Virus/trojan infected system/can't be removed

Hey, I really need some help. I have Ad-Aware, avast! antivirus and Malwarebytes, but none of these is removing a trojan that I am infected with.

The HijackThis log is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:38 PM, on 8/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\WINDOWS\Temp\_ex-68.exe
C:\Documents and Settings\All Users\Application Data\13145464\13145464.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Logitech\SetPoint\LU\LULnchr.exe
C:\Program Files\Logitech\SetPoint\LU\LogitechUpdate.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] //~c:\progra~1\netass~1\smartb~1\motivesb.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\Temp\_ex-68.exe
O4 - HKLM\..\Run: [13145464] C:\Documents and Settings\All Users\Application Data\13145464\13145464.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: ikowin32.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7670 bytes

Any help is greatly appreciated.
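Most of the log above is legitimate software; a responder reads it by entry type rather than line by line. As an added example (not part of the original post, and not part of HijackThis), here is a small Python triage script that parses HijackThis-style lines and flags the patterns worth checking first: hosts-file entries that point anywhere but loopback (O1), Run keys whose target sits in a Temp or digits-only Application Data directory or whose value name is digits only (O4), bare file names that Windows resolves through the search path (O4), raw executables placed in a Startup folder instead of a shortcut (O4), unknown Winsock LSPs (O10) and Winlogon Notify packages (O20). The regexes and severities are my own heuristics and the embedded sample is a constructed subset of lines copied from the log above; a flag means "verify this", not "this is malicious".

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: a subset of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\Temp\_ex-68.exe
O4 - HKLM\..\Run: [13145464] C:\Documents and Settings\All Users\Application Data\13145464\13145464.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ikowin32.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


class Finding(NamedTuple):
    section: str
    severity: str   # "high", "medium" or "low"
    reason: str
    line: str


SEV = {"high": 0, "medium": 1, "low": 2}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^(?:Global )?Startup:\s*(?P<item>.*)$")
# First executable-looking token of a Run command line, quoted or not.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|com|scr|pif|bat|cmd|dll))"?', re.I)
# Heuristic (my own): places where a legitimate installer rarely puts a Run-key target.
BAD_DIR_RE = re.compile(r"\\temp\\|\\application data\\\d+\\|\\recycler\\", re.I)


def _check_run(name: str, cmd: str) -> List[Tuple[str, str]]:
    """Heuristics for one O4 Run entry; returns (severity, reason) pairs."""
    m = EXE_RE.match(cmd.strip())
    path = m.group("path") if m else cmd.strip()
    out = []
    if BAD_DIR_RE.search(path):
        out.append(("high", "Run target sits in a Temp or digits-only Application Data directory"))
    if name.isdigit():
        out.append(("high", "Run value name is digits only, typical of dropper-generated keys"))
    if "\\" not in path and ":" not in path:
        out.append(("low", "bare file name; Windows resolves it through the search path, confirm which file really runs"))
    return out


def triage(log_text: str) -> List[Finding]:
    """Parse HijackThis-style lines and return flagged entries, highest severity first."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue   # headers, process list, blank lines
        sec, body = m.group("sec"), m.group("body")
        reasons: List[Tuple[str, str]] = []
        if sec == "O1":
            h = HOSTS_RE.match(body)
            if h and h.group("ip") not in LOOPBACK:
                reasons.append(("high", f"hosts file redirects {h.group('host')} to {h.group('ip')}"))
        elif sec == "O4":
            r, s = RUN_RE.match(body), STARTUP_RE.match(body)
            if r:
                reasons += _check_run(r.group("name"), r.group("cmd"))
            elif s and not re.search(r"\.lnk\s*=", s.group("item"), re.I):
                reasons.append(("medium", "executable placed directly in a Startup folder instead of a shortcut"))
        elif sec == "O10" and body.startswith("Unknown file in Winsock LSP"):
            reasons.append(("medium", "unrecognised Winsock LSP; verify publisher and signature before touching it"))
        elif sec == "O20":
            reasons.append(("medium", "Winlogon Notify package loads inside winlogon.exe at logon; confirm it is known"))
        if reasons:
            worst = min(reasons, key=lambda p: SEV[p[0]])[0]
            findings.append(Finding(sec, worst, "; ".join(r for _, r in reasons), raw.strip()))
    findings.sort(key=lambda f: SEV[f.severity])
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

On the sample, the two hosts redirects and the two Run keys under Temp and All Users\Application Data come out as high, the raw ikowin32.exe in the Startup folder and the O10/O20 entries as medium, and SoundMan as low; the avast!, ctfmon and Logitech entries are not flagged. The low finding is the one people skip: a Run value that names only `SOUNDMAN.EXE` runs whichever file of that name is found first on the search path, so confirm the path with the full HijackThis process list rather than assume it is the sound driver.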

Comments

  • edited August 2009
    New HijackThis log as per the 72 hour No Response thread.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:09:00 AM, on 8/25/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    c:\WINDOWS\system32\ZuneBusEnum.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Documents and Settings\All Users\Application Data\18630934\18630934.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Logitech\SetPoint\LU\LULnchr.exe
    C:\Program Files\Logitech\SetPoint\LU\LogitechUpdate.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Zune\Zune.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
    O1 - Hosts: 66.98.148.65 auto.search.msn.com
    O1 - Hosts: 66.98.148.65 auto.search.msn.es
    O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Motive SmartBridge] //~c:\progra~1\netass~1\smartb~1\motivesb.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
    O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\Temp\_ex-08.exe
    O4 - HKLM\..\Run: [18630934] C:\Documents and Settings\All Users\Application Data\18630934\18630934.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: ikowin32.exe
    O4 - Startup: PMB Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
    O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
  • edited August 2009
    Hey there. :)

    Sorry for the delay.

    Please download Malwarebytes' Anti-Malware by clicking the link below:
    http://www.besttechie.net/tools/mbam-setup.exe

    Double Click mbam-setup.exe to install the application.

    * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select "Perform Quick Scan", then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * You'll be required to post the contents of this log later.

    Please Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



    Next let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:

    Go here ======> A guide and tutorial on using ComboFix <====== Go here

    Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use the download meant for SP2.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should get a prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    (1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    (2) Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.


    Please include the MBAM log, C:\ComboFix.txt as well as a new HijackThis log for further review, so that we may continue cleansing the system.


    Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
  • edited August 2009
    The three new logs are as follows:

    Malwarebytes' Anti-Malware 1.40
    Database version: 2697
    Windows 5.1.2600 Service Pack 2

    8/26/2009 12:33:01 AM
    mbam-log-2009-08-26 (00-33-01).txt

    Scan type: Quick Scan
    Objects scanned: 99561
    Time elapsed: 22 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 3
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 9

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18630934 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RList (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\All Users\Application Data\18630934 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\All Users\Application Data\18630934\18630934 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\18630934\18630934.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\18630934\pc18630934ins (Rogue.Multiple.H) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
    C:\autorun.inf (SuspectAutorun.Rootdrive.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\prxid93ps.dat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\010112010146120114.xe (KoobFace.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\0101120101464949.xe (KoobFace.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\0535251103110107106.yux (KoobFace.Trace) -> Quarantined and deleted successfully.

    ComboFix 09-08-25.02 - Administrator 08/26/2009 0:50.1.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1528.1094 [GMT -4:00]
    Running from: c:\documents and settings\Administrator\My Documents\ComboFix.exe
    AV: avast! antivirus 4.8.1335 [VPS 090825-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Administrator\Application Data\inst.exe
    c:\documents and settings\Administrator\My Documents\Mark Rothko Artist 5.doc
    c:\documents and settings\Administrator\My Documents\Mark Rothko Artist 5.doc
    c:\program files\INSTALL.LOG
    c:\program files\WinPCap
    c:\program files\WinPCap\rpcapd.exe
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\Packet.dll
    c:\windows\system32\pthreadVC.dll
    c:\windows\system32\w32apiw.dll
    c:\windows\system32\WanPacket.dll
    c:\windows\system32\wpcap.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    \Legacy_NPF
    \Legacy_NWCWORKSTATION
    \Service_npf
    \Service_NWCWorkstation


    ((((((((((((((((((((((((( Files Created from 2009-07-26 to 2009-08-26 )))))))))))))))))))))))))))))))
    .

    2009-08-25 20:01 . 2009-08-25 20:01 -------- d-----w- c:\program files\MSXML 4.0
    2009-08-23 01:47 . 2009-08-23 01:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sony Corporation
    2009-08-23 01:44 . 2009-08-23 01:44 -------- d-----w- c:\windows\Logs
    2009-08-23 01:38 . 2009-08-23 01:38 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}\ARPPRODUCTICON.exe
    2009-08-23 01:35 . 2009-08-23 01:35 -------- d-----w- c:\program files\Sony
    2009-08-23 01:32 . 2009-08-23 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation
    2009-08-21 16:17 . 2009-08-21 16:17 -------- d-----w- c:\program files\Trend Micro
    2009-08-18 22:20 . 2009-08-18 22:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-08-18 22:20 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-18 22:20 . 2009-08-18 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-08-18 22:20 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-08-18 22:20 . 2009-08-18 22:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-08-18 03:15 . 2009-08-18 03:15 -------- d-----w- c:\windows\system32\CatRoot_bak
    2009-08-17 20:23 . 2008-06-24 16:23 74240 -c----w- c:\windows\system32\dllcache\mscms.dll
    2009-08-17 20:22 . 2009-06-26 16:18 474112 -c----w- c:\windows\system32\dllcache\shlwapi.dll
    2009-08-17 20:22 . 2009-07-18 16:20 1506304 -c----w- c:\windows\system32\dllcache\shdocvw.dll
    2009-08-17 20:22 . 2009-06-26 16:18 532480 -c----w- c:\windows\system32\dllcache\mstime.dll
    2009-08-17 20:22 . 2009-06-26 16:18 39424 -c----w- c:\windows\system32\dllcache\pngfilt.dll
    2009-08-17 20:22 . 2009-06-26 16:18 146432 -c----w- c:\windows\system32\dllcache\msrating.dll
    2009-08-17 20:22 . 2009-06-26 16:18 449024 -c----w- c:\windows\system32\dllcache\mshtmled.dll
    2009-08-17 20:22 . 2009-07-18 16:20 3062272 -c----w- c:\windows\system32\dllcache\mshtml.dll
    2009-08-17 20:22 . 2009-06-10 06:32 132096 -c----w- c:\windows\system32\dllcache\wkssvc.dll
    2009-08-17 20:20 . 2008-06-12 14:16 91648 -c----w- c:\windows\system32\dllcache\mtxoci.dll
    2009-08-17 20:20 . 2008-06-12 14:16 66560 -c----w- c:\windows\system32\dllcache\mtxclu.dll
    2009-08-17 20:20 . 2008-06-12 14:16 161792 -c----w- c:\windows\system32\dllcache\msdtcuiu.dll
    2009-08-17 20:20 . 2008-06-12 14:16 956928 -c----w- c:\windows\system32\dllcache\msdtctm.dll
    2009-08-17 20:20 . 2008-06-12 14:16 58880 -c----w- c:\windows\system32\dllcache\msdtclog.dll
    2009-08-17 20:20 . 2008-06-12 14:16 428032 -c----w- c:\windows\system32\dllcache\msdtcprx.dll
    2009-08-17 20:20 . 2007-10-27 21:40 227328 -c----w- c:\windows\system32\dllcache\wmasf.dll
    2009-08-17 20:20 . 2008-10-24 11:10 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
    2009-08-17 20:20 . 2008-12-11 11:57 333184 -c----w- c:\windows\system32\dllcache\srv.sys
    2009-08-17 20:20 . 2009-07-10 13:42 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
    2009-08-17 20:19 . 2008-06-20 17:41 245248 -c----w- c:\windows\system32\dllcache\mswsock.dll
    2009-08-17 20:19 . 2008-06-20 10:45 360320 -c----w- c:\windows\system32\dllcache\tcpip.sys
    2009-08-17 20:19 . 2008-06-20 09:52 225920 -c----w- c:\windows\system32\dllcache\tcpip6.sys
    2009-08-17 20:19 . 2009-08-05 09:11 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
    2009-08-17 20:17 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
    2009-08-17 20:17 . 2009-06-25 08:44 56320 -c----w- c:\windows\system32\dllcache\secur32.dll
    2009-08-17 20:17 . 2009-06-12 11:50 80896 -c----w- c:\windows\system32\dllcache\tlntsess.exe
    2009-08-17 20:17 . 2009-06-12 11:50 76288 -c----w- c:\windows\system32\dllcache\telnet.exe
    2009-08-17 20:17 . 2009-07-29 04:53 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
    2009-08-17 20:16 . 2009-06-03 19:27 1290752 -c----w- c:\windows\system32\dllcache\quartz.dll
    2009-08-17 20:16 . 2008-06-10 15:37 1026048 -c----w- c:\windows\system32\dllcache\WMNetmgr.dll
    2009-08-17 20:16 . 2009-07-13 06:18 233472 -c----w- c:\windows\system32\dllcache\wmpdxm.dll
    2009-08-17 20:15 . 2009-07-13 06:18 4960256 -c----w- c:\windows\system32\dllcache\wmp.dll
    2009-08-17 20:15 . 2008-05-08 12:28 202752 -c----w- c:\windows\system32\dllcache\rmcast.sys
    2009-08-17 20:15 . 2008-06-10 15:57 2364472 -c----w- c:\windows\system32\dllcache\WMVCore.dll
    2009-08-17 20:14 . 2008-07-03 13:16 8454656 -c----w- c:\windows\system32\dllcache\shell32.dll
    2009-08-17 20:13 . 2009-04-15 15:11 584192 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
    2009-08-17 20:13 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
    2009-08-17 20:13 . 2008-12-16 12:47 351232 -c----w- c:\windows\system32\dllcache\winhttp.dll
    2009-08-17 20:12 . 2009-04-17 09:58 1846656 -c----w- c:\windows\system32\dllcache\win32k.sys
    2009-08-17 20:12 . 2008-09-04 16:42 1106944 -c----w- c:\windows\system32\dllcache\msxml3.dll
    2009-08-17 01:24 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
    2009-08-16 17:38 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2009-08-16 17:37 . 2009-08-16 17:37 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
    2009-08-16 17:37 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
    2009-08-16 17:36 . 2009-08-16 17:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-08-16 17:36 . 2009-08-16 17:36 -------- d-----w- c:\program files\Lavasoft
    2009-08-16 17:12 . 2002-10-16 03:03 151552 ----a-w- c:\windows\system32\igfxres.dll
    2009-08-16 16:58 . 2004-08-04 01:07 42573 -c--a-w- c:\windows\system32\dllcache\hrtzzm.exe
    2009-08-16 16:57 . 2004-08-04 01:07 68608 -c--a-w- c:\windows\system32\dllcache\isatq.dll
    2009-08-16 16:49 . 2004-08-04 02:31 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
    2009-08-16 16:44 . 2004-08-04 01:07 97792 -c--a-w- c:\windows\system32\dllcache\chtmbx.dll
    2009-08-16 16:44 . 2004-08-04 01:07 56320 -c--a-w- c:\windows\system32\dllcache\chtskdic.dll
    2009-08-16 16:44 . 2004-08-04 01:07 480256 -c--a-w- c:\windows\system32\dllcache\cintsetp.exe
    2009-08-16 16:44 . 2004-08-04 01:07 198656 -c--a-w- c:\windows\system32\dllcache\cintime.dll
    2009-08-16 16:44 . 2004-08-04 01:07 173568 -c--a-w- c:\windows\system32\dllcache\chtskf.dll
    2009-08-16 16:44 . 2004-08-04 01:07 59392 -c--a-w- c:\windows\system32\dllcache\imscinst.exe
    2009-08-16 16:44 . 2004-08-04 01:07 10096640 -c--a-w- c:\windows\system32\dllcache\hwxcht.dll
    2009-08-16 16:44 . 2004-08-04 01:07 24661 ----a-w- c:\windows\system32\spxcoins.dll
    2009-08-16 16:44 . 2004-08-04 01:07 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
    2009-08-16 16:44 . 2004-08-04 01:07 13312 ----a-w- c:\windows\system32\irclass.dll
    2009-08-11 18:10 . 2004-08-04 01:07 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
    2009-08-11 13:30 . 2009-08-11 13:30 -------- d-----w- c:\windows\repair
    2009-08-06 20:07 . 2009-08-06 20:07 -------- d-----w- c:\windows\system32\XPSViewer
    2009-08-06 20:06 . 2009-08-06 20:06 -------- d-----w- c:\program files\Reference Assemblies
    2009-08-06 20:06 . 2008-07-06 12:06 575488 ----a-w- c:\windows\system32\xpsshhdr.dll
    2009-08-06 20:06 . 2008-07-06 12:06 117760 ----a-w- c:\windows\system32\prntvpt.dll
    2009-08-06 20:06 . 2009-08-06 20:06 -------- d-----w- C:\e650b8496d495db0b405ceefdbae3e
    2009-08-06 20:06 . 2008-07-06 12:06 1676288 ----a-w- c:\windows\system32\xpssvcs.dll
    2009-08-06 20:05 . 2009-08-06 20:22 -------- d-----w- c:\windows\SxsCaPendDel

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-26 05:08 . 2007-11-15 01:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
    2009-08-23 02:04 . 2009-06-25 01:42 -------- d-----w- c:\program files\PeerGuardian2
    2009-08-23 01:47 . 2007-09-08 03:48 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-08-21 14:41 . 2008-11-19 21:14 -------- d-----w- c:\program files\Oxigen
    2009-08-18 19:34 . 2007-09-10 18:22 76256 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-08-17 22:33 . 2007-09-19 13:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
    2009-08-16 16:53 . 2007-09-08 03:37 22732 ----a-w- c:\windows\system32\emptyregdb.dat
    2009-08-11 18:32 . 2007-12-11 02:56 -------- d-----w- c:\program files\MSN Messenger
    2009-08-05 09:11 . 2004-08-04 01:07 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-07-31 23:31 . 2007-11-21 03:08 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-07-29 04:53 . 2004-08-04 01:07 82432 ----a-w- c:\windows\system32\fontsub.dll
    2009-07-29 04:53 . 2004-08-04 01:07 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-07-29 00:37 . 2007-11-21 02:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Vso
    2009-07-17 18:55 . 2004-08-04 01:07 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-13 06:18 . 2004-08-04 01:07 233472 ----a-w- c:\windows\system32\wmpdxm.dll
    2009-07-09 02:17 . 2009-07-09 02:16 -------- d-----w- c:\program files\iTunes
    2009-07-09 02:17 . 2009-07-09 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    2009-07-09 02:16 . 2009-07-09 02:16 -------- d-----w- c:\program files\iPod
    2009-07-09 02:16 . 2007-09-08 05:05 -------- d-----w- c:\program files\Common Files\Apple
    2009-07-09 02:13 . 2009-07-09 02:13 -------- d-----w- c:\program files\Bonjour
    2009-07-09 02:11 . 2008-10-07 03:52 -------- d-----w- c:\program files\QuickTime
    2009-07-07 18:11 . 2007-09-08 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2009-06-26 16:18 . 2004-08-04 01:07 659456 ----a-w- c:\windows\system32\wininet.dll
    2009-06-26 16:18 . 2004-08-04 01:07 81920 ----a-w- c:\windows\system32\ieencode.dll
    2009-06-25 18:36 . 2004-08-04 01:07 95744 ----a-w- c:\windows\system32\mqsec.dll
    2009-06-25 18:36 . 2004-08-04 01:07 661504 ----a-w- c:\windows\system32\mqqm.dll
    2009-06-25 18:36 . 2004-08-04 01:07 517120 ----a-w- c:\windows\system32\mqsnap.dll
    2009-06-25 18:36 . 2004-08-04 01:07 48640 ----a-w- c:\windows\system32\mqupgrd.dll
    2009-06-25 18:36 . 2004-08-04 01:07 471552 ----a-w- c:\windows\system32\mqutil.dll
    2009-06-25 18:36 . 2004-08-04 01:07 47104 ----a-w- c:\windows\system32\mqdscli.dll
    2009-06-25 18:36 . 2004-08-04 01:07 225280 ----a-w- c:\windows\system32\mqoa.dll
    2009-06-25 18:36 . 2004-08-04 01:07 186880 ----a-w- c:\windows\system32\mqtrig.dll
    2009-06-25 18:36 . 2004-08-04 01:07 177152 ----a-w- c:\windows\system32\mqrt.dll
    2009-06-25 18:36 . 2004-08-04 01:07 16896 ----a-w- c:\windows\system32\mqise.dll
    2009-06-25 18:36 . 2004-08-04 01:07 138240 ----a-w- c:\windows\system32\mqad.dll
    2009-06-25 18:36 . 2004-08-04 01:07 123392 ----a-w- c:\windows\system32\mqrtdep.dll
    2009-06-25 08:44 . 2004-08-04 01:07 724480 ----a-w- c:\windows\system32\lsasrv.dll
    2009-06-25 08:44 . 2004-08-04 01:07 59392 ----a-w- c:\windows\system32\wdigest.dll
    2009-06-25 08:44 . 2004-08-04 01:07 56320 ----a-w- c:\windows\system32\secur32.dll
    2009-06-25 08:44 . 2004-08-04 01:07 298496 ----a-w- c:\windows\system32\kerberos.dll
    2009-06-25 08:44 . 2004-08-04 01:07 168448 ----a-w- c:\windows\system32\schannel.dll
    2009-06-25 08:44 . 2004-08-04 01:07 133632 ----a-w- c:\windows\system32\msv1_0.dll
    2009-06-22 11:49 . 2004-08-04 01:07 19968 ----a-w- c:\windows\system32\mqbkup.exe
    2009-06-22 11:49 . 2004-08-04 01:07 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
    2009-06-22 11:49 . 2004-08-04 01:07 4608 ----a-w- c:\windows\system32\mqsvc.exe
    2009-06-22 11:48 . 2004-08-04 01:07 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
    2009-06-22 11:34 . 2004-08-04 01:07 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2009-06-12 11:50 . 2004-08-04 01:07 80896 ----a-w- c:\windows\system32\tlntsess.exe
    2009-06-12 11:50 . 2004-08-04 01:07 76288 ----a-w- c:\windows\system32\telnet.exe
    2009-06-10 14:21 . 2004-08-04 01:07 84992 ----a-w- c:\windows\system32\avifil32.dll
    2009-06-10 06:32 . 2004-08-04 01:07 132096 ----a-w- c:\windows\system32\wkssvc.dll
    2009-06-05 17:57 . 2009-06-05 17:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
    2009-06-05 07:42 . 2007-09-08 03:36 655872 ----a-w- c:\windows\system32\mstscax.dll
    2009-06-03 19:27 . 2004-08-04 01:07 1290752 ----a-w- c:\windows\system32\quartz.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-12 68856]
    "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-07-23 288048]
    "msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2002-10-16 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-10-16 114688]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-09-14 648488]
    "nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-12-14 705832]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2002-09-11 46592]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-8-22 333088]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-12-21 67128]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-12-21 805392]
    NetAssistant.lnk - c:\program files\NetAssistant\bin\matcli.exe [2008-10-28 200704]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
    2008-12-18 15:41 200064 ----a-w- c:\windows\system32\WgaLogon.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @=&quot;Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=&quot;"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\MSN\\MSNCoreFiles\\Install\\msnsusii.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "67:UDP"= 67:UDP:DHCP Discovery Service

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/16/2009 1:38 PM 64160]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6/22/2009 4:46 PM 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/22/2009 4:46 PM 20560]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
    S3 alcan5ln;Alcatel SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [9/8/2007 12:30 AM 36960]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

    2009-08-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-Motive SmartBridge - //~c:\progra~1\netass~1\smartb~1\motivesb.exe


    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Search_URL = hxxp://www.google.com/ie
    mStart Page = hxxp://www.google.com
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = 127.0.0.1;*.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    IE: &Search
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2gb5dnpv.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo Search
    FF - prefs.js: browser.startup.homepage - www.atptennis.com
    FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=56939&ei=utf-8&yahoo_domain=search.yahoo.com&p=
    FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2gb5dnpv.default\extensions\{f02289b7-b23a-49b1-a7da-b60880e69629}\components\Engine.dll
    FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2gb5dnpv.default\extensions\piclens@cooliris.com\components\piclensstub.dll
    FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2gb5dnpv.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-26 01:04
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\5.tmp"
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'winlogon.exe'(544)
    c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
    c:\program files\common files\logitech\bluetooth\LBTServ.dll

    - - - - - - - > 'explorer.exe'(1948)
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Other Running Processes
    .
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\ZuneBusEnum.exe
    c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    c:\program files\Alwil Software\Avast4\ashMaiSv.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\Alwil Software\Avast4\ashWebSv.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\NetAssistant\bin\mpbtn.exe
    c:\program files\Common Files\Logitech\khalshared\KHALMNPR.exe
    c:\program files\Logitech\SetPoint\LU\LULnchr.exe
    c:\program files\Logitech\SetPoint\LU\LogitechUpdate.exe
    c:\program files\MSN Messenger\usnsvc.exe
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    .
    **************************************************************************
    .
    Completion time: 2009-08-26 1:26 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-08-26 05:26

    Pre-Run: 251,162,624 bytes free
    Post-Run: 179,707,904 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    Current=4 Default=4 Failed=0 LastKnownGood=6 Sets=1,2,3,4,5,6
    328 --- E O F --- 2009-08-25 20:01

    New Hijackthis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:05:27 AM, on 8/26/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe
    c:\WINDOWS\system32\ZuneBusEnum.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    C:\Program Files\Pure Networks\Network Magic\nmapp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\NetAssistant\bin\mpbtn.exe
    C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Logitech\SetPoint\LU\LULnchr.exe
    C:\Program Files\Logitech\SetPoint\LU\LogitechUpdate.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
    O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
    O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: PMB Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
    O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
  • edited August 2009
    Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
    It's IMPORTANT to carry out the instructions in the sequence listed below.
    1. Close any open browsers.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Open *notepad* and copy/paste the text in the codebox below into it:
    KILLALL::
    
    File::
    c:\windows\system32\5.tmp
    
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MEMSWEEP2]
    
    


    Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

    CFScript.gif
    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt
    Please copy and paste the ComboFix.txt in your next reply.

    *Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer*
  • edited August 2009
    New combofix log:

    ComboFix 09-08-25.02 - Administrator 08/26/2009 12:34.2.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1528.1081 [GMT -4:00]
    Running from: c:\documents and settings\Administrator\My Documents\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\My Documents\CFScript.txt
    AV: avast! antivirus 4.8.1335 [VPS 090825-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    FILE ::
    "c:\windows\system32\5.tmp"
    .

    ((((((((((((((((((((((((( Files Created from 2009-07-26 to 2009-08-26 )))))))))))))))))))))))))))))))
    .

    2009-08-25 20:01 . 2009-08-25 20:01 d-----w- c:\program files\MSXML 4.0
    2009-08-23 01:47 . 2009-08-23 01:47 d-----w- c:\documents and settings\Administrator\Application Data\Sony Corporation
    2009-08-23 01:44 . 2009-08-23 01:44 d-----w- c:\windows\Logs
    2009-08-23 01:38 . 2009-08-23 01:38 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}\ARPPRODUCTICON.exe
    2009-08-23 01:35 . 2009-08-23 01:35 d-----w- c:\program files\Sony
    2009-08-23 01:32 . 2009-08-23 01:32 d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation
    2009-08-21 16:17 . 2009-08-21 16:17 d-----w- c:\program files\Trend Micro
    2009-08-18 22:20 . 2009-08-18 22:20 d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-08-18 22:20 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-18 22:20 . 2009-08-18 22:20 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-08-18 22:20 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-08-18 22:20 . 2009-08-18 22:20 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-08-18 03:15 . 2009-08-18 03:15 d-----w- c:\windows\system32\CatRoot_bak
    2009-08-17 20:23 . 2008-06-24 16:23 74240 -c----w- c:\windows\system32\dllcache\mscms.dll
    2009-08-17 20:22 . 2009-06-26 16:18 474112 -c----w- c:\windows\system32\dllcache\shlwapi.dll
    2009-08-17 20:22 . 2009-07-18 16:20 1506304 -c----w- c:\windows\system32\dllcache\shdocvw.dll
    2009-08-17 20:22 . 2009-06-26 16:18 532480 -c----w- c:\windows\system32\dllcache\mstime.dll
    2009-08-17 20:22 . 2009-06-26 16:18 39424 -c----w- c:\windows\system32\dllcache\pngfilt.dll
    2009-08-17 20:22 . 2009-06-26 16:18 146432 -c----w- c:\windows\system32\dllcache\msrating.dll
    2009-08-17 20:22 . 2009-06-26 16:18 449024 -c----w- c:\windows\system32\dllcache\mshtmled.dll
    2009-08-17 20:22 . 2009-07-18 16:20 3062272 -c----w- c:\windows\system32\dllcache\mshtml.dll
    2009-08-17 20:22 . 2009-06-10 06:32 132096 -c----w- c:\windows\system32\dllcache\wkssvc.dll
    2009-08-17 20:20 . 2008-06-12 14:16 91648 -c----w- c:\windows\system32\dllcache\mtxoci.dll
    2009-08-17 20:20 . 2008-06-12 14:16 66560 -c----w- c:\windows\system32\dllcache\mtxclu.dll
    2009-08-17 20:20 . 2008-06-12 14:16 161792 -c----w- c:\windows\system32\dllcache\msdtcuiu.dll
    2009-08-17 20:20 . 2008-06-12 14:16 956928 -c----w- c:\windows\system32\dllcache\msdtctm.dll
    2009-08-17 20:20 . 2008-06-12 14:16 58880 -c----w- c:\windows\system32\dllcache\msdtclog.dll
    2009-08-17 20:20 . 2008-06-12 14:16 428032 -c----w- c:\windows\system32\dllcache\msdtcprx.dll
    2009-08-17 20:20 . 2007-10-27 21:40 227328 -c----w- c:\windows\system32\dllcache\wmasf.dll
    2009-08-17 20:20 . 2008-10-24 11:10 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
    2009-08-17 20:20 . 2008-12-11 11:57 333184 -c----w- c:\windows\system32\dllcache\srv.sys
    2009-08-17 20:20 . 2009-07-10 13:42 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
    2009-08-17 20:19 . 2008-06-20 17:41 245248 -c----w- c:\windows\system32\dllcache\mswsock.dll
    2009-08-17 20:19 . 2008-06-20 10:45 360320 -c----w- c:\windows\system32\dllcache\tcpip.sys
    2009-08-17 20:19 . 2008-06-20 09:52 225920 -c----w- c:\windows\system32\dllcache\tcpip6.sys
    2009-08-17 20:19 . 2009-08-05 09:11 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
    2009-08-17 20:17 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
    2009-08-17 20:17 . 2009-06-25 08:44 56320 -c----w- c:\windows\system32\dllcache\secur32.dll
    2009-08-17 20:17 . 2009-06-12 11:50 80896 -c----w- c:\windows\system32\dllcache\tlntsess.exe
    2009-08-17 20:17 . 2009-06-12 11:50 76288 -c----w- c:\windows\system32\dllcache\telnet.exe
    2009-08-17 20:17 . 2009-07-29 04:53 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
    2009-08-17 20:16 . 2009-06-03 19:27 1290752 -c----w- c:\windows\system32\dllcache\quartz.dll
    2009-08-17 20:16 . 2008-06-10 15:37 1026048 -c----w- c:\windows\system32\dllcache\WMNetmgr.dll
    2009-08-17 20:16 . 2009-07-13 06:18 233472 -c----w- c:\windows\system32\dllcache\wmpdxm.dll
    2009-08-17 20:15 . 2009-07-13 06:18 4960256 -c----w- c:\windows\system32\dllcache\wmp.dll
    2009-08-17 20:15 . 2008-05-08 12:28 202752 -c----w- c:\windows\system32\dllcache\rmcast.sys
    2009-08-17 20:15 . 2008-06-10 15:57 2364472 -c----w- c:\windows\system32\dllcache\WMVCore.dll
    2009-08-17 20:14 . 2008-07-03 13:16 8454656 -c----w- c:\windows\system32\dllcache\shell32.dll
    2009-08-17 20:13 . 2009-04-15 15:11 584192 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
    2009-08-17 20:13 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
    2009-08-17 20:13 . 2008-12-16 12:47 351232 -c----w- c:\windows\system32\dllcache\winhttp.dll
    2009-08-17 20:12 . 2009-04-17 09:58 1846656 -c----w- c:\windows\system32\dllcache\win32k.sys
    2009-08-17 20:12 . 2008-09-04 16:42 1106944 -c----w- c:\windows\system32\dllcache\msxml3.dll
    2009-08-17 01:24 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
    2009-08-16 17:38 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2009-08-16 17:37 . 2009-08-16 17:37
    dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
    2009-08-16 17:37 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
    2009-08-16 17:36 . 2009-08-16 17:38 d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-08-16 17:36 . 2009-08-16 17:36 d-----w- c:\program files\Lavasoft
    2009-08-16 17:12 . 2002-10-16 03:03 151552 ----a-w- c:\windows\system32\igfxres.dll
    2009-08-16 16:58 . 2004-08-04 01:07 42573 -c--a-w- c:\windows\system32\dllcache\hrtzzm.exe
    2009-08-16 16:57 . 2004-08-04 01:07 68608 -c--a-w- c:\windows\system32\dllcache\isatq.dll
    2009-08-16 16:49 . 2004-08-04 02:31 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
    2009-08-16 16:44 . 2004-08-04 01:07 97792 -c--a-w- c:\windows\system32\dllcache\chtmbx.dll
    2009-08-16 16:44 . 2004-08-04 01:07 56320 -c--a-w- c:\windows\system32\dllcache\chtskdic.dll
    2009-08-16 16:44 . 2004-08-04 01:07 480256 -c--a-w- c:\windows\system32\dllcache\cintsetp.exe
    2009-08-16 16:44 . 2004-08-04 01:07 198656 -c--a-w- c:\windows\system32\dllcache\cintime.dll
    2009-08-16 16:44 . 2004-08-04 01:07 173568 -c--a-w- c:\windows\system32\dllcache\chtskf.dll
    2009-08-16 16:44 . 2004-08-04 01:07 59392 -c--a-w- c:\windows\system32\dllcache\imscinst.exe
    2009-08-16 16:44 . 2004-08-04 01:07 10096640 -c--a-w- c:\windows\system32\dllcache\hwxcht.dll
    2009-08-16 16:44 . 2004-08-04 01:07 24661 ----a-w- c:\windows\system32\spxcoins.dll
    2009-08-16 16:44 . 2004-08-04 01:07 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
    2009-08-16 16:44 . 2004-08-04 01:07 13312 ----a-w- c:\windows\system32\irclass.dll
    2009-08-11 18:10 . 2004-08-04 01:07 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
    2009-08-11 13:30 . 2009-08-11 13:30 d-----w- c:\windows\repair
    2009-08-06 20:07 . 2009-08-06 20:07 d-----w- c:\windows\system32\XPSViewer
    2009-08-06 20:06 . 2009-08-06 20:06 d-----w- c:\program files\Reference Assemblies
    2009-08-06 20:06 . 2008-07-06 12:06 575488 ----a-w- c:\windows\system32\xpsshhdr.dll
    2009-08-06 20:06 . 2008-07-06 12:06 117760 ----a-w- c:\windows\system32\prntvpt.dll
    2009-08-06 20:06 . 2009-08-06 20:06 d-----w- C:\e650b8496d495db0b405ceefdbae3e
    2009-08-06 20:06 . 2008-07-06 12:06 1676288 ----a-w- c:\windows\system32\xpssvcs.dll
    2009-08-06 20:05 . 2009-08-06 20:22 d-----w- c:\windows\SxsCaPendDel

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-26 05:08 . 2007-11-15 01:21 d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
    2009-08-23 02:04 . 2009-06-25 01:42 d-----w- c:\program files\PeerGuardian2
    2009-08-23 01:47 . 2007-09-08 03:48 d--h--w- c:\program files\InstallShield Installation Information
    2009-08-21 14:41 . 2008-11-19 21:14 d-----w- c:\program files\Oxigen
    2009-08-18 19:34 . 2007-09-10 18:22 76256 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-08-17 22:33 . 2007-09-19 13:53 d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
    2009-08-16 16:53 . 2007-09-08 03:37 22732 ----a-w- c:\windows\system32\emptyregdb.dat
    2009-08-11 18:32 . 2007-12-11 02:56 d-----w- c:\program files\MSN Messenger
    2009-08-05 09:11 . 2004-08-04 01:07 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-07-31 23:31 . 2007-11-21 03:08 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-07-29 04:53 . 2004-08-04 01:07 82432 ----a-w- c:\windows\system32\fontsub.dll
    2009-07-29 04:53 . 2004-08-04 01:07 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-07-29 00:37 . 2007-11-21 02:26
    d
    w- c:\documents and settings\Administrator\Application Data\Vso
    2009-07-17 18:55 . 2004-08-04 01:07 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-13 06:18 . 2004-08-04 01:07 233472 ----a-w- c:\windows\system32\wmpdxm.dll
    2009-07-09 02:17 . 2009-07-09 02:16
    d
    w- c:\program files\iTunes
    2009-07-09 02:17 . 2009-07-09 02:16
    d
    w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    2009-07-09 02:16 . 2009-07-09 02:16
    d
    w- c:\program files\iPod
    2009-07-09 02:16 . 2007-09-08 05:05
    d
    w- c:\program files\Common Files\Apple
    2009-07-09 02:13 . 2009-07-09 02:13
    d
    w- c:\program files\Bonjour
    2009-07-09 02:11 . 2008-10-07 03:52
    d
    w- c:\program files\QuickTime
    2009-07-07 18:11 . 2007-09-08 05:06
    d
    w- c:\documents and settings\All Users\Application Data\Apple Computer
    2009-06-26 16:18 . 2004-08-04 01:07 659456
    w- c:\windows\system32\wininet.dll
    2009-06-26 16:18 . 2004-08-04 01:07 81920 ----a-w- c:\windows\system32\ieencode.dll
    2009-06-25 18:36 . 2004-08-04 01:07 95744 ----a-w- c:\windows\system32\mqsec.dll
    2009-06-25 18:36 . 2004-08-04 01:07 661504 ----a-w- c:\windows\system32\mqqm.dll
    2009-06-25 18:36 . 2004-08-04 01:07 517120 ----a-w- c:\windows\system32\mqsnap.dll
    2009-06-25 18:36 . 2004-08-04 01:07 48640 ----a-w- c:\windows\system32\mqupgrd.dll
    2009-06-25 18:36 . 2004-08-04 01:07 471552 ----a-w- c:\windows\system32\mqutil.dll
    2009-06-25 18:36 . 2004-08-04 01:07 47104 ----a-w- c:\windows\system32\mqdscli.dll
    2009-06-25 18:36 . 2004-08-04 01:07 225280 ----a-w- c:\windows\system32\mqoa.dll
    2009-06-25 18:36 . 2004-08-04 01:07 186880 ----a-w- c:\windows\system32\mqtrig.dll
    2009-06-25 18:36 . 2004-08-04 01:07 177152 ----a-w- c:\windows\system32\mqrt.dll
    2009-06-25 18:36 . 2004-08-04 01:07 16896 ----a-w- c:\windows\system32\mqise.dll
    2009-06-25 18:36 . 2004-08-04 01:07 138240 ----a-w- c:\windows\system32\mqad.dll
    2009-06-25 18:36 . 2004-08-04 01:07 123392 ----a-w- c:\windows\system32\mqrtdep.dll
    2009-06-25 08:44 . 2004-08-04 01:07 724480 ----a-w- c:\windows\system32\lsasrv.dll
    2009-06-25 08:44 . 2004-08-04 01:07 59392 ----a-w- c:\windows\system32\wdigest.dll
    2009-06-25 08:44 . 2004-08-04 01:07 56320 ----a-w- c:\windows\system32\secur32.dll
    2009-06-25 08:44 . 2004-08-04 01:07 298496 ----a-w- c:\windows\system32\kerberos.dll
    2009-06-25 08:44 . 2004-08-04 01:07 168448 ----a-w- c:\windows\system32\schannel.dll
    2009-06-25 08:44 . 2004-08-04 01:07 133632 ----a-w- c:\windows\system32\msv1_0.dll
    2009-06-22 11:49 . 2004-08-04 01:07 19968 ----a-w- c:\windows\system32\mqbkup.exe
    2009-06-22 11:49 . 2004-08-04 01:07 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
    2009-06-22 11:49 . 2004-08-04 01:07 4608 ----a-w- c:\windows\system32\mqsvc.exe
    2009-06-22 11:48 . 2004-08-04 01:07 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
    2009-06-22 11:34 . 2004-08-04 01:07 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2009-06-12 11:50 . 2004-08-04 01:07 80896 ----a-w- c:\windows\system32\tlntsess.exe
    2009-06-12 11:50 . 2004-08-04 01:07 76288 ----a-w- c:\windows\system32\telnet.exe
    2009-06-10 14:21 . 2004-08-04 01:07 84992 ----a-w- c:\windows\system32\avifil32.dll
    2009-06-10 06:32 . 2004-08-04 01:07 132096 ----a-w- c:\windows\system32\wkssvc.dll
    2009-06-05 17:57 . 2009-06-05 17:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
    2009-06-05 07:42 . 2007-09-08 03:36 655872 ----a-w- c:\windows\system32\mstscax.dll
    2009-06-03 19:27 . 2004-08-04 01:07 1290752 ----a-w- c:\windows\system32\quartz.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-08-26_05.07.25 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-08-26 16:43 . 2009-08-26 16:43 16384 c:\windows\Temp\Perflib_Perfdata_540.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-12 68856]
    "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-07-23 288048]
    "msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2002-10-16 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-10-16 114688]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-09-14 648488]
    "nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-12-14 705832]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2002-09-11 46592]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-8-22 333088]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-12-21 67128]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-12-21 805392]
    NetAssistant.lnk - c:\program files\NetAssistant\bin\matcli.exe [2008-10-28 200704]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
    2008-12-18 15:41 200064 ----a-w- c:\windows\system32\WgaLogon.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\MSN\\MSNCoreFiles\\Install\\msnsusii.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "67:UDP"= 67:UDP:DHCP Discovery Service

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/16/2009 1:38 PM 64160]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6/22/2009 4:46 PM 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/22/2009 4:46 PM 20560]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
    S3 alcan5ln;Alcatel SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [9/8/2007 12:30 AM 36960]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

    2009-08-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Search_URL = hxxp://www.google.com/ie
    mStart Page = hxxp://www.google.com
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = 127.0.0.1;*.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    IE: &Search
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2gb5dnpv.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo Search
    FF - prefs.js: browser.startup.homepage - www.atptennis.com
    FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=56939&ei=utf-8&yahoo_domain=search.yahoo.com&p=
    FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2gb5dnpv.default\extensions\{f02289b7-b23a-49b1-a7da-b60880e69629}\components\Engine.dll
    FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2gb5dnpv.default\extensions\piclens@cooliris.com\components\piclensstub.dll
    FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2gb5dnpv.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-26 12:49
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'winlogon.exe'(552)
    c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
    c:\program files\common files\logitech\bluetooth\LBTServ.dll

    - - - - - - - > 'explorer.exe'(3096)
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Other Running Processes
    .
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\ZuneBusEnum.exe
    c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    c:\program files\Alwil Software\Avast4\ashMaiSv.exe
    c:\program files\Alwil Software\Avast4\ashWebSv.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\NetAssistant\bin\mpbtn.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Common Files\Logitech\khalshared\KHALMNPR.exe
    c:\program files\Logitech\SetPoint\LU\LULnchr.exe
    c:\program files\Logitech\SetPoint\LU\LogitechUpdate.exe
    .
    **************************************************************************
    .
    Completion time: 2009-08-26 13:01 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-08-26 17:01
    ComboFix2.txt 2009-08-26 05:27

    Pre-Run: 158,760,960 bytes free
    Post-Run: 121,241,600 bytes free

    Current=4 Default=4 Failed=0 LastKnownGood=6 Sets=1,2,3,4,5,6
    301 --- E O F --- 2009-08-25 20:01
  • edited August 2009
    Your version of Java is outdated and may be exploited by infections.

    Please download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    =======================================

    Now let's have you go HERE to run Panda ActiveScan 2.0
    • Click the big green Scan now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • Once the scan is completed, please hit the notepad icon next to the text Export to:
    • Save it to a convenient location such as your Desktop.
    • Post the contents of the ActiveScan.txt in your next reply.
  • edited August 2009
    Here is the log from the Panda ActiveScan 2.0. And Java has been updated to the new version.

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2009-08-28 08:34:23
    PROTECTIONS: 1
    MALWARE: 9
    SUSPECTS: 1
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    avast! antivirus 4.8.1335 [VPS 090827-0] 4.8.1335 Yes Yes
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\All Users\Application Data\Arovax\Antispyware\quarantine\archive 18.08.2008 14-27-33.dat
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\All Users\Application Data\Arovax\Antispyware\quarantine\archive 08.09.2007 14-08-11.dat
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\All Users\Application Data\Arovax\Antispyware\quarantine\archive 08.09.2007 12-11-21.dat
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\All Users\Application Data\Arovax\Antispyware\quarantine\archive 20.02.2009 13-14-33.dat
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\All Users\Application Data\Arovax\Antispyware\quarantine\archive 07.02.2008 21-29-41.dat
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\All Users\Application Data\Arovax\Antispyware\quarantine\archive 08.09.2007 11-49-09.dat
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\All Users\Application Data\Arovax\Antispyware\quarantine\archive 11.09.2007 23-47-26.dat
    00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\All Users\Application Data\Arovax\Antispyware\quarantine\archive 31.10.2007 22-44-55.dat
    00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[2].txt
    00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[1].txt
    00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{5CDF07DE-7B3F-4605-A09E-5BF70123FEDC}\RP17\A0002098.sys
    00685047 Trj/WMAdownloader.J Virus/Trojan No 0 Yes No C:\Documents and Settings\Administrator\Shared\diece cento mille - greatest hits.wma
    00685047 Trj/WMAdownloader.J Virus/Trojan No 0 Yes No C:\Documents and Settings\Administrator\Shared\womanizer, brittney spears.wma
    02534388 Trj/Sinowal.DW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{5CDF07DE-7B3F-4605-A09E-5BF70123FEDC}\RP17\A0002093.exe
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{5CDF07DE-7B3F-4605-A09E-5BF70123FEDC}\RP17\A0002205.sys
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{5CDF07DE-7B3F-4605-A09E-5BF70123FEDC}\RP17\A0002308.sys
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Program Files\Alwil Software\Avast4\DATA\moved\install.exe.2
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Program Files\Alwil Software\Avast4\DATA\moved\install.exe
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Program Files\Alwil Software\Avast4\DATA\moved\install.exe.4
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Program Files\Alwil Software\Avast4\DATA\moved\install.exe.3
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    No C:\Program Files\Pure Networks\Network Magic\Patch - Firas911.exe
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
    ;===================================================================================================================================================================================
    211784 HIGH MS09-032
    210618 HIGH MS09-019
    208379 HIGH MS09-014
    203806 HIGH MS08-078
    203508 HIGH MS08-073
    201250 HIGH MS08-058
    209273 HIGH MS08-045
    194862 HIGH MS08-032
    194861 HIGH MS08-031
    191617 HIGH MS08-024
    191616 HIGH MS08-023
    191613 HIGH MS08-020
    187735 HIGH MS08-010
    187733 HIGH MS08-008
    182048 HIGH MS07-069
    182046 HIGH MS07-067
    179553 HIGH MS07-061
    176382 HIGH MS07-057
    170906 HIGH MS07-045
    170904 HIGH MS07-043
    164913 HIGH MS07-033
    160623 HIGH MS07-027
    157260 HIGH MS07-020
    157259 HIGH MS07-019
    156477 HIGH MS07-017
    150253 HIGH MS07-016
    150249 HIGH MS07-013
    150248 HIGH MS07-012
    150247 HIGH MS07-011
    150243 HIGH MS07-008
    150242 HIGH MS07-007
    150241 MEDIUM MS07-006
    141033 MEDIUM MS06-075
    141030 HIGH MS06-072
    137571 HIGH MS06-070
    137568 HIGH MS06-067
    133387 MEDIUM MS06-065
    133379 HIGH MS06-057
    129977 MEDIUM MS06-053
    129976 MEDIUM MS06-052
    126092 MEDIUM MS06-050
    126087 HIGH MS06-046
    108738 HIGH MS06-004
    126083 HIGH MS06-042
    126082 HIGH MS06-041
    123421 HIGH MS06-036
    120818 HIGH MS06-025
    120815 HIGH MS06-022
    120814 HIGH MS06-021
    117384 MEDIUM MS06-018
    114666 HIGH MS06-015
    114664 HIGH MS06-013
    108738 HIGH MS06-004
    108738 HIGH MS06-004
    96574 HIGH MS05-053
    93395 HIGH MS05-051
    93454 MEDIUM MS05-049
    ;=============================================================================================
  • edited August 2009
    The only thing that is worthy of concern is this.
    C:\Documents and Settings\Administrator\Shared\diece cento mille - greatest hits.wma
    00685047 Trj/WMAdownloader.J Virus/Trojan No 0 Yes No C:\Documents and Settings\Administrator\Shared\womanizer, brittney spears.wma

    I would suggest you delete these two files above.

    ===============================

    After you have done that, it's time to remove ComboFix.

    Go to Start > Run
    Type in box

    combofix /u

    Note: the space between the X and the /u

    Press Enter.

    This command will:

    Delete the following:
    ComboFix and its associated files and folders.
    VundoFix backups, if present
    The C:\Deckard folder, if present
    The C:\_OtMoveIt folder, if present

    Reset the clock settings.
    Hide file extensions, if required.
    Hide System/Hidden files, if required.
    Reset System Restore.


    Even if you have no more queries, I would appreciate it if you could reply once more to this thread so that I will be able to have this archived. Thanks. :)
  • edited August 2009
    Alright, thanks for all the help. There do not seem to be any more problems. All the help was appreciated.
  • edited August 2009
    Glad we could be of assistance! This topic is now closed.

    If I have helped you, please consider making a personal donation (Paypal) to me at parasite[AT]parasitedb.com.
    To support Icrontic, click here:
    http://icrontic.com/support
    Donations are entirely voluntary in nature and will have no bearing on the future help that you may receive.

    If you wish to reopen your topic, please send a Private Message (PM) to Trogan or me with a link to your thread.

    If you are not the user who started this thread, you must start your own thread instead :)