Computer Hope
Software => Computer viruses and spyware => Topic started by: jorgekabayo on June 09, 2009, 10:59:26 PM
-
2 weeks ago i was having time/date reset to september 2020 everytime i boot my PC. back then i thought it was a virus/malware problem but my avg antivirus cannot see it. this week i started to have the error missing file msnmgnr.exe after my pc starts. then i started reading about that file and realized its in fact a virus. i found out that the file msnmgnr.exe in fact causes the date reset i experienced 2 weeks ago. however, i wasnt able to find a clear fix over the net for my problem. i need help. the necessary logs are found below. thanks.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 06/10/2009 at 01:35 AM
Application Version : 4.26.1004
Core Rules Database Version : 3930
Trace Rules Database Version: 1873
Scan type : Complete Scan
Total Scan Time : 01:02:37
Memory items scanned : 450
Memory threats detected : 0
Registry items scanned : 6375
Registry threats detected : 29
File items scanned : 93254
File threats detected : 6
Trojan.Downloader-Gen/FotoMoto
HKLM\Software\Classes\CLSID\{733716E1-76D2-4003-AC39-845281C0EF85}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{733716E1-76D2-4003-AC39-845281C0EF85}
HKU\S-1-5-21-1547161642-1637723038-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{733716E1-76D2-4003-AC39-845281C0EF85}
HKCR\CLSID\{733716E1-76D2-4003-AC39-845281C0EF85}
HKCR\CLSID\{733716E1-76D2-4003-AC39-845281C0EF85}\ProgID
HKCR\CLSID\{733716E1-76D2-4003-AC39-845281C0EF85}\Programmable
HKCR\CLSID\{733716E1-76D2-4003-AC39-845281C0EF85}\TypeLib
HKCR\CLSID\{733716E1-76D2-4003-AC39-845281C0EF85}\VersionIndependentProgID
Adware.MyWebSearch
HKU\S-1-5-21-1547161642-1637723038-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D}
HKU\S-1-5-21-1547161642-1637723038-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
Adware.HotBar/ShopperReports (Low Risk)
HKU\S-1-5-21-1547161642-1637723038-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{100EB1FD-D03E-47FD-81F3-EE91287F9465}
Unclassified.Unknown Origin
HKU\S-1-5-21-1547161642-1637723038-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4D1C4E81-A32A-416B-BCDB-33B3EF3617D3}
E:\DOWNLOADS\MISC\COLLAGE MAKER\KEYGEN.NFO
E:\DOWNLOADS\MISC\KEYGEN.NFO
Adware.Zango/ShoppingReport
HKU\S-1-5-21-1547161642-1637723038-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5428486-50A0-4A02-9D20-520B59A9F9B2}
HKU\S-1-5-21-1547161642-1637723038-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5428486-50A0-4A02-9D20-520B59A9F9B3}
Adware.MyWebSearch/FunWebProducts
HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\FLAGS
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\HELPDIR
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid32
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib#Version
Trojan.Media-Codec/V4
C:\Program Files\Video Add-on Setup
Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\RemoveRP
Rogue.Component/Trace
HKLM\Software\Microsoft\600DE937
HKLM\Software\Microsoft\600DE937#600de937
HKLM\Software\Microsoft\600DE937#Version
Trojan.Net-SvHoster
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\PROTECT\SVHOST.EXE
Adware.AdRotator/SuperiorAds
C:\WINDOWS\SYSTEM32\SUPERIORADS-UNINST.EXE
Adware.180solutions/Seekmo/Zango
E:\DOWNLOADS\SETUP.EXE
Malwarebytes' Anti-Malware 1.37
Database version: 2255
Windows 5.1.2600 Service Pack 3
6/10/2009 2:00:38 AM
mbam-log-2009-06-10 (02-00-38).txt
Scan type: Quick Scan
Objects scanned: 96960
Time elapsed: 4 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 26
Registry Values Infected: 4
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 13
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\dc_ads.ads (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dc_ads.ads.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\iebrowsercmp.browsercmp (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\iebrowsercmp.browsercmp.1 (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c1a6d8b8-93c3-4186-9dd1-13983f9f1d9b} (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1d8282e6-bc4f-469b-aaed-7e4ff077ad93} (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{733716e1-76d2-4003-ac39-845281c0ef85} (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\Typelib\{3160f356-e8c3-4de2-a698-92eeeb3d3400} (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d8282e6-bc4f-469b-aaed-7e4ff077ad93} (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1d8282e6-bc4f-469b-aaed-7e4ff077ad93} (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\a1301497-029d-cff7-a294-146df193dc0e (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\superiorads (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dcadssocial (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qalkfxor.bqva (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qalkfxor.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cont_dcads (Adware.Adrotator) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\rqbmvpso (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\pdoskegl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (55274-648-2323245-23256) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
c:\WINDOWS\system32\a1301497-029d-cff7-a294-146df193dc0e.exe (Adware.Adrotator) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\DcadsSocial-uninstall.exe (Adware.RightOnAds) -> Quarantined and deleted successfully.
c:\documents and settings\Administrator\Application Data\urlredir.cfg (Adware.RightOnAds) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\All Users\Application Data\Microsoft\Protect\track.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cont_dcads-remove.exe (Adware.Adrotator) -> Quarantined and deleted successfully.
c:\WINDOWS\smdat32a.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\smdat32m.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:46 PM, on 6/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\VDOTool\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\sniper.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fmz.qiwa.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=62548
R3 - URLSearchHook: ToggleEN Toolbar - {038cb5c7-48ea-4af9-94e0-a1646542e62b} - C:\Program Files\ToggleEN\tbTogg.dll
F2 - REG:system.ini: Shell=Explorer.exe msnmgnr.exe
O2 - BHO: (no name) - {0021042F-2CC8-EFD8-B715-2713974D46A3} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: ToggleEN Toolbar - {038cb5c7-48ea-4af9-94e0-a1646542e62b} - C:\Program Files\ToggleEN\tbTogg.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {60D2E6AF-F47E-45B8-917F-DE66D9C379B8} - (no file)
O2 - BHO: (no name) - {706D5729-5152-4040-8978-F49C6D23F9C7} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {a0b71f07-c3b7-1c4a-99c9-0bbe2de60d71} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: (no name) - {B0F73815-DCE5-4838-9000-41CF13C3610F} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: qalkfxor - {8BE3A45C-46D2-407E-8A70-878D0828634D} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: ToggleEN Toolbar - {038cb5c7-48ea-4af9-94e0-a1646542e62b} - C:\Program Files\ToggleEN\tbTogg.dll
O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.ph/com/EGamesPlugin.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: xxyXOhFX - xxyXOhFX.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 9831 bytes
-
Download DDS from |HERE| (http://www.techsupportforum.com/sectools/sUBs/dds) or |HERE| (http://download.bleepingcomputer.com/sUBs/dds.scr) or |HERE| (http://www.forospyware.com/sUBs/dds) and save it to your desktop.
Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)
* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.
1) DDS.txt
2) Attach.txt
* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.
Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.
-
required logs below:
DDS (Ver_09-05-14.01) - NTFSx86
Run by Jared at 14:16:14.85 on Wed 06/10/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1397 [GMT 8:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\VDOTool\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jared\Desktop\dds.pif
============== Pseudo HJT Report ===============
uStart Page = hxxp://fmz.qiwa.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: ToggleEN Toolbar: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - c:\program files\toggleen\tbTogg.dll
mWinlogon: Shell=Explorer.exe msnmgnr.exe
BHO: {0021042F-2CC8-EFD8-B715-2713974D46A3} - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: ToggleEN Toolbar: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - c:\program files\toggleen\tbTogg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {60D2E6AF-F47E-45B8-917F-DE66D9C379B8} - No File
BHO: {706D5729-5152-4040-8978-F49C6D23F9C7} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Encarta Web Companion Helper Object: {955be0b8-bc85-4caf-856e-8e0d8b610560} - c:\program files\common files\microsoft shared\encarta web companion\2007\ENCWCBAR.DLL
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: {a0b71f07-c3b7-1c4a-99c9-0bbe2de60d71} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: CPrintEnhancer Object: {ae84a6aa-a333-4b92-b276-c11e2212e4fe} - c:\program files\hp\smart web printing\SmartWebPrinting.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: {B0F73815-DCE5-4838-9000-41CF13C3610F} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Encarta Web Companion: {147d6308-0614-4112-89b1-31402f9b82c4} - c:\program files\common files\microsoft shared\encarta web companion\2007\ENCWCBAR.DLL
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: qalkfxor: {8be3a45c-46d2-407e-8a70-878d0828634d} -
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: ToggleEN Toolbar: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - c:\program files\toggleen\tbTogg.dll
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
EB: {97F32659-2957-DE6E-6FA4-EC24F7C7CEF0} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
uRun: [Uniblue SpeedUpMyPC] c:\program files\uniblue\speedupmypc 3\SpeedUpMyPC.exe -s
uRun: [Uniblue SpyEraser] "c:\program files\uniblue\spyeraser\SpyEraser.exe" -m
mRun: [Gainward] c:\program files\vdotool\TBPanel.exe /A
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} - hxxps://www.e-games.com.ph/com/EGamesPlugin.cab
DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} - hxxp://legendofares.netgame.com/download/MusaLauncherNew.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: xxyXOhFX - xxyXOhFX.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {60D2E6AF-F47E-45B8-917F-DE66D9C379B8} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\hgGxWqrr
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\jared\applic~1\mozilla\firefox\profiles\rfcjzjrh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www2.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www2.yoog.com/search.php?q=
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ZangoSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npkimi.dll
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.interval - 750000
FF - user.js: content.switch.threshold - 750000
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: google.toolbar.linkdoctor.enabled - false
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www2.yoog.com/search.php?q=
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www2.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-16 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-16 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-16 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-16 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-16 298776]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2007-9-7 38656]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\drivers\s125bus.sys [2007-4-24 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\system32\drivers\s125mdfl.sys [2007-4-24 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\system32\drivers\s125mdm.sys [2007-4-24 108680]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\system32\drivers\s125obex.sys [2007-4-24 98696]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
=============== Created Last 30 ================
2009-06-10 12:39 <DIR> --d----- c:\program files\Trend Micro
2009-06-10 01:49 <DIR> --d----- c:\docume~1\jared\applic~1\Malwarebytes
2009-06-10 01:49 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-10 01:49 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-10 01:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-10 01:49 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-10 00:53 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-10 00:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-10 00:22 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-10 00:22 <DIR> --d----- c:\docume~1\jared\applic~1\SUPERAntiSpyware.com
2009-06-09 23:52 <DIR> --d----- c:\program files\CCleaner
2009-06-09 09:26 <DIR> --dsh--- c:\docume~1\alluse~1\applic~1\{55A29068-F2CE-456C-9148-C869879E2357}
2009-06-09 09:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Uniblue
2009-06-09 09:07 <DIR> --d----- c:\program files\Uniblue
2009-06-09 08:44 <DIR> --d----- c:\docume~1\jared\applic~1\Uniblue
2009-06-09 08:43 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-06-08 12:39 23,392 a------- c:\windows\system32\nscompat.tlb
2009-06-08 12:39 16,832 a------- c:\windows\system32\amcompat.tlb
2009-05-29 15:44 <DIR> --d----- c:\program files\MSECache
2009-05-28 22:52 98,304 a------- c:\windows\system32\CmdLineExt.dll
2009-05-27 10:17 3,255 a------- c:\windows\system32\wbem\Outlook_01c9de71480d7222.mof
==================== Find3M ====================
2009-05-09 09:54 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-09 09:54 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-09 09:54 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-25 21:22 4 ---shr-- c:\docume~1\alluse~1\applic~1\sysqcl1129139270.dat
2007-10-25 11:28 18,895,728 a------- c:\program files\Install_Messenger.exe
2008-08-28 19:09 29,587 a--sh--- c:\windows\system32\rrqWxGgh.ini2
2008-09-09 22:49 16,384 a--sh--- c:\windows\system32\config\systemprofile\cookies\index.dat
2008-09-09 22:49 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-09-09 22:49 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090920080910\index.dat
2008-09-09 22:49 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat
============= FINISH: 14:16:37.10 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-05-14.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/7/2005 11:24:05 PM
System Uptime: 6/10/2009 12:19:00 PM (2 hours ago)
Motherboard: ASUSTeK Computer INC. | | M2N8-VMX
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | CPU 1 | 2209/200mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 156 GiB total, 120.383 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 142 GiB total, 89.403 GiB free.
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP364: 3/13/2009 11:21:21 PM - System Checkpoint
RP365: 3/15/2009 6:08:19 PM - System Checkpoint
RP366: 3/17/2009 8:10:08 PM - System Checkpoint
RP367: 3/18/2009 8:20:55 AM - Avg8 Update
RP368: 3/19/2009 8:33:21 AM - System Checkpoint
RP369: 3/20/2009 12:12:03 PM - System Checkpoint
RP370: 3/21/2009 12:42:51 PM - System Checkpoint
RP371: 3/22/2009 12:01:07 AM - Software Distribution Service 3.0
RP372: 3/24/2009 8:12:04 AM - System Checkpoint
RP373: 3/25/2009 11:38:20 AM - System Checkpoint
RP374: 3/25/2009 7:08:55 PM - Configured AVG Free 8.5
RP375: 3/26/2009 8:31:33 AM - Avg8 Update
RP376: 3/27/2009 8:51:28 AM - Avg8 Update
RP377: 3/28/2009 10:22:00 AM - System Checkpoint
RP378: 3/30/2009 10:07:04 AM - System Checkpoint
RP379: 3/31/2009 1:21:33 PM - System Checkpoint
RP380: 4/1/2009 1:44:20 PM - System Checkpoint
RP381: 4/2/2009 2:39:14 PM - System Checkpoint
RP382: 4/3/2009 10:40:12 PM - System Checkpoint
RP383: 4/4/2009 10:59:16 PM - System Checkpoint
RP384: 4/4/2009 11:59:57 PM - Installed Windows Media Player 10
RP385: 4/5/2009 12:20:02 AM - Software Distribution Service 3.0
RP386: 4/6/2009 12:23:20 AM - System Checkpoint
RP387: 4/6/2009 3:00:15 AM - Software Distribution Service 3.0
RP388: 4/7/2009 8:37:10 AM - System Checkpoint
RP389: 4/8/2009 9:20:54 AM - System Checkpoint
RP390: 4/11/2009 12:14:05 PM - Avg8 Update
RP391: 4/12/2009 1:07:08 PM - System Checkpoint
RP392: 4/13/2009 1:51:45 PM - System Checkpoint
RP393: 4/14/2009 2:22:25 PM - System Checkpoint
RP394: 4/15/2009 8:50:45 PM - System Checkpoint
RP395: 4/16/2009 9:10:32 AM - Avg8 Update
RP396: 4/17/2009 3:00:22 AM - Software Distribution Service 3.0
RP397: 4/18/2009 7:58:30 AM - System Checkpoint
RP398: 4/19/2009 9:18:17 AM - System Checkpoint
RP399: 4/20/2009 2:50:10 PM - System Checkpoint
RP400: 4/21/2009 3:58:01 PM - System Checkpoint
RP401: 4/22/2009 5:37:38 PM - System Checkpoint
RP402: 4/23/2009 9:27:13 PM - System Checkpoint
RP403: 4/30/2009 9:45:26 PM - System Checkpoint
RP404: 5/1/2009 9:16:43 AM - Software Distribution Service 3.0
RP405: 5/7/2009 9:27:51 PM - System Checkpoint
RP406: 5/7/2009 11:40:17 PM - Software Distribution Service 3.0
RP407: 5/9/2009 9:50:28 AM - Avg8 Update
RP408: 5/9/2009 9:55:04 AM - Avg8 Update
RP409: 5/10/2009 1:14:55 PM - System Checkpoint
RP410: 5/10/2009 2:30:02 PM - Removed GG E-Sports Platform
RP411: 5/12/2009 5:29:01 PM - System Checkpoint
RP412: 5/13/2009 5:36:28 PM - Software Distribution Service 3.0
RP413: 5/14/2009 10:48:59 PM - System Checkpoint
RP414: 5/16/2009 10:45:07 AM - Avg8 Update
RP415: 5/18/2009 9:26:47 AM - System Checkpoint
RP416: 5/19/2009 8:13:39 AM - Avg8 Update
RP417: 5/19/2009 8:16:54 AM - Avg8 Update
RP418: 5/21/2009 11:52:12 AM - System Checkpoint
RP419: 5/22/2009 10:45:03 PM - System Checkpoint
RP420: 5/24/2009 5:47:53 PM - System Checkpoint
RP421: 5/25/2009 8:21:50 PM - System Checkpoint
RP422: 5/26/2009 9:30:28 PM - System Checkpoint
RP423: 5/28/2009 8:40:26 AM - System Checkpoint
RP424: 5/28/2009 10:40:52 PM - Installed DirectX
RP425: 5/28/2009 10:45:50 PM - Installed DirectX
RP426: 5/29/2009 3:44:39 PM - Installed Compatibility Pack for the 2007 Office system
RP427: 5/30/2009 4:41:19 PM - System Checkpoint
RP428: 5/31/2009 5:40:10 PM - System Checkpoint
RP429: 6/2/2009 12:43:05 PM - System Checkpoint
RP430: 6/3/2009 5:20:09 PM - System Checkpoint
RP431: 6/5/2009 7:51:11 PM - System Checkpoint
RP432: 6/7/2009 10:57:53 PM - System Checkpoint
RP433: 6/8/2009 11:59:43 AM - Removed Ad-Aware
RP434: 6/8/2009 12:37:37 PM - Installed Windows Media Player 11
RP435: 6/8/2009 12:41:01 PM - Installed Windows Media Player 11
RP436: 6/8/2009 12:42:54 PM - Installed Windows XP MSCompPackV1.
RP437: 6/9/2009 1:12:03 AM - Software Distribution Service 3.0
RP438: 6/9/2009 9:11:10 AM - Uniblue RegistryBooster
RP439: 6/9/2009 9:16:17 AM - Uniblue RegistryBooster
RP440: 6/9/2009 9:26:02 AM - Removed TuneUp Utilities 2008
RP441: 6/9/2009 9:27:02 AM - Installed TuneUp Utilities 2009
RP442: 6/9/2009 10:13:46 AM - Removed TuneUp Utilities 2009
RP443: 6/9/2009 11:00:17 AM - Software Distribution Service 3.0
RP444: 6/9/2009 11:29:48 PM - Removed Comic Life
RP445: 6/10/2009 12:22:44 AM - Installed SUPERAntiSpyware Free Edition
RP446: 6/10/2009 12:52:39 AM - Installed Java(TM) 6 Update 13
RP447: 6/10/2009 12:31:03 PM - Removed Java(TM) 6 Update 2
RP448: 6/10/2009 12:31:47 PM - Removed Java(TM) 6 Update 3
RP449: 6/10/2009 12:32:25 PM - Removed Java(TM) 6 Update 5
RP450: 6/10/2009 12:33:18 PM - Removed Java(TM) 6 Update 7
==== Installed Programs ======================
32 Bit HP CIO Components Installer
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Photoshop CS2
Adobe Reader 8.1.2
AIO_Scan
Apple Mobile Device Support
Apple Software Update
Attansic Giga Ethernet Utility
AVG 8.5
Bonjour
BufferChm
CCleaner (remove only)
Compatibility Pack for the 2007 Office system
Copy
CorelDRAW Graphics Suite X3
Critical Update for Windows Media Player 11 (KB959772)
CustomerResearchQFolder
Destinations
DeviceManagementQFolder
DivX
DJ_AIO_ProductContext
DJ_AIO_Software
DJ_AIO_Software_min
EN
eSupportQFolder
F4100
F4100_Help
Final Draft 7
FontNav
Garena
Google Desktop
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 8.0
HP Deskjet All-In-One Software 8.0
HP Imaging Device Functions 8.0
HP Photosmart Essential
HP Smart Web Printing 1.0
HP Solution Center 8.0
HP Update
HPProductAssistant
HPSSupply
Imikimi Plugin
InterActual Player
InterVideo WinDVD 7
iTunes
Java(TM) 6 Update 13
LimeWire 4.16.6
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta Premium 2007
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Nero Suite
NVIDIA Drivers
OpenOffice.org Installer 1.0
Picture Collage Maker
QuickFix
QuickTime
Realtek High Definition Audio Driver
Scan
Scrapbook Flair
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
SereneScreen Marine Aquarium 2.6
Skype™ 3.8
SolutionCenter
Status
SUPERAntiSpyware Free Edition
The Settlers II - 10th Anniversary
ToggleEN Toolbar
Toolbox
TrayApp
Uniblue RegistryBooster 2
Uniblue SpeedUpMyPC 3
Uniblue SpyEraser
UnloadSupport
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Manager
VBA
VDOTool 5.3
Ventrilo Client
WebFldrs XP
WebReg
Winamp (remove only)
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
World of Warcraft
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Search Protection
Yahoo! Toolbar
==== Event Viewer Messages From Past Week ========
6/9/2009 8:35:37 AM, error: Service Control Manager [7000] - The Cardex service failed to start due to the following error: Cannot create a file when that file already exists.
6/8/2009 12:43:06 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
6/3/2009 2:34:20 PM, error: Cdrom [11] - The driver detected a controller error on \Device\CdRom0.
6/10/2009 2:03:37 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
==== End Of File ===========================
-
Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.
Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your Desktop
DO NOT run it yet!
Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system
Delete these files/folders, as follows:
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C
KillAll::
DDS::
BHO: {0021042F-2CC8-EFD8-B715-2713974D46A3} - No File
BHO: {60D2E6AF-F47E-45B8-917F-DE66D9C379B8} - No File
BHO: {706D5729-5152-4040-8978-F49C6D23F9C7} - No File
BHO: {a0b71f07-c3b7-1c4a-99c9-0bbe2de60d71} - No File
BHO: {B0F73815-DCE5-4838-9000-41CF13C3610F} - No File
TB: qalkfxor: {8be3a45c-46d2-407e-8a70-878d0828634d} -
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
EB: {97F32659-2957-DE6E-6FA4-EC24F7C7CEF0} - No File
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
SEH: {60D2E6AF-F47E-45B8-917F-DE66D9C379B8} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\hgGxWqrr
Firefox::
FF - ProfilePath - c:\docume~1\jared\applic~1\mozilla\firefox\profiles\rfcjzjrh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www2.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: keyword.URL - hxxp://www2.yoog.com/search.php?q=
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ZangoSA.dll
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www2.yoog.com/search.php?q=
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www2.yoog.com/search.php?q=
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!
(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)
ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
----------
Your Java is out of date.
Older versions have vulnerabilities that malicious sites can use to infect your system.
First install the new Sun Java Runtime Environment (http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html)
Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.
Be sure to close all browser windows before beginning the install.
Remove the old version(s)
Download JavaRa (http://prm753.bchea.org/JavaRa.zip)
- Unzip the file and open the JavaRa.exe
- Click Remove Older Versions
- JavaRa will search for and remove any outdated version of Java and remove any that are found.
- Click Additional Tasks
- Place a check next to Remove Useless JRE Files and click Go
- Exit JavaRa
- Delete the JavaRa files from the Desktop
Additional Note: The Java Quick Starter (JQS.exe) (http://java.sun.com/javase/6/docs/technotes/guides/jweb/otherFeatures/jqs.html) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.
-
Wow Amazing! Thank you very much! i dont have the error message anymore. am i off the hook? CF log below.
ComboFix 09-06-09.06 - Jared 06/11/2009 9:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1590 [GMT 8:00]
Running from: c:\documents and settings\Jared\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jared\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\messenger\msmsgs.exe
c:\program files\Need2Find
c:\program files\Need2Find\bar\Cache\00255494
c:\windows\system32\rrqWxGgh.ini
c:\windows\system32\rrqWxGgh.ini2
.
((((((((((((((((((((((((( Files Created from 2009-05-11 to 2009-06-11 )))))))))))))))))))))))))))))))
.
2009-06-11 00:47 . 2009-06-11 00:47 -------- d-----w- c:\program files\Java
2009-06-10 04:39 . 2009-06-10 04:39 -------- d-----w- c:\program files\Trend Micro
2009-06-09 17:49 . 2009-06-09 17:49 -------- d-----w- c:\documents and settings\Jared\Application Data\Malwarebytes
2009-06-09 17:49 . 2009-05-26 05:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 17:49 . 2009-06-09 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-09 17:49 . 2009-05-26 05:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-09 17:49 . 2009-06-09 17:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 16:53 . 2009-06-11 00:47 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-09 16:52 . 2009-06-09 16:52 152576 ----a-w- c:\documents and settings\Jared\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-09 16:24 . 2009-06-09 17:45 117760 ----a-w- c:\documents and settings\Jared\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-09 16:22 . 2009-06-09 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-09 16:22 . 2009-06-09 16:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-09 16:22 . 2009-06-09 16:22 -------- d-----w- c:\documents and settings\Jared\Application Data\SUPERAntiSpyware.com
2009-06-09 15:52 . 2009-06-09 15:52 -------- d-----w- c:\program files\CCleaner
2009-06-09 01:26 . 2009-06-09 01:26 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-06-09 01:22 . 2009-06-09 01:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Uniblue
2009-06-09 01:07 . 2009-06-09 01:21 -------- d-----w- c:\program files\Uniblue
2009-06-09 00:44 . 2009-06-09 01:22 -------- d-----w- c:\documents and settings\Jared\Application Data\Uniblue
2009-06-09 00:43 . 2009-03-13 15:05 2567647 -c----w- c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}\Uniblue RegistryBooster.exe
2009-06-09 00:43 . 2009-06-09 00:54 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-05-29 07:44 . 2009-05-29 07:44 -------- d-----w- c:\program files\MSECache
2009-05-28 14:55 . 2009-06-08 14:30 -------- d-----w- c:\documents and settings\Jared\Local Settings\Application Data\S2
2009-05-28 14:52 . 2009-05-28 14:52 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-05-28 14:52 . 2009-05-28 14:52 -------- d--h--r- c:\documents and settings\Jared\Application Data\SecuROM
2009-05-28 14:45 . 2009-05-28 14:45 -------- d-----w- c:\program files\Ubisoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-09 16:22 . 2007-09-11 08:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-09 15:31 . 2008-01-23 13:45 -------- d-----w- c:\program files\GameHouse
2009-06-09 02:20 . 2007-12-23 05:30 -------- d-----w- c:\program files\YouTube Downloader
2009-06-09 01:17 . 2008-09-28 19:06 -------- d-----w- c:\documents and settings\Jared\Application Data\uTorrent
2009-06-08 12:41 . 2007-09-07 08:12 900 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-08 04:42 . 2009-04-04 16:21 -------- d-----w- c:\program files\Windows Media Connect 2
2009-06-08 04:00 . 2009-04-03 01:03 -------- d-----w- c:\documents and settings\Jared\Application Data\FMZilla
2009-05-29 07:45 . 2008-08-31 13:04 65600 ----a-w- c:\documents and settings\Jared\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-22 13:17 . 2008-10-24 02:22 -------- d-----w- c:\documents and settings\Jared\Application Data\LimeWire
2009-05-21 23:42 . 2008-12-16 01:03 -------- d-----w- c:\documents and settings\Jared\Application Data\AVGTOOLBAR
2009-05-17 08:39 . 2009-05-10 07:43 -------- d-----w- c:\program files\Garena
2009-05-10 06:29 . 2009-05-10 06:29 -------- d-----w- c:\documents and settings\Jared\Application Data\InstallShield
2009-05-09 01:54 . 2008-12-16 01:03 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-09 01:54 . 2008-12-16 01:03 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-09 01:54 . 2008-12-16 01:03 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-09 01:54 . 2008-12-16 01:03 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-17 05:49 . 2008-11-08 06:22 -------- d-----w- c:\documents and settings\Jared\Application Data\Skype
2007-10-25 03:28 . 2007-10-25 03:28 18895728 ----a-w- c:\program files\Install_Messenger.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]
2009-02-16 07:44 1882136 ----a-w- c:\program files\ToggleEN\tbTogg.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gainward"="c:\program files\VDOTool\TBPanel.exe" [2007-06-26 2165272]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-11 148888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-23 8466432]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-07-23 1626112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-12-20 16860672]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-11 68856]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 04:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-09 01:54 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"Alcmtr"=ALCMTR.EXE
"QuickFix"=c:\program files\QuickFix\QuickFix.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Ubisoft\\Funatics\\The Settlers II - 10th Anniversary\\bin\\S2DNG.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizzard Downloader: 6112
"6881:TCP"= 6881:TCP:Blizzard Downloader: 6881
"6999:TCP"= 6999:TCP:Blizzard Downloader: 6999
"6990:TCP"= 6990:TCP:Blizzard Downloader: 6990
"6885:TCP"= 6885:TCP:Blizzard Downloader: 6885
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"443:TCP"= 443:TCP:https
"21:TCP"= 21:TCP:ftp
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)
"AllowInboundTimestampRequest"= 0 (0x0)
"AllowInboundMaskRequest"= 0 (0x0)
"AllowInboundRouterRequest"= 0 (0x0)
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)
"AllowRedirect"= 0 (0x0)
"AllowOutboundPacketTooBig"= 0 (0x0)
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/16/2008 9:03 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/16/2008 9:03 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/16/2008 9:03 AM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/16/2008 9:03 AM 298776]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [9/7/2007 2:26 PM 38656]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635618}]
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\msnmgnr.exe
.
Contents of the 'Scheduled Tasks' folder
2009-06-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 09:57]
2009-06-09 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2009-06-09 01:42]
2009-06-09 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2009-06-09 01:42]
2009-06-09 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2009-06-09 01:14]
2009-06-11 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-07 14:18]
.
- - - - ORPHANS REMOVED - - - -
Notify-xxyXOhFX - xxyXOhFX.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://fmz.qiwa.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Jared\Application Data\Mozilla\Firefox\Profiles\rfcjzjrh.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npkimi.dll
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.interval - 750000
FF - user.js: content.switch.threshold - 750000
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: google.toolbar.linkdoctor.enabled - false
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: keyword.enabled - true
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-11 09:27
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1547161642-1637723038-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:17,6d,cf,8a,bc,c6,12,a1,65,fd,49,de,73,33,23,08,b0,ba,36,dd,0b,cc,85,
e8,09,5a,97,46,ab,6e,9d,d4,0d,a6,98,eb,a6,7a,22,eb,50,e7,00,14,15,c5,8e,11,\
"??"=hex:dc,bc,25,01,99,f9,4d,24,96,0e,32,50,c4,b1,f9,22
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{733716E1-76D2-4003-AC39-845281C0EF85}\ProgID]
@DACL=(02 0000)
@="dc_ads.ads.1"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{733716E1-76D2-4003-AC39-845281C0EF85}\Programmable]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{733716E1-76D2-4003-AC39-845281C0EF85}\TypeLib]
@DACL=(02 0000)
@="{E94C3AF8-D32C-4389-AC9A-BE17471EDC42}"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{733716E1-76D2-4003-AC39-845281C0EF85}\VersionIndependentProgID]
@DACL=(02 0000)
@="dc_ads.ads"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(700)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
- - - - - - - > 'explorer.exe'(1476)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
c:\program files\VDOTool\TBPanelExt.dll
c:\windows\system32\nvcpl.dll
c:\windows\system32\nvapi.dll
c:\windows\system32\nvshell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WgaTray.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-11 9:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-11 01:29
Pre-Run: 128,982,495,232 bytes free
Post-Run: 129,051,725,824 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
233 --- E O F --- 2009-06-09 03:00
-
Not there yet...
Delete these files/folders, as follows:
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C
KillAll::
DDS::
FF - user.js: browser.search.defaultenginename - Yoog Search
Firefox::
FF - user.js: browser.search.defaultenginename - Yoog Search
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635618}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"iTunesHelper"=-
"KernelFaultCheck"=-
"Alcmtr"=-
"QuickFix"=-
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!
(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)
ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
-
the next CF log below.
ComboFix 09-06-09.06 - Jared 06/11/2009 10:17.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1539 [GMT 8:00]
Running from: c:\documents and settings\Jared\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jared\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((( Files Created from 2009-05-11 to 2009-06-11 )))))))))))))))))))))))))))))))
.
2009-06-11 00:47 . 2009-06-11 00:47 -------- d-----w- c:\program files\Java
2009-06-10 04:39 . 2009-06-10 04:39 -------- d-----w- c:\program files\Trend Micro
2009-06-09 17:49 . 2009-06-09 17:49 -------- d-----w- c:\documents and settings\Jared\Application Data\Malwarebytes
2009-06-09 17:49 . 2009-05-26 05:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 17:49 . 2009-06-09 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-09 17:49 . 2009-05-26 05:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-09 17:49 . 2009-06-09 17:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 16:53 . 2009-06-11 00:47 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-09 16:52 . 2009-06-09 16:52 152576 ----a-w- c:\documents and settings\Jared\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-09 16:24 . 2009-06-09 17:45 117760 ----a-w- c:\documents and settings\Jared\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-09 16:22 . 2009-06-09 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-09 16:22 . 2009-06-09 16:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-09 16:22 . 2009-06-09 16:22 -------- d-----w- c:\documents and settings\Jared\Application Data\SUPERAntiSpyware.com
2009-06-09 15:52 . 2009-06-09 15:52 -------- d-----w- c:\program files\CCleaner
2009-06-09 01:26 . 2009-06-09 01:26 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-06-09 01:22 . 2009-06-09 01:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Uniblue
2009-06-09 01:07 . 2009-06-09 01:21 -------- d-----w- c:\program files\Uniblue
2009-06-09 00:44 . 2009-06-09 01:22 -------- d-----w- c:\documents and settings\Jared\Application Data\Uniblue
2009-06-09 00:43 . 2009-03-13 15:05 2567647 -c----w- c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}\Uniblue RegistryBooster.exe
2009-06-09 00:43 . 2009-06-09 00:54 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-05-29 07:44 . 2009-05-29 07:44 -------- d-----w- c:\program files\MSECache
2009-05-28 14:55 . 2009-06-08 14:30 -------- d-----w- c:\documents and settings\Jared\Local Settings\Application Data\S2
2009-05-28 14:52 . 2009-05-28 14:52 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-05-28 14:52 . 2009-05-28 14:52 -------- d--h--r- c:\documents and settings\Jared\Application Data\SecuROM
2009-05-28 14:45 . 2009-05-28 14:45 -------- d-----w- c:\program files\Ubisoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-09 16:22 . 2007-09-11 08:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-09 15:31 . 2008-01-23 13:45 -------- d-----w- c:\program files\GameHouse
2009-06-09 02:20 . 2007-12-23 05:30 -------- d-----w- c:\program files\YouTube Downloader
2009-06-09 01:17 . 2008-09-28 19:06 -------- d-----w- c:\documents and settings\Jared\Application Data\uTorrent
2009-06-08 12:41 . 2007-09-07 08:12 900 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-08 04:42 . 2009-04-04 16:21 -------- d-----w- c:\program files\Windows Media Connect 2
2009-06-08 04:00 . 2009-04-03 01:03 -------- d-----w- c:\documents and settings\Jared\Application Data\FMZilla
2009-05-29 07:45 . 2008-08-31 13:04 65600 ----a-w- c:\documents and settings\Jared\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-22 13:17 . 2008-10-24 02:22 -------- d-----w- c:\documents and settings\Jared\Application Data\LimeWire
2009-05-21 23:42 . 2008-12-16 01:03 -------- d-----w- c:\documents and settings\Jared\Application Data\AVGTOOLBAR
2009-05-17 08:39 . 2009-05-10 07:43 -------- d-----w- c:\program files\Garena
2009-05-10 06:29 . 2009-05-10 06:29 -------- d-----w- c:\documents and settings\Jared\Application Data\InstallShield
2009-05-09 01:54 . 2008-12-16 01:03 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-09 01:54 . 2008-12-16 01:03 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-09 01:54 . 2008-12-16 01:03 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-09 01:54 . 2008-12-16 01:03 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-17 05:49 . 2008-11-08 06:22 -------- d-----w- c:\documents and settings\Jared\Application Data\Skype
2007-10-25 03:28 . 2007-10-25 03:28 18895728 ----a-w- c:\program files\Install_Messenger.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-06-11_01.27.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-11 02:20 . 2009-06-11 02:20 16384 c:\windows\temp\Perflib_Perfdata_790.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]
2009-02-16 07:44 1882136 ----a-w- c:\program files\ToggleEN\tbTogg.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-11 148888]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-09 1947928]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-23 8466432]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-12-20 16860672]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-11 68856]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 04:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-09 01:54 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"Alcmtr"=ALCMTR.EXE
"QuickFix"=c:\program files\QuickFix\QuickFix.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Ubisoft\\Funatics\\The Settlers II - 10th Anniversary\\bin\\S2DNG.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizzard Downloader: 6112
"6881:TCP"= 6881:TCP:Blizzard Downloader: 6881
"6999:TCP"= 6999:TCP:Blizzard Downloader: 6999
"6990:TCP"= 6990:TCP:Blizzard Downloader: 6990
"6885:TCP"= 6885:TCP:Blizzard Downloader: 6885
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"443:TCP"= 443:TCP:https
"21:TCP"= 21:TCP:ftp
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)
"AllowInboundTimestampRequest"= 0 (0x0)
"AllowInboundMaskRequest"= 0 (0x0)
"AllowInboundRouterRequest"= 0 (0x0)
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)
"AllowRedirect"= 0 (0x0)
"AllowOutboundPacketTooBig"= 0 (0x0)
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/16/2008 9:03 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/16/2008 9:03 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/16/2008 9:03 AM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/16/2008 9:03 AM 298776]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [9/7/2007 2:26 PM 38656]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2009-06-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 09:57]
2009-06-09 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2009-06-09 01:42]
2009-06-09 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2009-06-09 01:42]
2009-06-09 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2009-06-09 01:14]
2009-06-11 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-07 14:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://fmz.qiwa.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Jared\Application Data\Mozilla\Firefox\Profiles\rfcjzjrh.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npkimi.dll
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.interval - 750000
FF - user.js: content.switch.threshold - 750000
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: google.toolbar.linkdoctor.enabled - false
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: keyword.enabled - true
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-11 10:24
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1547161642-1637723038-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:17,6d,cf,8a,bc,c6,12,a1,65,fd,49,de,73,33,23,08,b0,ba,36,dd,0b,cc,85,
e8,09,5a,97,46,ab,6e,9d,d4,0d,a6,98,eb,a6,7a,22,eb,50,e7,00,14,15,c5,8e,11,\
"??"=hex:dc,bc,25,01,99,f9,4d,24,96,0e,32,50,c4,b1,f9,22
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{733716E1-76D2-4003-AC39-845281C0EF85}\ProgID]
@DACL=(02 0000)
@="dc_ads.ads.1"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{733716E1-76D2-4003-AC39-845281C0EF85}\Programmable]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{733716E1-76D2-4003-AC39-845281C0EF85}\TypeLib]
@DACL=(02 0000)
@="{E94C3AF8-D32C-4389-AC9A-BE17471EDC42}"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{733716E1-76D2-4003-AC39-845281C0EF85}\VersionIndependentProgID]
@DACL=(02 0000)
@="dc_ads.ads"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(700)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
- - - - - - - > 'explorer.exe'(3576)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\WgaTray.exe
.
**************************************************************************
.
Completion time: 2009-06-11 10:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-11 02:26
ComboFix2.txt 2009-06-11 01:29
Pre-Run: 129,100,296,192 bytes free
Post-Run: 129,081,024,512 bytes free
212 --- E O F --- 2009-06-09 03:00
-
This one file is being stubborn.
Download Registry Search by Bobbi Flekman (http://www.bleepingcomputer.com/files/regsearch.php)
(see the link titled RegSearch Download Link)
- Extract the files from Regsearch.zip into a folder.
- Doubleclick regsearch.exe to start the program.
- Enter Yoog in the top area of the form and then click "OK".
- Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well).
- Add the contents of the Notepad file to your next reply.
-
regsearch log below.
Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0
; Results at 6/11/2009 11:29:19 AM for strings:
; 'yoog'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
[HKEY_USERS\S-1-5-21-1547161642-1637723038-839522115-1003\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
"URL"="http://www2.yoog.com/search.php?q={searchTerms}"
"DisplayName"="Yoog Search"
; End Of The Log.
-
Go to Start > Run and type notepad.exe then click OK
Copy and paste the below into Notepad and save as fixme.reg to Your Desktop
REGEDIT4
[-HKEY_USERS\S-1-5-21-1547161642-1637723038-839522115-1003\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.
Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.
Delete the fixme.reg from the Desktop.
-
registry entry was successful.
-
How is the computer running now?
.
- Click START then RUN
- Now type Combofix /u in the runbox
- Make sure there's a space between Combofix and /u
- Then hit Enter.
.
- The above procedure will:
- Delete the following:
- ComboFix and its associated files and folders.
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
- Set a new, clean Restore Point.
.
----------
Download
ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your Desktop.
Alternate download link (http://majorgeeks.com/ATF_Cleaner_d4949.html)
Note: Vista users must use Run As Administrator (http://vistasupport.mvps.org/run_as_administrator.htm)
- Under Main: Select Files to Delete choose: Select All.
- Click the Empty Selected button.
- If you use Firefox browser click Firefox at the top and choose: Select All
- Click the Empty Selected button.
If you would like to keep your saved passwords click No at the prompt.
- If you use Opera browser click Opera at the top and choose: Select All
- Click the Empty Selected button.
If you would like to keep your saved passwords click No at the prompt.
- Click Exit on the Main menu to close the program.
.
Note that your system will run slower for a reboot or two after having used this tool so don't panic.
-
Thanks again Evilfantasy. Great great help u did and I appreciate it. My pc is fine now.
-
Your welcome. Safe surfing... (|
-
too bad no one is helping me.. :'(