application Data\DMCache
2009-04-05 00:17 . 2009-04-05 00:17 -------- d-----w c:\documents and settings\Judith\Local Settings\Application Data\HP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 21:41 . 2009-03-31 08:38 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-03 11:41 . 2009-04-21 03:14 930 ----a-w c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1563985344-725345543-1003.job
2009-05-01 08:31 . 2009-02-01 08:31 47104 --sha-w c:\windows\system32\tiworita.exe
2009-04-30 20:30 . 2009-01-30 20:30 47104 --sha-w c:\windows\system32\welemige.exe
2009-04-30 08:33 . 2009-01-30 08:33 46592 --sha-w c:\windows\system32\vajilola.exe
2009-04-29 09:20 . 2009-03-31 09:21 -------- d-----w c:\program files\Microsoft ActiveSync
2009-04-29 04:01 . 2009-03-31 11:09 -------- d-----w c:\program files\PhotoScape
2009-04-28 08:27 . 2009-04-28 08:27 386 ----a-w c:\windows\Tasks\SmartDefrag.job
2009-04-06 11:21 . 2009-03-31 08:37 49304 ----a-w c:\documents and settings\Judith\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-05 13:56 . 2009-03-31 08:34 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-05 10:58 . 2009-03-31 19:08 -------- d-----w c:\program files\Opera 10 Preview
2009-04-05 10:02 . 2009-03-31 08:57 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-05 10:02 . 2009-03-31 08:57 -------- d-----w c:\program files\Symantec
2009-04-02 19:18 . 2009-03-31 08:31 -------- d-----w c:\program files\HP
2009-04-02 19:17 . 2009-03-31 08:48 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-02 19:11 . 2009-04-02 19:11 -------- d-----w c:\program files\Common Files\ArcSoft
2009-04-02 14:33 . 2009-04-02 14:33 -------- d-----w c:\program files\Free PDF to Word Doc Converter
2009-04-02 12:23 . 2009-03-31 09:31 -------- d-----w c:\program files\Camfrog
2009-03-31 20:18 . 2009-03-31 20:18 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-31 20:18 . 2009-03-31 09:10 -------- d-----w c:\program files\Java
2009-03-31 11:43 . 2009-03-31 11:43 0 ----a-w c:\windows\nsreg.dat
2009-03-31 10:48 . 2009-03-31 10:48 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-31 10:41 . 2009-03-31 10:41 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-31 09:30 . 2009-03-31 09:30 -------- d-----w c:\program files\GRETECH
2009-03-31 09:27 . 2009-03-31 08:28 165598 ----a-w c:\windows\hpoins29.dat
2009-03-31 09:20 . 2009-03-31 09:20 -------- d-----w c:\program files\Microsoft.NET
2009-03-31 09:11 . 2009-03-31 09:02 -------- d-----w c:\program files\HPQ
2009-03-31 09:10 . 2009-03-31 09:10 -------- d-----w c:\program files\Common Files\Java
2009-03-31 09:09 . 2009-03-31 09:09 1772 --sha-r c:\windows\system32\drivers\103C_HP_NTBK_Pavilion zd8000 (PD726AV#ABA)_YN_0Pavi_QCNF512081T_EU_46_I3082_SQuanta_V36.30_BF.22_T050223_WXP2_L409_M2047_J100_7Intel_8Pentium 4_93.19_#090331_N10EC8139_(PD726AV#ABA)_XMOBILE_CN10_Z8086266D_2F.22.MRK
2009-03-31 09:07 . 2009-03-31 09:07 -------- d-----w c:\program files\Common Files\SureThing Shared
2009-03-31 09:07 . 2009-03-31 09:07 -------- d-----w c:\program files\Sonic
2009-03-31 09:05 . 2009-03-31 09:05 -------- d-----w c:\program files\Common Files\muvee Technologies
2009-03-31 09:05 . 2009-03-31 09:05 -------- d-----w c:\program files\muvee Technologies
2009-03-31 09:05 . 2009-03-31 09:05 -------- d-----w c:\program files\InterVideo
2009-03-31 09:03 . 2009-03-31 08:48 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-31 09:02 . 2009-03-31 09:01 -------- d-----w c:\program files\ATI Technologies
2009-03-31 09:01 . 2009-03-31 09:01 -------- d-----w c:\program files\Synaptics
2009-03-31 08:57 . 2009-03-31 08:57 -------- d-----w c:\program files\CONEXANT
2009-03-31 08:50 . 2009-03-31 08:50 -------- d-----w c:\program files\Intel
2009-03-31 08:35 . 2009-03-31 08:34 -------- d-----w c:\program files\Common Files\Adobe
2009-03-31 08:35 . 2009-03-31 08:35 -------- d-----w c:\program files\microsoft frontpage
2009-03-31 08:34 . 2004-08-04 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-03-31 08:33 . 2009-03-31 08:33 -------- d-----w c:\program files\Common Files\HP
2009-03-31 08:33 . 2009-03-31 08:33 -------- d-----w c:\program files\Hewlett-Packard
2009-03-31 08:33 . 2009-03-31 08:33 -------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-03-31 08:31 . 2009-03-31 08:31 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-16 20:18 . 2009-03-31 10:48 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-03-16 20:18 . 2009-03-31 10:48 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-03-16 20:18 . 2009-03-31 10:48 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-03-16 20:18 . 2009-03-31 10:48 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-03-09 21:27 . 2009-03-31 10:48 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-03-09 21:27 . 2009-03-31 10:48 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-03-09 21:27 . 2009-03-31 10:48 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-03-08 10:34 . 2004-08-04 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 10:34 . 2004-08-04 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 10:33 . 2004-08-04 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 10:33 . 2004-08-04 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 10:32 . 2004-08-04 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 10:32 . 2004-08-04 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 10:31 . 2004-08-04 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 10:31 . 2004-08-04 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 10:31 . 2004-08-04 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 10:22 . 2004-08-04 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-02-07 00:52 . 2009-02-07 00:52 49504 ----a-w c:\windows\system32\sirenacm.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-03_21.21.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-03 21:37 . 2009-05-03 21:37 16384 c:\windows\temp\Perflib_Perfdata_59c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro d\DTProAgent.exe" [2009-01-26 228808]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"avgupdater"="c:\windows\avgupdater.exe" [2008-08-26 239299]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-10-22 229438]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2004-12-09 184320]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-31 148888]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2004-12-08 790528]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-11-20 178688]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-02 1947928]
"dopumoyanu"="c:\windows\system32\ledalesa.dll" [BU]
"5012edcf"="c:\windows\system32\yudivoyo.dll" [BU]
"CPM5321de53"="c:\windows\system32\vojiyiye.dll" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-31 113664]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2009-3-31 184320]
HP Button Manager.lnk - c:\program files\HP\Button Manager\BM.exe [2009-4-2 266240]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Magic-i.lnk - c:\program files\HP\ArcSoft\ArcSoft\Magic-i 3\Magic-i.exe [2009-4-2 530944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-02 15:13 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"BITS"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\Camfrog\\Camfrog Video Chat\\Camfrog Video Chat.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Judith\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iCall\\iCall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-05-02 325896]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-02 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-05-02 298776]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-05-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1563985344-725345543-1003.job
- c:\documents and settings\Judith\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-21 03:14]

2009-04-28 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-04-28 00:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.flipdummie.com
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Judith\Application Data\Mozilla\Firefox\Profiles\neuuduro.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Judith\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 15:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????8?5?3?4??????? ???B?????????????H<C? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4052)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2009-05-03 15:45
ComboFix-quarantined-files.txt 2009-05-03 21:45
ComboFix2.txt 2009-05-03 21:28
ComboFix3.txt 2009-05-03 10:17

Pre-Run: 82,314,829,824 bytes free
Post-Run: 82,309,353,472 bytes free


#7
May 3, 2009 at 14:43:45
Please go to Virus Total and upload the following files one at a time for analysis:

c:\windows\system32\tiworita.exe


c:\windows\system32\welemige.exe


c:\windows\system32\vajilola.exe

Use the browse button at the site to find the file; once you find the file, double-click it and it should appear in the empty space to the left of the browse button, then click "send file".

Post the results in your reply.



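Post #7 singles out three files from the Find3M section of the log above: each is a hidden+system executable (--sha-w) sitting directly in system32 with an 8-letter pseudo-random name, the same shape as the three DLLs marked [BU] under the Run keys. As an added example, not part of this thread and not ComboFix's own logic, the Python below applies those two heuristics (the consonant/vowel name pattern is my assumption, drawn from the names in this log) to a handful of lines copied from the log:

```python
import re
from dataclasses import dataclass

# Added example, not part of the thread or of ComboFix. The two heuristics
# below are assumptions drawn from the names and attributes in the log above.

# Find3M / "Files Created" lines look like:
#   2009-05-01 08:31 . 2009-02-01 08:31 47104 --sha-w c:\windows\system32\tiworita.exe
FILE_LINE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-+|\d+) (?P<attrs>[-a-z]{7}) (?P<path>.+)$"
)
# Run-key lines look like:  "name"="path" [2008-04-14 15360]   or   "name"="path" [BU]
RUN_LINE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)" \[(?P<info>[^\]]*)\]$')
VERIFIED_INFO = re.compile(r"^\d{4}-\d{2}-\d{2} \d+$")
# Eight letters alternating consonant/vowel: tiworita, welemige, ledalesa, ...
PSEUDO_RANDOM = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiouy]){4}$")
SYSTEM32 = r"c:\windows\system32"
EXEC_EXT = {".exe", ".dll", ".sys"}


@dataclass
class Finding:
    path: str
    reasons: list


def split_path(path):
    """Lower-cased (directory, stem, extension) of a Windows path."""
    directory, _, name = path.rpartition("\\")
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return directory.lower(), name.lower(), ""
    return directory.lower(), stem.lower(), "." + ext.lower()


def triage_file_line(line):
    """Flag a non-directory entry that looks like the droppers in this log."""
    m = FILE_LINE.match(line)
    if not m or m["attrs"].startswith("d"):
        return None
    directory, stem, ext = split_path(m["path"])
    if directory != SYSTEM32 or ext not in EXEC_EXT:
        return None
    reasons = []
    if "s" in m["attrs"] and "h" in m["attrs"]:
        reasons.append("hidden+system executable directly in system32")
    if PSEUDO_RANDOM.match(stem):
        reasons.append("8-letter pseudo-random file name")
    return Finding(m["path"], reasons) if reasons else None


def triage_run_line(line):
    """Flag a Run-key value with no verified date/size or a random-looking target."""
    m = RUN_LINE.match(line)
    if not m:
        return None
    reasons = []
    if not VERIFIED_INFO.match(m["info"]):
        reasons.append(f"no date/size for the target, shown as [{m['info']}]")
    directory, stem, ext = split_path(m["path"])
    if directory == SYSTEM32 and ext in EXEC_EXT and PSEUDO_RANDOM.match(stem):
        reasons.append("8-letter pseudo-random file name")
    return Finding(m["path"], reasons) if reasons else None


def triage(log_text):
    """Return a Finding for every suspicious line of a ComboFix log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        finding = triage_file_line(line) or triage_run_line(line)
        if finding:
            findings.append(finding)
    return findings


# Sample input: lines copied from the log in this thread, legitimate entries included.
SAMPLE_LOG = r"""
2009-05-01 08:31 . 2009-02-01 08:31 47104 --sha-w c:\windows\system32\tiworita.exe
2009-04-30 20:30 . 2009-01-30 20:30 47104 --sha-w c:\windows\system32\welemige.exe
2009-04-30 08:33 . 2009-01-30 08:33 46592 --sha-w c:\windows\system32\vajilola.exe
2009-04-05 09:54 . 2009-05-02 15:13 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-03-31 08:34 . 2004-08-04 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-03-08 10:31 . 2004-08-04 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-04-05 10:03 . 2009-05-02 19:12 -------- d--h--w C:\$AVG8.VAULT$
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-02 1947928]
"dopumoyanu"="c:\windows\system32\ledalesa.dll" [BU]
"5012edcf"="c:\windows\system32\yudivoyo.dll" [BU]
"CPM5321de53"="c:\windows\system32\vojiyiye.dll" [BU]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.path, "->", "; ".join(f.reasons))
```

Run as a script it lists the three exes and the three [BU] DLLs with the reason each was flagged, while the AVG driver, desktop.ini, mshta.exe and the legitimate Run entries pass.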
#8
May 3, 2009 at 15:01:34
File tiworita.exe received on 05.03.2009 23:50:47 (CET)
Result: 11/40 (27.5%)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.03 Trojan.Win32.Vundo!IK
AhnLab-V3 5.0.0.2 2009.05.03 -
AntiVir 7.9.0.160 2009.05.03 TR/Vundo.Gen
Antiy-AVL 2.0.3.1 2009.04.30 -
Authentium 5.1.2.4 2009.05.03 W32/Virtumonde.BA2.gen!Eldorado
Avast 4.8.1335.0 2009.05.03 Win32:MoPack
AVG 8.5.0.327 2009.05.03 -
BitDefender 7.2 2009.05.03 -
CAT-QuickHeal 10.00 2009.05.02 -
ClamAV 0.94.1 2009.05.03 -
Comodo 1149 2009.05.03 -
DrWeb 4.44.0.09170 2009.05.03 -
eSafe 7.0.17.0 2009.05.03 -
eTrust-Vet 31.6.6487 2009.05.02 Win32/Vundo.CVP
F-Prot 4.4.4.56 2009.05.03 W32/Virtumonde.BA2.gen!Eldorado
F-Secure 8.0.14470.0 2009.05.03 -
Fortinet 3.117.0.0 2009.05.03 -
GData 19 2009.05.03 Win32:MoPack
Ikarus T3.1.1.49.0 2009.05.03 Trojan.Win32.Vundo
K7AntiVirus 7.10.722 2009.05.02 -
Kaspersky 7.0.0.125 2009.05.03 -
McAfee 5604 2009.05.03 -
McAfee+Artemis 5604 2009.05.03 -
McAfee-GW-Edition 6.7.6 2009.05.03 Trojan.Vundo.Gen
Microsoft 1.4602 2009.05.03 -
NOD32 4050 2009.05.03 -
Norman 6.01.05 2009.04.30 -
nProtect 2009.1.8.0 2009.05.03 -
Panda 10.0.0.14 2009.05.03 -
PCTools 4.4.2.0 2009.05.03 -
Prevx1 3.0 2009.05.03 -
Rising 21.27.41.00 2009.05.01 -
Sophos 4.41.0 2009.05.03 Troj/Virtum-Gen
Sunbelt 3.2.1858.2 2009.05.03 Trojan-Downloader.Win32.FraudLoad.vnjh
Symantec 1.4.4.12 2009.05.03 -
TheHacker 6.3.4.1.318 2009.05.03 -
TrendMicro 8.950.0.1092 2009.05.01 -
VBA32 3.12.10.4 2009.05.03 -
ViRobot 2009.5.1.1717 2009.05.01 -
VirusBuster 4.6.5.0 2009.05.03 -
Additional information
File size: 47104 bytes
MD5...: f91cbb863b57cac54d0b3ef2953eb23e
SHA1..: e4f181ba84ac5db900375d423da85593d684149c
SHA256: f02f54d60d99fee57c3cb36ca54b7ed5b61fb90a9e6fc9c7bc930067bebba177
SHA512: c8929b5a107dba00c0b87b5253a6137dc21f3f8e29e2c837be1367f6d807d654e17af9acbc1c7dcefc7c088456ded16d1de08939f277b1045ee1bb741c6406c9
ssdeep: 768:Dqf9jIUPn02V8enWJbEzFPd42jy69D69IsWFQ993irRW+:DoIUPK5bwPy2jyaO99y8
PEiD..: tElock 0.99 - 1.0 private -> tE!
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3800
timedatestamp.....: 0x4009c586 (Sat Jan 17 23:30:14 2004)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3000 0x2a00 6.31 8a04d94bc31d0e783b77b7cd82b64a27
.rdata 0x4000 0x1000 0x400 0.35 665cff32954ef639a99d204f34d86aad
.data 0x5000 0x2000 0x1e00 7.97 c7896e8783ccee7e91385b66c3b76b36
.rsrc 0x7000 0x2000 0x1e00 7.97 e38bd98cac2fb715b19b6d902342648d
.reloc 0x9000 0x2000 0x1e00 7.98 4c81e5896d4c283165e986cdad0bacc4
.pdata 0xb000 0x6000 0x2000 7.43 b0776037b878675f85659de18aff061a

( 6 imports )
> COMCTL32.dll: InitCommonControlsEx
> KERNEL32.dll: ExitProcess, GetModuleHandleW, GetSystemInfo
> USER32.dll: DispatchMessageW, TranslateMessage, LoadIconA, GetSystemMetrics
> GDI32.dll: Arc, SelectClipPath
> comdlg32.dll: PrintDlgExA
> ADVAPI32.dll: RegQueryValueExW

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
-
packers (Kaspersky): PE_Patch


File welemige.exe received on 05.03.2009 23:57:02 (CET)
Result: 11/40 (27.5%)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.03 Trojan.Win32.Vundo!IK
AhnLab-V3 5.0.0.2 2009.05.03 -
AntiVir 7.9.0.160 2009.05.03 TR/Vundo.Gen
Antiy-AVL 2.0.3.1 2009.04.30 -
Authentium 5.1.2.4 2009.05.03 W32/Virtumonde.BA2.gen!Eldorado
Avast 4.8.1335.0 2009.05.03 Win32:MoPack
AVG 8.5.0.327 2009.05.03 -
BitDefender 7.2 2009.05.03 -
CAT-QuickHeal 10.00 2009.05.02 -
ClamAV 0.94.1 2009.05.03 -
Comodo 1149 2009.05.03 -
DrWeb 4.44.0.09170 2009.05.03 -
eSafe 7.0.17.0 2009.05.03 -
eTrust-Vet 31.6.6487 2009.05.02 Win32/Vundo.CVP
F-Prot 4.4.4.56 2009.05.03 W32/Virtumonde.BA2.gen!Eldorado
F-Secure 8.0.14470.0 2009.05.03 -
Fortinet 3.117.0.0 2009.05.03 -
GData 19 2009.05.03 Win32:MoPack
Ikarus T3.1.1.49.0 2009.05.03 Trojan.Win32.Vundo
K7AntiVirus 7.10.722 2009.05.02 -
Kaspersky 7.0.0.125 2009.05.03 -
McAfee 5604 2009.05.03 -
McAfee+Artemis 5604 2009.05.03 -
McAfee-GW-Edition 6.7.6 2009.05.03 Trojan.Vundo.Gen
Microsoft 1.4602 2009.05.03 -
NOD32 4050 2009.05.03 -
Norman 6.01.05 2009.04.30 -
nProtect 2009.1.8.0 2009.05.03 -
Panda 10.0.0.14 2009.05.03 -
PCTools 4.4.2.0 2009.05.03 -
Prevx1 3.0 2009.05.03 -
Rising 21.27.41.00 2009.05.01 -
Sophos 4.41.0 2009.05.03 Troj/Virtum-Gen
Sunbelt 3.2.1858.2 2009.05.03 Trojan-Downloader.Win32.FraudLoad.vnjh
Symantec 1.4.4.12 2009.05.03 -
TheHacker 6.3.4.1.318 2009.05.03 -
TrendMicro 8.950.0.1092 2009.05.01 -
VBA32 3.12.10.4 2009.05.03 -
ViRobot 2009.5.1.1717 2009.05.01 -
VirusBuster 4.6.5.0 2009.05.03 -
Additional information
File size: 47104 bytes
PEiD..: tElock 0.99 - 1.0 private -> tE!
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3800
timedatestamp.....: 0x4009c586 (Sat Jan 17 23:30:14 2004)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3000 0x2a00 6.31 8a04d94bc31d0e783b77b7cd82b64a27
.rdata 0x4000 0x1000 0x400 0.35 665cff32954ef639a99d204f34d86aad
.data 0x5000 0x2000 0x1e00 7.97 c7896e8783ccee7e91385b66c3b76b36
.rsrc 0x7000 0x2000 0x1e00 7.97 e38bd98cac2fb715b19b6d902342648d
.reloc 0x9000 0x2000 0x1e00 7.98 4c81e5896d4c283165e986cdad0bacc4
.pdata 0xb000 0x6000 0x2000 7.43 0394f6665e20165da300b07df8e4dbe1

( 6 imports )
> COMCTL32.dll: InitCommonControlsEx
> KERNEL32.dll: ExitProcess, GetModuleHandleW, GetSystemInfo
> USER32.dll: DispatchMessageW, TranslateMessage, LoadIconA, GetSystemMetrics
> GDI32.dll: Arc, SelectClipPath
> comdlg32.dll: PrintDlgExA
> ADVAPI32.dll: RegQueryValueExW

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
-
packers (Kaspersky): PE_Patch


File vajilola.exe received on 05.04.2009 00:00:02 (CET)
Result: 10/40 (25%)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.03 Trojan.Win32.Vundo!IK
AhnLab-V3 5.0.0.2 2009.05.03 -
AntiVir 7.9.0.160 2009.05.03 TR/Vundo.Gen
Antiy-AVL 2.0.3.1 2009.04.30 -
Authentium 5.1.2.4 2009.05.03 W32/Virtumonde.BA2.gen!Eldorado
Avast 4.8.1335.0 2009.05.03 Win32:MoPack
AVG 8.5.0.327 2009.05.03 -
BitDefender 7.2 2009.05.03 -
CAT-QuickHeal 10.00 2009.05.02 -
ClamAV 0.94.1 2009.05.03 -
Comodo 1149 2009.05.03 -
DrWeb 4.44.0.09170 2009.05.03 -
eSafe 7.0.17.0 2009.05.03 -
eTrust-Vet 31.6.6487 2009.05.02 -
F-Prot 4.4.4.56 2009.05.03 W32/Virtumonde.BA2.gen!Eldorado
F-Secure 8.0.14470.0 2009.05.03 -
Fortinet 3.117.0.0 2009.05.03 -
GData 19 2009.05.03 Win32:MoPack
Ikarus T3.1.1.49.0 2009.05.03 Trojan.Win32.Vundo
K7AntiVirus 7.10.722 2009.05.02 -
Kaspersky 7.0.0.125 2009.05.03 -
McAfee 5604 2009.05.03 -
McAfee+Artemis 5604 2009.05.03 -
McAfee-GW-Edition 6.7.6 2009.05.03 Trojan.Vundo.Gen
Microsoft 1.4602 2009.05.03 -
NOD32 4050 2009.05.03 -
Norman 6.01.05 2009.04.30 -
nProtect 2009.1.8.0 2009.05.03 -
Panda 10.0.0.14 2009.05.03 -
PCTools 4.4.2.0 2009.05.03 -
Prevx1 3.0 2009.05.04 -
Rising 21.27.41.00 2009.05.01 -
Sophos 4.41.0 2009.05.03 Troj/Virtum-Gen
Sunbelt 3.2.1858.2 2009.05.03 Trojan-Downloader.Win32.FraudLoad.vnjh
Symantec 1.4.4.12 2009.05.03 -
TheHacker 6.3.4.1.318 2009.05.03 -
TrendMicro 8.950.0.1092 2009.05.01 -
VBA32 3.12.10.4 2009.05.03 -
ViRobot 2009.5.1.1717 2009.05.01 -
VirusBuster 4.6.5.0 2009.05.03 -
Additional information
File size: 46592 bytes
PEiD..: tElock 0.99 - 1.0 private -> tE!
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3800
timedatestamp.....: 0x40378ce0 (Sat Feb 21 16:52:48 2004)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3000 0x2a00 6.35 d5b3b1e58d0d0d5cc88fd1daac7992dc
.rdata 0x4000 0x1000 0x200 0.64 2c3e8773cb4a8184e245ea72758038e8
.data 0x5000 0x2000 0x1e00 7.97 9ba91dc07b7d2163f54b1d803917e63c
.rsrc 0x7000 0x2000 0x1c00 7.97 0040b5e9631331ec50f4a9423d87b51b
.reloc 0x9000 0x2000 0x1e00 7.97 d9d1fe1f6306d40f3eb0a7192dbe32f7
.pdata 0xb000 0x6000 0x2200 7.47 85b695ca43d1cab64f1ff8baa405b79e

( 6 imports )
> COMCTL32.dll: InitCommonControlsEx
> KERNEL32.dll: ExitProcess, GetModuleHandleW, GetSystemInfo
> USER32.dll: DispatchMessageW, TranslateMessage, LoadIconA, GetSystemMetrics
> GDI32.dll: Arc, SelectClipPath
> comdlg32.dll: PrintDlgExA
> ADVAPI32.dll: RegQueryValueExW

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
-
packers (Kaspersky): PE_Patch


#9
May 3, 2009 at 15:53:58
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\system32\tiworita.exe
c:\windows\system32\welemige.exe
c:\windows\system32\vajilola.exe

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Please post the log that is produced.


#10
May 3, 2009 at 16:11:40
K - didn't know if I was supposed to disable AVG resident again or not, I did not (CF gave me a warning, I said "OK")...

'puter seems faster, but what do I know.

Here's the log:

ComboFix 09-05-03.1 - Judith 05/03/2009 18:00.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1519 [GMT -6:00]
Running from: D:\Toolb.exe
Command switches used :: D:\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\tiworita.exe
c:\windows\system32\vajilola.exe
c:\windows\system32\welemige.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tiworita.exe
c:\windows\system32\vajilola.exe
c:\windows\system32\welemige.exe

.
((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.

2009-05-03 12:04 . 2009-05-03 12:04 -------- d-----w c:\documents and settings\Judith\Application Data\Malwarebytes
2009-05-03 11:55 . 2009-05-03 11:55 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-03 10:08 . 2009-05-03 10:17 -------- d-----w C:\ComboFix
2009-05-03 09:34 . 2009-05-03 21:11 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-03 09:08 . 2009-05-03 13:23 -------- d-----w c:\documents and settings\Administrator\Tracing
2009-05-03 06:58 . 2009-05-03 06:58 -------- d-----w C:\VundoFix Backups
2009-05-03 06:57 . 2009-05-03 11:36 -------- d-----w c:\program files\MA2
2009-05-03 06:51 . 2009-05-03 06:52 -------- d-----w c:\program files\Windows Live Safety Center
2009-05-03 05:52 . 2009-04-06 21:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-03 05:51 . 2009-04-06 21:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-03 05:51 . 2009-05-03 05:51 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-03 05:32 . 2009-05-03 05:32 -------- d-sh--w c:\documents and settings\Administrator\PrivacIE
2009-05-03 05:30 . 2009-05-03 05:31 -------- d-----w C:\MWBs anti mal
2009-05-03 05:26 . 2009-05-03 05:26 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-03 03:12 . 2009-05-03 03:12 -------- d-----w c:\documents and settings\Administrator\Application Data\IObit
2009-05-03 03:11 . 2009-05-03 03:11 -------- d-sh--w c:\documents and settings\Administrator\IECompatCache
2009-05-03 03:00 . 2009-05-03 03:00 -------- d-----w c:\documents and settings\Administrator\Application Data\GRETECH
2009-05-03 02:35 . 2009-05-03 02:35 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-05-03 00:59 . 2009-05-03 00:59 -------- d-sh--w c:\documents and settings\Judith\IECompatCache
2009-05-03 00:46 . 2009-05-03 03:35 -------- d-----w c:\program files\CCleaner
2009-05-03 00:36 . 2009-05-03 21:37 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-03 00:36 . 2009-05-03 21:36 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-02 23:36 . 2009-05-02 23:36 -------- d-----w c:\documents and settings\Judith\Local Settings\Application Data\Deployment
2009-04-30 19:14 . 2009-04-30 19:14 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-29 21:57 . 2009-04-29 21:57 -------- d-sh--w c:\documents and settings\Judith\PrivacIE
2009-04-29 21:54 . 2009-04-29 21:54 -------- d-sh--w c:\documents and settings\Judith\IETldCache
2009-04-29 21:02 . 2009-04-29 21:03 -------- dc-h--w c:\windows\ie8
2009-04-29 21:02 . 2009-04-29 21:05 -------- d--h--w c:\windows\msdownld.tmp
2009-04-29 12:05 . 2009-04-29 12:05 -------- d-----w c:\program files\IrfanView
2009-04-28 07:50 . 2009-04-28 09:21 -------- d-----w c:\documents and settings\Judith\Application Data\IObit
2009-04-28 07:50 . 2009-04-28 08:27 -------- d-----w c:\program files\IObit
2009-04-27 11:36 . 2009-04-27 11:39 -------- d-----w c:\program files\DAEMON Tools Pro d
2009-04-27 11:34 . 2009-04-27 11:34 -------- d-----w c:\program files\DAEMON Tools Pro c
2009-04-27 11:31 . 2009-04-27 11:31 -------- d-----w c:\program files\DAEMON Tools Pro b
2009-04-27 09:48 . 2009-04-27 09:49 -------- d-----w c:\documents and settings\Judith\Local Settings\Application Data\CutePDF Writer
2009-04-27 09:47 . 2009-04-27 09:47 -------- d-----w c:\program files\GPLGS
2009-04-27 09:43 . 2007-07-13 04:33 87552 ----a-w c:\windows\system32\cpwmon2k.dll
2009-04-27 09:43 . 2009-04-27 09:43 -------- d-----w c:\program files\Acro Software
2009-04-25 18:25 . 2009-04-25 18:25 -------- d-----w c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-04-25 18:25 . 2009-04-27 11:33 -------- d-----w c:\program files\DAEMON Tools Pro
2009-04-23 20:21 . 2009-04-27 11:42 -------- d-----w c:\documents and settings\Judith\Application Data\DAEMON Tools Pro
2009-04-22 22:33 . 1998-10-29 22:45 306688 ----a-w c:\windows\IsUninst.exe
2009-04-22 04:17 . 2009-04-22 04:20 -------- d-----w c:\windows\system32\Adobe
2009-04-22 03:50 . 2009-04-22 04:05 -------- d-----w c:\documents and settings\Judith\Application Data\ImgBurn
2009-04-22 03:40 . 2009-04-22 03:40 -------- d-----w c:\program files\ImgBurn
2009-04-22 03:30 . 2009-04-23 20:22 721904 ----a-w c:\windows\system32\drivers\sptd.sys
2009-04-22 02:48 . 2009-04-22 02:45 216064 ----a-w c:\windows\iun3405.exe
2009-04-21 21:56 . 2009-04-22 20:11 -------- d-----w c:\program files\uTorrent
2009-04-21 21:56 . 2009-04-23 22:42 -------- d-----w c:\documents and settings\Judith\Application Data\uTorrent
2009-04-21 05:28 . 1993-05-12 06:00 398416 ----a-w c:\windows\system\VBRUN300.DLL
2009-04-21 05:27 . 2009-04-21 05:28 -------- d-----w C:\VISMAN
2009-04-21 05:27 . 2009-04-21 05:27 -------- d-----w c:\documents and settings\Judith\WINDOWS
2009-04-19 02:30 . 2009-04-19 02:30 -------- d-----w c:\documents and settings\Judith\Application Data\Leadertech
2009-04-18 21:47 . 2009-05-03 01:09 -------- d-----w c:\program files\iCall
2009-04-18 21:40 . 2009-04-18 21:42 -------- d-----w c:\documents and settings\Judith\Application Data\Gizmo5
2009-04-12 22:26 . 2009-04-12 22:28 35382 ----a-w c:\windows\scunin.dat
2009-04-12 22:26 . 2009-04-12 22:28 967 ----a-w c:\windows\ScUnin.pif
2009-04-12 22:26 . 2009-04-12 22:28 94208 ----a-w c:\windows\ScUnin.exe
2009-04-12 22:24 . 2009-04-26 08:31 -------- d-----w c:\program files\Starcraft
2009-04-10 09:07 . 2009-04-10 09:13 -------- d-----w c:\documents and settings\Judith\Application Data\vlc
2009-04-10 09:01 . 2009-04-10 09:01 -------- d-----w c:\program files\VideoLAN
2009-04-06 09:26 . 2009-04-07 03:12 -------- d-----w c:\program files\MSECache
2009-04-05 14:16 . 2009-04-05 14:16 -------- d-----w c:\documents and settings\Judith\Tracing
2009-04-05 14:16 . 2009-04-05 14:16 -------- d-----w c:\program files\Microsoft Office Outlook Connector
2009-04-05 14:15 . 2009-04-05 14:15 -------- d-----w c:\program files\Microsoft
2009-04-05 14:15 . 2009-04-05 14:15 -------- d-----w c:\program files\Windows Live SkyDrive
2009-04-05 14:15 . 2009-04-05 14:16 -------- d-----w c:\program files\Windows Live
2009-04-05 14:09 . 2009-04-05 14:09 -------- d-----w c:\program files\Common Files\Windows Live
2009-04-05 13:54 . 2009-04-05 13:54 -------- d-----w c:\windows\system32\scripting
2009-04-05 13:54 . 2009-04-05 13:54 -------- d-----w c:\windows\l2schemas
2009-04-05 13:54 . 2009-04-05 13:54 -------- d-----w c:\windows\system32\en
2009-04-05 13:54 . 2009-04-05 13:54 -------- d-----w c:\windows\system32\bits
2009-04-05 13:51 . 2009-04-05 13:51 -------- d-----w c:\windows\ServicePackFiles
2009-04-05 13:35 . 2004-08-04 04:29 63488 ------w c:\windows\system32\drivers\atinxsxx.sys
2009-04-05 13:21 . 2009-04-05 13:21 -------- d--h--w c:\windows\$hf_mig$
2009-04-05 13:14 . 2008-10-16 20:09 43544 ----a-w c:\windows\system32\wups2.dll
2009-04-05 11:42 . 2009-04-05 11:42 -------- d-----w c:\documents and settings\Judith\Local Settings\Application Data\Yahoo
2009-04-05 11:36 . 2009-04-05 11:42 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-05 11:36 . 2009-04-05 11:36 -------- d-----w c:\program files\Yahoo!
2009-04-05 10:03 . 2009-05-02 19:12 -------- d--h--w C:\$AVG8.VAULT$
2009-04-05 09:54 . 2009-05-02 15:13 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-05 09:54 . 2009-05-02 15:13 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-05 09:54 . 2009-05-02 15:13 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-05 09:54 . 2009-05-03 21:03 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-05 09:54 . 2009-04-05 09:54 -------- d-----w c:\program files\AVG
2009-04-05 09:54 . 2009-04-30 06:47 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-05 03:25 . 2009-04-05 08:45 -------- d-----w c:\documents and settings\Judith\Application Data\DMCache
2009-04-05 00:17 . 2009-04-05 00:17 -------- d-----w c:\documents and settings\Judith\Local Settings\Application Data\HP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 00:03 . 2009-04-21 03:14 930 ----a-w c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1563985344-725345543-1003.job
2009-05-04 00:03 . 2009-03-31 08:38 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-04-29 09:20 . 2009-03-31 09:21 -------- d-----w c:\program files\Microsoft ActiveSync
2009-04-29 04:01 . 2009-03-31 11:09 -------- d-----w c:\program files\PhotoScape
2009-04-28 08:27 . 2009-04-28 08:27 386 ----a-w c:\windows\Tasks\SmartDefrag.job
2009-04-06 11:21 . 2009-03-31 08:37 49304 ----a-w c:\documents and settings\Judith\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-05 13:56 . 2009-03-31 08:34 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-05 10:58 . 2009-03-31 19:08 -------- d-----w c:\program files\Opera 10 Preview
2009-04-05 10:02 . 2009-03-31 08:57 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-05 10:02 . 2009-03-31 08:57 -------- d-----w c:\program files\Symantec
2009-04-02 19:18 . 2009-03-31 08:31 -------- d-----w c:\program files\HP
2009-04-02 19:17 . 2009-03-31 08:48 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-02 19:11 . 2009-04-02 19:11 -------- d-----w c:\program files\Common Files\ArcSoft
2009-04-02 14:33 . 2009-04-02 14:33 -------- d-----w c:\program files\Free PDF to Word Doc Converter
2009-04-02 12:23 . 2009-03-31 09:31 -------- d-----w c:\program files\Camfrog
2009-03-31 20:18 . 2009-03-31 20:18 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-31 20:18 . 2009-03-31 09:10 -------- d-----w c:\program files\Java
2009-03-31 11:43 . 2009-03-31 11:43 0 ----a-w c:\windows\nsreg.dat
2009-03-31 10:48 . 2009-03-31 10:48 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-31 10:41 . 2009-03-31 10:41 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-31 09:30 . 2009-03-31 09:30 -------- d-----w c:\program files\GRETECH
2009-03-31 09:27 . 2009-03-31 08:28 165598 ----a-w c:\windows\hpoins29.dat
2009-03-31 09:20 . 2009-03-31 09:20 -------- d-----w c:\program files\Microsoft.NET
2009-03-31 09:11 . 2009-03-31 09:02 -------- d-----w c:\program files\HPQ
2009-03-31 09:10 . 2009-03-31 09:10 -------- d-----w c:\program files\Common Files\Java
2009-03-31 09:09 . 2009-03-31 09:09 1772 --sha-r c:\windows\system32\drivers\103C_HP_NTBK_Pavilion zd8000 (PD726AV#ABA)_YN_0Pavi_QCNF512081T_EU_46_I3082_SQuanta_V36.30_BF.22_T050223_WXP2_L409_M2047_J100_7Intel_8Pentium 4_93.19_#090331_N10EC8139_(PD726AV#ABA)_XMOBILE_CN10_Z8086266D_2F.22.MRK
2009-03-31 09:07 . 2009-03-31 09:07 -------- d-----w c:\program files\Common Files\SureThing Shared
2009-03-31 09:07 . 2009-03-31 09:07 -------- d-----w c:\program files\Sonic
2009-03-31 09:05 . 2009-03-31 09:05 -------- d-----w c:\program files\Common Files\muvee Technologies
2009-03-31 09:05 . 2009-03-31 09:05 -------- d-----w c:\program files\muvee Technologies
2009-03-31 09:05 . 2009-03-31 09:05 -------- d-----w c:\program files\InterVideo
2009-03-31 09:03 . 2009-03-31 08:48 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-31 09:02 . 2009-03-31 09:01 -------- d-----w c:\program files\ATI Technologies
2009-03-31 09:01 . 2009-03-31 09:01 -------- d-----w c:\program files\Synaptics
2009-03-31 08:57 . 2009-03-31 08:57 -------- d-----w c:\program files\CONEXANT
2009-03-31 08:50 . 2009-03-31 08:50 -------- d-----w c:\program files\Intel
2009-03-31 08:35 . 2009-03-31 08:34 -------- d-----w c:\program files\Common Files\Adobe
2009-03-31 08:35 . 2009-03-31 08:35 -------- d-----w c:\program files\microsoft frontpage
2009-03-31 08:34 . 2004-08-04 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-03-31 08:33 . 2009-03-31 08:33 -------- d-----w c:\program files\Common Files\HP
2009-03-31 08:33 . 2009-03-31 08:33 -------- d-----w c:\program files\Hewlett-Packard
2009-03-31 08:33 . 2009-03-31 08:33 -------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-03-31 08:31 . 2009-03-31 08:31 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-16 20:18 . 2009-03-31 10:48 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-03-16 20:18 . 2009-03-31 10:48 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-03-16 20:18 . 2009-03-31 10:48 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-03-16 20:18 . 2009-03-31 10:48 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-03-09 21:27 . 2009-03-31 10:48 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-03-09 21:27 . 2009-03-31 10:48 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-03-09 21:27 . 2009-03-31 10:48 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-03-08 10:34 . 2004-08-04 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 10:34 . 2004-08-04 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 10:33 . 2004-08-04 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 10:33 . 2004-08-04 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 10:32 . 2004-08-04 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 10:32 . 2004-08-04 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 10:31 . 2004-08-04 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 10:31 . 2004-08-04 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 10:31 . 2004-08-04 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 10:22 . 2004-08-04 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-02-07 00:52 . 2009-02-07 00:52 49504 ----a-w c:\windows\system32\sirenacm.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-03_21.21.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-04 00:04 . 2009-05-04 00:04 16384 c:\windows\temp\Perflib_Perfdata_474.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro d\DTProAgent.exe" [2009-01-26 228808]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"avgupdater"="c:\windows\avgupdater.exe" [2008-08-26 239299]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-10-22 229438]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2004-12-09 184320]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-31 148888]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2004-12-08 790528]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-11-20 178688]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-02 1947928]
"dopumoyanu"="c:\windows\system32\ledalesa.dll" [BU]
"5012edcf"="c:\windows\system32\yudivoyo.dll" [BU]
"CPM5321de53"="c:\windows\system32\vojiyiye.dll" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-31 113664]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2009-3-31 184320]
HP Button Manager.lnk - c:\program files\HP\Button Manager\BM.exe [2009-4-2 266240]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Magic-i.lnk - c:\program files\HP\ArcSoft\ArcSoft\Magic-i 3\Magic-i.exe [2009-4-2 530944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-02 15:13 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"BITS"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\Camfrog\\Camfrog Video Chat\\Camfrog Video Chat.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Judith\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iCall\\iCall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-05-02 325896]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-02 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-05-02 298776]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-05-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1563985344-725345543-1003.job
- c:\documents and settings\Judith\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-21 03:14]

2009-04-28 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-04-28 00:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.flipdummie.com
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Judith\Application Data\Mozilla\Firefox\Profiles\neuuduro.default\
FF - plugin: c:\documents and settings\Judith\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 18:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????8?5?3?4??????? ???B?????????????H<C? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1444)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\HP\ArcSoft\ArcSoft\Magic-i 3\uMgiSvr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\HPQ\shared\hpqwmi.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
.
**************************************************************************
.
Completion time: 2009-05-04 18:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-04 00:07
ComboFix2.txt 2009-05-03 21:52
ComboFix3.txt 2009-05-03 21:45
ComboFix4.txt 2009-05-03 21:28
ComboFix5.txt 2009-05-04 00:00

Pre-Run: 82,223,124,480 bytes free
Post-Run: 82,296,254,464 bytes free

311


#11
May 3, 2009 at 16:25:32
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dopumoyanu"=-
"5012edcf"=-
"CPM5321de53"=-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop) if combofix does not auto start click "run".

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

It will take 3hrs. or longer to run the Kaspersky scan but it is worth it.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
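For readers who want to see what the Registry:: section of the CFScript in this reply actually targets, here is an added PowerShell audit (not ComboFix's own code and not part of the original reply) that lists every value under the HKLM Run key, flags the three value names the script deletes, and removes a flagged value only when -Remove is passed. The three names come from the script above; the parameter names and the -WhatIf support are this example's own assumptions.

```powershell
# Added example: audit the HKLM Run key that the CFScript above edits.
# Read-only by default; -Remove (with -WhatIf if you want a dry run)
# deletes only the values whose names match. The default names are the
# three from the forum script; everything else here is assumed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$Names = @('dopumoyanu', '5012edcf', 'CPM5321de53'),
    [switch]$Remove
)

$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$key    = Get-Item -Path $runKey

foreach ($valueName in $key.GetValueNames()) {
    $command = $key.GetValue($valueName)
    # Flag the entry when its name is one of the names the CFScript removes.
    $flagged = $Names -contains $valueName

    # Emit one record per autorun entry so the whole key can be reviewed,
    # not just the flagged ones: a legitimate-looking name with a command
    # pointing into a temp or profile folder deserves a second look too.
    [pscustomobject]@{
        Name    = $valueName
        Command = $command
        Flagged = $flagged
    }

    if ($flagged -and $Remove) {
        # ShouldProcess honours -WhatIf / -Confirm before anything is deleted.
        if ($PSCmdlet.ShouldProcess("$runKey\$valueName", 'Remove autorun value')) {
            Remove-ItemProperty -Path $runKey -Name $valueName
        }
    }
}
```

Run it first without -Remove to see the full list; run it with -Remove -WhatIf to see what would be deleted without touching the registry.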


#12
May 3, 2009 at 16:48:05
it's DLing the updated database now...

When I run it, do I need to run it on all drives or just C? I have an external hard drive (D:) with like 400 gig on it...whereas C only has 17 gig...

Already did the registry combofix run, system restore dump, and ATF cleaned me up.

Also, your instructions made me think I needed to turn AVG Resident off while Kap runs...please let me know if I've misunderstood.


#13
May 3, 2009 at 16:57:50
Run it on C: drive and for best results turn off your antivirus. Wait until you get into the Kaspersky site to turn off your av.

#14
May 3, 2009 at 17:59:20
Found 0! :-D Now what? (I have not restarted the computer, and am still in normal mode, with AVG Resident back on)

#15
May 3, 2009 at 18:14:53
Your computer appears to be clean


Go to start> run> type in combofix /u (note the space after combofix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Go to start> control panel> add/remove programs and uninstall these programs:

Hijack This

Malwarebytes

Kaspersky

You should keep ATF Cleaner and run it weekly.


You should consider adding "Spywareblaster" to your arsenal of antispyware tools, you can download it from this link Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

How is the computer operating?


#16
May 3, 2009 at 18:22:13
It's running at least 3x-4x as fast...no exaggeration.

Not finding Kaspersky in program list, but have removed the other 3...*UPDATE* After reading their site, it looks like they install to the temp folder and "there is no need to delete them"

After getting spywareblaster, should I still keep AVG or will blaster handle it all? Blaster has a list of browsers that it supports, and my favorite (Google Chrome, for speed!) is not supported...will this be an issue?

Also, is there a way to tell if any of my firefox add-ons are being sneaky (running a complete scan with AVG, it's finding tracking cookies)? Lastly (sorta), is ATF better than CCleaner?

Any tips on how to eliminate any other unnecessary stuff that may be slowing me down? I used powertoys, and it seemed to help, as did advanced system care (both from CNET)...but I'm all ears here, especially if either of these are actually worse for me (just a lamb, here.).

You're a champion.

Thanks!


#17
May 3, 2009 at 19:30:26
Keep AVG as it is an antivirus and keep Spywareblaster as it is an antispyware program. CCleaner and ATF are both good cleaners. Powertools is also a good tool.

Glad we could help.
