Trojan horse PSW.Generic6.BEJD

Sony / Vgc-rb30
March 6, 2009 at 18:29:23
Specs: Windows XP
I am having troubles similar to ZGMFX05A's post of 7/3/08. I don't know how to get an HJT log or I would include it here. Can you help?
Thank you.


#1
March 6, 2009 at 19:05:32
Run the following scans and post their logs.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, change mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.


If Malwarebytes installed but will not run, navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This

Rename the setup file, HJTInstall.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, change HJTInstall.exe to tools.exe in the filename box, then click Save.
1. Save "tools.exe" to your desktop.
2. Double click on tools.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.


#2
March 7, 2009 at 04:42:10
I installed and ran malwarebytes. Below is the log.
Malwarebytes' Anti-Malware 1.34
Database version: 1825
Windows 5.1.2600 Service Pack 2

3/7/2009 7:33:33 AM
mbam-log-2009-03-07 (07-33-33).txt

Scan type: Quick Scan
Objects scanned: 90250
Time elapsed: 4 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32\ (Hijack.Tray) -> Bad: (C:\DOCUME~1\ADMINI~1.EXP\LOCALS~1\Temp\\shell32.dll) Good: (stobject.dll) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:42:16 AM, on 3/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator.EXPERIENCE\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youtube.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=mi...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\eHome" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\config" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Cursors" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_04] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Connection Wizard" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_05] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\Inetsrv" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_06] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\Npp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_07] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\help" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_08] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\pchealth" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_09] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\ime" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_10] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\msagent" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_11] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\Oobe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_12] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Srchasst" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_13] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Help\Tours" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_14] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\MsDtc" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_15] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\system32\NtmsData" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_16] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_17] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_18] cmd.exe /c md "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_19] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_20] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_21] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\eHome" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html (User 'Default user')
O4 - Startup: Dialog Helper.lnk = C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Blue Coat K9 Web Protection (WebFilter) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe

--
End of file - 10010 bytes


Files Infected:
C:\RECYCLER\ADAPT_Installer.exe (Heuristics.Malware) -> Quarantined and deleted successfully.

Thanks very much for your help with this.


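The two logs in this post, read with a rule set instead of by eye. This is an added example, not part of the original thread and not code from Trend Micro or Malwarebytes; it encodes the entry types a helper checks first: O3 toolbars whose DLL is gone, RunOnce entries under the service-account hives (S-1-5-18/19/20), protocol zone defaults that have been changed, O23 services whose binary carries no company name, and Malwarebytes "Bad/Good" lines whose new value points into a Temp folder (the Hijack.Tray line above is exactly that: the CLSID that should load stobject.dll had been pointed at a shell32.dll sitting in the user's Temp directory). A hit means "verify this", not "this is malware": the nlpo_* RunOnce entries reference nlite.inf and are nLite installer leftovers, and the three "Unknown owner" services here are WinPcap, CyberLink and K9. The sample lines are a constructed excerpt of the logs posted above.

```python
"""Rule-based triage of HijackThis and Malwarebytes log lines.

Added example; not code from the original thread or from the tool vendors.
SAMPLE is a constructed excerpt of the two logs posted in this thread.
"""
import re

SAMPLE = r"""
O3 - Toolbar: (no name) - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_20] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32\ (Hijack.Tray) -> Bad: (C:\DOCUME~1\ADMINI~1.EXP\LOCALS~1\Temp\\shell32.dll) Good: (stobject.dll) -> Quarantined and deleted successfully.
"""

# SYSTEM, LOCAL SERVICE, NETWORK SERVICE: RunOnce under these hives runs
# without an interactive user, so it deserves a look.
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}
# Malwarebytes 'Registry Data Items' lines carry the old and new value.
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def triage_line(line):
    """Return a reason string if the line is worth a second look, else None."""
    line = line.strip()
    m = BAD_GOOD_RE.search(line)
    if m:
        bad, good = m.group("bad"), m.group("good")
        if TEMP_RE.search(bad):
            return f"registry value redirected to a file in a Temp directory (was {good})"
        if "\\Policies\\Explorer\\" in line:
            name = line.split(" (")[0].rsplit("\\", 1)[-1]
            return f"Explorer policy {name} set to {bad} (default {good})"
        return f"registry data changed from {good} to {bad}"
    if line.startswith("O3 - Toolbar:") and line.endswith("(no file)"):
        return "toolbar registration whose DLL is gone (orphan)"
    if line.startswith("O4 - HKUS\\") and "RunOnce" in line:
        sid = line.split("\\")[1]          # hive name right after HKUS\
        if sid in SERVICE_SIDS:
            return f"RunOnce entry under service account {sid}"
    if line.startswith("O15 - ProtocolDefaults:") and "should be" in line:
        return "protocol moved out of its default security zone"
    if line.startswith("O23 - Service:") and "Unknown owner" in line:
        return "service binary carries no company name in its version info"
    return None


def triage_log(text):
    """Return [(line, reason)] for every line a rule fires on, in log order."""
    hits = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE):
        print(f"{reason}\n    {line}")
```

Running it against the full HijackThis log above fires on the two orphan O3 toolbars, all twenty-two RunOnce entries under S-1-5-18/19/20, the five O15 lines and the three "Unknown owner" services; each of those is then checked by hand, which is what the "Do NOT have HijackThis fix anything yet" instruction in #1 is about.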
#3
March 7, 2009 at 06:04:36
Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, change combofix.exe to toolb.exe in the filename box, then click Save.

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your AVG antivirus, Spybot, and any other real-time antispyware that you may have.
2. Run Combofix by double clicking the toolb.exe icon on your desktop and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.


#4
March 7, 2009 at 06:36:35
I have never been able to disable AVG. There are no obvious ways to make it inactive. Also, I believe that Spybot is not active unless I start a scan.
When I installed ComboFix I got an application failure message due to a missing mspnabke.dll. When I click OK to close the message, ComboFix starts to run. I closed it right away and did not let it run. Perhaps you can advise me on disabling the anti-spyware.

Thanks for your help.


#5
March 7, 2009 at 07:57:15
I found a way to disable AVG Resident Shield. I then ran ComboFix. The .dll message came up repeatedly, but after clicking OK the program continued. Below is the log from ComboFix.

Thanks again.

ComboFix 09-03-06.02 - Administrator 2009-03-07 10:56:29.1 - NTFSx86
Running from: c:\documents and settings\Administrator.EXPERIENCE\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\npf.sys
c:\windows\system32\packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wpcap.dll

 c:\windows\system32\imm32.dll . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-02-07 to 2009-03-07 )))))))))))))))))))))))))))))))
.

2100-02-23 14:35 . 2001-02-22 09:54 768 --a------ c:\program files\x73_lut.dat
2100-02-08 16:03 . 2001-05-11 11:39 53,248 --a------ c:\program files\ACMonitor_X73.exe
2009-03-07 10:58 . 2009-03-07 10:58 <DIR> d-------- c:\windows\system32\xircom
2009-03-07 10:58 . 2009-03-07 10:58 <DIR> d-------- c:\windows\system32\restore
2009-03-07 10:58 . 2009-03-07 10:58 <DIR> d-------- c:\windows\system32\oobe
2009-03-07 10:58 . 2009-03-07 10:58 <DIR> d-------- c:\windows\system32\npp
2009-03-07 10:58 . 2009-03-07 10:58 <DIR> d-------- c:\windows\srchasst
2009-03-07 10:58 . 2009-03-07 10:58 <DIR> d-------- c:\windows\pchealth
2009-03-07 10:58 . 2009-03-07 10:58 <DIR> d-------- c:\windows\msagent
2009-03-07 10:58 . 2009-03-07 10:58 <DIR> d-------- c:\program files\microsoft frontpage
2009-03-07 07:27 . 2009-03-07 07:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-07 07:27 . 2009-03-07 07:27 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-03-07 07:27 . 2009-03-07 07:27 <DIR> d-------- c:\documents and settings\Administrator.EXPERIENCE\Application Data\Malwarebytes
2009-03-07 07:27 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-07 07:27 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-06 15:49 . 2009-03-06 15:49 <DIR> d-------- c:\windows\Cache
2009-03-06 15:49 . 2009-03-06 15:49 <DIR> d-------- c:\program files\Coupons
2009-03-06 15:49 . 2009-03-06 15:49 202,072 -ra------ c:\windows\system32\cpnprt2.cid
2009-02-21 00:38 . 2009-03-07 10:58 <DIR> d-------- c:\windows\HELP
2009-02-21 00:38 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll
2009-02-21 00:38 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2009-02-21 00:38 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2009-02-21 00:38 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-02-21 00:38 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2009-02-19 15:18 . 2009-02-19 15:18 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\35271
2009-02-17 13:11 . 2009-02-17 13:11 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\A37A
2009-02-17 11:09 . 2009-02-17 11:09 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\1735B
2009-02-17 10:53 . 2008-09-25 08:20 483,328 --a------ c:\windows\system32\actskn45.ocx
2009-02-17 10:11 . 2009-02-17 10:10 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-17 10:10 . 2009-02-17 10:10 <DIR> d-------- c:\program files\Java
2009-02-17 10:03 . 2009-02-17 10:03 <DIR> d-------- c:\program files\LimeWire
2009-02-16 18:05 . 2009-02-16 18:05 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Playrix Entertainment
2009-02-12 20:40 . 2009-02-12 20:40 <DIR> d--hs---- c:\windows\ftpcache
2009-02-12 20:40 . 2009-02-12 20:40 <DIR> d-------- c:\documents and settings\Administrator.EXPERIENCE\Application Data\Sandlot Games
2009-02-12 20:39 . 2009-02-12 20:39 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\NeoEdge Networks
2009-02-07 12:54 . 2006-08-06 12:21 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-02-07 12:54 . 2006-08-06 12:21 5,632 --a------ c:\windows\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-07 01:10 --------- d-----w c:\program files\TuneUp Utilities 2009
2009-03-06 12:40 --------- d-----w c:\program files\Blue Coat K9 Web Protection
2009-03-05 23:17 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-02-17 15:10 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-10 11:00 --------- d-----w c:\program files\Lavasoft
2009-02-10 11:00 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-30 02:01 --------- d-----w c:\program files\Gpotato
2009-01-30 00:54 --------- d-----w c:\program files\Hasbro Interactive
2009-01-30 00:41 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-30 00:41 --------- d-----w c:\program files\Microsoft Games
2009-01-29 22:55 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-29 22:55 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-29 22:55 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2009-01-26 18:59 --------- d-----w c:\program files\zoomplayer402
2009-01-26 15:37 --------- d-----w c:\program files\Abacast
2009-01-20 01:00 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia
2009-01-16 21:14 --------- d-----w c:\program files\1 Click PC Fix
2009-01-16 21:06 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-01-16 20:56 --------- d-----w c:\program files\SmartPCTools
2009-01-16 19:49 --------- d-----w c:\program files\Common Files\AOL
2009-01-16 17:22 --------- d-----w c:\program files\KeyScrambler
2009-01-12 03:17 --------- d-----w c:\documents and settings\Administrator.EXPERIENCE\Application Data\LimeWire
2009-01-08 01:19 --------- d-----w c:\program files\WinPcap
2009-01-08 01:08 --------- d-----w c:\program files\VirtualDJ
2009-01-08 00:55 --------- d-----w c:\program files\Virtware
2009-01-08 00:21 2,275,328 ----a-w c:\windows\system32\TUKernel.exe
2009-01-08 00:13 603,904 ----a-w c:\windows\system32\TUProgSt.exe
2009-01-08 00:13 360,192 ----a-w c:\windows\system32\TuneUpDefragService.exe
2009-01-08 00:13 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\TuneUp Software
2009-01-08 00:13 --------- d-----w c:\documents and settings\Administrator.EXPERIENCE\Application Data\TuneUp Software
2009-01-08 00:12 --------- d-sh--w c:\documents and settings\All Users.WINDOWS\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-01-08 00:10 --------- d-----w c:\documents and settings\Administrator.EXPERIENCE\Application Data\vlc
2008-12-30 22:15 110,592 ----a-w c:\windows\system32\imm32.dll
2008-12-11 20:03 2,560 ----a-w c:\windows\_MSRSTRT.EXE
2008-12-11 18:31 27,904 ----a-w c:\windows\system32\uxtuneup.dll
2001-07-26 21:58 47 ----a-w c:\program files\ACMonitor_X73.ini
2001-07-05 17:46 8,116 ----a-w c:\program files\OSLO3071b2.USB
2001-05-08 21:36 114,688 ----a-w c:\program files\lxarscan.dll
2001-04-23 19:22 1,437 ----a-w c:\program files\gtx73.ini
2009-01-19 17:14 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-19 17:14 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-19 17:14 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-19 17:14 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-19 17:14 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

2006-08-06 07:00 360576 c7be59b07c6eb74bea6fd67c1b164015 c:\windows\system32\drivers\tcpip.sys

2008-12-30 17:15 110592 28276765be18218cef4a16201f5568a6 c:\windows\system32\imm32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-29 1601304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-17 148888]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 c:\windows\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-10-21 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-21 c:\windows\ALCWZRD.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"KeyScrambler"="c:\program files\KeyScrambler\getting_started.html" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoRecentDocsNetHood"= 01000000
"NoNetworkConnections"= 01000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users.WINDOWS\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-29 17:55 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\program files\ffdshow\ffdshow.ax

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
--a------ 2006-10-08 10:25 497152 c:\program files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-04-13 06:09 49152 c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 09:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2005-12-07 17:57 30208 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-12-14 11:13 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-03 18:02 36352 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Abacast\\Abaclient.exe"=
"c:\\Program Files\\Gpotato\\Flyff\\Flyff.exe"=

R3 motccgp;Motorola USB Composite Device Driver; [x]
R3 motccgpfl;MotCcgpFlService; [x]
R3 motport;Motorola USB Diagnostic Port; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-01-29 325128]
S1 cwmtdi;cwmtdi;c:\windows\system32\drivers\cwmtdi.sys [2007-05-14 48640]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-29 298264]
S2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2009-01-07 603904]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2008-06-24 113896]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - HELPSVC
*Deregistered* - AFD
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - avg8wd
*Deregistered* - AvgLdx86
*Deregistered* - AvgMfx86
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - ElbyCDIO
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - HTTP
*Deregistered* - HTTPFilter
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LexBceS
*Deregistered* - LmHosts
*Deregistered* - MountMgr
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RichVideo
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - StillCam
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - Themes
*Deregistered* - TuneUp.ProgramStatisticsSvc
*Deregistered* - Update
*Deregistered* - UxTuneUp
*Deregistered* - VgaSave
*Deregistered* - Viewpoint Manager Service
*Deregistered* - Wanarp
*Deregistered* - WebFilter
*Deregistered* - winmgmt
*Deregistered* - WmiApSrv
*Deregistered* - wuauserv
*Deregistered* - WudfPf
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
DcomLaunch REG_MULTI_SZ DcomLaunch

NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DHCP
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Netman
Nla
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Schedule
Seclogon
SENS
Sharedaccess
Tapisrv
Themes
UxTuneUp
WZCSVC
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
wuauserv
ShellHWDetection
WmdmPmSN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d581fb2-da7d-11dc-9d8f-bac1f0304e67}]
\Shell\AutoRun\command - L:\PCConnect.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf72b140-117c-11dd-9e5f-8a0a4b52b3c8}]
\Shell\AutoRun\command - L:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-03-07 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 21:36]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-PrinTray - c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_04\bin\jusched.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.youtube.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator.EXPERIENCE\Application Data\Mozilla\Firefox\Profiles\5d8pjntg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\documents and settings\Administrator.EXPERIENCE\Application Data\Mozilla\Firefox\Profiles\5d8pjntg.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\components\FoxyTunes.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-07 10:58:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\program files\VCOM\PowerDesk\pddlghlp.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Blue Coat K9 Web Protection\k9filter.exe
.
**************************************************************************
.
Completion time: 2009-03-07 11:00:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-07 16:00:14

Pre-Run: 3,214,843,904 bytes free
Post-Run: 4,387,577,856 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /TUTag=M347W0 /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional (TuneUp Backup)" /noexecute=optin /fastdetect /TUTag=M347W0-BAK

362



#6
March 7, 2009 at 18:57:58

Open Notepad (Start Menu > Run > type notepad and press "OK").

Copy and paste everything between the X's into Notepad, making REGEDIT4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
"AntiVirusDisableNotify"=dword:00000000
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it Fix.reg, then save it to your desktop.

Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry; choose Yes.

Next, download the file at this link and unzip it.

http://download.bleepingcomputer.com/sUBs/Beta/XPSP2_netsvcs.zip

Then double-click XPSP2_netsvcs and allow it to merge into the Registry.

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\system32\cpnprt2.cid

Driver::
Folder::
c:\program files\Coupons
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "Run".

Please post the log that is produced.



#7
March 9, 2009 at 04:48:46
jabuck:

I did all that you suggested. I found what I think was the offending .exe on my desktop but did not delete it until after I finished following your directions. Could this thing have replanted itself in the registry in the couple of minutes between finishing the combofix and my deleting it? Also, can you tell me what the missing mspnabke.dll is and where I can find it to install. Thanks for all of your help and below is the combofix log.

Scott

ComboFix 09-03-06.02 - Administrator 2009-03-09 6:44:17.2 - NTFSx86
Running from: c:\documents and settings\Administrator.EXPERIENCE\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator.EXPERIENCE\Desktop\CFScript.txt

FILE ::
c:\windows\system32\cpnprt2.cid
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{019584BA-573E-7057-FF25-231D16BBC97A}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{1A50FFB5-5C01-DBE2-C323-BB97CA2FC8CE}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{33440788-4A08-E489-57F6-3945B69EBAFA}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{33B3C939-10CB-CBFD-211B-6A2F7A7D546F}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{3BC59D79-5AE4-B202-AFF4-810CFDF169B5}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{41356B96-1B69-4DB6-CD3E-D33FD896B82B}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{4834D65D-E4C5-8746-A1D8-CB5DE2B87971}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{59304325-C808-EF08-5F3A-CCA138855553}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{5D6E2611-9B1D-9326-F3E3-DBC5878BDA67}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{621C91EC-2471-09B9-2DA8-910ED0435D29}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{6C6A4CCC-CF5D-43CF-4072-96EA57ACD84E}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{749AECB5-9BAC-54C7-415A-B3EADD0CAAE8}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{7C1ED521-653E-1D4D-A144-29F1391E06FE}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{80C447F4-B7A2-3AE8-5AEC-92E289C8182F}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{83BC6E17-B00C-8140-BA86-E49A6E7B47C5}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{92DE372F-67F7-CB70-78FC-362DC91108DF}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{938FDA2A-2859-BFFA-9EE7-ABE6B8136D63}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{945D188F-2B0B-ACA8-3CB4-2FFE420E5FFD}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{9683D0EC-D0BB-10FF-C0EB-FE9CE64A6DEE}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{A09D539C-1DD1-5FCA-94C3-2C5BF415D224}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{A46AF2F0-D212-CA64-281B-0F50AF81007D}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{A83E8C55-2AFE-2D21-EB39-843903F0EB08}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{ADB8207E-E021-A715-EE91-24CABF6E89F6}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{B7B9FADF-4EAA-F1CD-7B30-ACB70B66F697}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{C3392FAD-2B47-3F37-06F6-BC2E43C69EC3}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{C74E1A99-AC5B-8C99-1D8F-B6F589C19BA1}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{D34C5B70-B099-3610-FB2F-8CEBBEFF7A29}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{E99958FF-204C-3FC0-07AF-7FB16F917195}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{EE09A2CF-1EA6-574A-80DE-FF344A595800}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{F4A993D2-1DD2-F377-81ED-465EF864DAD7}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{FAACD659-E153-7C4E-4D4D-E898619D2F23}
c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia\data\{FF9CEC29-49BD-58DD-21F0-6CA28EC0E194}
c:\program files\Coupons
c:\program files\Coupons\Coupons.com.url
c:\program files\Coupons\uninstall.exe
c:\program files\Coupons\Uninstall\IRIMG1.JPG
c:\program files\Coupons\Uninstall\IRIMG2.JPG
c:\program files\Coupons\Uninstall\IRIMG3.JPG
c:\program files\Coupons\Uninstall\IRIMG4.JPG
c:\program files\Coupons\Uninstall\IRIMG5.JPG
c:\program files\Coupons\Uninstall\IRIMG6.JPG
c:\program files\Coupons\Uninstall\IRIMG7.JPG
c:\program files\Coupons\Uninstall\IRIMG8.JPG
c:\program files\Coupons\Uninstall\uninstall.dat
c:\program files\Coupons\Uninstall\uninstall.xml
c:\windows\system32\cpnprt2.cid

[COLOR=RED] c:\windows\system32\imm32.dll . . . is infected!![/COLOR]

.
((((((((((((((((((((((((( Files Created from 2009-02-09 to 2009-03-09 )))))))))))))))))))))))))))))))
.

2100-02-23 14:35 . 2001-02-22 09:54 768 --a------ c:\program files\x73_lut.dat
2100-02-08 16:03 . 2001-05-11 11:39 53,248 --a------ c:\program files\ACMonitor_X73.exe
2009-03-07 10:58 . 2009-03-07 10:58 <DIR> d-------- c:\windows\system32\xircom
2009-03-07 10:58 . 2009-03-07 10:58 <DIR> d-------- c:\windows\system32\restore
2009-03-07 10:58 . 2009-03-07 10:58 <DIR> d-------- c:\windows\system32\oobe
2009-03-07 10:58 . 2009-03-07 10:58 <DIR> d-------- c:\windows\system32\npp
2009-03-07 10:58 . 2009-03-07 10:58 <DIR> d-------- c:\windows\srchasst
2009-03-07 10:58 . 2009-03-07 10:58 <DIR> d-------- c:\windows\pchealth
2009-03-07 10:58 . 2009-03-07 10:58 <DIR> d-------- c:\windows\msagent
2009-03-07 10:58 . 2009-03-07 10:58 <DIR> d-------- c:\program files\microsoft frontpage
2009-03-07 07:27 . 2009-03-07 07:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-07 07:27 . 2009-03-07 07:27 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-03-07 07:27 . 2009-03-07 07:27 <DIR> d-------- c:\documents and settings\Administrator.EXPERIENCE\Application Data\Malwarebytes
2009-03-07 07:27 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-07 07:27 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-06 15:49 . 2009-03-06 15:49 <DIR> d-------- c:\windows\Cache
2009-02-21 00:38 . 2009-03-07 10:58 <DIR> d-------- c:\windows\HELP
2009-02-21 00:38 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll
2009-02-21 00:38 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2009-02-21 00:38 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2009-02-21 00:38 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-02-21 00:38 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2009-02-19 15:18 . 2009-02-19 15:18 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\35271
2009-02-17 13:11 . 2009-02-17 13:11 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\A37A
2009-02-17 11:09 . 2009-02-17 11:09 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\1735B
2009-02-17 10:53 . 2008-09-25 08:20 483,328 --a------ c:\windows\system32\actskn45.ocx
2009-02-17 10:11 . 2009-02-17 10:10 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-17 10:10 . 2009-02-17 10:10 <DIR> d-------- c:\program files\Java
2009-02-17 10:03 . 2009-02-17 10:03 <DIR> d-------- c:\program files\LimeWire
2009-02-16 18:05 . 2009-02-16 18:05 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Playrix Entertainment
2009-02-12 20:40 . 2009-02-12 20:40 <DIR> d--hs---- c:\windows\ftpcache
2009-02-12 20:40 . 2009-02-12 20:40 <DIR> d-------- c:\documents and settings\Administrator.EXPERIENCE\Application Data\Sandlot Games
2009-02-12 20:39 . 2009-02-12 20:39 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\NeoEdge Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-08 22:03 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2009-03-07 01:10 --------- d-----w c:\program files\TuneUp Utilities 2009
2009-03-06 12:40 --------- d-----w c:\program files\Blue Coat K9 Web Protection
2009-03-05 23:17 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-02-17 15:10 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-10 11:00 --------- d-----w c:\program files\Lavasoft
2009-02-10 11:00 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-30 02:01 --------- d-----w c:\program files\Gpotato
2009-01-30 00:54 --------- d-----w c:\program files\Hasbro Interactive
2009-01-30 00:41 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-30 00:41 --------- d-----w c:\program files\Microsoft Games
2009-01-29 22:55 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-29 22:55 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-26 18:59 --------- d-----w c:\program files\zoomplayer402
2009-01-26 15:37 --------- d-----w c:\program files\Abacast
2009-01-16 21:14 --------- d-----w c:\program files\1 Click PC Fix
2009-01-16 21:06 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-01-16 20:56 --------- d-----w c:\program files\SmartPCTools
2009-01-16 19:49 --------- d-----w c:\program files\Common Files\AOL
2009-01-16 17:22 --------- d-----w c:\program files\KeyScrambler
2009-01-12 03:17 --------- d-----w c:\documents and settings\Administrator.EXPERIENCE\Application Data\LimeWire
2009-01-08 00:21 2,275,328 ----a-w c:\windows\system32\TUKernel.exe
2009-01-08 00:13 603,904 ----a-w c:\windows\system32\TUProgSt.exe
2009-01-08 00:13 360,192 ----a-w c:\windows\system32\TuneUpDefragService.exe
2008-12-30 22:15 110,592 ----a-w c:\windows\system32\imm32.dll
2008-12-11 20:03 2,560 ----a-w c:\windows\_MSRSTRT.EXE
2008-12-11 18:31 27,904 ----a-w c:\windows\system32\uxtuneup.dll
2001-07-26 21:58 47 ----a-w c:\program files\ACMonitor_X73.ini
2001-07-05 17:46 8,116 ----a-w c:\program files\OSLO3071b2.USB
2001-05-08 21:36 114,688 ----a-w c:\program files\lxarscan.dll
2001-04-23 19:22 1,437 ----a-w c:\program files\gtx73.ini
2009-01-19 17:14 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-19 17:14 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-19 17:14 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-19 17:14 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-19 17:14 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

2006-08-06 07:00 360576 c7be59b07c6eb74bea6fd67c1b164015 c:\windows\system32\drivers\tcpip.sys

2008-12-30 17:15 110592 28276765be18218cef4a16201f5568a6 c:\windows\system32\imm32.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-03-07_10.59.12.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-09 11:46:19 16,384 ----atw c:\windows\system32\config\systemprofile\Local Settings\temp\Perflib_Perfdata_7ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-29 1601304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-17 148888]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 c:\windows\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-10-21 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-21 c:\windows\ALCWZRD.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"KeyScrambler"="c:\program files\KeyScrambler\getting_started.html" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoRecentDocsNetHood"= 01000000
"NoNetworkConnections"= 01000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users.WINDOWS\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-29 17:55 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\program files\ffdshow\ffdshow.ax

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
--a------ 2006-10-08 10:25 497152 c:\program files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-04-13 06:09 49152 c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 09:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2005-12-07 17:57 30208 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-12-14 11:13 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-03 18:02 36352 c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Abacast\\Abaclient.exe"=
"c:\\Program Files\\Gpotato\\Flyff\\Flyff.exe"=

R3 motccgp;Motorola USB Composite Device Driver; [x]
R3 motccgpfl;MotCcgpFlService; [x]
R3 motport;Motorola USB Diagnostic Port; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-01-29 325128]
S1 cwmtdi;cwmtdi;c:\windows\system32\drivers\cwmtdi.sys [2007-05-14 48640]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-29 298264]
S2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2009-01-07 603904]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2008-06-24 113896]


--- Other Services/Drivers In Memory ---

*Deregistered* - AFD
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - avg8wd
*Deregistered* - AvgLdx86
*Deregistered* - AvgMfx86
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - ElbyCDIO
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - HTTP
*Deregistered* - HTTPFilter
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LexBceS
*Deregistered* - LmHosts
*Deregistered* - MountMgr
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RichVideo
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - StillCam
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - Themes
*Deregistered* - TuneUp.ProgramStatisticsSvc
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - Viewpoint Manager Service
*Deregistered* - Wanarp
*Deregistered* - WebFilter
*Deregistered* - winmgmt
*Deregistered* - WmiApSrv
*Deregistered* - wuauserv
*Deregistered* - WudfPf
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
DcomLaunch REG_MULTI_SZ DcomLaunch

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d581fb2-da7d-11dc-9d8f-bac1f0304e67}]
\Shell\AutoRun\command - L:\PCConnect.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf72b140-117c-11dd-9e5f-8a0a4b52b3c8}]
\Shell\AutoRun\command - L:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-03-09 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 21:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.youtube.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator.EXPERIENCE\Application Data\Mozilla\Firefox\Profiles\5d8pjntg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\documents and settings\Administrator.EXPERIENCE\Application Data\Mozilla\Firefox\Profiles\5d8pjntg.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\components\FoxyTunes.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-09 06:46:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\VCOM\PowerDesk\pddlghlp.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Blue Coat K9 Web Protection\k9filter.exe
c:\program files\TuneUp Utilities 2009\Shredder.exe
.
**************************************************************************
.
Completion time: 2009-03-09 6:47:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-09 11:47:44
ComboFix2.txt 2009-03-07 16:00:17

Pre-Run: 3,921,666,048 bytes free
Post-Run: 4,432,318,464 bytes free

345



#8
March 9, 2009 at 14:41:21
My son had the computer shut down on him this afternoon. He was watching a video on youtube with int. exp. when it happened. I started the computer up and found "a.exe" on my desktop. I deleted it immediately, followed by running avg and spybot s&d. I did all this in safe mode. Should I do anything else?
Thanks for your help.


#9
March 9, 2009 at 15:36:17
This note in the Combofix log:

[COLOR=RED] c:\windows\system32\imm32.dll . . . is infected!![/COLOR]

Means you have an infected file that ComboFix cannot replace because it does not see one in your system.

Probably where the bad files are coming from.

You should be able to get a free copy of this file off of the internet. Find it and download it to your desktop, then let us know when you have it downloaded, or just replace it if you know how to.


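As an added example (not code from this thread, from ComboFix, or from its author), here is a small Python triage script that pulls out of a ComboFix log the items the helper's replies point at: the red "is infected!!" marker explained in #9, the Sigcheck lines (date, size, MD5, path), the netsvcs entries ComboFix flagged as "REQUIRES REPAIRS" in the #5 log, and the removable-drive AutoRun commands under mountpoints2. The log excerpt embedded below is constructed from lines of the logs posted above; the reference hash table is a constructed placeholder (only the tcpip.sys value is copied from the log so that it matches), not a real list of known-good hashes.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt assembled from lines of the ComboFix logs posted in this
# thread; it is sample input for the parser, not a complete log.
SAMPLE_LOG = r"""
[COLOR=RED]NETSVCS REQUIRES REPAIRS - current entries shown[/COLOR]
6to4
AppMgmt
AudioSrv
UxTuneUp
WmdmPmSN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d581fb2-da7d-11dc-9d8f-bac1f0304e67}]
\Shell\AutoRun\command - L:\PCConnect.exe

[COLOR=RED] c:\windows\system32\imm32.dll . . . is infected!![/COLOR]

------- Sigcheck -------

2006-08-06 07:00 360576 c7be59b07c6eb74bea6fd67c1b164015 c:\windows\system32\drivers\tcpip.sys

2008-12-30 17:15 110592 28276765be18218cef4a16201f5568a6 c:\windows\system32\imm32.dll
.
"""

# Constructed placeholder reference table (lowercase path -> expected MD5).
# A real triage would take these from a trusted source for the installed
# service pack; the all-zero value is deliberately wrong to show a mismatch.
REFERENCE_MD5 = {
    r"c:\windows\system32\drivers\tcpip.sys": "c7be59b07c6eb74bea6fd67c1b164015",
    r"c:\windows\system32\imm32.dll": "0" * 32,
}

INFECTED_RE = re.compile(r"\[COLOR=RED\]\s*(\S.*?) \. \. \. is infected!!\[/COLOR\]")
SIGCHECK_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+([0-9a-fA-F]{32})\s+(.+)$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$")
NETSVCS_HDR = "NETSVCS REQUIRES REPAIRS"


def parse_combofix_log(text: str) -> Dict[str, list]:
    """Extract the findings a reviewer looks for first from ComboFix log text."""
    result: Dict[str, list] = {"infected": [], "sigcheck": [], "netsvcs": [], "autorun_commands": []}
    current_key = None      # last registry key header seen, for AutoRun attribution
    in_netsvcs = False      # inside the block that follows the NETSVCS header
    for raw in text.splitlines():
        line = raw.strip()
        if in_netsvcs:
            if not line:        # the entries list ends at the first blank line
                in_netsvcs = False
            else:
                result["netsvcs"].append(line)
            continue
        if NETSVCS_HDR in line:
            in_netsvcs = True
            continue
        m = INFECTED_RE.search(line)
        if m:
            result["infected"].append(m.group(1))
            continue
        m = SIGCHECK_RE.match(line)
        if m:
            result["sigcheck"].append(
                {"date": m.group(1), "size": int(m.group(2)), "md5": m.group(3).lower(), "path": m.group(4)})
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = AUTORUN_RE.match(line)
        if m and current_key and "mountpoints2" in current_key.lower():
            volume_guid = current_key.rsplit("\\", 1)[-1]
            result["autorun_commands"].append((volume_guid, m.group(1)))
    return result


def find_sigcheck_mismatches(entries: List[dict], reference: Dict[str, str]) -> List[str]:
    """Return the paths whose logged MD5 differs from the reference table."""
    return [e["path"] for e in entries
            if reference.get(e["path"].lower(), e["md5"]).lower() != e["md5"]]


def triage_lines(text: str, reference: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flatten the findings into (category, detail) pairs for a quick read."""
    parsed = parse_combofix_log(text)
    lines = [("infected", p) for p in parsed["infected"]]
    lines += [("hash-mismatch", p) for p in find_sigcheck_mismatches(parsed["sigcheck"], reference)]
    lines += [("autorun", f"{guid} -> {cmd}") for guid, cmd in parsed["autorun_commands"]]
    if parsed["netsvcs"]:
        lines.append(("netsvcs-repair", ", ".join(parsed["netsvcs"])))
    return lines


if __name__ == "__main__":
    for category, detail in triage_lines(SAMPLE_LOG, REFERENCE_MD5):
        print(f"{category:15} {detail}")
```

The script only reads log text, so it can be run on a clean machine against a log pasted from the infected one; the hash comparison is the part that turns the Sigcheck section into a yes/no answer, which is why the reference table, however it is obtained, has to come from a trusted source rather than from the suspect machine.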

#10
March 9, 2009 at 16:17:16
I have downloaded the imm.dll to my desktop and am ready for instructions.


Thanks,
Scott



#11
March 9, 2009 at 20:02:31
That file name should be imm32.dll, if it is not do not do the following.

Go to Start > My Computer > Local Disk (C:) > Windows > System32 > scroll down to the imm32.dll file > right click it > click Rename > rename the file imm32.dll.old > click a blank spot on the screen, then minimize the window to keep it open.

Next, with the system32 window opened but minimized find the new imm32.dll file on your desktop and drag it over into the system32 window.

Once you have the new file in the System32 folder, delete the old imm32.dll.old file but do not remove it from the Recycle Bin yet.

Post a new Combofix log following the previous directions.



#12
March 10, 2009 at 05:18:33
I followed your directions for the imm32.dll file. After renaming the old one windows asked for a restore disk. I canceled several times to get past it. After dragging the new file over I could not find the old one.
Again, thanks for your patience.


ComboFix 09-03-06.02 - Administrator 2009-03-10 7:16:18.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2039.1555 [GMT -5:00]
Running from: c:\documents and settings\Administrator.EXPERIENCE\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-02-10 to 2009-03-10 )))))))))))))))))))))))))))))))
.

2100-02-23 14:35 . 2001-02-22 09:54 768 --a------ c:\program files\x73_lut.dat
2100-02-08 16:03 . 2001-05-11 11:39 53,248 --a------ c:\program files\ACMonitor_X73.exe
2009-03-09 18:22 . 2004-05-13 15:51 103,936 --a------ c:\windows\system32\IMM32.DLL
2009-03-09 15:55 . 2009-03-09 15:55 <DIR> d-------- c:\documents and settings\Administrator.EXPERIENCE\Application Data\DivX
2009-03-07 10:58 . 2009-03-07 10:58 <DIR> d-------- c:\windows\system32\xircom
2009-03-07 10:58 . 2009-03-07 10:58 <DIR> d-------- c:\windows\system32\restore
2009-03-07 10:58 . 2009-03-07 10:58 <DIR> d-------- c:\windows\system32\oobe
2009-03-07 10:58 . 2009-03-07 10:58 <DIR> d-------- c:\windows\system32\npp
2009-03-07 10:58 . 2009-03-07 10:58 <DIR> d-------- c:\windows\srchasst
2009-03-07 10:58 . 2009-03-07 10:58 <DIR> d-------- c:\windows\pchealth
2009-03-07 10:58 . 2009-03-07 10:58 <DIR> d-------- c:\windows\msagent
2009-03-07 10:58 . 2009-03-07 10:58 <DIR> d-------- c:\program files\microsoft frontpage
2009-03-07 07:27 . 2009-03-07 07:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-07 07:27 . 2009-03-07 07:27 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-03-07 07:27 . 2009-03-07 07:27 <DIR> d-------- c:\documents and settings\Administrator.EXPERIENCE\Application Data\Malwarebytes
2009-03-07 07:27 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-07 07:27 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-06 15:49 . 2009-03-06 15:49 <DIR> d-------- c:\windows\Cache
2009-02-21 00:38 . 2009-03-07 10:58 <DIR> d-------- c:\windows\HELP
2009-02-21 00:38 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll
2009-02-21 00:38 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2009-02-21 00:38 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2009-02-21 00:38 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-02-21 00:38 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2009-02-19 15:18 . 2009-02-19 15:18 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\35271
2009-02-17 13:11 . 2009-02-17 13:11 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\A37A
2009-02-17 11:09 . 2009-02-17 11:09 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\1735B
2009-02-17 10:53 . 2008-09-25 08:20 483,328 --a------ c:\windows\system32\actskn45.ocx
2009-02-17 10:11 . 2009-02-17 10:10 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-17 10:10 . 2009-02-17 10:10 <DIR> d-------- c:\program files\Java
2009-02-16 18:05 . 2009-02-16 18:05 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Playrix Entertainment
2009-02-12 20:40 . 2009-02-12 20:40 <DIR> d--hs---- c:\windows\ftpcache
2009-02-12 20:40 . 2009-02-12 20:40 <DIR> d-------- c:\documents and settings\Administrator.EXPERIENCE\Application Data\Sandlot Games
2009-02-12 20:39 . 2009-02-12 20:39 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\NeoEdge Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-09 21:39 --------- d-----w c:\program files\DivX
2009-03-09 20:56 --------- d-----w c:\program files\zoomplayer402
2009-03-09 17:31 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-03-09 17:30 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-09 16:39 --------- d-----w c:\program files\Blue Coat K9 Web Protection
2009-03-08 22:03 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2009-03-07 01:10 --------- d-----w c:\program files\TuneUp Utilities 2009
2009-02-17 15:10 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-10 11:00 --------- d-----w c:\program files\Lavasoft
2009-02-10 11:00 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-30 02:01 --------- d-----w c:\program files\Gpotato
2009-01-30 00:41 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-30 00:41 --------- d-----w c:\program files\Microsoft Games
2009-01-29 22:55 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-29 22:55 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-26 15:37 --------- d-----w c:\program files\Abacast
2009-01-16 21:14 --------- d-----w c:\program files\1 Click PC Fix
2009-01-16 21:06 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-01-16 20:56 --------- d-----w c:\program files\SmartPCTools
2009-01-16 19:49 --------- d-----w c:\program files\Common Files\AOL
2009-01-16 17:22 --------- d-----w c:\program files\KeyScrambler
2009-01-12 03:17 --------- d-----w c:\documents and settings\Administrator.EXPERIENCE\Application Data\LimeWire
2009-01-08 00:21 2,275,328 ----a-w c:\windows\system32\TUKernel.exe
2009-01-08 00:13 603,904 ----a-w c:\windows\system32\TUProgSt.exe
2009-01-08 00:13 360,192 ----a-w c:\windows\system32\TuneUpDefragService.exe
2008-12-11 20:03 2,560 ----a-w c:\windows\_MSRSTRT.EXE
2008-12-11 18:31 27,904 ----a-w c:\windows\system32\uxtuneup.dll
2001-07-26 21:58 47 ----a-w c:\program files\ACMonitor_X73.ini
2001-07-05 17:46 8,116 ----a-w c:\program files\OSLO3071b2.USB
2001-05-08 21:36 114,688 ----a-w c:\program files\lxarscan.dll
2001-04-23 19:22 1,437 ----a-w c:\program files\gtx73.ini
2009-01-19 17:14 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-19 17:14 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-19 17:14 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-19 17:14 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-19 17:14 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

2006-08-06 07:00 360576 c7be59b07c6eb74bea6fd67c1b164015 c:\windows\system32\drivers\tcpip.sys

2004-05-13 15:51 103936 c9f9e3e6b59c6d6cbce7f14494a4518a c:\windows\system32\IMM32.DLL
.
((((((((((((((((((((((((((((( SnapShot@2009-03-07_10.59.12.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-10 12:00:49 16,384 ----atw c:\windows\system32\config\systemprofile\Local Settings\temp\Perflib_Perfdata_764.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-29 1601304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-17 148888]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 c:\windows\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-10-21 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-21 c:\windows\ALCWZRD.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"KeyScrambler"="c:\program files\KeyScrambler\getting_started.html" [X]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Dialog Helper.lnk - c:\program files\VCOM\PowerDesk\pddlghlp.exe [2004-08-02 40960]

c:\documents and settings\Administrator.EXPERIENCE\Start Menu\Programs\Startup\
Dialog Helper.lnk - c:\program files\VCOM\PowerDesk\pddlghlp.exe [2004-08-02 40960]
PowerReg Scheduler.exe [2009-01-29 189952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoRecentDocsNetHood"= 01000000
"NoNetworkConnections"= 01000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users.WINDOWS\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-29 17:55 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\program files\ffdshow\ffdshow.ax

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
--a------ 2006-10-08 10:25 497152 c:\program files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-04-13 06:09 49152 c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 09:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2005-12-07 17:57 30208 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2009-01-26 15:31 2144088 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-12-14 11:13 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-03 18:02 36352 c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Abacast\\Abaclient.exe"=
"c:\\Program Files\\Gpotato\\Flyff\\Flyff.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-24 325128]
R1 cwmtdi;cwmtdi;c:\windows\system32\drivers\cwmtdi.sys [2007-05-14 48640]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-24 298264]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-01-07 603904]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-28 24652]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2008-10-26 113896]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys --> c:\windows\system32\DRIVERS\motport.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
DcomLaunch REG_MULTI_SZ DcomLaunch

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d581fb2-da7d-11dc-9d8f-bac1f0304e67}]
\Shell\AutoRun\command - L:\PCConnect.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf72b140-117c-11dd-9e5f-8a0a4b52b3c8}]
\Shell\AutoRun\command - L:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-03-10 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 21:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.youtube.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator.EXPERIENCE\Application Data\Mozilla\Firefox\Profiles\5d8pjntg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\documents and settings\Administrator.EXPERIENCE\Application Data\Mozilla\Firefox\Profiles\5d8pjntg.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\components\FoxyTunes.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-10 07:17:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-10 7:18:06
ComboFix-quarantined-files.txt 2009-03-10 12:18:04
ComboFix2.txt 2009-03-09 11:47:48
ComboFix3.txt 2009-03-07 16:00:17

Pre-Run: 4,606,832,640 bytes free
Post-Run: 4,606,676,992 bytes free


#13
March 11, 2009 at 08:50:41
jabuck:

Does the last ComboFix log look good? My novice eye didn't spot anything that looked bad. I have still had the AVG Resident Shield warning about Trojan horse PSW.Generic6.BEJD. Any thoughts on that?
Thanks,
Scott

