Spyware continuously reinitializing itself and interfering with internet access!
jkwak01
Pennsylvania
Greetings Icrontic Forums!
Here's my problem:
I have a series of weird spyware that keep on screwing around with my internet browsing. For example, let's say I do a general search for just about anything, like the name of a local bakery (that has a website). Upon clicking it, I am redirected to a website that provides further searches based on my key words.
One such site I was redirected to was a yellowpages site that tried to further search my keywords.
Here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:20:04 PM, on 1/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\tppaldr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\DOCUME~1\Julius\LOCALS~1\Temp\clclean.0001
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Razer\Copperhead\razerhid.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\lcdmon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Razer\Copperhead\razertra.exe
C:\Program Files\Razer\Copperhead\razerofa.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\trend micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/resetpw.srf?lc=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Julius\jye.exe \s
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
O2 - BHO: (no name) - {21608B66-026F-4DCB-9244-0DACA328DCED} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [CM108Sound] RunDll32 CM108.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [UniblueSpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC\Launcher.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [BMIMZMHMFM] C:\DOCUME~1\Julius\LOCALS~1\Temp\Clz.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: AccuWeatherDesktop.lnk = C:\Program Files\AccuWeather\Desktop\AccuWeatherDesktop.exe
O4 - Global Startup: AccuWeather Desktop.lnk = C:\Program Files\AccuWeather\Desktop\AccuWeatherDesktop.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} (Java Plug-in 1.6.0_12) -
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} (Java Plug-in 1.6.0_14) -
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} (Java Plug-in 1.6.0_15) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2ADB7F55-8A5D-40C5-8F76-4D3294BA90C4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{36FE65F5-4428-411B-BD74-91AA7CBA48AB}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VLC media player - Unknown owner - C:\Program Files\VideoLAN\VLC\vlc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 12816 bytes
I have already identified some of the processes that keep recurring and that I recognize as new/foreign:
clz.exe
jye.exe
msa.exe
Some programs I run that are not malware (and that I don't wish to get rid of): (some people might or might not mistake them for malware)
Accuweather Desktop application
Andrea Voice Center (Voice recording program)
AIM (AoL Instant Messenger)
Logitech Gaming Keyboard processes (G15 Keyboard applications)
Peer Guardian 2 (IP blocking application)
Razer Copperhead Mouse applications
Spybot SD (Search & Destroy)
Steam.exe (Steampowered game portal utility)
VLC Media Player
Winamp Agent
Zone Labs Zone Alarm Firewall
Some that I am iffy on keeping or uninstalling:
SUMP.exe (Speed Up My Computer by Uniblue)
And so I will wait for further assistance now. Thank you.
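The entries the poster singles out (jye.exe appended to the UserInit value, Clz.exe launched from the Temp folder, clclean.0001 running from Temp) are exactly the patterns a log reviewer looks for first. The script below is an added triage example, not part of jkwak01's post and not a feature of HijackThis; the sample lines are constructed copies of entries from the log above, and the heuristics (system32\userinit.exe is the only expected UserInit command; autoruns and processes under Temp or the user-profile root are suspect; "(no file)" BHO and toolbar entries are orphaned leftovers) are the editor's own.

```python
import re

# Constructed sample input: lines in the same shape as the HijackThis log in the post above.
# (Python raw string, so the single backslashes are literal, as in the log.)
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\Julius\LOCALS~1\Temp\clclean.0001
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Julius\jye.exe \s
O2 - BHO: (no name) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [BMIMZMHMFM] C:\DOCUME~1\Julius\LOCALS~1\Temp\Clz.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2ADB7F55-8A5D-40C5-8F76-4D3294BA90C4}: NameServer = 208.67.220.220,208.67.222.222
"""

# Only the standard userinit.exe from the system directory belongs in UserInit;
# anything appended after the comma is run at every logon (editor's heuristic).
STANDARD_USERINIT = re.compile(r"^[a-z]:\\windows\\system32\\userinit\.exe,?$", re.I)

# Locations legitimate startup entries practically never use: temp folders
# and executables sitting directly in a user-profile root (editor's heuristic).
SUSPICIOUS_PATH = re.compile(
    r"(\\temp\\|\\docume~1\\|\\documents and settings\\[^\\]+\\[^\\]+\.exe)", re.I)


def parse(line):
    """Split 'O4 - HKCU\\..\\Run: [name] cmd' into (section, body); None for non-entries."""
    m = re.match(r"^([A-Z]\d{1,2}) - (.*)$", line)
    return (m.group(1), m.group(2)) if m else None


def check_userinit(body):
    """F2 UserInit: flag every command other than the standard userinit.exe."""
    _, _, value = body.partition("UserInit=")
    if not value:
        return []
    extras = [p.strip() for p in value.split(",")
              if p.strip() and not STANDARD_USERINIT.match(p.strip())]
    return [("high", "extra UserInit command", e) for e in extras]


def check_run(body):
    """O4 Run entries: flag commands launched from temp or profile directories."""
    m = re.search(r"\]\s*(.+)$", body)  # the command text after the [name] bracket
    if not m:
        return []
    cmd = m.group(1)
    return [("high", "autorun from temp/profile directory", cmd)] if SUSPICIOUS_PATH.search(cmd) else []


def check_orphan(body):
    """O2/O3 entries whose DLL is gone: harmless leftovers, still worth cleaning up."""
    if body.rstrip().endswith("(no file)"):
        return [("low", "orphaned BHO/toolbar entry (no file)", body)]
    return []


CHECKS = {"F2": check_userinit, "O4": check_run, "O2": check_orphan, "O3": check_orphan}


def triage(log_text):
    """Return (severity, reason, detail, original line) for every flagged entry."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        parsed = parse(line)
        if parsed:
            section, body = parsed
            results = CHECKS.get(section, lambda b: [])(body)
        elif re.match(r"^[a-z]:\\", line, re.I) and SUSPICIOUS_PATH.search(line):
            # Lines in the "Running processes" block are bare paths with no section prefix.
            results = [("medium", "running process from temp/profile directory", line)]
        else:
            results = []
        findings.extend((sev, reason, detail, line) for sev, reason, detail in results)
    return findings


if __name__ == "__main__":
    for sev, reason, detail, _ in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {reason}: {detail}")
```

Run against the sample it reports jye.exe (UserInit) and Clz.exe (HKCU Run) as high, clclean.0001 as a medium-severity running process, and the two "(no file)" entries as low; the ZoneAlarm and Spybot lines pass. The O17 NameServer line is deliberately not flagged: a static DNS setting is worth a glance, but the addresses in this log are a public resolver the user may well have chosen, so that judgement is left to the reviewer rather than a regex.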
Comments
My name is Gringo and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.
Before we start: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
Because of this, I advise you to backup any personal files and folders before you start.
Some things to remember while we are working together.
1. Please do not run any other tool until instructed to do so!
2. Please reply to this thread, do not start another!
3. Please tell me about any problems that have occurred during the fix.
4. Please tell me of any other symptoms you may be having as these can help also.
5. Please try as much as possible not to run anything while executing a fix.
If you follow these instructions, everything should go smoothly.
I would like to get a better look at your system, please do the following so I can get some more detailed logs.
DeFogger:
Please download DeFogger to your desktop. Double click DeFogger to run the tool.
- The application window will appear
- Click the Disable button to disable your CD Emulation drivers
- Click Yes to continue
- A 'Finished!' message will appear
- Click OK
- DeFogger will now ask to reboot the machine - click OK
Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Download DDS:
Please download DDS by sUBs from one of the links below and save it to your desktop:
Link1
Link2
Link3
Please disable any anti-malware program that will block scripts from running before running DDS.
GMER:
Download GMER Rootkit Scanner from here or here.
- In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- Sections
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
- Then click the Scan button & wait for it to finish.
- Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Information and logs:
In your next post I need the following
1. logs from DDS
2. log from GMER
3. let me know of any problems you may have had
Gringo
DDS Logs:
attach.txt:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-12-01.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 5/16/2006 3:36:35 PM
System Uptime: 1/16/2010 11:00:07 PM (0 hours ago)
Motherboard: Dell Inc. | | 0YD479
Processor: Genuine Intel(R) CPU T2500 @ 2.00GHz | Microprocessor | 1997/133mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 51 GiB total, 0.646 GiB free.
D: is CDROM (UDF)
==== Disabled Device Manager Items =============
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA
==== System Restore Points ===================
RP1996: 12/20/2009 8:02:45 AM - System Checkpoint
RP1997: 12/20/2009 8:27:03 PM - Installed Compatibility Pack for the 2007 Office system
RP1998: 12/21/2009 2:29:16 PM - Software Distribution Service 3.0
RP1999: 12/21/2009 2:33:53 PM - Software Distribution Service 3.0
RP2000: 12/22/2009 11:31:53 AM - Avg8 Update
RP2001: 12/22/2009 12:01:13 PM - Software Distribution Service 3.0
RP2002: 12/23/2009 12:12:33 PM - System Checkpoint
RP2003: 12/23/2009 1:21:17 PM - Installed LG USB Modem Drivers
RP2004: 12/24/2009 1:41:35 PM - System Checkpoint
RP2005: 12/25/2009 6:55:35 PM - System Checkpoint
RP2006: 12/26/2009 8:19:30 PM - System Checkpoint
RP2007: 12/27/2009 2:34:39 PM - Installed Java(TM) 6 Update 17
RP2008: 12/28/2009 6:49:59 PM - System Checkpoint
RP2009: 12/29/2009 9:51:38 PM - System Checkpoint
RP2010: 12/31/2009 5:10:56 PM - System Checkpoint
RP2011: 1/1/2010 4:18:54 PM - Avg8 Update
RP2012: 1/3/2010 1:57:30 PM - System Checkpoint
RP2013: 1/4/2010 10:12:11 PM - System Checkpoint
RP2014: 1/6/2010 10:18:14 AM - System Checkpoint
RP2015: 1/8/2010 3:24:46 PM - System Checkpoint
RP2016: 1/10/2010 5:01:48 PM - System Checkpoint
RP2017: 1/12/2010 6:31:35 AM - System Checkpoint
RP2018: 1/13/2010 9:44:05 AM - Software Distribution Service 3.0
RP2019: 1/13/2010 9:40:06 PM - Installed Cisco Systems VPN Client 5.0.06.0110
RP2020: 1/15/2010 5:54:36 PM - System Checkpoint
==== Installed Programs ======================
µTorrent
32 Bit HP CIO Components Installer
AccuWeather Desktop
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.2.0
Adobe Shockwave Player
AGEIA PhysX v7.09.13
AIM 6
AJB 6000 update
Amazon MP3 Downloader 1.0.3
Andrea VoiceCenter
Apple Application Support
Audacity 1.2.6
AV Voice Changer Software DIAMOND 6.0
AV Voice Changer Software DIAMOND 7.0
AVG Free 9.0
Avid DVD by Sonic
BitPim 1.0.7.20091103
Bonjour
Broadcom 440x 10/100 Integrated Controller
C-Media USB 108 Sound
CCleaner
Cisco Systems VPN Client 5.0.06.0110
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Coupon Printer for Windows
Crash Analysis Tool
Creative MediaSource
Critical Update for Windows Media Player 11 (KB959772)
DefilerPak 1.22 (Remove Only)
Dell Digital Jukebox Driver
Digital Line Detect
ELIcon
Final Fantasy VII
FINAL FANTASY VIII
Finale Reader 2009
Fraps (remove only)
Half-Life(R) 2
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Intel(R) PROSet/Wireless Software
Internal Network Card Power Management
iTunes
Japanese Fonts Support For Adobe Reader 8
Java(TM) 6 Update 17
LAME v3.98.2 for Audacity
LeechFTP
LG USB Modem Drivers
Logitech GamePanel Software 3.03.133
mCore
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Add-in 1.3
Microsoft Office Outlook Connector
Microsoft Office Standard Edition 2003
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Virtual PC 2004
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
Microsoft Windows Theme Nunavut
mIRC
Modem Helper
Movie Maker Background Music Files
Movie Maker Sound Effects
Movie Maker Title Images
Mozilla Firefox (3.5.7)
mProSafe
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Musicnotes Player V1.22.3
Musicnotes Software Suite 1.0
mWlsSafe
NVIDIA Drivers
Paint Shop Pro 6.01 CD
PeerGuardian 2.0
QuickTime
Razer Copperhead
SecondLife (remove only)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB970483)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Shipping Assistant 3.6
Sibelius Scorch Plugin
Sonic Audio module
Sonic Copy Module
Sonic Data Module
Sonic DLA
Sonic MyDVD LE
Sonic Update Manager
Sound Blaster ADVANCED MB Drivers
Sound Blaster Audigy ADVANCED MB
Sound Blaster Audigy ADVANCED MB Product Registration
Source SDK Base
Spybot - Search & Destroy
Steam(TM)
Synaptics Pointing Device Driver
Synthesia (remove only)
Team Fortress Classic
TI Connect 1.6
Tomb Raider:
TPP Storage Driver Installation
Uniblue ProcessScanner
Uniblue RegistryBooster 2009
Uniblue SpeedUpMyPC 2009
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB Dual Vibration Joystick
USB Storage Adapter (TPP)
USB Storage Adapter V2 (TPP)
USB Storage Adapter V3 (TPP)
VC 9.0 Runtime
VLC media player 1.0.3
Warcraft III: All Products
WC3Banlist
WebFldrs XP
Winamp
Winamp Application Detect
Windows Defender Signatures
Windows Driver Package - Razer (HidUsb) HIDClass (01/10/2007 1.00)
Windows Genuine Advantage Notifications (KB905474)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Bonus Pack for Windows XP
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 9 Series Power Toy - Ratings Migration
Windows Media Player 9 Series TweakMP PowerToy
Windows Media Player Firefox Plugin
Windows Media Player Playlist Import to Excel Wizard
Windows Media Player Skin Importer
Windows Media Player Tray Control
Windows PowerShell(TM) 1.0
Windows XP Service Pack 3
WinPcap 4.1.1
WinRAR archiver
WM Recorder 14
YAMAHA SoftSynthesizer S-YXG70
ZoneAlarm
==== Event Viewer Messages From Past Week ========
1/16/2010 7:12:35 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
1/16/2010 2:05:09 PM, error: DCOM [10005] - DCOM got error "%3" attempting to start the service SeaPort with arguments "-Service" in order to run the server: {D6381B4A-D254-46EB-9018-A62E0F4BA6BA}
1/13/2010 9:41:06 PM, error: PSched [14107] - QoS [Adapter {E1F33DB1-977E-4E1C-8D31-32DA14DD64A9}]: The Packet Scheduler could not initialize the virtual miniport with NDIS.
1/13/2010 9:08:51 PM, error: BROWSER [8019] - The browser was unable to promote itself to master browser. The browser will continue to attempt to promote itself to the master browser, but will no longer log any events in the event log in Event Viewer.
1/13/2010 7:29:36 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
1/13/2010 7:06:26 PM, error: Service Control Manager [7034] - The VLC media player service terminated unexpectedly. It has done this 1 time(s).
1/12/2010 6:11:52 AM, error: Service Control Manager [7000] - The SeaPort service failed to start due to the following error: The system cannot find the path specified.
1/11/2010 7:53:39 PM, error: NetBT [4321] - The name "MSHOME :1d" could not be registered on the Interface with IP address 192.168.0.103. The machine with the IP address 192.168.0.188 did not allow the name to be claimed by this machine.
1/11/2010 7:32:00 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the VLC media player service to connect.
==== End Of File ===========================
DDS.txt:
DDS (Ver_09-12-01.01) - NTFSx86
Run by Julius at 23:06:24.31 on Sat 01/16/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.980 [GMT -5:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Julius\jye.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Julius\LOCALS~1\Temp\Clz.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\tppaldr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\Razer\Copperhead\razerhid.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\DOCUME~1\Julius\LOCALS~1\Temp\clclean.0001
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Razer\Copperhead\razertra.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Razer\Copperhead\razerofa.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
C:\Program Files\AccuWeather\Desktop\AccuWeatherDesktop.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Julius\My Documents\Downloads\dds.scr
============== Pseudo HJT Report ===============
uInternet Connection Wizard,ShellNext = https://login.live.com/resetpw.srf?lc=1033
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\julius\jye.exe \s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - No File
BHO: {21608B66-026F-4DCB-9244-0DACA328DCED} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - No File
BHO: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [UniblueSpeedUpMyPC] c:\program files\uniblue\speedupmypc\Launcher.exe
uRun: [Steam] "c:\program files\valve\steam\steam.exe" -silent
uRun: [ccleaner] "c:\program files\ccleaner\ccleaner.exe" /AUTO
uRun: [BMIMZMHMFM] c:\docume~1\julius\locals~1\temp\Clz.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [TPP Auto Loader] c:\windows\tppaldr.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [ZoneAlarm Client] "c:\program files\zonealarm\zlclient.exe"
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [razer] c:\program files\razer\copperhead\razerhid.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CM108Sound] RunDll32 CM108.cpl,CMICtrlWnd
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Launch LgDeviceAgent] "c:\program files\logitech\gamepanel software\LgDevAgt.exe"
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\julius\startm~1\programs\startup\accuweatherdesktop.lnk - c:\program files\accuweather\desktop\AccuWeatherDesktop.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\accuweather desktop.lnk - c:\program files\accuweather\desktop\AccuWeatherDesktop.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpn client.lnk - c:\windows\installer\{08b785c1-3893-4154-b53b-f5d341d0aaaa}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: saramin.co.kr\bestiz
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/0/5/7/05796dde-b2ba-4eef-8da4-f99c7e0c9b92/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CD995117-98E5-4169-9920-6C12D4C0B548}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {2ADB7F55-8A5D-40C5-8F76-4D3294BA90C4} = 208.67.220.220,208.67.222.222
TCP: {36FE65F5-4428-411B-BD74-91AA7CBA48AB} = 208.67.220.220,208.67.222.222
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\julius\applic~1\mozilla\firefox\profiles\eyaig5oh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-16 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-16 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-16 360584]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-5-16 353672]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-16 285392]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R2 SSHNAS;SSHNAS;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]
R2 VLC media player;VLC media player;c:\program files\videolan\vlc\vlc.exe [2009-10-30 135592]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-7-14 19720]
R3 Razerlow;Razer Copperhead Driver;c:\windows\system32\drivers\Razerlow.sys [2007-11-22 19020]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [2010-1-16 17792]
S3 CM1083264;C-Media CM108 Like Sound UDAX Interface;c:\windows\system32\drivers\CM108.sys [2010-1-13 1294336]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 TPP200;USB Storage Adapter V2 (TPP);c:\windows\system32\drivers\TPP200.SYS [2006-5-16 35541]
=============== Created Last 30 ================
2010-01-17 03:58:31 0 ----a-w- c:\documents and settings\julius\defogger_reenable
2010-01-16 19:06:15 232960 ----a-w- c:\windows\system32\sshnas21.dll
2010-01-16 19:05:05 58368 ---h--w- c:\documents and settings\julius\jye.exe
2010-01-16 19:05:05 58368 ----a-w- c:\windows\system32\nkqebv.exe
2010-01-16 19:05:03 6435 ----a-w- c:\windows\system32\WORK.DAT
2010-01-16 19:04:52 0 d-----w- C:\AV_LOGS
2010-01-16 18:54:01 0 d-----w- c:\docume~1\julius\applic~1\Avnex
2010-01-16 18:53:51 17792 ----a-w- c:\windows\system32\drivers\vcsvad.sys
2010-01-16 18:53:25 0 d-----w- c:\program files\AV Vcs 7.0 DIAMOND
2010-01-14 02:40:12 0 d-----w- c:\program files\common files\Deterministic Networks
2010-01-14 02:40:10 0 d-----w- c:\program files\Cisco Systems
2010-01-14 02:39:55 1594 ----a-w- c:\windows\VPNInstall.MIF
2010-01-13 23:58:10 414 ----a-w- c:\windows\system\Cm108.ini
2010-01-13 23:57:51 712704 ----a-r- c:\windows\system32\a3d108pu.dll
2010-01-13 23:57:51 5783552 ----a-r- c:\windows\system\CM108.cpl
2010-01-13 23:57:51 315392 ----a-r- c:\windows\system\fltr108.dll
2010-01-13 23:57:51 249856 ----a-r- c:\windows\system32\CM108rm.exe
2010-01-13 23:57:50 45056 ----a-r- c:\windows\system32\CM108rm.dll
2010-01-13 23:57:50 32768 ----a-r- c:\windows\system32\c108prop.dll
2010-01-13 23:57:50 1294336 ----a-r- c:\windows\system32\drivers\CM108.sys
2010-01-13 23:57:34 262144 ------r- c:\windows\Cmi108Uninstall.exe
2010-01-13 23:57:15 0 d-----w- c:\program files\C-Media USB 108 Sound
2010-01-11 12:55:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Stardock
2010-01-11 12:55:39 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{198DF385-4721-45F3-BF73-6D54286CF458}
2010-01-11 12:55:37 0 d-----w- c:\program files\common files\Stardock
2010-01-11 12:55:37 0 d-----w- c:\program files\AccuWeather
2009-12-27 20:15:48 218624 ----a-w- c:\windows\system32\uxtheme.backup
2009-12-23 23:14:36 0 d-----w- c:\program files\Audacity
2009-12-23 23:09:57 0 d-----w- c:\program files\Lame for Audacity
2009-12-23 23:03:29 0 d-----w- c:\program files\BitPim
2009-12-23 18:22:41 0 d-----w- c:\program files\V CAST Music with Rhapsody
2009-12-23 18:21:17 0 d-----w- c:\program files\LG Electronics
2009-12-21 01:46:27 73 ----a-w- c:\windows\system32\-1
2009-12-21 01:26:47 0 d-----w- c:\program files\MSECache
2009-12-21 01:00:24 0 d-----w- c:\program files\WMR14
2009-12-19 19:24:38 0 d-----w- c:\docume~1\julius\applic~1\Sibelius Software
==================== Find3M ====================
2010-01-17 03:56:28 85622 -c--a-w- c:\windows\system32\nvModes.dat
2009-12-04 03:51:27 146320 -c--a-w- c:\windows\War3Unin.dat
2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll
2009-11-16 15:39:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-10 03:02:30 64128 -c-ha-w- c:\windows\system32\mlfcache.dat
2009-11-07 22:25:36 86016 -c--a-w- c:\windows\system32\frapsvid.dll
2009-10-28 14:40:47 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 18:19:54 281104 ----a-w- c:\windows\system32\wpcap.dll
2009-10-20 18:19:46 100880 ----a-w- c:\windows\system32\Packet.dll
2009-10-20 18:19:30 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\dllcache\http.sys
2001-10-05 16:53:04 21866 -c--a-w- c:\program files\common files\tppupd2k.dll
2008-02-13 08:55:42 5 -csha-w- c:\windows\system32\bdbbcdcbaaaebcf_s.dll
2008-04-13 11:30:27 821780 --sha-r- c:\windows\system32\csrcs.exe
2008-08-24 13:56:03 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082420080825\index.dat
============= FINISH: 23:07:16.17 ===============
GMER Logs:
ark.txt:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-16 23:27:31
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Julius\LOCALS~1\Temp\pfrcrkow.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB43C1FC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB43BEC80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xB43D9170]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB43C2580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xB43D6900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xB43D6B10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xB43DAB10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xB43C2670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB43BF210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xB43D99F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xB43D97A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xB43D6280]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xB43D9F10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB43D9F90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB43BF070]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xB43D8180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xB43D7F40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xB43DA6F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xB43DA150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xB43C1BE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xB43DA540]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xB43C2190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB43BF440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xB43D94E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xB43D7200]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xB43D7080]
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Udfs \UdfsCdRom tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \FileSystem\Fastfat \Fat AEA0FD20
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Classes\CLSID\{0A04E0F8-DC88-B943-2C7B-226A2C7B226A}\InprocServer32@ C:\PROGRA~1\COMMON~1\SYSTEM\OLEDB~1\MSDMENG.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{0A04E0F8-DC88-B943-2C7B-226A2C7B226A}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{0A04E0F8-DC88-B943-2C7B-226A2C7B226A}\ProgID@ DMM.Classifier.1
Reg HKLM\SOFTWARE\Classes\CLSID\{0A04E0F8-DC88-B943-2C7B-226A2C7B226A}\TypeLib@ {C1CD5353-28E5-11D3-8C76-00600832DCED}
Reg HKLM\SOFTWARE\Classes\CLSID\{0A04E0F8-DC88-B943-2C7B-226A2C7B226A}\VersionIndependentProgID@ DMM.Classifier
Reg HKLM\SOFTWARE\Classes\CLSID\{14427C58-FFDA-DC11-C543-A85CDB4A49C1}\Implemented Categories\{B19CAC33-475D-11D2-9714-00C04F79E98B}
Reg HKLM\SOFTWARE\Classes\CLSID\{14427C58-FFDA-DC11-C543-A85CDB4A49C1}\InprocServer32@ C:\WINDOWS\system32\csseqchk.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{14427C58-FFDA-DC11-C543-A85CDB4A49C1}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{14427C58-FFDA-DC11-C543-A85CDB4A49C1}\ProgID@ ISCHindi.ISCHindi.1
Reg HKLM\SOFTWARE\Classes\CLSID\{14427C58-FFDA-DC11-C543-A85CDB4A49C1}\VersionIndependentProgID@ ISCHindi.ISCHindi
---- EOF - GMER 1.0.15 ----
Problems & Errors:
GMER would sometimes crash. It would also sometimes cause my computer to crash instead.
After running GMER, the computer would suddenly increase in CPU demand and lag out with insane 10+ minute delays. Minor functionality was still available, such as ALT+TAB.
Edit: Had to force shutdown the machine in order to restart and post new posts to this topic.
Thank you for the logs!!
Please do the following.
:run combofix:
Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
When the tool is finished, it will produce a report for you.
Please include the report in your next post:
C:\ComboFix.txt
Gringo
ComboFix 10-01-16.04 - Julius 01/17/2010 11:00:47.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1429 [GMT -5:00]
Running from: c:\documents and settings\Julius\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\Julius\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\documents and settings\Julius\Local Settings\Temp\clclean.0001.dir.0000\~df394b.tmp
C:\khq
c:\recycler\S-1-5-21-3173197536-107439084-4173312072-1006
c:\windows\CouponPrinter.ocx
c:\windows\system32\Cache
c:\windows\system32\csrcs.exe
c:\windows\system32\Data
c:\windows\system32\dumphive.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\sshnas21.dll
c:\windows\system32\Thumbs.db
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WORK.DAT
c:\windows\system32\WS2Fix.exe
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Legacy_SSHNAS
\Service_SSHNAS
((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
.
2010-01-16 19:41 . 2010-01-16 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2010-01-16 19:41 . 2010-01-16 19:41 -------- d-----w- c:\program files\Logitech
2010-01-16 19:05 . 2010-01-16 19:04 58368 ---h--w- c:\documents and settings\Julius\jye.exe
2010-01-16 19:05 . 2010-01-16 19:04 58368 ----a-w- c:\windows\system32\nkqebv.exe
2010-01-16 19:04 . 2010-01-16 19:06 -------- d-----w- C:\AV_LOGS
2010-01-16 18:54 . 2010-01-16 18:54 -------- d-----w- c:\documents and settings\Julius\Application Data\Avnex
2010-01-16 18:53 . 2008-12-26 17:56 17792 ----a-w- c:\windows\system32\drivers\vcsvad.sys
2010-01-16 18:53 . 2010-01-16 19:32 -------- d-----w- c:\program files\AV Vcs 7.0 DIAMOND
2010-01-14 02:40 . 2010-01-14 02:40 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2010-01-14 02:40 . 2010-01-14 02:40 -------- d-----w- c:\program files\Cisco Systems
2010-01-13 23:57 . 2006-10-13 02:02 249856 ----a-r- c:\windows\system32\CM108rm.exe
2010-01-13 23:57 . 2004-04-14 03:28 315392 ----a-r- c:\windows\system\fltr108.dll
2010-01-13 23:57 . 2001-11-23 04:08 712704 ----a-r- c:\windows\system32\a3d108pu.dll
2010-01-13 23:57 . 2006-12-21 09:05 1294336 ----a-r- c:\windows\system32\drivers\CM108.sys
2010-01-13 23:57 . 2006-03-09 09:45 32768 ----a-r- c:\windows\system32\c108prop.dll
2010-01-13 23:57 . 2005-03-07 06:29 45056 ----a-r- c:\windows\system32\CM108rm.dll
2010-01-13 23:57 . 2006-10-02 11:02 262144 ------r- c:\windows\Cmi108Uninstall.exe
2010-01-13 23:57 . 2010-01-13 23:57 -------- d-----w- c:\program files\C-Media USB 108 Sound
2010-01-12 23:26 . 2010-01-17 01:34 0 ----a-w- c:\documents and settings\Julius\Local Settings\Application Data\prvlcl.dat
2010-01-11 12:56 . 2010-01-11 12:56 -------- d-----w- c:\documents and settings\Julius\Local Settings\Application Data\Stardock
2010-01-11 12:55 . 2010-01-11 12:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Stardock
2010-01-11 12:55 . 2010-01-11 12:55 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{198DF385-4721-45F3-BF73-6D54286CF458}
2010-01-11 12:55 . 2010-01-11 12:55 -------- d-----w- c:\program files\Common Files\Stardock
2010-01-11 12:55 . 2010-01-11 12:55 -------- d-----w- c:\program files\AccuWeather
2009-12-23 23:14 . 2009-12-29 20:00 -------- d-----w- c:\program files\Audacity
2009-12-23 23:09 . 2009-12-23 23:09 -------- d-----w- c:\program files\Lame for Audacity
2009-12-23 23:03 . 2009-12-23 23:03 -------- d-----w- c:\program files\BitPim
2009-12-23 23:03 . 2009-12-23 23:14 -------- d-----w- c:\documents and settings\Julius\Application Data\Audacity
2009-12-23 18:22 . 2009-12-23 18:29 -------- d-----w- c:\program files\V CAST Music with Rhapsody
2009-12-23 18:21 . 2009-12-23 18:21 -------- d-----w- c:\program files\LG Electronics
2009-12-21 01:26 . 2009-12-21 01:26 -------- d-----w- c:\program files\MSECache
2009-12-21 01:00 . 2009-12-28 01:55 -------- d-----w- c:\program files\WMR14
2009-12-19 19:24 . 2009-12-19 19:24 -------- d-----w- c:\documents and settings\Julius\Application Data\Sibelius Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-17 15:39 . 2006-08-01 19:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-17 05:00 . 2010-01-17 05:03 31232 ----a-w- c:\windows\Internet Logs\xDB27.tmp
2010-01-17 04:11 . 2010-01-17 04:14 2610688 ----a-w- c:\windows\Internet Logs\xDB26.tmp
2010-01-17 03:56 . 2006-05-10 04:05 85622 -c--a-w- c:\windows\system32\nvModes.dat
2010-01-17 01:26 . 2009-01-24 06:43 -------- d-----w- c:\program files\Warcraft III
2010-01-16 23:59 . 2009-09-15 18:21 1459824 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-16 20:44 . 2009-03-19 03:12 -------- d-----w- c:\program files\AV Vcs 6.0 DIAMOND
2010-01-16 20:44 . 2008-08-07 01:28 -------- d-----w- c:\program files\PeerGuardian2
2010-01-16 20:44 . 2009-09-17 01:48 -------- d-----w- c:\documents and settings\Julius\Application Data\uTorrent
2010-01-16 18:26 . 2006-06-02 20:33 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-16 15:24 . 2009-12-11 19:59 -------- d-----w- c:\documents and settings\Julius\Application Data\vlc
2010-01-16 14:36 . 2006-08-01 19:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-16 14:04 . 2006-08-03 12:18 4068953 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-01-14 00:29 . 2008-11-23 03:35 -------- d-----w- c:\documents and settings\Julius\Application Data\dvdcss
2010-01-12 23:25 . 2006-05-17 12:58 -------- d-----w- c:\program files\Paint Shop Pro 6
2009-12-27 20:04 . 2009-05-26 08:34 -------- d-----w- c:\documents and settings\Julius\Application Data\mIRC
2009-12-27 19:35 . 2006-05-10 04:11 -------- d-----w- c:\program files\Java
2009-12-27 19:33 . 2009-12-27 19:33 152576 ----a-w- c:\documents and settings\Julius\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-27 19:33 . 2009-11-27 19:41 79488 ----a-w- c:\documents and settings\Julius\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-27 19:02 . 2009-05-26 08:34 -------- d-----w- c:\program files\mIRC
2009-12-26 16:26 . 2008-11-23 03:22 85656 -c--a-w- c:\documents and settings\Julius\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 01:46 . 2009-04-25 06:10 -------- d-----w- c:\program files\WinPcap
2009-12-19 19:36 . 2009-07-26 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Musicnotes
2009-12-18 07:34 . 2009-01-20 08:22 -------- d-----w- c:\documents and settings\Julius\Application Data\SecondLife
2009-12-17 14:51 . 2009-07-19 00:12 -------- d-----w- c:\program files\Winamp
2009-12-17 14:51 . 2009-07-19 00:12 -------- d-----w- c:\documents and settings\Julius\Application Data\Winamp
2009-12-17 14:51 . 2009-12-17 14:51 -------- d-----w- c:\program files\Winamp Detect
2009-12-14 02:48 . 2007-04-06 05:30 -------- d-----w- c:\program files\Apple Software Update
2009-12-14 02:45 . 2006-05-10 04:28 -------- d-----w- c:\program files\QuickTime
2009-12-14 02:44 . 2008-11-18 20:17 -------- d-----w- c:\program files\Common Files\Apple
2009-12-12 00:06 . 2009-12-12 00:06 -------- d-----w- c:\program files\DefilerPak
2009-12-09 01:46 . 2009-08-26 14:44 -------- d-----w- c:\program files\Pando Networks
2009-12-09 01:44 . 2007-05-21 21:54 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-12-05 16:28 . 2009-12-05 16:06 -------- d-----w- c:\program files\CCleaner
2009-12-04 03:51 . 2006-05-17 02:52 146320 -c--a-w- c:\windows\War3Unin.dat
2009-11-21 15:51 . 2004-08-11 22:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-16 18:10 . 2009-11-16 18:10 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-16 15:39 . 2009-11-16 15:39 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-16 15:39 . 2009-11-16 15:39 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-16 15:39 . 2009-11-16 15:39 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-16 15:39 . 2009-11-16 15:39 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-15 04:24 . 2009-11-15 04:24 15872 ----a-r- c:\documents and settings\Julius\Application Data\Microsoft\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C9.exe
2009-11-10 03:02 . 2008-06-09 15:43 64128 -c-ha-w- c:\windows\system32\mlfcache.dat
2009-11-07 22:25 . 2009-11-07 22:25 86016 -c--a-w- c:\windows\system32\frapsvid.dll
2009-11-06 09:06 . 2009-11-06 14:04 6368256 ----a-w- c:\windows\Internet Logs\xDB25.tmp
2009-11-03 23:28 . 2009-11-03 23:28 1527352 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4220\AIMinst.exe
2009-10-29 07:45 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-11 22:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-11 22:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 18:19 . 2009-10-20 18:19 281104 ----a-w- c:\windows\system32\wpcap.dll
2009-10-20 18:19 . 2009-10-20 18:19 100880 ----a-w- c:\windows\system32\Packet.dll
2009-10-20 18:19 . 2009-10-20 18:19 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2009-10-20 18:19 . 2009-10-20 18:19 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2009-10-20 16:20 . 2004-08-04 04:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2001-10-05 16:53 . 2006-05-16 22:03 21866 -c--a-w- c:\program files\Common Files\tppupd2k.dll
2008-02-13 08:55 . 2008-02-13 08:55 5 -csha-w- c:\windows\system32\bdbbcdcbaaaebcf_s.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-23 24576]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-01-03 50528]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2007-01-30 1432064]
"UniblueSpeedUpMyPC"="c:\program files\Uniblue\SpeedUpMyPC\Launcher.exe" [2009-04-28 614696]
"Steam"="c:\program files\valve\steam\steam.exe" [2009-11-15 1217808]
"ccleaner"="c:\program files\CCleaner\ccleaner.exe" [2009-12-21 1803064]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-17 397312]
"MBMon"="CTMBHA.DLL" [2006-03-03 1355938]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"TPP Auto Loader"="c:\windows\tppaldr.exe" [2001-10-05 118784]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NVHotkey"="nvHotkey.dll" [2006-05-01 73728]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-15 7118848]
"nwiz"="nwiz.exe" [2005-12-15 1519616]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"ZoneAlarm Client"="c:\program files\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"razer"="c:\program files\Razer\Copperhead\razerhid.exe" [2005-10-08 155648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-12-16 39424]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2009-08-13 357384]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2009-08-13 1573384]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2009-08-13 3161608]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-01-02 1126400]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AccuWeather Desktop.lnk - c:\program files\AccuWeather\Desktop\AccuWeatherDesktop.exe [2009-4-30 967472]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-9 24576]
VPN Client.lnk - c:\windows\Installer\{08B785C1-3893-4154-B53B-F5D341D0AAAA}\Icon3E5562ED7.ico [2010-1-13 6144]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-29 01:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"HPDJ Taskbar Utility"=c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
"WinampAgent"="c:\program files\Winamp\winampa.exe"
"AVG9_TRAY"=c:\progra~1\AVG\AVG9\avgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\nkqebv.exe"=
"c:\\Documents and Settings\\Julius\\jye.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/16/2009 10:39 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/16/2009 10:39 AM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/16/2009 10:38 AM 285392]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 1:19 PM 50704]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [7/14/2009 3:35 PM 19720]
R3 Razerlow;Razer Copperhead Driver;c:\windows\system32\drivers\Razerlow.sys [11/22/2007 12:49 PM 19020]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [1/16/2010 1:53 PM 17792]
S2 VLC media player;VLC media player;c:\program files\VideoLAN\VLC\vlc.exe [10/30/2009 6:28 AM 135592]
S3 CM1083264;C-Media CM108 Like Sound UDAX Interface;c:\windows\system32\drivers\CM108.sys [1/13/2010 6:57 PM 1294336]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 TPP200;USB Storage Adapter V2 (TPP);c:\windows\system32\drivers\TPP200.SYS [5/16/2006 5:03 PM 35541]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
2010-01-11 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-02-13 20:31]
2010-01-17 c:\windows\Tasks\User_Feed_Synchronization-{23D265E7-CDFA-4331-9442-93CDE6170CDF}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
Supplementary Scan
.
uInternet Connection Wizard,ShellNext = https://login.live.com/resetpw.srf?lc=1033
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: saramin.co.kr\bestiz
TCP: {2ADB7F55-8A5D-40C5-8F76-4D3294BA90C4} = 208.67.220.220,208.67.222.222
TCP: {36FE65F5-4428-411B-BD74-91AA7CBA48AB} = 208.67.220.220,208.67.222.222
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
DPF: {CD995117-98E5-4169-9920-6C12D4C0B548}
FF - ProfilePath - c:\documents and settings\Julius\Application Data\Mozilla\Firefox\Profiles\eyaig5oh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -
BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
BHO-{21608B66-026F-4DCB-9244-0DACA328DCED} - (no file)
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-CM108Sound - CM108.cpl
Notify-termsrv - (no file)
AddRemove-AJB 6000 update - f:\archos\DeIsL1.isu
AddRemove-Final Fantasy VII - c:\program files\Square Soft
AddRemove-FINAL FANTASY VIII - c:\program files\Square Soft
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-17 11:28
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
DLLs Loaded Under Running Processes
- - - - - - - > 'explorer.exe'(3008)
c:\windows\system32\WININET.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Other Running Processes
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\stsystra.exe
c:\windows\System32\snmp.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\RunDll32.exe
c:\program files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
c:\program files\Logitech\GamePanel Software\Applets\LCDClock.exe
c:\program files\Logitech\GamePanel Software\Applets\LCDRSS.exe
c:\program files\Razer\Copperhead\razertra.exe
c:\program files\Razer\Copperhead\razerofa.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-17 11:31:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-17 16:31
ComboFix2.txt 2008-11-08 16:28
Pre-Run: 867,688,448 bytes free
Post-Run: 781,512,704 bytes free
Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 73A50D35C8499E16542568A4D5D002C9
It may be helpful for you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
Vista and Win 7 users: please right-click and Run as Admin all programs that I ask you to run.
:Run CFScript:
Open Notepad and copy/paste the text in the box into the window:
Save it to your desktop as CFScript.txt
Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
TFC(Temp File Cleaner):
- Please download TFC to your desktop,
- Save any unsaved work. TFC will close all open application windows.
- Double-click TFC.exe to run the program.
- If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.
: Malwarebytes' Anti-Malware :
Please download Malwarebytes' Anti-Malware to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to
  - Update Malwarebytes' Anti-Malware
  - and Launch Malwarebytes' Anti-Malware
- then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
- When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
:Kaspersky scan:
Please go to the Kaspersky website and perform an online antivirus scan.
- Read through the requirements and privacy statement and click on the Accept button.
- It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
- When the downloads have finished, click on Settings.
- Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  - Spyware, Adware, Dialers, and other potentially dangerous programs
  - Archives
  - Mail databases
- Click on My Computer under Scan.
- Once the scan is complete, it will display the results. Click on View Scan Report.
- You will see a list of infected items there. Click on Save Report As....
- Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
- Please post this log in your next reply.
:Information and logs:
In your next post I need the following:
Gringo
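How a helper picks jye.exe, nkqebv.exe and bdbbcdcbaaaebcf_s.dll out of a log this size comes down to a few signals visible in the lines above: the creation time, the attribute flags, an executable sitting directly in the profile root, and the same path turning up in the firewall's AuthorizedApplications list. The Python below is an added example, not part of this thread or of ComboFix; the sample lines are copied from the first log above into a constructed string, and the scoring rules are this example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a handful of "Files Created" lines and firewall
# AuthorizedApplications entries, copied in the ComboFix format used in
# this thread (the real log is far longer).
SAMPLE_LOG = r"""
2010-01-16 19:05 . 2010-01-16 19:04 58368 ---h--w- c:\documents and settings\Julius\jye.exe
2010-01-16 19:05 . 2010-01-16 19:04 58368 ----a-w- c:\windows\system32\nkqebv.exe
2010-01-16 18:53 . 2008-12-26 17:56 17792 ----a-w- c:\windows\system32\drivers\vcsvad.sys
2010-01-13 23:57 . 2006-10-13 02:02 249856 ----a-r- c:\windows\system32\CM108rm.exe
2008-02-13 08:55 . 2008-02-13 08:55 5 -csha-w- c:\windows\system32\bdbbcdcbaaaebcf_s.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\nkqebv.exe"=
"c:\\Documents and Settings\\Julius\\jye.exe"=
"""

# "<created> . <modified> <size|--------> <attrs> <path>"; attrs are the
# eight ComboFix flag columns: d c s h a ? w/r -  (e.g. ---h--w- = hidden).
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(\d+|-{8})\s+(\S{8})\s+(.+)$"
)
FW_RE = re.compile(r'^"(.+)"=$')  # registry-export style exception entry
PROFILE_ROOT_RE = re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+$")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


def parse(log_text):
    """Split a ComboFix log into file entries and firewall-authorized paths.
    Paths are lower-cased and the doubled backslashes of the registry export
    are collapsed, so the two sections can be joined on the path."""
    entries, authorized = [], set()
    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            created, _modified, size, attrs, path = m.groups()
            entries.append({
                "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
                "size": None if size.startswith("-") else int(size),
                "attrs": attrs,
                "path": path.strip().lower(),
            })
            continue
        m = FW_RE.match(line.strip())
        if m:
            authorized.add(m.group(1).replace("\\\\", "\\").lower())
    return entries, authorized


def triage(log_text, scan_time="2010-01-17 11:00", window_days=7):
    """Return {path: [reasons]} for executables that trip the signals a
    removal helper reads the log for. The rules are this example's own
    assumptions, not anything ComboFix computes; each alone is weak (the
    C-Media driver installed days earlier is also 'recent'), so they are
    combined rather than applied singly."""
    scan = datetime.strptime(scan_time, "%Y-%m-%d %H:%M")
    entries, authorized = parse(log_text)
    flagged = defaultdict(list)
    for e in entries:
        path, attrs = e["path"], e["attrs"]
        if attrs.startswith("d") or not path.endswith(EXEC_EXT):
            continue  # skip directories and plain data files
        hidden, system = attrs[3] == "h", attrs[2] == "s"
        recent = scan - e["created"] <= timedelta(days=window_days)
        reasons = flagged[path]
        if hidden and "\\program files\\" not in path:
            reasons.append("hidden attribute on an executable outside Program Files")
        if PROFILE_ROOT_RE.match(path):
            reasons.append("executable dropped directly in a user profile root")
        if recent and path in authorized:
            reasons.append("created within the scan window and already in the "
                           "firewall AuthorizedApplications list")
        if hidden and system and e["size"] is not None and e["size"] < 64:
            reasons.append("near-empty file carrying system+hidden attributes")
    return {p: r for p, r in flagged.items() if r}


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

The legitimate entries in the sample (vcsvad.sys, CM108rm.exe) trip none of the combined rules even though they are also recent, which is the point: recency alone is not a finding.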
ComboFix Log:
ComboFix 10-01-16.04 - Julius 01/17/2010 16:58:25.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1292 [GMT -5:00]
Running from: c:\documents and settings\Julius\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Julius\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
FILE ::
"c:\documents and settings\Julius\jye.exe"
"c:\windows\system32\bdbbcdcbaaaebcf_s.dll"
"c:\windows\system32\nkqebv.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\Julius\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\documents and settings\Julius\jye.exe
c:\documents and settings\Julius\Local Settings\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\windows\system32\bdbbcdcbaaaebcf_s.dll
c:\windows\system32\nkqebv.exe
.
((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
.
2010-01-17 21:56 . 2010-01-17 21:56 -------- d-----w- c:\documents and settings\Julius\Application Data\Malwarebytes
2010-01-17 21:55 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-17 21:55 . 2010-01-17 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-17 21:55 . 2010-01-17 21:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-17 21:55 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-16 19:41 . 2010-01-16 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2010-01-16 19:41 . 2010-01-16 19:41 -------- d-----w- c:\program files\Logitech
2010-01-16 19:04 . 2010-01-16 19:06 -------- d-----w- C:\AV_LOGS
2010-01-16 18:54 . 2010-01-16 18:54 -------- d-----w- c:\documents and settings\Julius\Application Data\Avnex
2010-01-16 18:53 . 2008-12-26 17:56 17792 ----a-w- c:\windows\system32\drivers\vcsvad.sys
2010-01-16 18:53 . 2010-01-16 19:32 -------- d-----w- c:\program files\AV Vcs 7.0 DIAMOND
2010-01-14 02:40 . 2010-01-14 02:40 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2010-01-14 02:40 . 2010-01-14 02:40 -------- d-----w- c:\program files\Cisco Systems
2010-01-13 23:57 . 2006-10-13 02:02 249856 ----a-r- c:\windows\system32\CM108rm.exe
2010-01-13 23:57 . 2004-04-14 03:28 315392 ----a-r- c:\windows\system\fltr108.dll
2010-01-13 23:57 . 2001-11-23 04:08 712704 ----a-r- c:\windows\system32\a3d108pu.dll
2010-01-13 23:57 . 2006-12-21 09:05 1294336 ----a-r- c:\windows\system32\drivers\CM108.sys
2010-01-13 23:57 . 2006-03-09 09:45 32768 ----a-r- c:\windows\system32\c108prop.dll
2010-01-13 23:57 . 2005-03-07 06:29 45056 ----a-r- c:\windows\system32\CM108rm.dll
2010-01-13 23:57 . 2006-10-02 11:02 262144 ------r- c:\windows\Cmi108Uninstall.exe
2010-01-13 23:57 . 2010-01-13 23:57 -------- d-----w- c:\program files\C-Media USB 108 Sound
2010-01-12 23:26 . 2010-01-17 18:04 0 ----a-w- c:\documents and settings\Julius\Local Settings\Application Data\prvlcl.dat
2010-01-11 12:56 . 2010-01-11 12:56 -------- d-----w- c:\documents and settings\Julius\Local Settings\Application Data\Stardock
2010-01-11 12:55 . 2010-01-11 12:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Stardock
2010-01-11 12:55 . 2010-01-11 12:55 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{198DF385-4721-45F3-BF73-6D54286CF458}
2010-01-11 12:55 . 2009-04-30 21:34 2655784 -c--a-w- c:\documents and settings\All Users\Application Data\{198DF385-4721-45F3-BF73-6D54286CF458}\accuweather_setup.exe
2010-01-11 12:55 . 2010-01-11 12:55 -------- d-----w- c:\program files\Common Files\Stardock
2010-01-11 12:55 . 2010-01-11 12:55 -------- d-----w- c:\program files\AccuWeather
2009-12-27 19:33 . 2009-12-27 19:33 152576 ----a-w- c:\documents and settings\Julius\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-23 23:14 . 2009-12-29 20:00 -------- d-----w- c:\program files\Audacity
2009-12-23 23:09 . 2009-12-23 23:09 -------- d-----w- c:\program files\Lame for Audacity
2009-12-23 23:03 . 2009-12-23 23:03 -------- d-----w- c:\program files\BitPim
2009-12-23 23:03 . 2009-12-23 23:14 -------- d-----w- c:\documents and settings\Julius\Application Data\Audacity
2009-12-23 18:22 . 2009-12-23 18:29 -------- d-----w- c:\program files\V CAST Music with Rhapsody
2009-12-23 18:21 . 2009-12-23 18:21 -------- d-----w- c:\program files\LG Electronics
2009-12-21 01:26 . 2009-12-21 01:26 -------- d-----w- c:\program files\MSECache
2009-12-21 01:00 . 2009-12-28 01:55 -------- d-----w- c:\program files\WMR14
2009-12-19 19:24 . 2009-12-19 19:24 -------- d-----w- c:\documents and settings\Julius\Application Data\Sibelius Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-17 19:29 . 2006-08-01 19:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-17 19:12 . 2006-05-10 04:05 85622 -c--a-w- c:\windows\system32\nvModes.dat
2010-01-17 05:00 . 2010-01-17 05:03 31232 ----a-w- c:\windows\Internet Logs\xDB27.tmp
2010-01-17 04:11 . 2010-01-17 04:14 2610688 ----a-w- c:\windows\Internet Logs\xDB26.tmp
2010-01-17 01:26 . 2009-01-24 06:43 -------- d-----w- c:\program files\Warcraft III
2010-01-16 23:59 . 2009-09-15 18:21 1459824 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-16 20:44 . 2009-03-19 03:12 -------- d-----w- c:\program files\AV Vcs 6.0 DIAMOND
2010-01-16 20:44 . 2008-08-07 01:28 -------- d-----w- c:\program files\PeerGuardian2
2010-01-16 20:44 . 2009-09-17 01:48 -------- d-----w- c:\documents and settings\Julius\Application Data\uTorrent
2010-01-16 18:26 . 2006-06-02 20:33 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-16 15:24 . 2009-12-11 19:59 -------- d-----w- c:\documents and settings\Julius\Application Data\vlc
2010-01-16 14:36 . 2006-08-01 19:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-16 14:04 . 2006-08-03 12:18 4068953 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-01-14 00:29 . 2008-11-23 03:35 -------- d-----w- c:\documents and settings\Julius\Application Data\dvdcss
2010-01-12 23:25 . 2006-05-17 12:58 -------- d-----w- c:\program files\Paint Shop Pro 6
2009-12-27 20:04 . 2009-05-26 08:34 -------- d-----w- c:\documents and settings\Julius\Application Data\mIRC
2009-12-27 19:35 . 2006-05-10 04:11 -------- d-----w- c:\program files\Java
2009-12-27 19:33 . 2009-11-27 19:41 79488 ----a-w- c:\documents and settings\Julius\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-27 19:02 . 2009-05-26 08:34 -------- d-----w- c:\program files\mIRC
2009-12-26 16:26 . 2008-11-23 03:22 85656 -c--a-w- c:\documents and settings\Julius\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 01:46 . 2009-04-25 06:10 -------- d-----w- c:\program files\WinPcap
2009-12-19 19:36 . 2009-07-26 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Musicnotes
2009-12-18 07:34 . 2009-01-20 08:22 -------- d-----w- c:\documents and settings\Julius\Application Data\SecondLife
2009-12-17 14:51 . 2009-07-19 00:12 -------- d-----w- c:\program files\Winamp
2009-12-17 14:51 . 2009-07-19 00:12 -------- d-----w- c:\documents and settings\Julius\Application Data\Winamp
2009-12-17 14:51 . 2009-12-17 14:51 -------- d-----w- c:\program files\Winamp Detect
2009-12-14 02:48 . 2007-04-06 05:30 -------- d-----w- c:\program files\Apple Software Update
2009-12-14 02:45 . 2006-05-10 04:28 -------- d-----w- c:\program files\QuickTime
2009-12-14 02:44 . 2008-11-18 20:17 -------- d-----w- c:\program files\Common Files\Apple
2009-12-12 00:06 . 2009-12-12 00:06 -------- d-----w- c:\program files\DefilerPak
2009-12-09 01:46 . 2009-08-26 14:44 -------- d-----w- c:\program files\Pando Networks
2009-12-09 01:44 . 2007-05-21 21:54 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-12-05 16:28 . 2009-12-05 16:06 -------- d-----w- c:\program files\CCleaner
2009-12-04 03:51 . 2006-05-17 02:52 146320 -c--a-w- c:\windows\War3Unin.dat
2009-11-21 15:51 . 2004-08-11 22:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-16 18:10 . 2009-11-16 18:10 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-16 15:39 . 2009-11-16 15:39 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-16 15:39 . 2009-11-16 15:39 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-16 15:39 . 2009-11-16 15:39 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-16 15:39 . 2009-11-16 15:39 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-15 04:24 . 2009-11-15 04:24 15872 ----a-r- c:\documents and settings\Julius\Application Data\Microsoft\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C9.exe
2009-11-10 03:02 . 2008-06-09 15:43 64128 -c-ha-w- c:\windows\system32\mlfcache.dat
2009-11-07 22:25 . 2009-11-07 22:25 86016 -c--a-w- c:\windows\system32\frapsvid.dll
2009-11-06 09:06 . 2009-11-06 14:04 6368256 ----a-w- c:\windows\Internet Logs\xDB25.tmp
2009-11-03 23:28 . 2009-11-03 23:28 1527352 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4220\AIMinst.exe
2009-10-29 07:45 . 2004-08-11 22:00 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-11 22:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-11 22:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 18:19 . 2009-10-20 18:19 281104 ----a-w- c:\windows\system32\wpcap.dll
2009-10-20 18:19 . 2009-10-20 18:19 100880 ----a-w- c:\windows\system32\Packet.dll
2009-10-20 18:19 . 2009-10-20 18:19 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2009-10-20 18:19 . 2009-10-20 18:19 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2009-10-20 16:20 . 2004-08-04 04:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2001-10-05 16:53 . 2006-05-16 22:03 21866 -c--a-w- c:\program files\Common Files\tppupd2k.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-23 24576]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-01-03 50528]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2007-01-30 1432064]
"UniblueSpeedUpMyPC"="c:\program files\Uniblue\SpeedUpMyPC\Launcher.exe" [2009-04-28 614696]
"ccleaner"="c:\program files\CCleaner\ccleaner.exe" [2009-12-21 1803064]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-17 397312]
"MBMon"="CTMBHA.DLL" [2006-03-03 1355938]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"TPP Auto Loader"="c:\windows\tppaldr.exe" [2001-10-05 118784]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NVHotkey"="nvHotkey.dll" [2006-05-01 73728]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-15 7118848]
"nwiz"="nwiz.exe" [2005-12-15 1519616]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"ZoneAlarm Client"="c:\program files\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"razer"="c:\program files\Razer\Copperhead\razerhid.exe" [2005-10-08 155648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-12-16 39424]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2009-08-13 357384]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2009-08-13 1573384]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2009-08-13 3161608]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-01-02 1126400]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-01 2033432]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AccuWeather Desktop.lnk - c:\program files\AccuWeather\Desktop\AccuWeatherDesktop.exe [2009-4-30 967472]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-9 24576]
VPN Client.lnk - c:\windows\Installer\{08B785C1-3893-4154-B53B-F5D341D0AAAA}\Icon3E5562ED7.ico [2010-1-13 6144]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-16 15:39 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv]
[BU]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-29 01:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"HPDJ Taskbar Utility"=c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/16/2009 10:39 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/16/2009 10:39 AM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/16/2009 10:38 AM 285392]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 1:19 PM 50704]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [7/14/2009 3:35 PM 19720]
R3 Razerlow;Razer Copperhead Driver;c:\windows\system32\drivers\Razerlow.sys [11/22/2007 12:49 PM 19020]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [1/16/2010 1:53 PM 17792]
S2 VLC media player;VLC media player;c:\program files\VideoLAN\VLC\vlc.exe [10/30/2009 6:28 AM 135592]
S3 CM1083264;C-Media CM108 Like Sound UDAX Interface;c:\windows\system32\drivers\CM108.sys [1/13/2010 6:57 PM 1294336]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 TPP200;USB Storage Adapter V2 (TPP);c:\windows\system32\drivers\TPP200.SYS [5/16/2006 5:03 PM 35541]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
2010-01-11 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-02-13 20:31]
2010-01-17 c:\windows\Tasks\User_Feed_Synchronization-{23D265E7-CDFA-4331-9442-93CDE6170CDF}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
Supplementary Scan
.
uInternet Connection Wizard,ShellNext = https://login.live.com/resetpw.srf?lc=1033
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: saramin.co.kr\bestiz
TCP: {2ADB7F55-8A5D-40C5-8F76-4D3294BA90C4} = 208.67.220.220,208.67.222.222
TCP: {36FE65F5-4428-411B-BD74-91AA7CBA48AB} = 208.67.220.220,208.67.222.222
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
DPF: {CD995117-98E5-4169-9920-6C12D4C0B548}
FF - ProfilePath - c:\documents and settings\Julius\Application Data\Mozilla\Firefox\Profiles\eyaig5oh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -
BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-17 17:03
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
Completion time: 2010-01-17 17:05:49
ComboFix-quarantined-files.txt 2010-01-17 22:05
ComboFix2.txt 2010-01-17 16:31
ComboFix3.txt 2008-11-08 16:28
Pre-Run: 973,074,432 bytes free
Post-Run: 904,183,808 bytes free
Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 5AFE08B592CD760F1F26DE460EAAAD66
MBAM Log:
Malwarebytes' Anti-Malware 1.44
Database version: 3584
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
1/17/2010 5:16:36 PM
mbam-log-2010-01-17 (17-16-36).txt
Scan type: Quick Scan
Objects scanned: 133594
Time elapsed: 4 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\BMIMZMHMFM (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WS9E3IQBKY (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Kaspersky Log:
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, January 17, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, January 17, 2010 22:45:11
Records in database: 3325951
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\
D:\
Scan statistics:
Objects scanned: 89690
Threats found: 3
Infected objects found: 6
Suspicious objects found: 0
Scan duration: 02:07:54
File name / Threat / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\csrcs.exe.vir Infected: Packed.Win32.Klone.bj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sshnas21.dll.vir Infected: Packed.Win32.Krap.ag 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2020\A0286452.exe Infected: Packed.Win32.Krap.ag 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2020\A0289676.exe Infected: Packed.Win32.Klone.bj 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2020\A0289680.dll Infected: Packed.Win32.Krap.ag 1
Selected area has been scanned.
Overall performance:
So far the computer certainly seems to have been cured and rid of those pesky .exe files, as mentioned earlier in my first post. I'm sure glad I spotted these quickly and sought help before accessing my financial online accounts.
For the time being, things are looking good and no more redirects when running web searches.
If it would help, I can restart and provide a HJT log as well.
Thanks to you Gringo, for aiding me through this disaster!
Very well done!!
Kaspersky is only reporting backups created during the course of this fix, and items located in C:\System Volume Information\, which is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache shortly.
The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.
:Uninstall ComboFix:
:DeFogger:
To re-enable your Emulation drivers, double click DeFogger to run the tool.
- The application window will appear
- Click the Re-enable button to re-enable your CD Emulation drivers
- Click Yes to continue
- A 'Finished!' message will appear
- Click OK
- DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.
Your Emulation drivers are now re-enabled.
:Make your Internet Explorer more secure:
Please visit this page, which gives instructions to do this:
http://surfthenetsafely.com/ieseczone8.htm
:Turn On Automatic Updates:
1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select Automatic (recommended): "Automatically download recommended updates for my computer and install them".
If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.
Or visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
:antispyware programs:
You have a couple of good antispyware programs on this computer, but you can still try some of these others to see if you like them. I would also recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:
Totally free, but for real-time protection you will have to pay a small one-time fee.
Please read this great article by miekiemoes, How to prevent Malware, and this great article by Tony Klein, So How Did I Get Infected In First Place.
Now that you have followed my advice, it's time to lodge a complaint about what you have suffered:
Malware Complaints
If you were infected... Stand Up and be Counted.
I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.
Gringo
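The reply above sorts Kaspersky's six hits into two inert groups: ComboFix's own quarantine under C:\Qoobox (the .vir copies of what it already removed) and System Restore snapshots under System Volume Information, which only come back if someone restores to that point. Nothing live was left. The script below is an added example, not part of the original thread and not Kaspersky's, ComboFix's or either poster's code; it applies that same triage to the detection lines from the posted report. The category names, the path rules, and treating a not-a-virus: verdict as riskware rather than an infection are my assumptions about how to read the report.

```python
r"""Triage a Kaspersky Online Scanner 7 report the way the reply above does.

Added example for this thread; not Kaspersky's, ComboFix's or the poster's
own code. Category rules are assumptions drawn from the posted report:
  - paths under C:\Qoobox\Quarantine are ComboFix's quarantine (renamed *.vir
    copies of files it already removed)
  - paths under System Volume Information\_restore{...} are System Restore
    snapshots, inert unless someone restores to them
  - a not-a-virus: verdict is riskware (a legitimate tool such as mIRC)
Anything else is a live detection that still needs a removal step.
"""
import re
from collections import defaultdict

# Report lines look like:  <path> Infected: <threat> <count>
# The path may contain spaces, so it is matched lazily up to " Infected:".
_LINE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")

QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"           # ComboFix quarantine root
RESTORE_MARKER = "\\system volume information\\_restore{"  # System Restore cache


def classify(path, threat):
    """Return 'riskware', 'combofix_quarantine', 'restore_point' or 'live'."""
    lowered = path.lower()
    if threat.lower().startswith("not-a-virus:"):
        return "riskware"
    if lowered.startswith(QUARANTINE_PREFIX):
        return "combofix_quarantine"
    if RESTORE_MARKER in lowered:
        return "restore_point"
    return "live"


def parse_report(text):
    """Yield (path, threat, count) for every detection line; skip headers."""
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            yield m.group("path"), m.group("threat"), int(m.group("count"))


def triage(text):
    """Group detections by category; only the 'live' group needs action."""
    groups = defaultdict(list)
    for path, threat, count in parse_report(text):
        groups[classify(path, threat)].append((path, threat, count))
    return dict(groups)


def counts(text):
    """Category -> number of detections, handy for a one-line verdict."""
    return {category: len(items) for category, items in triage(text).items()}


# Detection lines copied from the Kaspersky report posted earlier in the thread.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\csrcs.exe.vir Infected: Packed.Win32.Klone.bj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sshnas21.dll.vir Infected: Packed.Win32.Krap.ag 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2020\A0286452.exe Infected: Packed.Win32.Krap.ag 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2020\A0289676.exe Infected: Packed.Win32.Klone.bj 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2020\A0289680.dll Infected: Packed.Win32.Krap.ag 1
Selected area has been scanned.
"""

if __name__ == "__main__":
    for category, items in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{category}: {len(items)}")
        for path, threat, _ in items:
            print(f"    {threat:<36} {path}")
    if "live" not in counts(SAMPLE_REPORT):
        print("no live detections: uninstall ComboFix and flush System Restore")
```

Run it on a saved Kaspersky .txt report and only the live group deserves a follow-up; the quarantine and restore-point groups disappear on their own once ComboFix is uninstalled and System Restore is reset, which is exactly the cleanup the reply schedules next.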
Other than that, this experience has been reinvigorating and another reminder of what it is I am up against with malware and spyware. I've probably had three to four other past significant occurrences that ended up rendering my machine's system functionality inoperable at a common user level. Since then, I've learned each time as to what my options can be and have been in combating and resisting these threats.
But in conclusion of it all, it's not a matter of "hey, mind helping me out again?" versus arming a victim with the knowledge and tools necessary to not only prevent further occurrences, but to also be able to identify and perhaps even diagnose the problem towards a viable solution.
Back then, we heavily used the HJT logs to pinpoint and target specific entries for removal. I guess things have gotten more automated nowadays, with constant database updates.
Thanks Gringo, things are good now.