reg edit

Microsoft Windows xp home edition with s...
April 25, 2010 at 17:50:16
Specs: Windows XP, 512
A virus took over my computer. Now it keeps
messing up my registry. I don't know what to do. It's
called monxga32. I see it in my system config and I
disabled it and cleaned the registry, but it keeps showing up
and messing up the registry again. Please help.




#1
April 25, 2010 at 18:20:51
Download DDS and save it to your desktop.
DDS.scr


Disable any script blocker if your Anti-Virus/Anti-Malware has one.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt (do not zip, just copy/paste)

Save both reports to your desktop, then post them please. You may need to post in segments to get all the info to us, as the logs may be too large to fit in one post.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box and click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.



#2
April 25, 2010 at 20:29:08
It's rather awesome. I have been searching for materials related to this stuff for my paper, and it really helps me.


#3
April 26, 2010 at 09:54:01
Thank you, jabuck.
The DDS.txt:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 12:43:06.95 on Mon 04/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.228 [GMT -4:00]

AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr
c:\Program Files\Microsoft Security Essentials\MpCmdRun.exe
C:\Program Files\Real\RealUpgrade\RealUpgrade.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe



#4
April 26, 2010 at 09:54:57

============== Pseudo HJT Report ===============

uStart Page = hxxp://sn129w.snt129.mail.live.com/default.aspx?n=594818445
uSearch Bar = hxxp://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
mSearch Bar = hxxp://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: H - No File
BHO: {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - No File
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\documents and settings\owner\start menu\programs\startup\monxga32.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: mlJYRkiJ - mlJYRkiJ.dll
AppInit_DLLs: tshmmj.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {DF9A99CF-49C6-4E3E-B668-498B718FD313} - No File
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\byXPJBSL
LSA: Notification Packages = scecli

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-04-26 00:46:30 0 d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-04-26 00:22:51 0 d--h--w- c:\windows\PIF
2010-04-25 23:13:43 29440 ----a-w- c:\windows\system32\wuaucldt.exe
2010-04-25 22:29:06 0 d-----w- c:\program files\Microsoft Security Essentials
2010-04-25 21:47:25 146432 ----a-w- c:\windows\regedit.com
2010-04-25 20:51:27 120 ----a-w- c:\windows\Jwoturayapev.dat
2010-04-25 20:51:27 0 d-----w- c:\docume~1\alluse~1\applic~1\avG
2010-04-25 20:51:27 0 ----a-w- c:\windows\Rxemiruburuy.bin
2010-04-25 17:49:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-04-24 21:50:32 4 ----a-w- c:\docume~1\owner\applic~1\avdrn.dat
2010-04-15 14:10:50 0 d-sh--w- c:\documents and settings\owner\IECompatCache
2010-04-11 02:21:50 0 d-sh--w- c:\documents and settings\owner\PrivacIE
2010-04-11 00:51:45 0 dc-h--w- c:\windows\ie8
2010-04-11 00:47:16 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-04-11 00:47:16 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-04-11 00:47:13 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-11 00:47:12 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-04-11 00:47:02 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-04-11 00:44:29 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-04-11 00:24:24 0 d-----w- c:\program files\CCleaner
2010-04-04 23:13:54 0 d-----w- c:\docume~1\owner\applic~1\Clone2Go Video Converter Free Version
2010-04-04 23:13:44 0 d-----w- c:\program files\Clone2Go Video Converter Free Version

==================== Find3M ====================

2010-03-18 22:38:30 91284 -c-ha-w- c:\windows\system32\mlfcache.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-16 13:19:55 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39:04 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-10 22:01:29 22720 -c--a-w- c:\windows\system32\emptyregdb.dat
2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll

============= FINISH: 12:47:36.06 ===============


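The Pseudo HJT section above is what the helpers read first: it lists a Winlogon Notify package (mlJYRkiJ.dll), an AppInit_DLLs entry (tshmmj.dll), a second LSA authentication package (byXPJBSL) and a bare executable in the Startup folder (monxga32.exe), plus several "No File" orphans. The following script is an added example, not DDS output and not code from anyone in this thread: it triages those entry types from a pasted DDS log. The LSA and Winlogon Notify baselines are assumptions for a stand-alone XP Home box; the sample input is quoted from the log above, cut down to the lines the rules act on.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log (added example).

Flags orphaned entries, AppInit_DLLs, non-default LSA packages, unknown
Winlogon Notify DLLs and bare executables in the Startup folder, and
annotates names that look machine-generated.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Entries quoted from the DDS.txt posted in this thread (abridged).
SAMPLE_HJT = r"""
uURLSearchHooks: H - No File
BHO: {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
TB: {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\documents and settings\owner\start menu\programs\startup\monxga32.exe
Notify: igfxcui - igfxdev.dll
Notify: mlJYRkiJ - mlJYRkiJ.dll
AppInit_DLLs: tshmmj.dll
SEH: {DF9A99CF-49C6-4E3E-B668-498B718FD313} - No File
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\byXPJBSL
LSA: Notification Packages = scecli
"""

# Assumed baselines for a stand-alone XP Home machine. Domain members and
# third-party logon software legitimately add packages, so extend as needed.
LSA_BASELINE: Dict[str, set] = {
    "Authentication Packages": {"msv1_0"},
    "Notification Packages": {"scecli"},
}
NOTIFY_ALLOWLIST = {"igfxdev.dll", "ati2evxx.dll", "wlnotify.dll", "crypt32.dll",
                    "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wgalogon.dll"}


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    entry: str
    reason: str


def looks_generated(name: str) -> bool:
    """Heuristic for names like 'mlJYRkiJ' or 'byXPJBSL': five or more letters
    with no vowel, or at least three upper/lower case flips."""
    stem = re.sub(r"\.[a-z]{3}$", "", name.rsplit("\\", 1)[-1], flags=re.I)
    letters = [c for c in stem if c.isalpha()]
    if len(letters) >= 5 and not any(c in "aeiouAEIOU" for c in letters):
        return True
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips >= 3


def triage(hjt_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in hjt_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, _, rest = line.partition(": ")
        if rest.endswith("- No File"):
            # Registry still points at a file that is gone: leftover of a
            # partial cleanup. Hooks and Notify orphans deserve a closer look.
            sev = "medium" if kind in ("SEH", "Notify") else "low"
            findings.append(Finding(sev, line, "orphaned entry, target file missing"))
        elif kind == "AppInit_DLLs" and rest:
            findings.append(Finding("high", line,
                                    "AppInit_DLLs is loaded into every process that loads user32.dll"))
        elif kind == "LSA":
            key, _, value = rest.partition(" = ")
            for pkg in value.split():
                if pkg.lower() not in LSA_BASELINE.get(key, set()):
                    findings.append(Finding("high", line,
                                            f"non-default LSA package {pkg!r} runs inside lsass.exe"))
        elif kind == "Notify":
            _name, _, dll = rest.partition(" - ")
            if dll.lower() not in NOTIFY_ALLOWLIST:
                sev = "high" if looks_generated(dll) else "medium"
                findings.append(Finding(sev, line,
                                        "Winlogon Notify DLL runs inside winlogon.exe as SYSTEM"))
        elif kind == "StartupFolder" and rest.lower().endswith(".exe"):
            findings.append(Finding("medium", line,
                                    "bare .exe in Startup folder; legitimate entries are usually .lnk shortcuts"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    order = ("high", "medium", "low")
    for f in sorted(triage(SAMPLE_HJT), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.entry}\n         {f.reason}")
    print(summarize(triage(SAMPLE_HJT)))
```

Run it on a whole DDS.txt and only the Pseudo HJT lines will match the rules; everything else falls through. The severities are a reading aid, not a verdict: an unknown Notify DLL on a machine with a vendor fingerprint reader is normal, which is why the allowlist is meant to be extended per environment.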

#5
April 26, 2010 at 09:56:08
Now the Attach.txt:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 2/10/2010 5:09:31 PM
System Uptime: 4/26/2010 11:56:08 AM (1 hours ago)

Motherboard: Dell Inc. | | 0DK344
Processor: Intel(R) Celeron(R) M processor 1.60GHz | Microprocessor | 1596/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 45.934 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Modem Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_14F100C3&REV_0900\4&1D1AAA2D&0&0102
Manufacturer:
Name: Modem Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_14F100C3&REV_0900\4&1D1AAA2D&0&0102
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Dell Wireless 1370 WLAN Mini-PCI Card
Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_00051028&REV_02\4&2FA23535&0&18F0
Manufacturer: Broadcom
Name: Dell Wireless 1370 WLAN Mini-PCI Card
PNP Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_00051028&REV_02\4&2FA23535&0&18F0
Service: BCM43XX

Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM Drive
Device ID: IDE\CDROM_NEC_DVD+-RW_ND-6650A___________________102C____\5&2C7C2BE&0&0.1.0
Manufacturer: (Standard CD-ROM drives)
Name: _NEC DVD+-RW ND-6650A
PNP Device ID: IDE\CDROM_NEC_DVD+-RW_ND-6650A___________________102C____\5&2C7C2BE&0&0.1.0
Service: cdrom

==== Installed Programs ======================

µTorrent
Adobe Audition 1.5
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.5
Adobe Shockwave Player 11.5
Alarm Clock v1.0
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
AVS Update Manager 1.0
AVS Video Editor 4 4.2.1.166
AVS Video Recorder 2.4 (Service Version)
AVS YouTube Uploader version 2.1
AVS4YOU Software Navigator 1.3
Bonjour
CCleaner
Clone2Go Video Converter Free Version 1.9.1
Cole2k Media - Codec Pack (Advanced) 7.6.0
Compatibility Pack for the 2007 Office system
Creative WebCam Driver (1.02.08.0807)
CyberLink PhotoNow
CyberLink PowerDirector
Dell Resource CD
Dell Wireless WLAN Card
Express Rip
FileZilla Client 3.3.2.1
Finale 2010
Fontboard Arabic Keyboards
Google Chrome
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB979306)
Hotspot Shield 1.21
Intel(R) Graphics Media Accelerator Driver for Mobile
iTunes
Java(TM) 6 Update 14
Junk Mail filter update
KB408682
LAME v3.98.2 for Audacity
Messenger Plus! Live
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office FrontPage 2003
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher 2007
Microsoft Office Publisher 2007 Trial
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office Word Viewer 2003
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Moyea Flash Video MX Pro Version: 5.0.9.0
MSVCRT
MSXML 6 Service Pack 2 (KB973686)
NCH Toolbox
NTI Backup Now EZ
Octoshape Streaming Services
ooVoo
Opera 10.51
PaltalkScene
Pando
pdfFactory Pro
PhotoPad Image Editor
PineCam Z100
Pixillion Image Converter
Prism Video Converter
QuickTime
RealPlayer
RealUpgrade 1.0
RegCure
RM to MP3 Converter 1.48
Safari
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB980470)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Segoe UI
SigmaTel Audio
Skype™ 4.1
Sony Player Plug-in for Windows Media Player
SUPER © Version 2010.bld.37 (Jan 2, 2010)
Switch Sound File Converter
TeamViewer 5
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB981715)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb981433)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows XP (KB914882)
Update for Windows XP (KB925720)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
VC 9.0 Runtime
VLC media player 1.0.1
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Tools 4.1
WinPcap 3.1 beta3
WinRAR archiver
Winsyntax 2.0
Yahoo! Messenger
YouSendIt Express

==== End Of File ===========================



#6
April 26, 2010 at 12:06:41
Sorry, repeated.


#7
April 26, 2010 at 12:09:10
Hello, I did the MBAM scan and here is the log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4039

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

4/26/2010 2:49:59 PM
mbam-log-2010-04-26 (14-49-59).txt

Scan type: Quick scan
Objects scanned: 126237
Time elapsed: 1 hour(s), 37 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 3
Registry Data Items Infected: 4
Folders Infected: 3
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{df9a99cf-49c6-4e3e-b668-498b718fd313} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\RelevantKnowledge (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Program Files\RelevantKnowledge\components (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge (Spyware.MarketScore) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Temp\~TMC.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Program Files\RelevantKnowledge\chrome.manifest (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Program Files\RelevantKnowledge\install.rdf (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Program Files\RelevantKnowledge\rloci.bin (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\About RelevantKnowledge.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\Privacy Policy and User License Agreement.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\Support.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\MSASCui.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wuaucldt.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\monxga32.exe (Trojan.Agent) -> Delete on reboot.


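The MBAM log above records three things worth pulling out rather than skimming: the hijacked `.exe` file association (Hijack.ExeFile) and StartMenuInternet command, where every program or browser launch was routed through the rogue ave.exe; the three Security Center *DisableNotify values switched to 1 so the user saw no "no antivirus / firewall / updates" warnings; and the one item marked "Delete on reboot", which is the same monxga32.exe the original poster kept seeing come back. The script below is an added example, not Malwarebytes code and not from anyone in this thread: it parses that log format into records so those items can be listed and re-checked after the restart. The sample input is quoted from the log above, abridged.

```python
"""Parse a Malwarebytes' Anti-Malware removal log into records (added example).

Extracts Bad:/Good: pairs for hijacked registry data, Security Center
notification values the malware turned off, and items still pending
'Delete on reboot'.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Lines quoted from the MBAM log posted in this thread (abridged).
SAMPLE_MBAM_LOG = r"""
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{df9a99cf-49c6-4e3e-b668-498b718fd313} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\wuaucldt.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\monxga32.exe (Trojan.Agent) -> Delete on reboot.
"""

HEADER_RE = re.compile(r"^(?P<category>.+) Infected:$")
# target (Signature.Name) -> action.   The target itself may contain "(default)".
ENTRY_RE = re.compile(r"^(?P<target>.+?) \((?P<signature>[A-Za-z0-9.]+)\) -> (?P<rest>.+?)\.?$")
# Registry Data Items carry the old and restored value before the action.
DATA_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")


@dataclass
class Detection:
    category: str
    target: str
    signature: str
    action: str
    bad: Optional[str] = None
    good: Optional[str] = None


def parse_mbam(text: str) -> List[Detection]:
    detections: List[Detection] = []
    category = ""
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            category = header.group("category")
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            continue  # blank lines, "(No malicious items detected)", summary counts
        rest = entry.group("rest")
        data = DATA_RE.match(rest)
        if data:
            detections.append(Detection(category, entry.group("target"), entry.group("signature"),
                                        data.group("action"), data.group("bad"), data.group("good")))
        else:
            detections.append(Detection(category, entry.group("target"), entry.group("signature"), rest))
    return detections


def pending_reboot(detections: List[Detection]) -> List[str]:
    """Files MBAM could not remove while running; verify these are gone after restart."""
    return [d.target for d in detections if d.action.lower().startswith("delete on reboot")]


def security_center_tampering(detections: List[Detection]) -> List[str]:
    """Security Center *DisableNotify values that were set to 1 (warnings silenced)."""
    return [d.target.rsplit("\\", 1)[-1] for d in detections
            if "\\Security Center\\" in d.target and d.bad == "1"]


def signature_counts(detections: List[Detection]) -> Counter:
    return Counter(d.signature for d in detections)


if __name__ == "__main__":
    dets = parse_mbam(SAMPLE_MBAM_LOG)
    print("by signature:", dict(signature_counts(dets)))
    print("Security Center values tampered:", security_center_tampering(dets))
    for d in dets:
        if d.bad is not None and d.bad != "1":
            print("restored:", d.target, "\n   was:", d.bad, "\n   now:", d.good)
    print("pending reboot:", pending_reboot(dets))
```

The "Delete on reboot" list is the practical output: the Startup-folder copy of monxga32.exe is only scheduled for removal, so whether it is actually gone, and whether something recreates it, is what to confirm after the restart rather than assume from the log.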

#8
April 26, 2010 at 14:20:33
Go to Start > Control Panel > click the Java icon > Update tab > Update Now and allow Java to update. If you are prompted for any add-ons, uncheck the box and continue. The newest Java is version 6 update 20.

You should go to Start > Control Panel > Add/Remove Programs and uninstall these programs:

µTorrent (known to harbor spyware)
Messenger Plus! Live (if any single add-on is installed it was probably spyware; the program itself is OK)
Java(TM) 6 Update 14 (you should have the newer version, 6 Update 20)

Please download Combofix with internet explorer instead of any other browser if possible.

Remember: your ZoneAlarm Extreme Security Antivirus antivirus/firewall, Windows Defender, and Ad-Aware must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.

Please download ComboFix to the desktop from one of the following links:

ComboFix

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box and click Save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
Note: Do not mouseclick combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#9
April 26, 2010 at 17:22:30
ComboFix 10-04-26.02 - Owner 04/26/2010 19:57:07.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.249 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\PandoBar
c:\program files\PandoBar\bar\1.bin\P4FFXTBR.JAR
c:\program files\PandoBar\bar\1.bin\P4FFXTBR.MANIFEST
c:\program files\PandoBar\bar\1.bin\P4NTSTBR.JAR
c:\program files\PandoBar\bar\1.bin\P4NTSTBR.MANIFEST
c:\program files\PandoBar\bar\1.bin\PANDOBAR.DLL.vzr
c:\program files\PandoBar\bar\Cache\00A3ED93
c:\program files\PandoBar\bar\Cache\00A3F2B4
c:\program files\PandoBar\bar\Cache\00A3F469.bin
c:\program files\PandoBar\bar\Cache\00A3F573.bin
c:\program files\PandoBar\bar\Cache\00A3F738.bin
c:\program files\PandoBar\bar\Cache\00A3F9C8.bin
c:\program files\PandoBar\bar\Cache\00A3FC49.bin
c:\program files\PandoBar\bar\Cache\00A3FD52.bin
c:\program files\PandoBar\bar\Cache\00A40050.bin
c:\program files\PandoBar\bar\Cache\files.ini
c:\program files\PandoBar\bar\History\search2
c:\program files\PandoBar\bar\Settings\prevcfg2.htm
c:\program files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL.vzr
c:\windows\regedit.com
c:\windows\system32\_000110_.tmp.dll
c:\windows\system32\AVSredirect.dll
c:\windows\system32\rundll32.com

.
((((((((((((((((((((((((( Files Created from 2010-03-27 to 2010-04-27 )))))))))))))))))))))))))))))))
.

2010-04-26 23:42 . 2010-04-26 23:42 -------- d-----w- c:\program files\Common Files\Java
2010-04-26 23:42 . 2010-04-26 23:42 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-26 19:51 . 2004-08-04 02:59 49536 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-04-26 19:51 . 2004-08-04 02:59 49536 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-04-26 19:29 . 2010-04-26 19:30 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Deployment
2010-04-26 18:59 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-26 18:59 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-26 18:59 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-26 18:59 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-26 18:59 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-26 18:59 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-26 18:59 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-26 18:59 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-26 18:59 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-26 17:08 . 2010-04-26 17:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-04-26 17:07 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-26 17:07 . 2010-04-26 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-26 17:07 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 17:07 . 2010-04-26 17:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-26 00:46 . 2010-04-26 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-04-26 00:22 . 2010-04-26 00:22 -------- d--h--w- c:\windows\PIF
2010-04-25 23:14 . 2010-04-25 23:14 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\d3davilibrary
2010-04-25 20:51 . 2010-04-25 23:14 120 ----a-w- c:\windows\Jwoturayapev.dat
2010-04-25 20:51 . 2010-04-25 20:51 0 ----a-w- c:\windows\Rxemiruburuy.bin
2010-04-25 20:51 . 2010-04-25 20:51 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\avG
2010-04-25 20:51 . 2010-04-25 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-25 20:51 . 2010-04-25 20:51 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{35586E69-50DC-4ACF-809D-DC1DC8C31C8E}
2010-04-25 20:43 . 2010-04-25 20:43 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-25 17:49 . 2010-04-26 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-25 17:49 . 2010-04-25 17:49 -------- d-----w- c:\program files\Alwil Software
2010-04-15 14:10 . 2010-04-15 14:10 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2010-04-11 02:21 . 2010-04-11 02:21 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-04-11 00:51 . 2010-04-11 00:55 -------- dc-h--w- c:\windows\ie8
2010-04-11 00:47 . 2010-02-25 06:24 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-04-11 00:47 . 2010-02-25 06:24 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-04-11 00:47 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-11 00:47 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-04-11 00:47 . 2010-02-25 06:24 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-04-11 00:44 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-04-11 00:24 . 2010-04-11 00:24 -------- d-----w- c:\program files\CCleaner
2010-04-04 23:13 . 2010-04-26 18:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Clone2Go Video Converter Free Version
2010-04-04 23:13 . 2010-04-26 18:38 -------- d-----w- c:\program files\Clone2Go Video Converter Free Version
2010-04-02 05:36 . 2010-04-02 05:36 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Pando
2010-04-01 13:26 . 2010-04-01 13:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-03-31 00:21 . 2010-03-31 00:21 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Opera
2010-03-31 00:19 . 2010-03-31 00:20 -------- d-----w- c:\program files\Opera

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-26 23:42 . 2010-04-26 23:42 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-76736a29-n\msvcp71.dll
2010-04-26 23:42 . 2010-04-26 23:42 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-76736a29-n\jmc.dll
2010-04-26 23:42 . 2010-04-26 23:42 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-76736a29-n\msvcr71.dll
2010-04-26 23:42 . 2010-04-26 23:42 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2e74757f-n\decora-sse.dll
2010-04-26 23:42 . 2010-04-26 23:42 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2e74757f-n\decora-d3d.dll
2010-04-26 23:24 . 2009-07-30 01:03 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2010-04-26 19:50 . 2009-04-29 22:59 -------- d-----w- c:\program files\Google
2010-04-26 19:32 . 2008-04-18 08:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Paltalk
2010-04-26 18:52 . 2010-02-01 00:58 -------- d-----w- c:\program files\TeamViewer
2010-04-25 23:14 . 2010-04-25 23:14 16 ----a-w- c:\documents and settings\LocalService\Application Data\kcmdte.dat
2010-04-25 20:49 . 2010-04-25 20:49 16 ----a-w- c:\documents and settings\NetworkService\Application Data\kcmdte.dat
2010-04-24 22:01 . 2010-04-24 22:01 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\kcmdte.dat
2010-04-24 05:33 . 2009-06-10 00:42 -------- d-----w- c:\documents and settings\Owner\Application Data\NCH Software
2010-04-24 01:41 . 2008-09-28 03:35 -------- d-----w- c:\documents and settings\Owner\Application Data\FileZilla
2010-04-24 01:38 . 2009-04-22 01:15 -------- d-----w- c:\documents and settings\Owner\Application Data\dvdcss
2010-04-23 17:20 . 2010-04-23 17:20 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-04-23 17:20 . 2010-04-23 17:20 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-04-23 17:20 . 2010-04-23 17:20 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-04-23 17:20 . 2010-04-23 17:20 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-04-23 17:20 . 2010-04-23 17:20 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-04-23 17:20 . 2010-04-23 17:20 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-04-23 17:20 . 2010-04-23 17:20 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-04-23 17:20 . 2010-03-13 08:40 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-04-23 17:20 . 2010-03-13 08:40 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-04-23 17:20 . 2008-04-27 08:43 -------- d-----w- c:\program files\Common Files\Real
2010-04-23 17:19 . 2009-06-10 00:49 -------- d-----w- c:\program files\Real
2010-04-21 22:32 . 2009-11-10 02:24 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2010-04-21 20:09 . 2008-04-18 05:08 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2010-04-16 07:05 . 2009-10-04 09:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-13 18:53 . 2008-09-28 03:35 -------- d-----w- c:\program files\FileZilla FTP Client
2010-04-01 13:59 . 2010-02-19 04:18 -------- d-----w- c:\program files\Finale 2010
2010-03-22 16:06 . 2008-04-18 04:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-18 22:38 . 2008-04-19 17:48 91284 -c-ha-w- c:\windows\system32\mlfcache.dat
2010-03-18 17:58 . 2010-03-18 17:58 -------- d-----w- c:\program files\AviSynth 2.5
2010-03-18 17:56 . 2010-03-18 17:56 -------- d-----w- c:\program files\eRightSoft
2010-03-17 18:04 . 2008-04-18 02:16 134128 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-17 17:48 . 2009-08-15 07:08 -------- d-----w- c:\program files\MSBuild
2010-03-17 17:40 . 2010-03-17 17:40 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-03-14 11:27 . 2009-10-04 09:32 -------- d-----w- c:\program files\Microsoft Works
2010-03-10 06:15 . 2010-02-13 00:43 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 17:22 . 2010-02-08 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-25 06:24 . 2010-02-13 00:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 14:16 . 2010-03-08 17:39 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 12:31 . 2010-02-13 00:42 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 20:36 . 2009-04-29 13:08 133736 -c--a-w- c:\documents and settings\jido\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-16 13:19 . 2010-02-13 00:41 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2010-02-13 00:41 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-13 02:20 . 2008-03-12 17:41 77423 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-12 04:47 . 2010-02-13 00:46 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2010-02-13 00:42 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-10 22:01 . 2008-03-12 17:39 22720 -c--a-w- c:\windows\system32\emptyregdb.dat
2006-05-03 10:06 . 2010-03-18 17:57 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2010-03-18 17:57 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2010-03-18 17:57 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-08-05 01:49 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-26 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-23 202256]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^monxga32.exe]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\monxga32.exe
backup=c:\windows\pss\monxga32.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Yahoo! Widgets.lnk
backup=c:\windows\pss\Yahoo! Widgets.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast5]
2010-04-14 16:47 2790472 ----a-w- c:\progra~1\ALWILS~1\Avast5\AvastUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2006-11-01 19:48 1392640 -c--a-w- c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2009-08-01 16:11 50520 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2006-02-28 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d3davilibrary]
2010-04-25 02:56 69632 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\d3davilibrary\d3davilibrary.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 15:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-06-07 00:06 77824 -c--a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-06-07 00:10 118784 -c--a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-06-07 00:09 94208 -c--a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 18:03 292128 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 01:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
2006-02-28 12:00 158208 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando]
2010-04-08 21:40 4922552 ----a-w- c:\program files\Pando Networks\Pando\Pando.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfFactory Pro Dispatcher v3]
2010-01-18 16:30 614400 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sgepaciwiquloyar]
2006-02-28 12:00 176128 ----a-w- c:\windows\ixucuwusehihev.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shockwave Updater]
2009-07-21 08:17 468408 ----a-w- c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 17:22 405504 ----a-w- c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-04-23 17:18 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePDRShortCut]
2008-01-04 15:02 222504 ----a-w- c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"wltrysvc"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"rpcapd"=3 (0x3)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iPod Service"=3 (0x3)
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"TuneUp.ProgramStatisticsSvc"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"RichVideo"=2 (0x2)
"ose"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"HssTrayService"=3 (0x3)
"HssSrv"=2 (0x2)
"HotspotShieldService"=2 (0x2)
"gupdate1c9c91e225b3798"=2 (0x2)
"FlingService"=2 (0x2)
"gusvc"=3 (0x3)
"idsvc"=3 (0x3)
"odserv"=3 (0x3)
"NTI BackupNowEZSvr"=2 (0x2)
"MsMpSvc"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Pando Networks\\Pando\\Pando.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"443:TCP"= 443:TCP:ooVoo TCP ?????? 443
"443:UDP"= 443:UDP:ooVoo UDP ?????? 443
"37674:TCP"= 37674:TCP:ooVoo TCP ?????? 37674
"37674:UDP"= 37674:UDP:ooVoo UDP ?????? 37674
"37675:UDP"= 37675:UDP:ooVoo UDP ?????? 37675
"4100:UDP"= 4100:UDP:uPNP Router Control Port
"58276:TCP"= 58276:TCP:Pando
"58276:UDP"= 58276:UDP:Pando
"58429:TCP"= 58429:TCP:Pando
"58429:UDP"= 58429:UDP:Pando
"57270:TCP"= 57270:TCP:Pando
"57270:UDP"= 57270:UDP:Pando

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/26/2010 2:59 PM 162768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/26/2010 2:59 PM 19024]
S1 egklnrmq;egklnrmq;\??\c:\windows\system32\drivers\egklnrmq.sys --> c:\windows\system32\drivers\egklnrmq.sys [?]
S3 DivioUSBDCam;PineCam Z100;c:\windows\system32\drivers\pcam.sys [7/20/2001 5:48 PM 160876]
S3 icsak;icsak;\??\c:\program files\CheckPoint\ZAForceField\AK\icsak.sys --> c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]
S3 P1001VID;Creative WebCam (WDM);c:\windows\system32\drivers\P1001Vid.sys [4/21/2008 8:08 PM 311684]
S4 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe [5/8/2009 7:20 PM 45312]
.
Contents of the 'Scheduled Tasks' folder

2010-04-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-842925246-725345543-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-26 19:30]

2010-04-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-842925246-725345543-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-26 19:30]

2010-04-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1229272821-842925246-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-04-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1229272821-842925246-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sn129w.snt129.mail.live.com/default.aspx?n=594818445
mSearch Bar = hxxp://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{06663B56-0D73-4f9f-BCC5-4AA941470AFD} - (no file)
WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
ShellIconOverlayIdentifiers-{02696AD5-FF96-454b-9E00-81DA8B79B678} - (no file)
Notify-mlJYRkiJ - mlJYRkiJ.dll
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-CheckPoint Cleanup - c:\docume~1\Owner\LOCALS~1\Temp\cpes_clean_launcher.exe
MSConfigStartUp-egui - c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
MSConfigStartUp-Fling - c:\program files\NCH Software\Fling\fling.exe
MSConfigStartUp-MSSE - c:\program files\Microsoft Security Essentials\msseces.exe
MSConfigStartUp-Octoshape Streaming Services - c:\documents and settings\Owner\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
MSConfigStartUp-Opagik - c:\windows\kbvsfli.dll
MSConfigStartUp-osCheck - c:\progra~1\Symantec\osCheck.exe
MSConfigStartUp-quuoxa - c:\documents and settings\Owner\quuoxa.exe
MSConfigStartUp-Regedit32 - c:\windows\system32\regedit.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-syncman - c:\windows\system32\wuaucldt.exe
MSConfigStartUp-uTorrent - c:\program files\uTorrent\uTorrent.exe
MSConfigStartUp-YOP - c:\progra~1\Yahoo!\YOP\yop.exe
AddRemove-Creative WebCam - c:\windows\CtDrvIns.exe -uninstall USB\VID_041E&PID_400D -plugin P1001Pin.dll
AddRemove-{B9ECA41B-55CC-4654-B6B5-6731D009EC69} - c:\program files\InstallShield Installation Information\{B9ECA41B-55CC-4654-B6B5-6731D009EC69}\setup.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-26 20:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]
@Denied: (2) (LocalSystem)
"AppDataDir"="c:\\Documents and Settings\\All Users\\Application Data\\ESET\\ESET NOD32 Antivirus\\"
"DataDir"="ESET\\ESET NOD32 Antivirus\\"
"EditionName"=" "
"InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"
"LanguageId"=dword:00000409
"PackageTag"=dword:6090e758
"ProductBase"=dword:00000000
"ProductCode"="{2EEBAC31-3EEF-4118-91CB-1A286A507DB2}"
"ProductName"="ESET NOD32 Antivirus"
"ProductType"="eav"
"ProductVersion"="4.0.437.0"
"UniqueId"="003732014A8A0EAC"
"ScannerBuild"=dword:00001329
"ScannerVersionId"=dword:00000feb
"ScannerVersion"="Open window for status."
"FixId"=dword:00000005
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1484)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3228)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
.
**************************************************************************
.
Completion time: 2010-04-26 20:20:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-27 00:20

Pre-Run: 49,213,390,848 bytes free
Post-Run: 49,446,961,152 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - E8C785C6998529BC56AF5F84D4DA6BAA
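The "Reg Loading Points" section of the log above is where the security-relevant story is: Security Center overrides and DisableMonitoring set to 1, EnableFirewall=0 in the standard profile, port 3389 globally open, and a bare monxga32.exe persisting from the user's Startup folder. The following is an added example written for this thread (not ComboFix's or the helper's own code) that parses that REGEDIT4-style section and lists settings a responder would review. The excerpt it runs on is constructed from values shown in the log above; the key-name matching and the "bare .exe in a user-profile Startup folder" heuristic are this example's own assumptions.

```python
"""Audit the 'Reg Loading Points' section of a ComboFix/DDS log for weak
security settings and suspicious autostart entries.

Added example for this thread, not ComboFix's own code. The excerpt below is
constructed from values that appear in the log above; the key-name matching
and the user-profile heuristic are assumptions of this example."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in ComboFix's REGEDIT4-style layout (values taken from the log above).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-26 136176]

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^monxga32.exe]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\monxga32.exe
backup=c:\windows\pss\monxga32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"58276:TCP"= 58276:TCP:Pando
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                 # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')   # "Name"=value

Section = Dict[str, str]
Finding = Tuple[str, str]


def parse_sections(text: str) -> Dict[str, Section]:
    """Map each registry key to its {name: raw value}; bare path=/backup=
    lines under startupfolder keys are kept as well."""
    sections: Dict[str, Section] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            sections[current] = {}
            continue
        if current is None:
            continue
        val = VALUE_RE.match(line)
        if val:
            sections[current][val.group(1)] = val.group(2).strip()
        elif "=" in line:
            name, _, value = line.partition("=")
            sections[current][name.strip()] = value.strip()
    return sections


def as_int(raw: Optional[str]) -> Optional[int]:
    """Decode the two numeric layouts ComboFix prints: 'dword:00000001' and '0 (0x0)'."""
    if raw is None:
        return None
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)\b", raw)
    return int(m.group(1)) if m else None


def audit(sections: Dict[str, Section]) -> List[Finding]:
    """Return (category, detail) pairs for settings a responder should review."""
    findings: List[Finding] = []
    for key, values in sections.items():
        k = key.lower()
        if k.endswith("\\security center"):
            # Overrides silence the 'no antivirus / no firewall' warnings in Security Center.
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if as_int(values.get(name)) == 1:
                    findings.append(("security-center-override", f"{name}=1 under {key}"))
        if "\\security center\\monitoring" in k and as_int(values.get("DisableMonitoring")) == 1:
            findings.append(("security-center-monitoring-disabled", key))
        if k.endswith("\\firewallpolicy\\standardprofile") and as_int(values.get("EnableFirewall")) == 0:
            findings.append(("firewall-disabled", f"EnableFirewall=0 under {key}"))
        if k.endswith("\\globallyopenports\\list"):
            for name in values:
                if name.upper().startswith("3389:"):   # Remote Desktop reachable from any network
                    findings.append(("rdp-port-open", name))
        if "\\startupfolder\\" in k:
            # Heuristic (assumption of this example): a bare .exe placed in a user's Startup
            # folder, rather than a shortcut to an installed program, deserves a look.
            path = values.get("path", "")
            if path.lower().endswith(".exe") and path.lower().startswith("c:\\documents and settings\\"):
                findings.append(("user-profile-startup-exe", path))
    return findings


def audit_log(text: str) -> List[Finding]:
    """Convenience wrapper: parse a log excerpt and audit it in one call."""
    return audit(parse_sections(text))


if __name__ == "__main__":
    for category, detail in audit_log(SAMPLE_LOG):
        print(f"{category:40} {detail}")
```

Run against the constructed excerpt this reports six items: the monxga32.exe Startup entry, both Security Center overrides, the disabled monitoring key, the disabled standard-profile firewall, and the globally open 3389:TCP entry. The findings are review items, not verdicts: legitimate software also lives under a user profile (Google Update in the Run key, for instance), which is why the thread's helper confirmed the unknown files through VirusTotal before scripting their removal.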



#10
April 26, 2010 at 19:36:41
Please go to Virus Total and upload the following file for analysis:

c:\windows\Jwoturayapev.dat

c:\windows\Rxemiruburuy.bin

Use the browse button at the site to find the file. Once you find the file, double click it and it should appear in the empty space to the left of the browse button, then click "send file". If the file has already been analyzed, click the reanalyze button to have it checked again.

Post the results in your reply.



#11
April 27, 2010 at 06:01:50
Hello,

Thank you so much for your help. The computer is working perfectly now. Do I still need to do the last step?



#12
April 27, 2010 at 07:19:35
c:\windows\Jwoturayapev.dat

File Jwoturayapev.dat received on 2010.04.27 14:17:02 (UTC)


Result: 0/40 (0%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.04.27 -
AhnLab-V3 5.0.0.2 2010.04.27 -
AntiVir 8.2.1.224 2010.04.27 -
Antiy-AVL 2.0.3.7 2010.04.27 -
Authentium 5.2.0.5 2010.04.27 -
Avast 4.8.1351.0 2010.04.27 -
Avast5 5.0.332.0 2010.04.27 -
AVG 9.0.0.787 2010.04.27 -
BitDefender 7.2 2010.04.27 -
CAT-QuickHeal 10.00 2010.04.27 -
ClamAV 0.96.0.3-git 2010.04.27 -
Comodo 4689 2010.04.27 -
DrWeb 5.0.2.03300 2010.04.27 -
eSafe 7.0.17.0 2010.04.26 -
eTrust-Vet 35.2.7453 2010.04.27 -
F-Prot 4.5.1.85 2010.04.26 -
F-Secure 9.0.15370.0 2010.04.27 -
Fortinet 4.0.14.0 2010.04.27 -
GData 21 2010.04.27 -
Ikarus T3.1.1.80.0 2010.04.27 -
Jiangmin 13.0.900 2010.04.27 -
Kaspersky 7.0.0.125 2010.04.27 -
McAfee 5.400.0.1158 2010.04.27 -
McAfee-GW-Edition 6.8.5 2010.04.27 -
Microsoft 1.5703 2010.04.27 -
NOD32 5065 2010.04.27 -
Norman 6.04.11 2010.04.27 -
nProtect 2010-04-27.01 2010.04.27 -
Panda 10.0.2.7 2010.04.26 -
PCTools 7.0.3.5 2010.04.27 -
Rising 22.45.01.04 2010.04.27 -
Sophos 4.53.0 2010.04.27 -
Sunbelt 6227 2010.04.27 -
Symantec 20091.2.0.41 2010.04.27 -
TheHacker 6.5.2.0.270 2010.04.27 -
TrendMicro 9.120.0.1004 2010.04.27 -
TrendMicro-HouseCall 9.120.0.1004 2010.04.27 -
VBA32 3.12.12.4 2010.04.27 -
ViRobot 2010.4.26.2294 2010.04.26 -
VirusBuster 5.0.27.0 2010.04.27 -
Additional information
File size: 120 bytes
MD5...: 8efeabdeec3de81c3dc42a2801ddf461
SHA1..: 02f1032b36b1546af5815cd03befd0aa5a09b008
SHA256: 643f2d4a4311c9af9f31a361a0e827c1aaa6520328d1374e2ee4a65e6e9a2a37
ssdeep: 3:yxKdWoWgX6USwmaF5ctU0RpukCHeh2XVh:ycFWgX6LVTDUHM2Fh

PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Unknown!
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned



#13
April 27, 2010 at 07:25:01
As for this file, I get this message:

0 bytes size received / Se ha recibido un archivo vacio



#14
April 27, 2010 at 15:03:11
Open Notepad and copy/paste everything between the X's into it, and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\Jwoturayapev.dat
c:\windows\Rxemiruburuy.bin
c:\documents and settings\Owner\Start Menu\Programs\Startup\monxga32.exe
c:\windows\pss\monxga32.exeStartu
c:\windows\ixucuwusehihev.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sgepaciwiquloyar]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto start, click "run".

Please post the log that is produced.

Delete DDS from your desktop

Go to start> run> type in ComboFix /Uninstall (note the space after ComboFix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to start > control panel > system > system restore tab > check the box beside "turn off system restore" > apply (takes a minute) > ok. Go back and uncheck the box to turn system restore back on > apply > ok.

Next create a new restore point. Go to start > run > type in msconfig > ok > click launch system restore > check the circle beside "create a restore point" > next > name it today's date > create > click home > exit the system configuration utility > restart the computer.

How is the computer operating?




#15
April 27, 2010 at 16:21:13
ComboFix 10-04-26.02 - Owner 04/27/2010 18:28:52.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.159 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\documents and settings\Owner\Start Menu\Programs\Startup\monxga32.exe"
"c:\windows\ixucuwusehihev.dll"
"c:\windows\Jwoturayapev.dat"
"c:\windows\pss\monxga32.exeStartu"
"c:\windows\Rxemiruburuy.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Local Settings\Application Data\{35586E69-50DC-4ACF-809D-DC1DC8C31C8E}
c:\documents and settings\Owner\Local Settings\Application Data\{35586E69-50DC-4ACF-809D-DC1DC8C31C8E}\chrome.manifest
c:\documents and settings\Owner\Local Settings\Application Data\{35586E69-50DC-4ACF-809D-DC1DC8C31C8E}\chrome\content\_cfg.js
c:\documents and settings\Owner\Local Settings\Application Data\{35586E69-50DC-4ACF-809D-DC1DC8C31C8E}\chrome\content\overlay.xul
c:\documents and settings\Owner\Local Settings\Application Data\{35586E69-50DC-4ACF-809D-DC1DC8C31C8E}\install.rdf
c:\windows\ixucuwusehihev.dll
c:\windows\Jwoturayapev.dat
c:\windows\Rxemiruburuy.bin

.
((((((((((((((((((((((((( Files Created from 2010-03-27 to 2010-04-27 )))))))))))))))))))))))))))))))
.

2010-04-26 23:42 . 2010-04-26 23:42 -------- d-----w- c:\program files\Common Files\Java
2010-04-26 23:42 . 2010-04-26 23:42 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-26 19:51 . 2004-08-04 02:59 49536 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-04-26 19:51 . 2004-08-04 02:59 49536 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-04-26 19:29 . 2010-04-26 19:30 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Deployment
2010-04-26 18:59 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-26 18:59 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-26 18:59 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-26 18:59 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-26 18:59 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-26 18:59 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-26 18:59 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-26 18:59 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-26 18:59 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-26 17:08 . 2010-04-26 17:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-04-26 17:07 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-26 17:07 . 2010-04-26 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-26 17:07 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 17:07 . 2010-04-26 17:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-26 00:46 . 2010-04-26 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-04-26 00:22 . 2010-04-26 00:22 -------- d--h--w- c:\windows\PIF
2010-04-25 23:14 . 2010-04-25 23:14 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\d3davilibrary
2010-04-25 20:51 . 2010-04-25 20:51 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\avG
2010-04-25 20:51 . 2010-04-25 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-25 20:43 . 2010-04-25 20:43 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-25 17:49 . 2010-04-26 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-25 17:49 . 2010-04-25 17:49 -------- d-----w- c:\program files\Alwil Software
2010-04-15 14:10 . 2010-04-15 14:10 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2010-04-11 02:21 . 2010-04-11 02:21 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-04-11 00:51 . 2010-04-11 00:55 -------- dc-h--w- c:\windows\ie8
2010-04-11 00:47 . 2010-02-25 06:24 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-04-11 00:47 . 2010-02-25 06:24 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-04-11 00:47 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-11 00:47 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-04-11 00:47 . 2010-02-25 06:24 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-04-11 00:44 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-04-11 00:24 . 2010-04-11 00:24 -------- d-----w- c:\program files\CCleaner
2010-04-04 23:13 . 2010-04-26 18:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Clone2Go Video Converter Free Version
2010-04-04 23:13 . 2010-04-26 18:38 -------- d-----w- c:\program files\Clone2Go Video Converter Free Version
2010-04-02 05:36 . 2010-04-02 05:36 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Pando
2010-04-01 13:26 . 2010-04-01 13:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-03-31 00:21 . 2010-03-31 00:21 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Opera
2010-03-31 00:19 . 2010-03-31 00:20 -------- d-----w- c:\program files\Opera

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-27 22:26 . 2009-11-10 02:24 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2010-04-27 20:03 . 2008-04-18 05:08 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2010-04-26 23:24 . 2009-07-30 01:03 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2010-04-26 19:50 . 2009-04-29 22:59 -------- d-----w- c:\program files\Google
2010-04-26 19:32 . 2008-04-18 08:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Paltalk
2010-04-26 18:52 . 2010-02-01 00:58 -------- d-----w- c:\program files\TeamViewer
2010-04-25 23:14 . 2010-04-25 23:14 16 ----a-w- c:\documents and settings\LocalService\Application Data\kcmdte.dat
2010-04-25 20:49 . 2010-04-25 20:49 16 ----a-w- c:\documents and settings\NetworkService\Application Data\kcmdte.dat
2010-04-24 22:01 . 2010-04-24 22:01 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\kcmdte.dat
2010-04-24 05:33 . 2009-06-10 00:42 -------- d-----w- c:\documents and settings\Owner\Application Data\NCH Software
2010-04-24 01:41 . 2008-09-28 03:35 -------- d-----w- c:\documents and settings\Owner\Application Data\FileZilla
2010-04-24 01:38 . 2009-04-22 01:15 -------- d-----w- c:\documents and settings\Owner\Application Data\dvdcss
2010-04-23 17:20 . 2008-04-27 08:43 -------- d-----w- c:\program files\Common Files\Real
2010-04-23 17:19 . 2009-06-10 00:49 -------- d-----w- c:\program files\Real
2010-04-16 07:05 . 2009-10-04 09:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-13 18:53 . 2008-09-28 03:35 -------- d-----w- c:\program files\FileZilla FTP Client
2010-04-01 13:59 . 2010-02-19 04:18 -------- d-----w- c:\program files\Finale 2010
2010-03-22 16:06 . 2008-04-18 04:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-18 22:38 . 2008-04-19 17:48 91284 -c-ha-w- c:\windows\system32\mlfcache.dat
2010-03-18 17:58 . 2010-03-18 17:58 -------- d-----w- c:\program files\AviSynth 2.5
2010-03-18 17:56 . 2010-03-18 17:56 -------- d-----w- c:\program files\eRightSoft
2010-03-17 18:04 . 2008-04-18 02:16 134128 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-17 17:48 . 2009-08-15 07:08 -------- d-----w- c:\program files\MSBuild
2010-03-17 17:40 . 2010-03-17 17:40 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-03-14 11:27 . 2009-10-04 09:32 -------- d-----w- c:\program files\Microsoft Works
2010-03-10 06:15 . 2010-02-13 00:43 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 17:22 . 2010-02-08 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-25 06:24 . 2010-02-13 00:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 14:16 . 2010-03-08 17:39 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 12:31 . 2010-02-13 00:42 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 20:36 . 2009-04-29 13:08 133736 -c--a-w- c:\documents and settings\jido\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-16 13:19 . 2010-02-13 00:41 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2010-02-13 00:41 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-13 02:20 . 2008-03-12 17:41 77423 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-12 04:47 . 2010-02-13 00:46 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2010-02-13 00:42 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-10 22:01 . 2008-03-12 17:39 22720 -c--a-w- c:\windows\system32\emptyregdb.dat
2006-05-03 10:06 . 2010-03-18 17:57 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2010-03-18 17:57 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2010-03-18 17:57 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-08-05 01:49 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-26 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-23 202256]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^monxga32.exe]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\monxga32.exe
backup=c:\windows\pss\monxga32.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Yahoo! Widgets.lnk
backup=c:\windows\pss\Yahoo! Widgets.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast5]
2010-04-14 16:47 2790472 ----a-w- c:\progra~1\ALWILS~1\Avast5\AvastUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2006-11-01 19:48 1392640 -c--a-w- c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2009-08-01 16:11 50520 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2006-02-28 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d3davilibrary]
2010-04-25 02:56 69632 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\d3davilibrary\d3davilibrary.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 15:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-06-07 00:06 77824 -c--a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-06-07 00:10 118784 -c--a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-06-07 00:09 94208 -c--a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 18:03 292128 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 01:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
2006-02-28 12:00 158208 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando]
2010-04-08 21:40 4922552 ----a-w- c:\program files\Pando Networks\Pando\Pando.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfFactory Pro Dispatcher v3]
2010-01-18 16:30 614400 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shockwave Updater]
2009-07-21 08:17 468408 ----a-w- c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 17:22 405504 ----a-w- c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-04-23 17:18 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePDRShortCut]
2008-01-04 15:02 222504 ----a-w- c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared
tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"wltrysvc"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"rpcapd"=3 (0x3)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iPod Service"=3 (0x3)
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"TuneUp.ProgramStatisticsSvc"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"RichVideo"=2 (0x2)
"ose"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"HssTrayService"=3 (0x3)
"HssSrv"=2 (0x2)
"HotspotShieldService"=2 (0x2)
"gupdate1c9c91e225b3798"=2 (0x2)
"FlingService"=2 (0x2)
"gusvc"=3 (0x3)
"idsvc"=3 (0x3)
"odserv"=3 (0x3)
"NTI BackupNowEZSvr"=2 (0x2)
"MsMpSvc"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Pando Networks\\Pando\\Pando.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"443:TCP"= 443:TCP:ooVoo TCP ?????? 443
"443:UDP"= 443:UDP:ooVoo UDP ?????? 443
"37674:TCP"= 37674:TCP:ooVoo TCP ?????? 37674
"37674:UDP"= 37674:UDP:ooVoo UDP ?????? 37674
"37675:UDP"= 37675:UDP:ooVoo UDP ?????? 37675
"4100:UDP"= 4100:UDP:uPNP Router Control Port
"58276:TCP"= 58276:TCP:Pando
"58276:UDP"= 58276:UDP:Pando
"58429:TCP"= 58429:TCP:Pando
"58429:UDP"= 58429:UDP:Pando
"57270:TCP"= 57270:TCP:Pando
"57270:UDP"= 57270:UDP:Pando

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/26/2010 2:59 PM 162768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/26/2010 2:59 PM 19024]
S1 egklnrmq;egklnrmq;\??\c:\windows\system32\drivers\egklnrmq.sys --> c:\windows\system32\drivers\egklnrmq.sys [?]
S3 DivioUSBDCam;PineCam Z100;c:\windows\system32\drivers\pcam.sys [7/20/2001 5:48 PM 160876]
S3 icsak;icsak;\??\c:\program files\CheckPoint\ZAForceField\AK\icsak.sys --> c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]
S3 P1001VID;Creative WebCam (WDM);c:\windows\system32\drivers\P1001Vid.sys [4/21/2008 8:08 PM 311684]
S4 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe [5/8/2009 7:20 PM 45312]
.
Contents of the 'Scheduled Tasks' folder

2010-04-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-842925246-725345543-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-26 19:30]

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-842925246-725345543-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-26 19:30]

2010-04-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1229272821-842925246-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-04-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1229272821-842925246-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sn129w.snt129.mail.live.com/default.aspx?n=594818445
mSearch Bar = hxxp://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-27 18:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]
@Denied: (2) (LocalSystem)
"AppDataDir"="c:\\Documents and Settings\\All Users\\Application Data\\ESET\\ESET NOD32 Antivirus\\"
"DataDir"="ESET\\ESET NOD32 Antivirus\\"
"EditionName"=" "
"InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"
"LanguageId"=dword:00000409
"PackageTag"=dword:6090e758
"ProductBase"=dword:00000000
"ProductCode"="{2EEBAC31-3EEF-4118-91CB-1A286A507DB2}"
"ProductName"="ESET NOD32 Antivirus"
"ProductType"="eav"
"ProductVersion"="4.0.437.0"
"UniqueId"="003732014A8A0EAC"
"ScannerBuild"=dword:00001329
"ScannerVersionId"=dword:00000feb
"ScannerVersion"="Open window for status."
"FixId"=dword:00000005
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1848)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2856)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
.
**************************************************************************
.
Completion time: 2010-04-27 18:50:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-27 22:50
ComboFix2.txt 2010-04-27 00:20

Pre-Run: 49,276,575,744 bytes free
Post-Run: 49,276,526,592 bytes free

- - End Of File - - B36C7C966A51FB31A5EF92FB06C0D423


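The log above also shows why disabling monxga32.exe in msconfig never got rid of it. msconfig's "disable" for a Startup-folder item does not delete anything: it moves the file to c:\windows\pss and records the original and backup locations under HKLM\...\Shared Tools\MSConfig\startupfolder (the path= / backup= pair in the Reg Loading Points section), so the infection could simply drop a fresh copy in the Startup folder. The same section carries the classic security-downgrade markers: AntiVirusOverride, FirewallOverride and DisableMonitoring set to 1 under Security Center (so the user is never warned that protection is off), EnableFirewall = 0 for the standard profile, port 3389 globally open, and an S1 boot-start driver (egklnrmq) whose file ComboFix could not even stat. As an added example that is not part of the original thread and not ComboFix's own code, the Python script below parses a constructed excerpt written in that log format and flags exactly those patterns, plus any autostart that loads from a user-writable profile directory. The excerpt, the heuristics and the severities are this example's own assumptions.

```python
"""Triage the 'Reg Loading Points' part of a ComboFix log for persistence and
security-downgrade indicators.  Added example for this thread, not ComboFix's
code; SAMPLE_LOG is a constructed excerpt modelled on the posted log."""
import re

USER_PROFILE_MARKERS = ("\\documents and settings\\", "%appdata%", "%userprofile%")
EXEC_EXTS = (".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs")
SC_SILENCERS = ("AntiVirusOverride", "FirewallOverride", "DisableMonitoring")
DRIVER_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]]+', re.IGNORECASE)  # first Windows path on a row
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.*)$')  # "Name"=value rows

# Constructed excerpt: same shapes and values as the log posted above, trimmed.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-26 136176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^monxga32.exe]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\monxga32.exe
backup=c:\windows\pss\monxga32.exeStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Yahoo! Widgets.lnk
backup=c:\windows\pss\Yahoo! Widgets.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d3davilibrary]
2010-04-25 02:56 69632 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\d3davilibrary\d3davilibrary.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/26/2010 2:59 PM 162768]
S1 egklnrmq;egklnrmq;\??\c:\windows\system32\drivers\egklnrmq.sys --> c:\windows\system32\drivers\egklnrmq.sys [?]
"""


def _sections(text):
    """Yield (key, rows) per [key] block; service rows ride along in the last block."""
    key, rows = "", []
    for row in (r.strip() for r in text.splitlines()):
        if not row:
            continue
        if row.startswith("[") and row.endswith("]"):
            if rows:
                yield key, rows
            key, rows = row[1:-1], []
        else:
            rows.append(row)
    if rows:
        yield key, rows


def _as_int(val):
    """'dword:00000001' -> 1, '0 (0x0)' -> 0, None if not numeric."""
    val = val.strip()
    if val.lower().startswith("dword:"):
        return int(val[6:], 16)
    m = re.match(r"\d+", val)
    return int(m.group(0)) if m else None


def triage(text):
    """Return [(severity, item, reason)] for rows worth a human look."""
    out = []
    for header, rows in _sections(text):
        key = header.lower()
        for row in rows:
            drv = DRIVER_RE.match(row)
            if drv:  # 'S1 name;display;path [date size]' rows are not registry values
                if drv.group("rest").rstrip().endswith("[?]"):
                    out.append(("MEDIUM", drv.group("name"), "driver registered but file unreadable; verify it exists and is signed"))
                continue
            val = VALUE_RE.match(row)
            if key.endswith("\\run") or "\\startupreg\\" in key:
                hit = PATH_RE.search(row)
                if hit and any(m in hit.group(0).lower() for m in USER_PROFILE_MARKERS):
                    name = hit.group(0).rsplit("\\", 1)[-1]
                    sev = "HIGH" if name.lower().endswith(".dll") else "MEDIUM"  # DLL autostarts are rare for legit software
                    out.append((sev, name, "autostart from user-writable profile path: " + hit.group(0)))
            elif "\\startupfolder\\" in key and row.lower().startswith("path="):
                name = row[5:].rsplit("\\", 1)[-1]
                if name.lower().endswith(EXEC_EXTS):  # .lnk shortcuts are normal here, raw binaries are not
                    out.append(("HIGH", name, "raw executable in Startup folder; msconfig only parks it in c:\\windows\\pss"))
            elif "security center" in key and val and val.group("name") in SC_SILENCERS:
                if _as_int(val.group("val")) == 1:
                    out.append(("HIGH", header + "\\" + val.group("name"), "Security Center alerting suppressed"))
            elif "globallyopenports" in key and val:
                if val.group("name").split(":")[0] == "3389":
                    out.append(("HIGH", val.group("name"), "Remote Desktop port opened in firewall policy"))
            elif "firewallpolicy" in key and val:
                name, num = val.group("name"), _as_int(val.group("val"))
                if name == "EnableFirewall" and num == 0:
                    out.append(("HIGH", header + "\\" + name, "Windows Firewall disabled for this profile"))
                elif name == "DisableNotifications" and num == 1:
                    out.append(("MEDIUM", header + "\\" + name, "firewall notifications silenced"))
    return out


if __name__ == "__main__":
    for sev, item, why in triage(SAMPLE_LOG):
        print(f"{sev:<6} {item}: {why}")
```

Run it as-is to see the nine findings for the sample, or pass the Reg Loading Points section of a real log to triage(). Treat the output as a review queue rather than a verdict: GoogleUpdate.exe comes out as MEDIUM only because it lives under the user profile, which is normal for Google Update, while the .lnk shortcut in the Startup folder and the avast entry under Program Files are not reported at all.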

#16
April 27, 2010 at 16:34:28
OMG... It's working like never before... it's faster, better and all.
How can I ever thank you?
One more thing: what is the best antivirus software I should get? I installed avast after this problem happened.


#17
April 27, 2010 at 17:17:44
Either avast or AVG, to me, are the best free AVs. Happy surfing ...jabuck.


#18
April 27, 2010 at 17:20:03
Thank you again. I will keep avast and buy the full version.



#19
April 30, 2010 at 13:39:51
OK, here's something weird... After I did all of this, the battery in my laptop is working perfectly now and it holds enough energy for 2 hours. Before this I had to keep my laptop plugged in all the time because it would die on battery after 10 mins. What is the relation between what was done here and what happened with the battery? I am just curious, that is all.


#20
April 30, 2010 at 19:30:54
I can't explain that, if I find an answer I will let you know.
