Misc. Popups

I've been getting misc. popups for the last week. Most frequently is a page advertising RegCure, but some appear to be misc. advertisements, such as Caring4Cancer. Below is my HJT log. Thanks...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:38 PM, on 3/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Sun\jstudio_ent81\collab\bin\xmppd-jse.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\dtmonx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\HPDESK\hppddir.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Allan\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=,DTMONX.EXE
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {b02957c2-f6c1-1109-db44-db51425abe77} - {77eba524-15bd-44bd-9011-1c6f2c75920b} - C:\WINDOWS\system32\qkedny.dll
O2 - BHO: (no name) - {9a0a61bc-5d64-4a59-a313-67b03984376b} - C:\WINDOWS\system32\laviweta.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet
O4 - HKLM\..\Run: [NVHotkey] "rundll32.exe" nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\DellTPad\Apoint.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [zifikirolo] Rundll32.exe "C:\WINDOWS\system32\lasobemo.dll",s
O4 - HKLM\..\Run: [c0183d67] rundll32.exe "C:\WINDOWS\system32\wegagolu.dll",b
O4 - HKLM\..\Run: [CPMc32b0efb] Rundll32.exe "c:\windows\system32\wenihubi.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [zifikirolo] Rundll32.exe "C:\WINDOWS\system32\lasobemo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [zifikirolo] Rundll32.exe "C:\WINDOWS\system32\lasobemo.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187794461859
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\zimuworo.dll c:\windows\system32\wenihubi.dll qkedny.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wenihubi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wenihubi.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Collaboration Runtime Service (xmppd-jse) - Unknown owner - C:\Program Files\Sun\jstudio_ent81\collab\bin\xmppd-jse.exe

--
End of file - 9579 bytes
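One way to triage a log like the one above, as an added example that is not part of the original post and not HijackThis' own logic: the script parses HJT-format lines and flags the loading points a helper reads first. The sample lines are a subset copied from the log above, with two benign entries kept for contrast; the rules (a BHO with no readable name, a rundll32 Run entry calling a DLL by a one-letter export, a Run entry under the LOCAL SERVICE or NETWORK SERVICE hive, any AppInit_DLLs entry, one CLSID registered as both SSODL and SharedTaskScheduler, a win.ini load= target) are this example's assumptions about what a malware-loaded entry looks like.

```python
"""Triage the loading points in a HijackThis log.

Added example, not code from the original post or from HijackThis: it
parses HJT-format lines and flags the entries a helper reads first. The
sample lines are a subset copied from the log in the post; the rules
below are this example's assumptions about what a malware-loaded entry
looks like, not HJT's own classification.
"""
import re

# Constructed sample: a subset of the F3/O2/O4/O20/O21/O22 lines from the post,
# with two benign entries (Adobe BHO, NVIDIA rundll32 launcher) kept for contrast.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=,DTMONX.EXE
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {b02957c2-f6c1-1109-db44-db51425abe77} - {77eba524-15bd-44bd-9011-1c6f2c75920b} - C:\WINDOWS\system32\qkedny.dll
O2 - BHO: (no name) - {9a0a61bc-5d64-4a59-a313-67b03984376b} - C:\WINDOWS\system32\laviweta.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [zifikirolo] Rundll32.exe "C:\WINDOWS\system32\lasobemo.dll",s
O4 - HKLM\..\Run: [c0183d67] rundll32.exe "C:\WINDOWS\system32\wegagolu.dll",b
O4 - HKUS\S-1-5-19\..\Run: [zifikirolo] Rundll32.exe "C:\WINDOWS\system32\lasobemo.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\zimuworo.dll c:\windows\system32\wenihubi.dll qkedny.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wenihubi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wenihubi.dll
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# rundll32 <dll>,<export>; the Vundo-style entries in the post use a one-letter export.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S*)', re.IGNORECASE)
FILE_RE = re.compile(r"[A-Za-z0-9_~-]+\.(?:dll|exe)", re.IGNORECASE)
SERVICE_HIVES = ("HKUS\\S-1-5-19", "HKUS\\S-1-5-20")   # LOCAL SERVICE / NETWORK SERVICE


def triage(log_text):
    """Return (section, reason, artifact) tuples for the loading points worth a second look."""
    findings = []
    clsid_owners = {}   # CLSID -> {section: path} for O21/O22 entries
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "F3" and "load=" in body:
            target = body.split("load=", 1)[1].strip(", ")
            if target:
                findings.append((code, "win.ini load= runs a program at logon", target))
        elif code == "O2":
            name = body.split(" - ")[0].replace("BHO:", "", 1).strip()
            path = body.rsplit(" - ", 1)[-1]
            if name == "(no name)" or CLSID_RE.fullmatch(name):
                findings.append((code, "BHO without a readable name", path))
        elif code == "O4":
            if body.startswith(SERVICE_HIVES):
                findings.append((code, "Run entry under a service-account hive", body.split("]", 1)[-1].strip()))
            r = RUNDLL_RE.search(body)
            if r and len(r.group("export")) == 1:
                findings.append((code, "rundll32 calling a DLL by one-letter export", r.group("dll")))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            for dll in body.split(":", 1)[1].split():
                findings.append((code, "AppInit_DLLs loads into every user-mode process", dll))
        elif code in ("O21", "O22"):
            c = CLSID_RE.search(body)
            if c:
                clsid_owners.setdefault(c.group(0).lower(), {})[code] = body.rsplit(" - ", 1)[-1]
    for owners in clsid_owners.values():
        if set(owners) >= {"O21", "O22"}:
            findings.append(("O21/O22", "one CLSID registered as both SSODL and SharedTaskScheduler", owners["O22"]))
    return findings


def flagged_files(findings):
    """Lower-cased basenames named by the findings, for cross-checking against removal logs."""
    names = set()
    for _, _, artifact in findings:
        for f in FILE_RE.findall(artifact):
            if f.lower() != "rundll32.exe":   # the loader, not the payload
                names.add(f.lower())
    return names


if __name__ == "__main__":
    for section, reason, artifact in triage(SAMPLE_LOG):
        print(f"{section:7} {reason}: {artifact}")
    print("files to account for:", sorted(flagged_files(triage(SAMPLE_LOG))))
```

On the sample it flags seven files (dtmonx.exe, qkedny.dll, laviweta.dll, lasobemo.dll, wegagolu.dll, wenihubi.dll, zimuworo.dll) and leaves the Adobe BHO, the NVIDIA rundll32 entry and the AVG tray entry alone; the AppInit_DLLs and SSODL/SharedTaskScheduler entries are the ones that survive a plain reboot, which is why the removal tools list them as "Delete on reboot" rather than deleting them live.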

Comments

  • edited March 2009
    Hello. :)

    Please download Malwarebytes' Anti-Malware by clicking the link below:
    http://www.besttechie.net/tools/mbam-setup.exe

    Double Click mbam-setup.exe to install the application.

    * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select "Perform Quick Scan", then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * You'll be required to post the contents of this log later.

    Please Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


    ==============================================


    Ok. Let's have you download ComboFix.exe. This will give me a better view of the files running and also hidden on your computer, and also those in the registry. Please visit this webpage for downloading and instructions for running the tool:

    Go here ======> A guide and tutorial on using ComboFix <====== Go here

    Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use SP2.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should get a prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    (1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    (2) Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review (copy and paste them, not attach), so that we may continue cleansing the system:

    MBAM log
    C:\ComboFix.txt
    New HijackThis log

    Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
  • edited March 2009
    Okay, ran the programs as instructed. Below are the requested logs.

    Malwarebytes' Anti-Malware 1.34
    Database version: 1856
    Windows 5.1.2600 Service Pack 3

    3/16/2009 6:00:28 PM
    mbam-log-2009-03-16 (18-00-28).txt

    Scan type: Quick Scan
    Objects scanned: 93030
    Time elapsed: 21 minute(s), 0 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 8
    Registry Keys Infected: 24
    Registry Values Infected: 5
    Registry Data Items Infected: 7
    Folders Infected: 3
    Files Infected: 26

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\hikenile.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\lasobemo.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\laviweta.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\zimuworo.dll (Trojan.Vundo.H) -> Delete on reboot.
    c:\WINDOWS\system32\vemumise.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\vanabesa.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\afsebz.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\fimijole.dll (Trojan.Vundo.H) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4efe2db1-fac2-4ba0-9cc9-883ecb4c3225} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{4efe2db1-fac2-4ba0-9cc9-883ecb4c3225} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9a0a61bc-5d64-4a59-a313-67b03984376b} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{9a0a61bc-5d64-4a59-a313-67b03984376b} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9a0a61bc-5d64-4a59-a313-67b03984376b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4efe2db1-fac2-4ba0-9cc9-883ecb4c3225} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{36a91cec-6c71-4758-b492-397bfc8e96a2} (Adware.Rightonadz) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{41c29b07-6f91-4966-91be-2e2841643c83} (Adware.Adssite) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\adssite (Adware.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\HID_Layer (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Adssite ToolBar (Adware.Adssite) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c0183d67 (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zifikirolo (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmc32b0efb (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\zimuworo.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\zimuworo.dll -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\zimuworo.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\vemumise.dll -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\vemumise.dll -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\WINDOWS\system32\f02WtR (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Allan\Application Data\Adssite Advanced Toolbar (Adware.Adrotator) -> Quarantined and deleted successfully.
    C:\Program Files\Adssite Advanced Toolbar (Adware.Adssite) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\afsebz.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\fimijole.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\elojimif.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\hikenile.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\elinekih.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\miziwiva.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\aviwizim.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wegagolu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ulogagew.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lasobemo.dll (Trojan.Vundo.H) -> Delete on reboot.
    c:\WINDOWS\system32\vemumise.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\laviweta.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\zimuworo.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\vanabesa.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Allan\Local Settings\Temp\e.exe (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Allan\Application Data\Adssite Advanced Toolbar\advertbuttons.xml (Adware.Adrotator) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Allan\Application Data\Adssite Advanced Toolbar\selected.xml (Adware.Adrotator) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\zxdnt3d.cfg. (Adware.ZenoSearch) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\msnav32.ax (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\zxdnt3d.cfg (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\gojobeju.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\zeveluhe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\yulugezu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\labesina.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\6_exception.nls (Trojan.Tibs) -> Quarantined and deleted successfully.


    ComboFix 09-03-15.01 - Allan 2009-03-16 18:38:33.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1503 [GMT -5:00]
    Running from: c:\documents and settings\Allan\Desktop\Downloads\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\temp\fse
    C:\test.txt
    c:\windows\system32\acsapp.dll
    c:\windows\system32\agevafen.ini
    c:\windows\system32\clkqxz.dll
    c:\windows\system32\denjls.dll
    c:\windows\system32\epopapot.ini
    c:\windows\system32\fnkayb.dll
    c:\windows\system32\imujezaj.ini
    c:\windows\system32\kinotava.dll
    c:\windows\system32\mdm.exe
    c:\windows\system32\meyeyihi.dll
    c:\windows\system32\nufifini.dll
    c:\windows\system32\ofujupuy.ini
    c:\windows\system32\oyiniyej.ini
    c:\windows\system32\qkedny.dll
    c:\windows\system32\setup.exe.tmp
    c:\windows\system32\upufuhik.ini
    c:\windows\system32\vakemuna.dll
    c:\windows\system32\watusero.dll
    c:\windows\system32\wenihubi.dll
    c:\windows\system32\winpfz32.sys
    c:\windows\system32\yubihimo.dll
    c:\windows\system32\zusidebi.dll

    BITS: Possible infected sites

    hxxp://82.98.235.205
    .
    ((((((((((((((((((((((((( Files Created from 2009-02-16 to 2009-03-16 )))))))))))))))))))))))))))))))
    .

    2009-03-16 17:35 . 2009-03-16 17:35 <DIR> d-------- c:\documents and settings\Allan\Application Data\Malwarebytes
    2009-03-16 17:34 . 2009-03-16 17:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-03-16 17:34 . 2009-03-16 17:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-03-16 17:34 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-16 17:34 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-03-13 12:36 . 2009-03-13 12:36 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2009-03-11 08:58 . 2009-03-11 08:58 <DIR> d-------- C:\VundoFix Backups
    2009-03-08 13:30 . 2009-03-08 13:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intuit
    2009-03-08 12:31 . 2009-03-08 12:31 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Yahoo!
    2009-03-07 20:44 . 2009-03-07 20:44 <DIR> d-------- c:\documents and settings\Administrator\Bluetooth Software
    2009-03-07 20:44 . 2009-03-07 20:44 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Subversion
    2009-03-07 19:33 . 2009-03-07 19:33 <DIR> d--h----- c:\windows\system32\GroupPolicy
    2009-03-06 22:39 . 2009-03-08 07:28 365 --a------ c:\windows\PSADMIN.INI
    2009-03-06 22:30 . 2009-03-07 00:06 <DIR> d-------- C:\PSADMIN
    2009-03-06 22:25 . 1996-01-08 10:34 246,784 --a------ c:\windows\UNINST16.EXE
    2009-03-06 22:25 . 1994-09-16 15:00 20,976 --a------ c:\windows\system\CTL3D.DLL
    2009-02-26 21:11 . 2009-02-27 21:16 <DIR> d-------- c:\program files\AskBarDis

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-13 17:36 d-----w c:\program files\Lavasoft
    2009-03-13 17:35 d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2009-03-10 01:06 d-----w c:\program files\MyRecipes
    2009-03-08 13:41 d-----w c:\program files\CCleaner
    2009-03-08 03:33 d-----w c:\documents and settings\Allan\Application Data\LimeWire
    2009-02-27 02:21 d-----w c:\documents and settings\Allan\Application Data\FrostWire
    2009-02-27 02:12 d-----w c:\program files\FrostWire
    2009-02-14 17:19 d--h--w c:\program files\InstallShield Installation Information
    2009-02-14 17:19 d-----w c:\program files\KingsIsle Entertainment
    2009-01-31 00:55 d-----w c:\documents and settings\Allan\Application Data\TortoiseSVN
    2009-01-29 14:56 d-----w c:\program files\TortoiseSVN
    2009-01-29 14:56 d-----w c:\program files\Common Files\TortoiseOverlays
    2009-01-29 01:56 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
    2009-01-29 01:53 d-----w c:\documents and settings\All Users\Application Data\avg8
    2009-01-24 00:39 39,056 ----a-w c:\documents and settings\Allan\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-09-08 23:08 279944 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-08 279944]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-08 279944]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
    @="{C5994560-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
    @="{C5994561-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
    @="{C5994562-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
    @="{C5994563-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
    @="{C5994564-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
    @="{C5994565-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
    @="{C5994566-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
    @="{C5994567-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
    @="{C5994568-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-11 8429568]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-04-17 159744]
    "PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-28 1601304]
    "nwiz"="nwiz.exe" [2007-05-11 c:\windows\system32\nwiz.exe]
    "NVHotkey"="nvHotkey.dll" [2007-05-11 c:\windows\system32\nvhotkey.dll]
    "NvMediaCenter"="NvMCTray.dll" [2007-05-11 c:\windows\system32\nvmctray.dll]
    "SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 c:\windows\stsystra.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-05-17 568176]
    Document Assistant.lnk - c:\hpdesk\hppddir.exe [2008-07-11 384512]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-01-28 20:56 10520 c:\windows\system32\avgrsstx.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^Allan^Start Menu^Programs^Startup^Think-Adz.lnk]
    path=c:\documents and settings\Allan\Start Menu\Programs\Startup\Think-Adz.lnk
    backup=c:\windows\pss\Think-Adz.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
    --a------ 2007-11-20 17:40 731136 c:\program files\dvd43\DVD43_Tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-04-27 09:41 282624 c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    --a------ 2006-08-17 09:00 1116920 c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
    --a------ 2006-11-05 11:22 221184 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "VMware NAT Service"=2 (0x2)
    "vmserverdWin32"=2 (0x2)
    "vmount2"=2 (0x2)
    "VMnetDHCP"=2 (0x2)
    "VMAuthdService"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
    "c:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
    "c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
    "c:\\Program Files\\Dune - The Battle for Arrakis\\Fusion.exe"=
    "c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
    "c:\\Java\\jdk1.5.0_14\\jre\\bin\\java.exe"=
    "c:\\Program Files\\Kerio\\Personal Firewall\\PERSFW.exe"=
    "c:\\Java\\jdk1.5.0_14\\bin\\java.exe"=
    "c:\\Program Files\\Java\\jre1.5.0_14\\bin\\java.exe"=
    "c:\\Java\\jdk1.5.0_14\\bin\\appletviewer.exe"=
    "c:\\WINDOWS\\system32\\spoolsv.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\FrostWire\\FrostWire.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\BCMWLTRY.EXE"=

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-27 325128]
    R1 fwdrv;Kerio Personal Firewall Driver;c:\windows\system32\drivers\FWDRV.SYS [2007-09-17 102912]
    R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-28 298264]
    R2 xmppd-jse;Collaboration Runtime Service;c:\program files\Sun\jstudio_ent81\collab\bin\xmppd-jse.exe [2008-03-11 184374]
    S2 HPPECP00;hppecp00;c:\windows\system32\drivers\hppecp00.sys [2008-07-11 42048]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-SITEguard - (no file)
    MSConfigStartUp-c0183d67 - c:\windows\system32\kihufupu.dll
    MSConfigStartUp-CPMc32b0efb - c:\windows\system32\zusidebi.dll
    MSConfigStartUp-zifikirolo - c:\windows\system32\lasobemo.dll


    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.com/
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    Trusted Zone: gotsport.com\www
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-16 18:43:38
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
    "ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
    .
    Other Running Processes
    .
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\WLTRYSVC.EXE
    c:\windows\system32\BCMWLTRY.EXE
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\TortoiseSVN\bin\TSVNCache.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\program files\DellTPad\ApMsgFwd.exe
    c:\program files\DellTPad\hidfind.exe
    c:\program files\DellTPad\ApntEx.exe
    c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    .
    **************************************************************************
    .
    Completion time: 2009-03-16 18:52:14 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-16 23:52:12

    Pre-Run: 91,070,943,232 bytes free
    Post-Run: 91,128,369,152 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    259 --- E O F --- 2009-02-25 16:02:41


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:53:38 PM, on 3/16/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Sun\jstudio_ent81\collab\bin\xmppd-jse.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\HPDESK\hppddir.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Allan\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet
    O4 - HKLM\..\Run: [NVHotkey] "rundll32.exe" nvHotkey.dll,Start
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [Apoint] "C:\Program Files\DellTPad\Apoint.exe"
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.com/srl_bin/sysreqlab3.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187794461859
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
    O23 - Service: Collaboration Runtime Service (xmppd-jse) - Unknown owner - C:\Program Files\Sun\jstudio_ent81\collab\bin\xmppd-jse.exe

    --
    End of file - 8476 bytes
  • edited March 2009
    Please go to Control Panel > Add/Remove Programs and uninstall the following if found:
    AskBar
    Ask Toolbar
    AskBarDis

    Reboot even if not prompted to.

    Next go to this folder:
    c:\program files\

    Delete the following folder name if it exists:
    AskBarDis

    Now run HijackThis and place a tick by the following entries if they still exist:
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

    Close all other windows except HijackThis and press "Fix Checked". Then close HijackThis and restart the computer.

    Finally, restart your PC once more. Run new scans with both ComboFix and HijackThis and post the 2 new logs in your reply. Also, let me know how your computer is running now.
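    One way to automate the "if they still exist" check from the reply above, by comparing the IE add-on entries (O2 BHOs and O3 toolbars) of the before and after HijackThis logs. This is an added example for this thread, not code from HijackThis, ComboFix or the forum; its sample input is the O2/O3 lines from the two logs posted in this thread, and the names IeAddon, parse_addons, diff_addons, still_present, addons_from_folder and ASK_CLSIDS are the example's own.

```python
"""Compare the IE add-on entries (O2 BHOs, O3 toolbars) of two HijackThis logs.

Added example for this thread, not part of HijackThis or ComboFix. The helper
names below are the example's own.
"""
import re
from dataclasses import dataclass

# Shape of a HijackThis O2/O3 line:
#   O2 - BHO: <name> - {<CLSID>} - <path>
#   O3 - Toolbar: <name> - {<CLSID>} - <path>
ENTRY_RE = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)

# Sample input: the O2/O3 lines of the 2009-03-16 log (before the fix), as posted.
BEFORE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
"""

# Sample input: the O2/O3 lines of the 2009-03-17 log (after the fix), as posted.
AFTER_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
"""

# The two CLSIDs the helper asked to have ticked in HijackThis.
ASK_CLSIDS = [
    "{201f27d4-3704-41d6-89c1-aa35e39143ed}",
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}",
]


@dataclass(frozen=True)
class IeAddon:
    section: str   # "O2" (BHO) or "O3" (toolbar)
    name: str
    clsid: str     # upper-cased so the same GUID compares equal across logs
    path: str


def parse_addons(log_text):
    """Extract every O2/O3 entry from a HijackThis log; other lines are ignored."""
    addons = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            addons.append(IeAddon(m["section"], m["name"], m["clsid"].upper(), m["path"]))
    return addons


def diff_addons(before_log, after_log):
    """Split the first log's entries into (removed, still_present), matched by CLSID."""
    after_ids = {a.clsid for a in parse_addons(after_log)}
    before = parse_addons(before_log)
    removed = [a for a in before if a.clsid not in after_ids]
    present = [a for a in before if a.clsid in after_ids]
    return removed, present


def still_present(log_text, clsids):
    """Return the CLSIDs from `clsids` that the log still lists (the 'if they still exist' check)."""
    seen = {a.clsid for a in parse_addons(log_text)}
    return sorted(c.upper() for c in clsids if c.upper() in seen)


def addons_from_folder(log_text, folder):
    """Entries whose DLL lives under `folder` (case-insensitive, as Windows paths are)."""
    prefix = folder.rstrip("\\").lower() + "\\"
    return [a for a in parse_addons(log_text) if a.path.lower().startswith(prefix)]


if __name__ == "__main__":
    removed, present = diff_addons(BEFORE_LOG, AFTER_LOG)
    for a in removed:
        print(f"removed: {a.section} {a.name} {a.clsid} {a.path}")
    for a in present:
        print(f"still listed: {a.section} {a.name} {a.clsid}")
    print("Ask entries left:", still_present(AFTER_LOG, ASK_CLSIDS) or "none")
    print("loads from AskBarDis:", len(addons_from_folder(AFTER_LOG, r"C:\Program Files\AskBarDis")))
```

    Matching on CLSID rather than on the display name is deliberate: the name is whatever the add-on registers for itself and can change between installs, while the CLSID is what the O2/O3 registry keys are actually keyed on. The folder check covers the "delete the following folder" step, since any entry still loading a DLL from that folder shows the removal did not complete.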
  • edited March 2009
    The popups seem to be gone. The Ask Toolbar was the only one in the list that you gave. Here are the new logs.

    ComboFix 09-03-15.01 - Allan 2009-03-17 9:32:41.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1464 [GMT -5:00]
    Running from: C:\Documents and Settings\Allan\Desktop\Downloads\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
    .

    ((((((((((((((((((((((((( Files Created from 2009-02-17 to 2009-03-17 )))))))))))))))))))))))))))))))
    .

    2009-03-16 19:31 . 2009-03-16 19:31 1,374 --a------ C:\WINDOWS\imsins.BAK
    2009-03-16 17:35 . 2009-03-16 17:35 <DIR> d-------- C:\Documents and Settings\Allan\Application Data\Malwarebytes
    2009-03-16 17:34 . 2009-03-16 17:35 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2009-03-16 17:34 . 2009-03-16 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2009-03-16 17:34 . 2009-02-11 10:19 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2009-03-16 17:34 . 2009-02-11 10:19 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2009-03-13 12:36 . 2009-03-13 12:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2009-03-11 08:58 . 2009-03-11 08:58 <DIR> d-------- C:\VundoFix Backups
    2009-03-08 13:30 . 2009-03-08 13:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
    2009-03-08 12:31 . 2009-03-08 12:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
    2009-03-07 20:44 . 2009-03-07 20:44 <DIR> d-------- C:\Documents and Settings\Administrator\Bluetooth Software
    2009-03-07 20:44 . 2009-03-07 20:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Subversion
    2009-03-07 19:33 . 2009-03-07 19:33 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
    2009-03-06 22:39 . 2009-03-08 07:28 365 --a------ C:\WINDOWS\PSADMIN.INI
    2009-03-06 22:30 . 2009-03-07 00:06 <DIR> d-------- C:\PSADMIN
    2009-03-06 22:25 . 1996-01-08 10:34 246,784 --a------ C:\WINDOWS\UNINST16.EXE
    2009-03-06 22:25 . 1994-09-16 15:00 20,976 --a------ C:\WINDOWS\system\CTL3D.DLL

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-13 17:36 --------- d-----w C:\Program Files\Lavasoft
    2009-03-13 17:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2009-03-10 01:06 --------- d-----w C:\Program Files\MyRecipes
    2009-03-08 13:41 --------- d-----w C:\Program Files\CCleaner
    2009-03-08 03:33 --------- d-----w C:\Documents and Settings\Allan\Application Data\LimeWire
    2009-02-27 02:21 --------- d-----w C:\Documents and Settings\Allan\Application Data\FrostWire
    2009-02-27 02:12 --------- d-----w C:\Program Files\FrostWire
    2009-02-14 17:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2009-02-14 17:19 --------- d-----w C:\Program Files\KingsIsle Entertainment
    2009-02-09 11:13 1,846,784 ----a-w C:\WINDOWS\system32\win32k.sys
    2009-01-31 00:55 --------- d-----w C:\Documents and Settings\Allan\Application Data\TortoiseSVN
    2009-01-29 14:56 --------- d-----w C:\Program Files\TortoiseSVN
    2009-01-29 14:56 --------- d-----w C:\Program Files\Common Files\TortoiseOverlays
    2009-01-29 01:56 325,128 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
    2009-01-29 01:56 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
    2009-01-29 01:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
    2009-01-24 00:39 39,056 ----a-w C:\Documents and Settings\Allan\Application Data\GDIPFONTCACHEV1.DAT
    2008-12-20 23:15 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-03-16_18.51.30.32 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-12-05 06:54:55 144,896 -c----w C:\WINDOWS\system32\dllcache\schannel.dll
    - 2008-09-15 12:12:56 1,846,400 -c----w C:\WINDOWS\system32\dllcache\win32k.sys
    + 2009-02-09 11:13:27 1,846,784 -c----w C:\WINDOWS\system32\dllcache\win32k.sys
    - 2009-02-15 01:37:10 191,384 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    + 2009-03-17 13:39:10 191,384 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    + 2009-02-25 17:55:00 24,768,960 ----a-w C:\WINDOWS\system32\MRT.exe
    - 2009-03-16 23:06:27 86,192 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2009-03-17 14:20:19 86,192 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2009-03-16 23:06:27 481,912 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2009-03-17 14:20:19 481,912 ----a-w C:\WINDOWS\system32\perfh009.dat
    - 2008-04-14 00:12:05 144,384 ----a-w C:\WINDOWS\system32\schannel.dll
    + 2008-12-05 06:54:55 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    - 2008-07-09 07:38:24 17,272 ------w C:\WINDOWS\system32\spmsg.dll
    + 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
    + 2008-04-15 17:47:33 1,724,416 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\GdiPlus.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
    @="{C5994560-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
    @="{C5994561-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
    @="{C5994562-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
    @="{C5994563-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
    @="{C5994564-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
    @="{C5994565-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
    @="{C5994566-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
    @="{C5994567-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
    @="{C5994568-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 22:57 8429568]
    "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 18:10 1392640]
    "Apoint"="C:\Program Files\DellTPad\Apoint.exe" [2007-04-17 19:31 159744]
    "PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-04-16 16:10 184320]
    "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 15:30 249856]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30 81920]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2009-01-28 20:56 1601304]
    "nwiz"="nwiz.exe" [2007-05-11 22:57 1626112 C:\WINDOWS\system32\nwiz.exe]
    "NVHotkey"="nvHotkey.dll" [2007-05-11 22:57 67584 C:\WINDOWS\system32\nvhotkey.dll]
    "NvMediaCenter"="NvMCTray.dll" [2007-05-11 22:57 81920 C:\WINDOWS\system32\nvmctray.dll]
    "SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 17:10 405504 C:\WINDOWS\stsystra.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-05-17 15:43:18 568176]
    Document Assistant.lnk - C:\HPDESK\hppddir.exe [2008-07-11 17:15:01 384512]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-01-28 20:56 10520 C:\WINDOWS\system32\avgrsstx.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^Allan^Start Menu^Programs^Startup^Think-Adz.lnk]
    path=C:\Documents and Settings\Allan\Start Menu\Programs\Startup\Think-Adz.lnk
    backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
    --a------ 2007-11-20 17:40 731136 C:\Program Files\dvd43\DVD43_Tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    --a------ 2006-08-17 09:00 1116920 C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
    --a------ 2006-11-05 11:22 221184 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "VMware NAT Service"=2 (0x2)
    "vmserverdWin32"=2 (0x2)
    "vmount2"=2 (0x2)
    "VMnetDHCP"=2 (0x2)
    "VMAuthdService"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
    "C:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
    "C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
    "C:\\Program Files\\Dune - The Battle for Arrakis\\Fusion.exe"=
    "C:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
    "C:\\Java\\jdk1.5.0_14\\jre\\bin\\java.exe"=
    "C:\\Program Files\\Kerio\\Personal Firewall\\PERSFW.exe"=
    "C:\\Java\\jdk1.5.0_14\\bin\\java.exe"=
    "C:\\Program Files\\Java\\jre1.5.0_14\\bin\\java.exe"=
    "C:\\Java\\jdk1.5.0_14\\bin\\appletviewer.exe"=
    "C:\\WINDOWS\\system32\\spoolsv.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\FrostWire\\FrostWire.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\DNA\\btdna.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\WINDOWS\\system32\\BCMWLTRY.EXE"=

    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\drivers\avgldx86.sys [2008-05-27 09:49:58 325128]
    R1 fwdrv;Kerio Personal Firewall Driver;C:\WINDOWS\system32\drivers\FWDRV.SYS [2007-09-17 09:04:51 102912]
    R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-01-28 20:56:57 298264]
    R2 xmppd-jse;Collaboration Runtime Service;C:\Program Files\Sun\jstudio_ent81\collab\bin\xmppd-jse.exe [2008-03-11 22:30:36 184374]
    S2 HPPECP00;hppecp00;C:\WINDOWS\system32\drivers\hppecp00.sys [2008-07-11 17:15:02 42048]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 07:01:16 2799808]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.com/
    IE: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    Trusted Zone: gotsport.com\www
    DPF: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
    .


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09:43, on 2009-03-17
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\HPDESK\hppddir.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\Program Files\Sun\jstudio_ent81\collab\bin\xmppd-jse.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Allan\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet
    O4 - HKLM\..\Run: [NVHotkey] "rundll32.exe" nvHotkey.dll,Start
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [Apoint] "C:\Program Files\DellTPad\Apoint.exe"
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.com/srl_bin/sysreqlab3.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187794461859
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
    O23 - Service: Collaboration Runtime Service (xmppd-jse) - Unknown owner - C:\Program Files\Sun\jstudio_ent81\collab\bin\xmppd-jse.exe

    --
    End of file - 8227 bytes
  • edited March 2009
    Sorry I missed some stuff out, let's hope we get them all fixed up now.



    First please run HijackThis and place a tick by the following entry:
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

    Close all other windows except HijackThis and press "Fix Checked". Then close HijackThis and restart the computer.


    Next copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
    It's IMPORTANT to carry out the instructions in the sequence listed below.
    1. Close any open browsers.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Open *notepad* and copy/paste the text in the quotebox below into it:

    File::
    c:\documents and settings\Allan\Start Menu\Programs\Startup\Think-Adz.lnk
    c:\windows\pss\Think-Adz.lnkStartup

    Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

    CFScript.gif
    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt
    Please copy and paste the ComboFix.txt in your next reply please, along with a new HijackThis log.

    *Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer*
  • edited March 2009
    Okay, here are the next two logs.

    ComboFix 09-03-15.01 - Allan 2009-03-18 19:16:34.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1544 [GMT -5:00]
    Running from: c:\documents and settings\Allan\Desktop\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Allan\Desktop\Downloads\cfScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2009-02-19 to 2009-03-19 )))))))))))))))))))))))))))))))
    .

    2009-03-16 19:31 . 2009-03-16 19:31 1,374 --a------ c:\windows\imsins.BAK
    2009-03-16 17:35 . 2009-03-16 17:35 <DIR> d-------- c:\documents and settings\Allan\Application Data\Malwarebytes
    2009-03-16 17:34 . 2009-03-16 17:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-03-16 17:34 . 2009-03-16 17:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-03-16 17:34 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-16 17:34 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-03-13 12:36 . 2009-03-13 12:36 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2009-03-11 08:58 . 2009-03-11 08:58 <DIR> d-------- C:\VundoFix Backups
    2009-03-08 13:30 . 2009-03-08 13:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intuit
    2009-03-08 12:31 . 2009-03-08 12:31 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Yahoo!
    2009-03-07 20:44 . 2009-03-07 20:44 <DIR> d-------- c:\documents and settings\Administrator\Bluetooth Software
    2009-03-07 20:44 . 2009-03-07 20:44 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Subversion
    2009-03-07 19:33 . 2009-03-07 19:33 <DIR> d--h----- c:\windows\system32\GroupPolicy
    2009-03-06 22:39 . 2009-03-08 07:28 365 --a------ c:\windows\PSADMIN.INI
    2009-03-06 22:30 . 2009-03-07 00:06 <DIR> d-------- C:\PSADMIN
    2009-03-06 22:25 . 1996-01-08 10:34 246,784 --a------ c:\windows\UNINST16.EXE
    2009-03-06 22:25 . 1994-09-16 15:00 20,976 --a------ c:\windows\system\CTL3D.DLL

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-13 17:36 d-----w c:\program files\Lavasoft
    2009-03-13 17:35 d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2009-03-10 01:06 d-----w c:\program files\MyRecipes
    2009-03-08 13:41 d-----w c:\program files\CCleaner
    2009-03-08 03:33 d-----w c:\documents and settings\Allan\Application Data\LimeWire
    2009-02-27 02:21 d-----w c:\documents and settings\Allan\Application Data\FrostWire
    2009-02-27 02:12 d-----w c:\program files\FrostWire
    2009-02-14 17:19 d--h--w c:\program files\InstallShield Installation Information
    2009-02-14 17:19 d-----w c:\program files\KingsIsle Entertainment
    2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
    2009-01-31 00:55 d-----w c:\documents and settings\Allan\Application Data\TortoiseSVN
    2009-01-29 14:56 d-----w c:\program files\TortoiseSVN
    2009-01-29 14:56 d-----w c:\program files\Common Files\TortoiseOverlays
    2009-01-29 01:56 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
    2009-01-29 01:56 10,520 ----a-w c:\windows\system32\avgrsstx.dll
    2009-01-29 01:53 d-----w c:\documents and settings\All Users\Application Data\avg8
    2009-01-24 00:39 39,056 ----a-w c:\documents and settings\Allan\Application Data\GDIPFONTCACHEV1.DAT
    2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-03-16_18.51.30.32 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-12-05 06:54:55 144,896 -c----w c:\windows\system32\dllcache\schannel.dll
    - 2008-09-15 12:12:56 1,846,400 -c----w c:\windows\system32\dllcache\win32k.sys
    + 2009-02-09 11:13:27 1,846,784 -c----w c:\windows\system32\dllcache\win32k.sys
    - 2009-02-15 01:37:10 191,384 ----a-w c:\windows\system32\FNTCACHE.DAT
    + 2009-03-17 13:39:10 191,384 ----a-w c:\windows\system32\FNTCACHE.DAT
    + 2009-02-25 17:55:00 24,768,960 ----a-w c:\windows\system32\MRT.exe
    - 2009-03-16 23:06:27 86,192 ----a-w c:\windows\system32\perfc009.dat
    + 2009-03-17 14:20:19 86,192 ----a-w c:\windows\system32\perfc009.dat
    - 2009-03-16 23:06:27 481,912 ----a-w c:\windows\system32\perfh009.dat
    + 2009-03-17 14:20:19 481,912 ----a-w c:\windows\system32\perfh009.dat
    - 2008-04-14 00:12:05 144,384 ----a-w c:\windows\system32\schannel.dll
    + 2008-12-05 06:54:55 144,896 ----a-w c:\windows\system32\schannel.dll
    - 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
    + 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
    + 2008-04-15 17:47:33 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\GdiPlus.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
    @="{C5994560-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
    @="{C5994561-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
    @="{C5994562-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
    @="{C5994563-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
    @="{C5994564-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
    @="{C5994565-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
    @="{C5994566-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
    @="{C5994567-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
    @="{C5994568-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-11 8429568]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-04-17 159744]
    "PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-28 1601304]
    "nwiz"="nwiz.exe" [2007-05-11 c:\windows\system32\nwiz.exe]
    "NVHotkey"="nvHotkey.dll" [2007-05-11 c:\windows\system32\nvhotkey.dll]
    "NvMediaCenter"="NvMCTray.dll" [2007-05-11 c:\windows\system32\nvmctray.dll]
    "SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 c:\windows\stsystra.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-05-17 568176]
    Document Assistant.lnk - c:\hpdesk\hppddir.exe [2008-07-11 384512]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-01-28 20:56 10520 c:\windows\system32\avgrsstx.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^Allan^Start Menu^Programs^Startup^Think-Adz.lnk]
    path=c:\documents and settings\Allan\Start Menu\Programs\Startup\Think-Adz.lnk
    backup=c:\windows\pss\Think-Adz.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
    --a------ 2007-11-20 17:40 731136 c:\program files\dvd43\DVD43_Tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-04-27 09:41 282624 c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    --a------ 2006-08-17 09:00 1116920 c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
    --a------ 2006-11-05 11:22 221184 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "VMware NAT Service"=2 (0x2)
    "vmserverdWin32"=2 (0x2)
    "vmount2"=2 (0x2)
    "VMnetDHCP"=2 (0x2)
    "VMAuthdService"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
    "c:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
    "c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
    "c:\\Program Files\\Dune - The Battle for Arrakis\\Fusion.exe"=
    "c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
    "c:\\Java\\jdk1.5.0_14\\jre\\bin\\java.exe"=
    "c:\\Program Files\\Kerio\\Personal Firewall\\PERSFW.exe"=
    "c:\\Java\\jdk1.5.0_14\\bin\\java.exe"=
    "c:\\Program Files\\Java\\jre1.5.0_14\\bin\\java.exe"=
    "c:\\Java\\jdk1.5.0_14\\bin\\appletviewer.exe"=
    "c:\\WINDOWS\\system32\\spoolsv.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\FrostWire\\FrostWire.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\BCMWLTRY.EXE"=

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-27 325128]
    R1 fwdrv;Kerio Personal Firewall Driver;c:\windows\system32\drivers\FWDRV.SYS [2007-09-17 102912]
    R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-28 298264]
    R2 xmppd-jse;Collaboration Runtime Service;c:\program files\Sun\jstudio_ent81\collab\bin\xmppd-jse.exe [2008-03-11 184374]
    S2 HPPECP00;hppecp00;c:\windows\system32\drivers\hppecp00.sys [2008-07-11 42048]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.com/
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    Trusted Zone: gotsport.com\www
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-18 19:24:13
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
    "ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
    .
    Completion time: 2009-03-18 19:27:24
    ComboFix-quarantined-files.txt 2009-03-19 00:26:21
    ComboFix2.txt 2009-03-16 23:52:16

    Pre-Run: 90,925,961,216 bytes free
    Post-Run: 90,975,858,688 bytes free

    207 --- E O F --- 2009-03-17 00:32:38


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:32:28 PM, on 3/18/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\HPDESK\hppddir.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\DellTPad\Apntex.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\Program Files\Sun\jstudio_ent81\collab\bin\xmppd-jse.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Allan\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet
    O4 - HKLM\..\Run: [NVHotkey] "rundll32.exe" nvHotkey.dll,Start
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [Apoint] "C:\Program Files\DellTPad\Apoint.exe"
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.com/srl_bin/sysreqlab3.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187794461859
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
    O23 - Service: Collaboration Runtime Service (xmppd-jse) - Unknown owner - C:\Program Files\Sun\jstudio_ent81\collab\bin\xmppd-jse.exe

    --
    End of file - 8102 bytes
  • edited March 2009
    Elminstyr, did you perform my previous instructions to the letter?

    The script doesn't appear to work.
  • edited March 2009
    The only two differences were that the executable is saved to my download folder, not my desktop, and I think I named the file cfScript.txt and not CFScript.txt.
  • edited March 2009
    OK, let's try another tool.


    Download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your Desktop.
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
      Files to delete:
      c:\windows\imsins.BAK
      c:\documents and settings\Allan\Start Menu\Programs\Startup\Think-Adz.lnk
      c:\windows\pss\Think-Adz.lnkStartup
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    • Please post the content of the logfile, along with a new ComboFix log.
  • edited March 2009
    Ok, here is the log. On the first attempt I failed to copy the command line. If there was one for the previous script, that may have been the issue, but I don't remember.

    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 3)
    Thu Mar 19 20:39:19 2009

    20:39:19: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    File "c:\windows\imsins.BAK" deleted successfully.

    Error: file "c:\documents and settings\Allan\Start Menu\Programs\Startup\Think-Adz.lnk" not found!
    Deletion of file "c:\documents and settings\Allan\Start Menu\Programs\Startup\Think-Adz.lnk" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    File "c:\windows\pss\Think-Adz.lnkStartup" deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
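A small triage helper for the Avenger run above, added here as an example and not part of the thread or of Avenger itself: it checks that a script starts with a command directive (the cause of the first aborted run) and matches each path requested in the script to its outcome in the log, using a constructed, condensed copy of the log posted above. The directive pattern is an assumption generalised from the single directive shown in the thread.

```python
import re

# Constructed sample: a condensed copy of the two Avenger logs posted above
# (pre-processor abort from the first attempt, then the successful run).
SAMPLE_LOG = r"""Avenger Pre-Processor log
20:39:19: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!

Logfile of The Avenger Version 2.0, (c) by Swandog46
Rootkit scan active.
No rootkits found!

File "c:\windows\imsins.BAK" deleted successfully.

Error: file "c:\documents and settings\Allan\Start Menu\Programs\Startup\Think-Adz.lnk" not found!
Deletion of file "c:\documents and settings\Allan\Start Menu\Programs\Startup\Think-Adz.lnk" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\pss\Think-Adz.lnkStartup" deleted successfully.
Completed script processing.
"""

# The script the helper asked for; "Files to delete:" is the command directive.
SAMPLE_SCRIPT = r"""Files to delete:
c:\windows\imsins.BAK
c:\documents and settings\Allan\Start Menu\Programs\Startup\Think-Adz.lnk
c:\windows\pss\Think-Adz.lnkStartup
"""

_DELETED = re.compile(r'^File "(.+)" deleted successfully\.$', re.M)
_FAILED = re.compile(r'^Deletion of file "(.+)" failed!\r?\nStatus: (0x[0-9A-Fa-f]+) \((\w+)\)', re.M)
_PREPROC = re.compile(r"^\d\d:\d\d:\d\d: Error: (.+)$", re.M)
# Assumption: every Avenger directive has the shape "<Things> to <action>:"
# (the thread only shows "Files to delete:").
_DIRECTIVE = re.compile(r"^[A-Za-z ]+ to [a-z]+:$")


def script_directive_ok(script: str) -> bool:
    """Catch the first-attempt mistake: the pre-processor rejects a script
    whose first non-blank line is not a command directive."""
    for line in script.splitlines():
        if line.strip():
            return bool(_DIRECTIVE.match(line.strip()))
    return False


def parse_avenger_log(text: str) -> dict:
    """Extract what matters for triage: pre-processor errors, the rootkit
    scan result, and the per-file outcome of each requested deletion."""
    return {
        "preprocessor_errors": _PREPROC.findall(text),
        "rootkits_found": "Rootkit scan active." in text and "No rootkits found!" not in text,
        "deleted": _DELETED.findall(text),
        "failed": [(path, code, name) for path, code, name in _FAILED.findall(text)],
    }


def verify_deletions(script: str, log: dict) -> dict:
    """Map each path requested in the script to 'deleted', 'failed: <status>'
    or 'unreported'; Windows paths compare case-insensitively."""
    deleted = {p.lower() for p in log["deleted"]}
    failed = {p.lower(): f"failed: {name} ({code})" for p, code, name in log["failed"]}
    requested = [l.strip() for l in script.splitlines()
                 if l.strip() and not _DIRECTIVE.match(l.strip())]
    return {p: "deleted" if p.lower() in deleted else failed.get(p.lower(), "unreported")
            for p in requested}
```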
  • edited March 2009
    Great! Let's see a new ComboFix log.
  • edited March 2009
    Here ya go.

    ComboFix 09-03-15.01 - Allan 2009-03-22 8:24:40.5 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1516 [GMT -5:00]
    Running from: c:\documents and settings\Allan\Desktop\Downloads\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
    .

    ((((((((((((((((((((((((( Files Created from 2009-02-22 to 2009-03-22 )))))))))))))))))))))))))))))))
    .

    2009-03-16 17:35 . 2009-03-16 17:35 <DIR> d-------- c:\documents and settings\Allan\Application Data\Malwarebytes
    2009-03-16 17:34 . 2009-03-16 17:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-03-16 17:34 . 2009-03-16 17:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-03-16 17:34 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-16 17:34 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-03-13 12:36 . 2009-03-13 12:36 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2009-03-11 08:58 . 2009-03-11 08:58 <DIR> d-------- C:\VundoFix Backups
    2009-03-08 13:30 . 2009-03-08 13:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intuit
    2009-03-08 12:31 . 2009-03-08 12:31 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Yahoo!
    2009-03-07 20:44 . 2009-03-07 20:44 <DIR> d-------- c:\documents and settings\Administrator\Bluetooth Software
    2009-03-07 20:44 . 2009-03-07 20:44 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Subversion
    2009-03-07 19:33 . 2009-03-07 19:33 <DIR> d--h----- c:\windows\system32\GroupPolicy
    2009-03-06 22:39 . 2009-03-08 07:28 365 --a------ c:\windows\PSADMIN.INI
    2009-03-06 22:30 . 2009-03-07 00:06 <DIR> d-------- C:\PSADMIN
    2009-03-06 22:25 . 1996-01-08 10:34 246,784 --a------ c:\windows\UNINST16.EXE
    2009-03-06 22:25 . 1994-09-16 15:00 20,976 --a------ c:\windows\system\CTL3D.DLL

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-13 17:36 --------- d-----w c:\program files\Lavasoft
    2009-03-13 17:35 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2009-03-10 01:06 --------- d-----w c:\program files\MyRecipes
    2009-03-08 13:41 --------- d-----w c:\program files\CCleaner
    2009-03-08 03:33 --------- d-----w c:\documents and settings\Allan\Application Data\LimeWire
    2009-02-27 02:21 --------- d-----w c:\documents and settings\Allan\Application Data\FrostWire
    2009-02-27 02:12 --------- d-----w c:\program files\FrostWire
    2009-02-14 17:19 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-02-14 17:19 --------- d-----w c:\program files\KingsIsle Entertainment
    2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
    2009-01-31 00:55 --------- d-----w c:\documents and settings\Allan\Application Data\TortoiseSVN
    2009-01-29 14:56 --------- d-----w c:\program files\TortoiseSVN
    2009-01-29 14:56 --------- d-----w c:\program files\Common Files\TortoiseOverlays
    2009-01-29 01:56 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
    2009-01-29 01:56 10,520 ----a-w c:\windows\system32\avgrsstx.dll
    2009-01-29 01:53 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
    2009-01-24 00:39 39,056 ----a-w c:\documents and settings\Allan\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-03-16_18.51.30.32 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-12-05 06:54:55 144,896 -c----w c:\windows\system32\dllcache\schannel.dll
    - 2008-09-15 12:12:56 1,846,400 -c----w c:\windows\system32\dllcache\win32k.sys
    + 2009-02-09 11:13:27 1,846,784 -c----w c:\windows\system32\dllcache\win32k.sys
    - 2009-02-15 01:37:10 191,384 ----a-w c:\windows\system32\FNTCACHE.DAT
    + 2009-03-17 13:39:10 191,384 ----a-w c:\windows\system32\FNTCACHE.DAT
    + 2009-02-25 17:55:00 24,768,960 ----a-w c:\windows\system32\MRT.exe
    - 2009-03-16 23:06:27 86,192 ----a-w c:\windows\system32\perfc009.dat
    + 2009-03-17 14:20:19 86,192 ----a-w c:\windows\system32\perfc009.dat
    - 2009-03-16 23:06:27 481,912 ----a-w c:\windows\system32\perfh009.dat
    + 2009-03-17 14:20:19 481,912 ----a-w c:\windows\system32\perfh009.dat
    - 2008-04-14 00:12:05 144,384 ----a-w c:\windows\system32\schannel.dll
    + 2008-12-05 06:54:55 144,896 ----a-w c:\windows\system32\schannel.dll
    - 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
    + 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
    + 2008-04-15 17:47:33 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\GdiPlus.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
    @="{C5994560-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
    @="{C5994561-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
    @="{C5994562-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
    @="{C5994563-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
    @="{C5994564-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
    @="{C5994565-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
    @="{C5994566-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
    @="{C5994567-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
    @="{C5994568-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 18:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-13 2356088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-11 8429568]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-04-17 159744]
    "PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-28 1601304]
    "nwiz"="nwiz.exe" [2007-05-11 c:\windows\system32\nwiz.exe]
    "NVHotkey"="nvHotkey.dll" [2007-05-11 c:\windows\system32\nvhotkey.dll]
    "NvMediaCenter"="NvMCTray.dll" [2007-05-11 c:\windows\system32\nvmctray.dll]
    "SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 c:\windows\stsystra.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-05-17 568176]
    Document Assistant.lnk - c:\hpdesk\hppddir.exe [2008-07-11 384512]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-01-28 20:56 10520 c:\windows\system32\avgrsstx.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^Allan^Start Menu^Programs^Startup^Think-Adz.lnk]
    path=c:\documents and settings\Allan\Start Menu\Programs\Startup\Think-Adz.lnk
    backup=c:\windows\pss\Think-Adz.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
    --a------ 2007-11-20 17:40 731136 c:\program files\dvd43\DVD43_Tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-04-27 09:41 282624 c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    --a------ 2006-08-17 09:00 1116920 c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
    --a------ 2006-11-05 11:22 221184 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "VMware NAT Service"=2 (0x2)
    "vmserverdWin32"=2 (0x2)
    "vmount2"=2 (0x2)
    "VMnetDHCP"=2 (0x2)
    "VMAuthdService"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
    "c:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
    "c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
    "c:\\Program Files\\Dune - The Battle for Arrakis\\Fusion.exe"=
    "c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
    "c:\\Java\\jdk1.5.0_14\\jre\\bin\\java.exe"=
    "c:\\Program Files\\Kerio\\Personal Firewall\\PERSFW.exe"=
    "c:\\Java\\jdk1.5.0_14\\bin\\java.exe"=
    "c:\\Program Files\\Java\\jre1.5.0_14\\bin\\java.exe"=
    "c:\\Java\\jdk1.5.0_14\\bin\\appletviewer.exe"=
    "c:\\WINDOWS\\system32\\spoolsv.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\FrostWire\\FrostWire.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\BCMWLTRY.EXE"=

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-27 325128]
    R1 fwdrv;Kerio Personal Firewall Driver;c:\windows\system32\drivers\FWDRV.SYS [2007-09-17 102912]
    R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-28 298264]
    R2 xmppd-jse;Collaboration Runtime Service;c:\program files\Sun\jstudio_ent81\collab\bin\xmppd-jse.exe [2008-03-11 184374]
    S2 HPPECP00;hppecp00;c:\windows\system32\drivers\hppecp00.sys [2008-07-11 42048]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.com/
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    Trusted Zone: gotsport.com\www
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-22 08:31:52
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
    "ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
    .
    Completion time: 2009-03-22 8:35:13
    ComboFix-quarantined-files.txt 2009-03-22 13:34:15
    ComboFix2.txt 2009-03-19 00:27:25
    ComboFix3.txt 2009-03-16 23:52:16

    Pre-Run: 90,881,028,096 bytes free
    Post-Run: 90,958,471,168 bytes free

    205 --- E O F --- 2009-03-17 00:32:38
  • edited March 2009
    Thanks for posting back.

    How's your PC running now? Any more of your previous problems?
  • edited March 2009
    chiaz wrote:
    Thanks for posting back.

    How's your PC running now? Any more of your previous problems?


    Everything seems to be running okay. At startup I have a boot menu that gives me the option of going into the recovery console. Is there a way to change this, or do I need to keep it?
  • edited March 2009
    That came along with ComboFix. Recovery Console is a great tool to have whenever you may be having problems with your PC.

    You can change the boot time-out here:
    http://www.howtogeek.com/howto/windows/install-recovery-console-as-a-boot-menu-option-on-windows-xp/

    Of course if you would like to remove it I will post the instructions here as well.