
Malware Removal Instructions

Reoccurence of CVT.xxxx.exe / Worm/koobface.k


Post by domavery » October 31st, 2009, 3:19 pm

Hi there, AVG keeps reporting this attack, CTV.(1234eg).exe, it just keeps coming back. Please help or advise.
Regards.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:08:33 PM, on 2009-10-31
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AGI\core\3.0\AGCoreService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\EzButton\CPLDBL10.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray .exe
C:\Program Files\Apoint2K\Apoint .exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey .exe
C:\WINDOWS\System32\igfxtray .exe
C:\WINDOWS\System32\igfxpers .exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray .exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\hkcmd .exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui .exe
C:\PROGRA~1\AVG\AVG8\avgtray .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Nero\Nero 7\InCD\InCD .exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Documents and Settings\Dom Avery\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT .exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon .exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.koower.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{0BC6E3FA-78EF-4886-842C-5A1258C4455A} - (no file)
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: agcore.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: egreetings Toolbar - {9df9b682-9c18-4a01-bac3-a265ca7cd866} - mscoree.dll (file missing)
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CPLDBL10] C:\Program Files\EzButton\CPLDBL10.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT .exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Dom Avery\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [PopRock] C:\DOCUME~1\DOMAVE~1\LOCALS~1\Temp\a .exe
O4 - HKUS\S-1-5-21-1869830678-2676309887-4175131795-1005\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden (User '?')
O4 - HKUS\S-1-5-21-1869830678-2676309887-4175131795-1005\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User '?')
O4 - HKUS\S-1-5-21-1869830678-2676309887-4175131795-1005\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" (User '?')
O4 - HKUS\S-1-5-21-1869830678-2676309887-4175131795-1005\..\Run: [Google Update] "C:\Documents and Settings\Dom Avery\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User '?')
O4 - HKUS\S-1-5-21-1869830678-2676309887-4175131795-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1869830678-2676309887-4175131795-1005\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe (User '?')
O4 - HKUS\S-1-5-21-1869830678-2676309887-4175131795-1005\..\Run: [PopRock] C:\DOCUME~1\DOMAVE~1\LOCALS~1\Temp\a .exe (User '?')
O4 - HKUS\S-1-5-21-1869830678-2676309887-4175131795-1005\..\Run: [AdobeBridge] (User '?')
O4 - S-1-5-21-1869830678-2676309887-4175131795-1005 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm399YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/d ... ontrol.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... .0.1.1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4304515531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2058940800
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdeskt ... reQual.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.co ... nos/gp.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://www.mybt.bt.com/dana-cached/set ... tupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AG Core Services (AGCoreService) - AG Interactive - C:\Program Files\AGI\core\3.0\AGCoreService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 15792 bytes
domavery
Regular Member
 
Posts: 19
Joined: October 31st, 2009, 3:11 pm

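Two things in the log above deserve attention before any tool is run, and both are still present in the second HijackThis log posted on November 5th after Malwarebytes reported nothing: several running processes carry a space before the extension (Apoint .exe alongside the genuine Apoint.exe in the Run key, CePMTray .exe, igfxtray .exe, CNMNSUT .exe), and the HKCU Run value [PopRock] launches Temp\a .exe. The script below is an added example, not part of the thread and not HijackThis code; it triages a HijackThis-style log for exactly those indicators, using a handful of lines copied from the first log as constructed input. The severity labels, the list of flagged extensions and the "twin name" heuristic are assumptions made for this example.

```python
"""Triage a HijackThis-style log for the indicators seen in this thread.

Added example (not part of the forum thread and not HijackThis code). Flags:
  * executable names with whitespace before the extension ("Apoint .exe"),
    rated high when the genuine name ("Apoint.exe") also appears in the log;
  * O4 Run-key entries that launch from a Temp directory;
  * orphaned IE hooks ("(no file)" / "(file missing)") as low-priority cleanup;
  * an R0 start page that is not a Microsoft default, for review.
Severity labels and the extension list are assumptions made for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed input: a handful of lines copied from the first log in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Apoint2K\Apoint .exe
C:\WINDOWS\System32\igfxtray .exe
C:\Program Files\Apoint2K\Apntex.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.koower.com/
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: agcore.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [PopRock] C:\DOCUME~1\DOMAVE~1\LOCALS~1\Temp\a .exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low" (labels chosen for this example)
    reason: str
    line: str


# Any Windows path ending in an executable-type extension; a space before the dot is allowed.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll|scr|com|bat)\b", re.IGNORECASE)
# A basename whose extension is separated from the stem by whitespace, e.g. "Apoint .exe".
SPACED_EXT = re.compile(r"^([^\\/\s]+)\s+\.(exe|dll|scr|com|bat)$", re.IGNORECASE)
# A "Temp" directory component anywhere in the path (covers LOCALS~1\Temp as well).
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(log_text: str) -> list[Finding]:
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    findings: list[Finding] = []

    # Pass 1: collect every executable name spelled normally, so a spaced variant
    # can be matched against the genuine file it imitates.
    clean_names = {
        _basename(p) for ln in lines for p in PATH_RE.findall(ln)
        if not SPACED_EXT.match(_basename(p))
    }

    # Pass 2: classify each line.
    for ln in lines:
        for path in PATH_RE.findall(ln):
            name = _basename(path)
            m = SPACED_EXT.match(name)
            if m:
                twin = f"{m.group(1)}.{m.group(2)}"
                if twin in clean_names:
                    findings.append(Finding("high", f"'{name}' shadows genuine '{twin}'", ln))
                else:
                    findings.append(Finding("medium", f"space before extension in '{name}'", ln))
            if ln.startswith("O4 ") and TEMP_DIR.search(path):
                findings.append(Finding("high", "Run key launches from a Temp directory", ln))
        if ln.startswith(("O2 ", "O3 ", "R3 ")) and ("(no file)" in ln or "(file missing)" in ln):
            findings.append(Finding("low", "orphaned IE hook, cleanup only", ln))
        if ln.startswith("R0 ") and "Start Page" in ln and "microsoft.com" not in ln.lower():
            findings.append(Finding("medium", "start page is not a Microsoft default, review", ln))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: ("high", "medium", "low").index(f.severity)):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(results))
```

Run it against a full pasted log instead of SAMPLE_LOG to get the same list for the whole machine. It only flags entries for review: whether a spaced-name file is a dropper's copy or a harmless installer leftover still has to be confirmed on the machine itself, which is why the helpers in this thread ask for DDS and GMER output before anything is deleted.
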
Re: Reoccurence of CVT.xxxx.exe / Worm/koobface.k

Post by Bio-Hazard » November 2nd, 2009, 11:51 am

Hello and welcome to the forums!

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

  • I will be working on your Malware issues this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If you don't know or understand something, please don't hesitate to ask.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or that necessitate taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

No Reply Within 3 Days Will Result In Your Topic Being Closed!!
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Reoccurence of CVT.xxxx.exe / Worm/koobface.k

Post by Bio-Hazard » November 2nd, 2009, 11:56 am

STEP 1

Download DDS

Please download DDS by sUBs from one of the links below and save it to your desktop:

Download DDS and save it to your desktop from:

Link 1
Link 2

Please disable any anti-malware program that will block scripts from running before running DDS.

  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply


STEP 2


Gmer

Please download Gmer by Gmer and save it to your desktop.

  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


Note: Do not run any programs while Gmer is running.



Next Reply

Please reply with:
  • DDS.txt
  • Attach.txt
  • Gmer log

Re: Reoccurence of CVT.xxxx.exe / Worm/koobface.k

Post by domavery » November 4th, 2009, 6:40 am

3 files as requested
Many thanks

Re: Reoccurence of CVT.xxxx.exe / Worm/koobface.k

Post by Bio-Hazard » November 4th, 2009, 11:12 am

ATF-Cleaner

Please download ATF Cleaner by Atribune.

  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords please click No at the prompt.
  • Click Exit on the Main menu to close the program.


Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the Perform Full Scan option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say The scan completed successfully. Click 'Show Results' to display all objects found.
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • Malwarebytes Antimalware log
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving

Re: Reoccurence of CVT.xxxx.exe / Worm/koobface.k

Post by domavery » November 4th, 2009, 2:34 pm

Hi,

All done as requested, file is attached.
AVG still finds the bug :cry:

thanks

Re: Reoccurence of CVT.xxxx.exe / Worm/koobface.k

Post by Bio-Hazard » November 4th, 2009, 2:53 pm

Hello!

In your Malwarebytes' Anti-Malware log it says "No action taken". PLEASE follow my instructions from my last post on exactly how to run Malwarebytes' Anti-Malware. Also, DO NOT attach logs; copy and paste them for me to see.

When you have posted Malwarebytes Antimalware log also post new HijackThis log.

Thank you.

Re: Reoccurence of CVT.xxxx.exe / Worm/koobface.k

Post by domavery » November 4th, 2009, 6:53 pm

Hello,

Strange as I did this part..

  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected. - there were about 150-odd items infected; deleted them all.

At work now for the night will do asap tomorrow.(5th)

Re: Reoccurence of CVT.xxxx.exe / Worm/koobface.k

Post by domavery » November 5th, 2009, 9:19 am

Hello again,

OK, I think the reason that it showed 'no action' was that I posted the logs before I deleted the infected files... Doh! However, I reran the scan and it sort of confirms this, as there were no files to delete. I also ran 'HijackThis', but as in my previous reply, it's a persistent little bug-ger!


Malwarebytes' Anti-Malware 1.41
Database version: 3099
Windows 5.1.2600 Service Pack 3

2009-11-05 13:11:30
mbam-log-2009-11-05 (13-11-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 196067
Time elapsed: 59 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


---------------------------------END---------------------------------------



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:38 PM, on 2009-11-05
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AGI\core\3.0\AGCoreService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Apoint2K\Apoint .exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray .exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray .exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey .exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui .exe
C:\Program Files\Nero\Nero 7\InCD\InCD .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Documents and Settings\Dom Avery\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: agcore.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CPLDBL10] C:\Program Files\EzButton\CPLDBL10.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT .exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Dom Avery\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopRock] C:\DOCUME~1\DOMAVE~1\LOCALS~1\Temp\a .exe
O4 - HKUS\S-1-5-21-1869830678-2676309887-4175131795-1005\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden (User '?')
O4 - HKUS\S-1-5-21-1869830678-2676309887-4175131795-1005\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User '?')
O4 - HKUS\S-1-5-21-1869830678-2676309887-4175131795-1005\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" (User '?')
O4 - HKUS\S-1-5-21-1869830678-2676309887-4175131795-1005\..\Run: [Google Update] "C:\Documents and Settings\Dom Avery\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User '?')
O4 - HKUS\S-1-5-21-1869830678-2676309887-4175131795-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1869830678-2676309887-4175131795-1005\..\Run: [PopRock] C:\DOCUME~1\DOMAVE~1\LOCALS~1\Temp\a .exe (User '?')
O4 - HKUS\S-1-5-21-1869830678-2676309887-4175131795-1005\..\Run: [AdobeBridge] (User '?')
O4 - S-1-5-21-1869830678-2676309887-4175131795-1005 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4304515531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2058940800
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdeskt ... reQual.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.co ... nos/gp.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://www.mybt.bt.com/dana-cached/set ... tupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AG Core Services (AGCoreService) - AG Interactive - C:\Program Files\AGI\core\3.0\AGCoreService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 14141 bytes

---------------------------
domavery
Regular Member
 
Posts: 19
Joined: October 31st, 2009, 3:11 pm
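The O4 (autorun) entries in the HijackThis log above show two patterns a helper reads for: an executable whose name carries a space before the extension (`CNMNSUT .exe`, `a .exe`, and later `ctfmon .exe`, look-alikes of legitimate file names), and an autorun launched from a Temp directory (`[PopRock]`). The following Python script is an added example, not part of this post or of HijackThis: it parses O4 lines and flags those patterns, plus entries with no file path at all (the `[AdobeBridge]` value, which ComboFix later lists as an orphan). The sample lines are copied from the log in this thread; the list of flagged extensions and the de-duplication of `HKUS\<SID>` repeats of the `HKCU` hive are assumptions made for the example.

```python
"""Triage HijackThis O4 autorun entries for two look-alike patterns.

Added example: parses O4 lines, extracts the image path and flags
(1) a space before the file extension, (2) a Temp-directory launch,
(3) an entry with no image path. Not part of HijackThis itself.
"""
import re
from typing import Dict, List, Optional

# Sample input: lines copied (abridged) from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT .exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [PopRock] C:\DOCUME~1\DOMAVE~1\LOCALS~1\Temp\a .exe
O4 - HKUS\S-1-5-21-1869830678-2676309887-4175131795-1005\..\Run: [PopRock] C:\DOCUME~1\DOMAVE~1\LOCALS~1\Temp\a .exe (User '?')
O4 - HKUS\S-1-5-21-1869830678-2676309887-4175131795-1005\..\Run: [AdobeBridge] (User '?')
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "O4 - <hive>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$')
# HijackThis appends "(User '?')" to HKUS entries; strip it before parsing.
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")
# Extensions treated as executable images (assumption for this example).
EXE_RE = re.compile(r'\.(?:exe|com|scr|pif|bat|cmd|dll)\b', re.I)
# A space directly before the extension: "ctfmon .exe" beside ctfmon.exe.
SPACE_BEFORE_EXT_RE = re.compile(r' \.[A-Za-z0-9]{1,4}$')
# Any path component named Temp (also matches the 8.3 form LOCALS~1\Temp).
TEMP_DIR_RE = re.compile(r'\\temp\\', re.I)


def image_path(cmd: str) -> Optional[str]:
    """Return the executable path from an O4 command line, or None."""
    cmd = USER_SUFFIX_RE.sub('', cmd).strip()
    if cmd.startswith('"'):                      # quoted path, arguments follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else None
    m = EXE_RE.search(cmd)                       # unquoted: cut after the extension
    return cmd[:m.end()] if m else None


def reasons_for(path: Optional[str]) -> List[str]:
    """List why an autorun image path deserves a second look (empty = clean)."""
    if path is None:
        return ['no image path (orphaned or hidden launcher)']
    reasons = []
    if SPACE_BEFORE_EXT_RE.search(path):
        reasons.append('space before the extension (look-alike of a legitimate file name)')
    if TEMP_DIR_RE.search(path):
        reasons.append('launched from a Temp directory')
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Parse O4 lines and return the flagged entries in log order."""
    findings: List[Dict[str, object]] = []
    seen = set()
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        path = image_path(m.group('cmd'))
        reasons = reasons_for(path)
        if not reasons:
            continue
        key = (m.group('name'), path)
        if key in seen:                          # HKUS\<SID> repeats the HKCU hive
            continue
        seen.add(key)
        findings.append({'name': m.group('name'), 'hive': m.group('hive'),
                         'path': path, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"[{f['name']}] {f['path']}")
        for r in f['reasons']:
            print(f"    - {r}")
```

Run against the sample, the script reports `IJNetworkScanUtility`, `PopRock` and `AdobeBridge` and leaves the genuine Intel, QuickTime and Google entries alone. A flagged entry is a prompt to check the file against its legitimate neighbour (size, signature, creation time), not a verdict on its own; the ComboFix output later in this thread shows the same names ending up under "Other Deletions".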

Re: Reoccurence of CVT.xxxx.exe / Worm/koobface.k

Unread postby Bio-Hazard » November 5th, 2009, 12:04 pm

Hello!

Good job. Let's continue.

Download and Run ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2

Here you can find a tutorial about Combofix: HOW TO USE COMBOFIX

  • You must download it to and run it from your Desktop
  • ComboFix SHOULD NOT be used unless requested by a forum helper.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found HERE
  • Double click on ComboFix.exe and follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
  • ComboFix should never take more than 20 minutes including the reboot if malware is detected.

IMPORTANT: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.


Next Reply

Please reply with:
  • ComboFix log (found at C:\Combofix.txt)
  • New HijackThis log
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Reoccurence of CVT.xxxx.exe / Worm/koobface.k

Unread postby domavery » November 5th, 2009, 1:29 pm

helloooo..

ComboFix 09-11-04.05 - Dom Avery 2009-11-05 17:04.3.1 - NTFSx86
Running from: c:\documents and settings\Dom Avery\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dom Avery\Local Settings\Temp\Rar$EX04.937\Broadcom\drivers\_desktop.ini
c:\windows\CeEKey .INI
c:\windows\CePMTray .INI
c:\windows\system32\ctfmon .exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\lsprst7.dll
c:\windows\system32\ssprs.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-11-05 16:11 . 2009-11-05 16:11 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-11-05 16:11 . 2006-10-19 09:42 303616 ------w- c:\windows\system32\drivers\BLKWGNv7.SYS
2009-11-05 16:11 . 2002-10-02 09:57 13532 ----a-w- c:\windows\system32\drivers\SjyPkt.sys
2009-11-05 16:11 . 2009-11-05 16:11 -------- d-----w- c:\program files\Belkin
2009-11-05 10:11 . 2001-08-17 12:11 26568 -c--a-w- c:\windows\system32\dllcache\bcm4e5.sys
2009-11-05 10:11 . 2001-08-17 12:11 26568 ----a-w- c:\windows\system32\drivers\BCM4E5.SYS
2009-11-05 08:56 . 2009-11-05 08:56 -------- d-----w- c:\program files\BUFFALO
2009-11-05 08:52 . 2004-01-08 11:32 9600 ----a-r- c:\windows\system32\BUFADPT.SYS
2009-11-04 19:11 . 2001-08-17 12:11 96640 -c--a-w- c:\windows\system32\dllcache\b57xp32.sys
2009-11-04 19:11 . 2001-08-17 12:11 96640 ----a-w- c:\windows\system32\drivers\b57xp32.sys
2009-11-04 19:00 . 2005-09-28 22:00 176128 ------w- c:\windows\system32\bcmwlu00.exe
2009-11-04 17:02 . 2009-11-04 17:02 -------- d-----w- c:\documents and settings\Dom Avery\Application Data\Malwarebytes
2009-11-04 17:02 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-04 17:02 . 2009-11-04 18:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-04 17:02 . 2009-11-04 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-04 17:02 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 14:14 . 2009-11-03 14:14 -------- d-----w- C:\dell
2009-11-03 12:55 . 2009-11-03 12:55 -------- d-----w- C:\IBMTOOLS
2009-11-02 14:57 . 2009-11-01 22:10 30208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-11-01 17:36 . 2003-05-29 15:27 155648 ----a-w- c:\windows\system32\igfxres.dll
2009-11-01 17:32 . 2009-11-01 17:32 -------- d-----w- c:\program files\Unibrain
2009-11-01 17:12 . 2009-08-26 15:04 53248 ----a-w- c:\windows\system32\CSVer.dll
2009-11-01 17:12 . 2009-11-01 17:12 -------- d-----w- C:\Intel
2009-11-01 16:58 . 2009-11-01 16:58 -------- d-----w- c:\windows\Downloaded Installations
2009-11-01 16:57 . 2009-11-01 16:57 -------- d-----w- c:\program files\Intel Desktop Board
2009-10-31 23:14 . 2009-10-31 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\UAB
2009-10-31 23:14 . 2009-10-31 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-10-31 23:14 . 2009-10-31 23:14 -------- d-----w- c:\documents and settings\Dom Avery\Local Settings\Application Data\PC_Drivers_Headquarters
2009-10-31 23:13 . 2009-10-31 23:13 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2009-10-31 23:05 . 2009-10-31 23:05 -------- d-----w- c:\documents and settings\Dom Avery\Application Data\Uniblue
2009-10-31 19:08 . 2009-10-31 19:08 -------- d-----w- c:\program files\Trend Micro
2009-10-30 20:43 . 2009-10-30 20:43 1025 ----a-w- c:\windows\system32\sysprs7.dll
2009-10-30 20:43 . 2009-10-30 20:43 1025 ----a-w- c:\windows\system32\clauth2.dll
2009-10-30 20:43 . 2009-10-30 20:43 1025 ----a-w- c:\windows\system32\clauth1.dll
2009-10-30 20:43 . 2009-10-30 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Minnetonka Audio Software
2009-10-30 16:38 . 2009-10-30 16:47 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-10-30 16:36 . 2009-10-30 16:38 38208 ----a-w- c:\documents and settings\Dom Avery\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-27 19:26 . 2009-10-27 19:26 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-10-27 19:08 . 2009-10-27 19:08 -------- d-----w- c:\program files\Adobe Media Player
2009-10-27 18:55 . 2009-10-27 18:55 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-10-20 19:04 . 2009-10-20 19:04 54960 ---ha-w- c:\windows\system32\mlfcache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 17:17 . 2006-02-07 07:40 30208 ----a-w- c:\windows\system32\igfxpers.exe
2009-11-05 17:17 . 2006-02-07 07:36 30208 ----a-w- c:\windows\system32\hkcmd.exe
2009-11-05 17:17 . 2006-02-07 07:39 30208 ----a-w- c:\windows\system32\igfxtray.exe
2009-11-05 17:16 . 2008-07-05 12:02 -------- d-----w- c:\program files\lg_fwupdate
2009-11-05 17:16 . 2003-08-27 10:27 -------- d-----w- c:\program files\EzButton
2009-11-05 17:16 . 2009-08-11 14:55 -------- d-----w- c:\program files\Common Files\LightScribe
2009-11-05 16:11 . 2003-08-27 09:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-05 09:45 . 2003-08-27 10:15 -------- d-----w- c:\program files\Apoint2K
2009-10-30 16:47 . 2009-09-30 10:34 -------- d-----w- c:\program files\Yahoo!
2009-10-30 11:14 . 2008-07-07 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-28 19:26 . 2008-08-14 07:57 73312 ----a-w- c:\windows\system32\drivers\adfs.sys
2009-10-27 19:50 . 2008-06-26 07:52 64456 ----a-w- c:\documents and settings\Dom Avery\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-27 19:16 . 2008-06-30 14:18 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-24 10:19 . 2009-09-04 11:04 548176 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-05 22:05 . 2009-10-05 22:06 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-05 22:05 . 2003-08-28 08:06 -------- d-----w- c:\program files\Java
2009-10-05 22:03 . 2009-10-05 22:03 152576 ----a-w- c:\documents and settings\Dom Avery\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-01 07:30 . 2009-09-28 15:05 -------- d-----w- c:\program files\360Share Pro
2009-09-30 10:35 . 2009-09-30 10:35 -------- d-----w- c:\documents and settings\Dom Avery\Application Data\Yahoo!
2009-09-30 10:35 . 2009-09-30 10:34 -------- d-----w- c:\program files\7-Zip
2009-09-28 19:46 . 2009-09-28 17:39 -------- d-----w- c:\documents and settings\Dom Avery\Application Data\LimeWire
2009-09-28 17:35 . 2009-09-28 17:35 -------- d-----w- c:\program files\Common Files\Java
2009-09-26 08:07 . 2009-09-26 08:07 5806 ----a-r- c:\documents and settings\Dom Avery\Application Data\Microsoft\Installer\{8E41D2A5-C0DD-4139-8C7A-2F0E1F20ED24}\_4ae13d6c.exe
2009-09-26 08:07 . 2009-09-26 08:07 5806 ----a-r- c:\documents and settings\Dom Avery\Application Data\Microsoft\Installer\{8E41D2A5-C0DD-4139-8C7A-2F0E1F20ED24}\_18be6784.exe
2009-09-26 08:07 . 2009-09-26 08:07 1078 ----a-r- c:\documents and settings\Dom Avery\Application Data\Microsoft\Installer\{8E41D2A5-C0DD-4139-8C7A-2F0E1F20ED24}\_69525f90.exe
2009-09-26 08:07 . 2009-09-26 08:07 1078 ----a-r- c:\documents and settings\Dom Avery\Application Data\Microsoft\Installer\{8E41D2A5-C0DD-4139-8C7A-2F0E1F20ED24}\_2cd672ae.exe
2009-09-26 08:07 . 2009-09-26 08:07 1078 ----a-r- c:\documents and settings\Dom Avery\Application Data\Microsoft\Installer\{8E41D2A5-C0DD-4139-8C7A-2F0E1F20ED24}\_294823.exe
2009-09-26 08:06 . 2009-09-26 08:06 -------- d-----w- c:\program files\Alan Hadley
2009-09-20 13:30 . 2009-09-20 13:30 -------- d-----w- c:\documents and settings\Dom Avery\Application Data\Unity
2009-09-20 12:39 . 2009-09-20 12:39 -------- d-----w- c:\program files\Unity
2009-09-18 10:51 . 2008-08-08 10:44 -------- d-----w- c:\program files\Canon
2009-09-15 16:35 . 2008-10-16 09:06 -------- d-----w- c:\documents and settings\Dom Avery\Application Data\Apple Computer
2009-09-15 16:33 . 2008-10-16 09:06 -------- d-----w- c:\program files\iTunes
2009-09-15 15:33 . 2009-09-15 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-15 15:33 . 2009-09-15 15:33 -------- d-----w- c:\program files\iPod
2009-09-15 15:31 . 2009-09-15 15:31 -------- d-----w- c:\program files\Bonjour
2009-09-15 15:31 . 2008-07-12 20:26 -------- d-----w- c:\program files\QuickTime
2009-09-15 15:29 . 2008-10-16 09:02 -------- d-----w- c:\program files\Common Files\Apple
2009-09-11 20:24 . 2008-08-28 14:01 -------- d-----w- c:\documents and settings\Dom Avery\Application Data\U3
2009-09-11 20:10 . 2009-09-11 20:10 -------- d-----w- c:\program files\Flash Movie Player
2009-09-11 19:14 . 2009-09-11 19:14 -------- d-----w- c:\program files\GNS3
2009-09-11 19:14 . 2009-09-11 19:14 -------- d-----w- c:\program files\WinPcap
2009-09-10 21:50 . 2009-06-10 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-08 20:43 . 2009-09-08 20:43 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-09-03 10:45 . 2009-10-28 16:23 43872 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-09-03 10:45 . 2009-10-28 16:23 129520 ------w- c:\windows\system32\pxafs.dll
2009-09-03 10:45 . 2009-10-28 16:23 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-09-03 10:45 . 2009-10-28 16:23 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-09-03 10:45 . 2009-10-28 16:23 120568 ------w- c:\windows\system32\pxcpyi64.exe
2009-09-03 10:45 . 2009-10-28 16:23 118256 ------w- c:\windows\system32\pxinsi64.exe
.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
2008-07-25 10:16 282112 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 10:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-09 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"Google Update"="c:\documents and settings\Dom Avery\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-21 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-11-05 30208]
"CeEPOWER"="c:\program files\TOSHIBA\Power Management\CePMTray.exe" [2009-11-05 30208]
"CPLDBL10"="c:\program files\EzButton\CPLDBL10.EXE" [2009-11-05 30208]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2009-11-05 30208]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2009-11-05 30208]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2008-07-05 249856]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2009-11-05 30208]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2009-11-05 30208]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2009-11-05 30208]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-02 2028312]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT .exe" [2009-11-05 30208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-08 305440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-05 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-10-28 611712]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2009-11-05 30208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2009-11-05 30208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2009-11-05 30208]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\Dom Avery\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless G Notebook Card Client Utility.lnk - c:\program files\Belkin\Cardbus F5D701F\Wireless Utility\Belkinwcui.exe [2009-11-5 1556480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-31 10:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-07-07 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-07-07 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-07-07 108552]
R2 AGCoreService;AG Core Services;c:\program files\AGI\core\3.0\AGCoreService.exe [2009-08-27 40960]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-07-07 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-07 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-07-07 1370488]
R2 bwcdrv;BUFFALO Wireless Configuration;c:\windows\system32\drivers\BWCDRV.SYS [2008-06-24 19840]
R2 DPortIO;Dritek Port I/O Driver;c:\windows\system32\drivers\DPORTIO.SYS [2001-04-12 3674]
R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [2005-07-27 14080]
R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [2005-07-27 36352]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2008-07-07 29208]
R3 Belkin701F;Belkin Wireless G Notebook Card Service v7;c:\windows\system32\drivers\BLKWGNv7.SYS [2009-11-05 303616]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2009-11-05 13532]
R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [2005-07-27 77056]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2008-07-07 29208]
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;c:\windows\system32\drivers\BCM4E5.SYS [2009-11-05 26568]
S3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\BCMWL5.SYS [2008-06-24 300928]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-06-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1869830678-2676309887-4175131795-1005Core1ca5b96a3c627d8.job
- c:\documents and settings\Dom Avery\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-21 18:48]

2009-10-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1869830678-2676309887-4175131795-1005UA.job
- c:\documents and settings\Dom Avery\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-21 18:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-05 17:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\hkcmd .exe 77824 bytes executable
c:\windows\system32\igfxpers .exe 118784 bytes executable
c:\windows\system32\igfxtray .exe 94208 bytes executable

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1869830678-2676309887-4175131795-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*%*}*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1869830678-2676309887-4175131795-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*%*}*\OpenWithList]
@Class="Shell"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:f2,23,fa,53,f5,0b,f8,41,7b,aa,a4,5a,71,d6,30,b0,8b,b7,f3,8b,bd,
e6,b7,f5,25,8d,2f,49,f9,22,2f,e2,9e,50,d6,90,b1,4a,55,91,b0,94,f3,b6,dd,2f,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:f2,23,fa,53,f5,0b,f8,41,7b,aa,a4,5a,71,d6,30,b0,8b,b7,f3,8b,bd,
e6,b7,f5,25,8d,2f,49,f9,22,2f,e2,9e,50,d6,90,b1,4a,55,91,b0,94,f3,b6,dd,2f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1220)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3508)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\Power Management\CeEPwrSvc.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\System32\wbem\wmiapsrv.exe
c:\program files\Apoint2K\Apoint .exe
c:\program files\TOSHIBA\Power Management\CePMTray .exe
c:\program files\TOSHIBA\TouchPad\TPTray .exe
c:\program files\Nero\Nero 7\InCD\InCD .exe
c:\program files\Nero\Nero 7\InCD\NBHGui .exe
c:\program files\TOSHIBA\E-KEY\CeEKey .exe
c:\program files\Apoint2K\Apntex.exe
c:\progra~1\MICROS~2\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-05 17:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-05 17:22
ComboFix2.txt 2008-08-17 12:37
ComboFix3.txt 2008-08-17 12:24

Pre-Run: 40,682,176,512 bytes free
Post-Run: 40,559,501,312 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn


----------------------------end----------------------



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:28:22 PM, on 2009-11-05
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AGI\core\3.0\AGCoreService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Apoint2K\Apoint .exe
C:\Program Files\TOSHIBA\Power Management\CePMTray .exe
C:\Program Files\TOSHIBA\TouchPad\TPTray .exe
C:\Program Files\Nero\Nero 7\InCD\InCD .exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui .exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Documents and Settings\Dom Avery\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Belkin\Cardbus F5D701F\Wireless Utility\Belkinwcui.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: agcore.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CPLDBL10] C:\Program Files\EzButton\CPLDBL10.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT .exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Dom Avery\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin Wireless G Notebook Card Client Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4304515531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2058940800
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdeskt ... reQual.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.co ... nos/gp.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://www.mybt.bt.com/dana-cached/set ... tupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AG Core Services (AGCoreService) - AG Interactive - C:\Program Files\AGI\core\3.0\AGCoreService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 13135 bytes
domavery
Regular Member
 
Posts: 19
Joined: October 31st, 2009, 3:11 pm
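
The catchme and HijackThis output above lists copies such as `c:\windows\system32\hkcmd .exe` (a space before the extension) sitting next to the real `hkcmd.exe`, and one `O4` autostart entry pointing at `CNMNSUT .exe`. As an added triage example (not from the thread or from any tool it uses), this Python script scans a saved log for paths with whitespace before the extension and reports whether a same-named legitimate twin also appears; the sample log lines are constructed from entries in the posts above, and the `find_spaced_extension_files` helper is hypothetical.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on lines from the HijackThis, catchme and
# ComboFix output posted in the thread (not a live scan).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Apoint2K\Apoint .exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT .exe
c:\windows\system32\hkcmd .exe 77824 bytes executable
c:\windows\system32\igfxpers .exe 118784 bytes executable
c:\windows\system32\igfxtray .exe 94208 bytes executable
"""

# A Windows path ending in an executable-type extension. The lazy quantifier
# stops at the first extension, so a line holding several paths yields several
# matches. Characters that cannot occur in a path terminate the match.
PATH_RE = re.compile(
    r"[A-Za-z]:\\[^\r\n\"|<>*?]*?\.(?:exe|dll|sys|ini)\b", re.IGNORECASE
)
# Whitespace between the base name and the extension, e.g. "hkcmd .exe".
SPACED_EXT_RE = re.compile(r"\s\.\w+$")


def normalise(path: str) -> str:
    """Canonical form for comparison: lower-case, whitespace before the extension removed."""
    return re.sub(r"\s+\.", ".", path.strip()).lower()


def extract_paths(line: str) -> List[str]:
    """All executable-type paths on one log line."""
    return [m.group(0) for m in PATH_RE.finditer(line)]


def find_spaced_extension_files(log_text: str) -> List[Dict[str, object]]:
    """One finding per 'name .ext' path, noting whether a legit same-named file is also in the log."""
    lines = log_text.splitlines()
    located = [(n, p) for n, line in enumerate(lines, 1) for p in extract_paths(line)]
    # Paths written normally form the set of candidates a spaced copy could mimic.
    legit = {p.lower() for _, p in located if not SPACED_EXT_RE.search(p)}
    findings = []
    for n, p in located:
        if not SPACED_EXT_RE.search(p):
            continue
        canon = normalise(p)
        findings.append({
            "line": n,
            "path": p,
            "mimics": canon,
            "twin_present": canon in legit,
            # HijackThis O4 lines are Run-key / startup entries, so a spaced
            # name there is persistence, not just a stray file.
            "autostart": lines[n - 1].lstrip().startswith("O4 "),
        })
    return findings


if __name__ == "__main__":
    for f in find_spaced_extension_files(SAMPLE_LOG):
        kind = "autostart" if f["autostart"] else "file"
        twin = "legit twin present" if f["twin_present"] else "no legit twin in log"
        print(f"line {f['line']:>3} {kind:<9} {f['path']}  ({twin})")
```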

Re: Reoccurence of CVT.xxxx.exe / Worm/koobface.k

Unread postby Bio-Hazard » November 6th, 2009, 1:00 pm

Run CFScript

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

Code:
Folder::
c:\documents and settings\Dom Avery\Application Data\LimeWire

Registry::
[-HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[-HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

FCopy::
c:\windows\ServicePackFiles\i386\eventlog.dll | c:\windows\system32\eventlog.dll


  • Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)

    Image
  • Referring to the picture below, drag CFScript into ComboFix.exe

    Image
  • When finished, it shall produce a log for you at C:\ComboFix.txt

NOTE: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



ATF-Cleaner
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords please click No at the prompt.

  • Click Exit on the Main menu to close the program.


Kaspersky Online Scan

You can use either Internet Explorer or Mozilla Firefox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply along with a fresh HijackThis log.




Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • ComboFix log (found at C:\Combofix.txt)
  • Kaspersky Log
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Reoccurence of CVT.xxxx.exe / Worm/koobface.k

Unread postby domavery » November 7th, 2009, 7:19 pm

ComboFix 09-11-05.05 - Dom Avery 2009-11-06 23:27.6.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2014.1464 [GMT 0:00]
Running from: c:\documents and settings\Dom Avery\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dom Avery\Desktop\CFScript.txt
AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dom Avery\Application Data\LimeWire
c:\documents and settings\Dom Avery\Application Data\LimeWire\413splashfree.png
c:\documents and settings\Dom Avery\Application Data\LimeWire\createtimes.cache
c:\documents and settings\Dom Avery\Application Data\LimeWire\data.ser
c:\documents and settings\Dom Avery\Application Data\LimeWire\fileurns.bak
c:\documents and settings\Dom Avery\Application Data\LimeWire\fileurns.cache
c:\documents and settings\Dom Avery\Application Data\LimeWire\filters.props
c:\documents and settings\Dom Avery\Application Data\LimeWire\gnutella.net
c:\documents and settings\Dom Avery\Application Data\LimeWire\installation.props
c:\documents and settings\Dom Avery\Application Data\LimeWire\library.dat
c:\documents and settings\Dom Avery\Application Data\LimeWire\limewire.props
c:\documents and settings\Dom Avery\Application Data\LimeWire\pub1.key
c:\documents and settings\Dom Avery\Application Data\LimeWire\public.key
c:\documents and settings\Dom Avery\Application Data\LimeWire\questions.props
c:\documents and settings\Dom Avery\Application Data\LimeWire\responses.cache
c:\documents and settings\Dom Avery\Application Data\LimeWire\secureMessage.key
c:\documents and settings\Dom Avery\Application Data\LimeWire\simpp.xml
c:\documents and settings\Dom Avery\Application Data\LimeWire\spam.dat
c:\documents and settings\Dom Avery\Application Data\LimeWire\tables.props
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme.lwtp
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\01_star.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\02_star.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\03_star.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\04_star.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\05_star.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\360share_banner.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\button1.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\button1_press.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\button2.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\button2_press.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\button3.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\button3_press.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\button4.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\button4_press.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\button5.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\button5_press.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\chat.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\dir_closed.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\dir_open.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\forward_dn.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\forward_up.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\kill.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\kill_on.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\lime.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\limeicon.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\logo.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\notsearching.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\pause_dn.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\pause_up.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\play_dn.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\play_up.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\question.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\rewind_dn.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\rewind_up.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\search.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\searching.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\splash.png
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\splashpro.png
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\stop_dn.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\stop_up.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\theme.txt
c:\documents and settings\Dom Avery\Application Data\LimeWire\themes\360SharePro_theme\warning.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\version.key
c:\documents and settings\Dom Avery\Application Data\LimeWire\version.xml
c:\documents and settings\Dom Avery\Application Data\LimeWire\xml\data\delete_me
c:\documents and settings\Dom Avery\Application Data\LimeWire\xml\misc\application.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\xml\misc\audio.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\xml\misc\document.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\xml\misc\image.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\xml\misc\video.gif
c:\documents and settings\Dom Avery\Application Data\LimeWire\xml\schemas\application.xsd
c:\documents and settings\Dom Avery\Application Data\LimeWire\xml\schemas\audio.xsd
c:\documents and settings\Dom Avery\Application Data\LimeWire\xml\schemas\document.xsd
c:\documents and settings\Dom Avery\Application Data\LimeWire\xml\schemas\image.xsd
c:\documents and settings\Dom Avery\Application Data\LimeWire\xml\schemas\video.xsd
c:\windows\CePMTray .INI
c:\windows\system32\ctfmon .exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))
.

2009-11-06 23:27 . 2008-04-14 00:11 56320 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-11-06 23:27 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-11-06 11:05 . 2009-11-06 11:05 -------- d-----w- C:\_OTMoveIt
2009-11-06 09:26 . 2009-10-21 15:11 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-11-05 21:20 . 2005-09-28 22:00 65536 ------w- c:\windows\system32\WLTRYSVC.EXE
2009-11-05 21:20 . 2005-09-28 22:00 86016 ------w- c:\windows\system32\wltrynt.dll
2009-11-05 21:20 . 2005-09-28 22:00 819303 ------w- c:\windows\system32\wltray.EXE
2009-11-05 21:20 . 2005-09-28 22:00 294912 ------w- c:\windows\system32\BCMLogon.dll
2009-11-05 21:20 . 2005-09-28 22:00 192512 ------w- c:\windows\system32\AegisI5.exe
2009-11-05 21:20 . 2005-09-28 22:00 122981 ------w- c:\windows\system32\preflib.dll
2009-11-05 21:20 . 2005-09-28 22:00 954474 ------w- c:\windows\system32\BCMWLTRY.EXE
2009-11-05 21:20 . 2005-09-28 22:00 1396831 ------w- c:\windows\system32\AegisE5.dll
2009-11-05 21:16 . 2005-09-28 22:00 69632 ------w- c:\windows\system32\bcmwlD2K.EXE
2009-11-05 20:47 . 2009-11-05 20:47 81920 ----a-w- c:\documents and settings\Dom Avery\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\acaddin\connecthook.dll
2009-11-05 20:47 . 2009-11-05 20:47 190976 ----a-w- c:\documents and settings\Dom Avery\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\acaddin\connectsprd.dll
2009-11-05 20:47 . 2009-11-05 20:47 4183224 ----a-w- c:\documents and settings\Dom Avery\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\acaddin\acaddin.exe
2009-11-05 16:11 . 2009-11-05 16:11 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-11-05 16:11 . 2006-10-19 09:42 303616 ------w- c:\windows\system32\drivers\BLKWGNv7.SYS
2009-11-05 16:11 . 2002-10-02 09:57 13532 ----a-w- c:\windows\system32\drivers\SjyPkt.sys
2009-11-05 16:11 . 2009-11-05 16:11 -------- d-----w- c:\program files\Belkin
2009-11-05 10:11 . 2001-08-17 12:11 26568 -c--a-w- c:\windows\system32\dllcache\bcm4e5.sys
2009-11-05 10:11 . 2001-08-17 12:11 26568 ----a-w- c:\windows\system32\drivers\BCM4E5.SYS
2009-11-05 08:56 . 2009-11-05 08:56 -------- d-----w- c:\program files\BUFFALO
2009-11-05 08:52 . 2004-01-08 11:32 9600 ----a-r- c:\windows\system32\BUFADPT.SYS
2009-11-04 19:11 . 2001-08-17 12:11 96640 -c--a-w- c:\windows\system32\dllcache\b57xp32.sys
2009-11-04 19:11 . 2001-08-17 12:11 96640 ----a-w- c:\windows\system32\drivers\b57xp32.sys
2009-11-04 19:00 . 2005-09-28 22:00 176128 ------w- c:\windows\system32\bcmwlu00.exe
2009-11-04 17:02 . 2009-11-04 17:02 -------- d-----w- c:\documents and settings\Dom Avery\Application Data\Malwarebytes
2009-11-04 17:02 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-04 17:02 . 2009-11-04 18:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-04 17:02 . 2009-11-04 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-04 17:02 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 14:14 . 2009-11-03 14:14 -------- d-----w- C:\dell
2009-11-03 12:55 . 2009-11-03 12:55 -------- d-----w- C:\IBMTOOLS
2009-11-02 14:57 . 2009-11-01 22:10 30208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-11-01 17:36 . 2003-05-29 15:27 155648 ----a-w- c:\windows\system32\igfxres.dll
2009-11-01 17:32 . 2009-11-01 17:32 -------- d-----w- c:\program files\Unibrain
2009-11-01 17:12 . 2009-08-26 15:04 53248 ----a-w- c:\windows\system32\CSVer.dll
2009-11-01 17:12 . 2009-11-01 17:12 -------- d-----w- C:\Intel
2009-11-01 16:58 . 2009-11-01 16:58 -------- d-----w- c:\windows\Downloaded Installations
2009-11-01 16:57 . 2009-11-01 16:57 -------- d-----w- c:\program files\Intel Desktop Board
2009-10-31 23:14 . 2009-11-05 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\UAB
2009-10-31 23:14 . 2009-10-31 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-10-31 23:14 . 2009-10-31 23:14 -------- d-----w- c:\documents and settings\Dom Avery\Local Settings\Application Data\PC_Drivers_Headquarters
2009-10-31 23:13 . 2009-10-31 23:13 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2009-10-31 23:05 . 2009-10-31 23:05 -------- d-----w- c:\documents and settings\Dom Avery\Application Data\Uniblue
2009-10-31 19:08 . 2009-10-31 19:08 -------- d-----w- c:\program files\Trend Micro
2009-10-30 20:43 . 2009-10-30 20:43 1025 ----a-w- c:\windows\system32\sysprs7.dll
2009-10-30 20:43 . 2009-10-30 20:43 1025 ----a-w- c:\windows\system32\clauth2.dll
2009-10-30 20:43 . 2009-10-30 20:43 1025 ----a-w- c:\windows\system32\clauth1.dll
2009-10-30 20:43 . 2009-10-30 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Minnetonka Audio Software
2009-10-30 16:38 . 2009-10-30 16:47 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-10-30 16:36 . 2009-10-30 16:38 38208 ----a-w- c:\documents and settings\Dom Avery\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-27 19:26 . 2009-10-27 19:26 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-10-27 19:08 . 2009-10-27 19:08 -------- d-----w- c:\program files\Adobe Media Player
2009-10-27 18:55 . 2009-10-27 18:55 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-10-20 19:04 . 2009-10-20 19:04 54960 ---ha-w- c:\windows\system32\mlfcache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 23:38 . 2006-02-07 07:40 30208 ----a-w- c:\windows\system32\igfxpers.exe
2009-11-06 23:38 . 2006-02-07 07:36 30208 ----a-w- c:\windows\system32\hkcmd.exe
2009-11-06 23:38 . 2006-02-07 07:39 30208 ----a-w- c:\windows\system32\igfxtray.exe
2009-11-06 23:38 . 2008-07-05 12:02 -------- d-----w- c:\program files\lg_fwupdate
2009-11-06 23:38 . 2003-08-27 10:27 -------- d-----w- c:\program files\EzButton
2009-11-06 23:38 . 2009-08-11 14:55 -------- d-----w- c:\program files\Common Files\LightScribe
2009-11-06 12:22 . 2006-02-07 07:40 30208 ----a-w- c:\windows\system32\igfxpers .exe
2009-11-06 12:22 . 2006-02-07 07:36 30208 ----a-w- c:\windows\system32\hkcmd .exe
2009-11-06 12:22 . 2006-02-07 07:39 30208 ----a-w- c:\windows\system32\igfxtray .exe
2009-11-06 12:21 . 2003-08-27 10:15 -------- d-----w- c:\program files\Apoint2K
2009-11-05 16:11 . 2003-08-27 09:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-30 16:47 . 2009-09-30 10:34 -------- d-----w- c:\program files\Yahoo!
2009-10-30 11:14 . 2008-07-07 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-28 19:26 . 2008-08-14 07:57 73312 ----a-w- c:\windows\system32\drivers\adfs.sys
2009-10-27 19:50 . 2008-06-26 07:52 64456 ----a-w- c:\documents and settings\Dom Avery\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-27 19:16 . 2008-06-30 14:18 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-24 10:19 . 2009-09-04 11:04 548176 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-05 22:05 . 2009-10-05 22:06 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-05 22:05 . 2003-08-28 08:06 -------- d-----w- c:\program files\Java
2009-10-05 22:03 . 2009-10-05 22:03 152576 ----a-w- c:\documents and settings\Dom Avery\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-01 07:30 . 2009-09-28 15:05 -------- d-----w- c:\program files\360Share Pro
2009-09-30 10:35 . 2009-09-30 10:35 -------- d-----w- c:\documents and settings\Dom Avery\Application Data\Yahoo!
2009-09-30 10:35 . 2009-09-30 10:34 -------- d-----w- c:\program files\7-Zip
2009-09-28 17:35 . 2009-09-28 17:35 -------- d-----w- c:\program files\Common Files\Java
2009-09-26 08:07 . 2009-09-26 08:07 5806 ----a-r- c:\documents and settings\Dom Avery\Application Data\Microsoft\Installer\{8E41D2A5-C0DD-4139-8C7A-2F0E1F20ED24}\_4ae13d6c.exe
2009-09-26 08:07 . 2009-09-26 08:07 5806 ----a-r- c:\documents and settings\Dom Avery\Application Data\Microsoft\Installer\{8E41D2A5-C0DD-4139-8C7A-2F0E1F20ED24}\_18be6784.exe
2009-09-26 08:07 . 2009-09-26 08:07 1078 ----a-r- c:\documents and settings\Dom Avery\Application Data\Microsoft\Installer\{8E41D2A5-C0DD-4139-8C7A-2F0E1F20ED24}\_69525f90.exe
2009-09-26 08:07 . 2009-09-26 08:07 1078 ----a-r- c:\documents and settings\Dom Avery\Application Data\Microsoft\Installer\{8E41D2A5-C0DD-4139-8C7A-2F0E1F20ED24}\_2cd672ae.exe
2009-09-26 08:07 . 2009-09-26 08:07 1078 ----a-r- c:\documents and settings\Dom Avery\Application Data\Microsoft\Installer\{8E41D2A5-C0DD-4139-8C7A-2F0E1F20ED24}\_294823.exe
2009-09-26 08:06 . 2009-09-26 08:06 -------- d-----w- c:\program files\Alan Hadley
2009-09-20 13:30 . 2009-09-20 13:30 -------- d-----w- c:\documents and settings\Dom Avery\Application Data\Unity
2009-09-20 12:39 . 2009-09-20 12:39 -------- d-----w- c:\program files\Unity
2009-09-18 10:51 . 2008-08-08 10:44 -------- d-----w- c:\program files\Canon
2009-09-15 16:35 . 2008-10-16 09:06 -------- d-----w- c:\documents and settings\Dom Avery\Application Data\Apple Computer
2009-09-15 16:33 . 2008-10-16 09:06 -------- d-----w- c:\program files\iTunes
2009-09-15 15:33 . 2009-09-15 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-15 15:33 . 2009-09-15 15:33 -------- d-----w- c:\program files\iPod
2009-09-15 15:31 . 2009-09-15 15:31 -------- d-----w- c:\program files\Bonjour
2009-09-15 15:31 . 2008-07-12 20:26 -------- d-----w- c:\program files\QuickTime
2009-09-15 15:29 . 2008-10-16 09:02 -------- d-----w- c:\program files\Common Files\Apple
2009-09-11 20:24 . 2008-08-28 14:01 -------- d-----w- c:\documents and settings\Dom Avery\Application Data\U3
2009-09-11 20:10 . 2009-09-11 20:10 -------- d-----w- c:\program files\Flash Movie Player
2009-09-11 19:14 . 2009-09-11 19:14 -------- d-----w- c:\program files\GNS3
2009-09-11 19:14 . 2009-09-11 19:14 -------- d-----w- c:\program files\WinPcap
2009-09-10 21:50 . 2009-06-10 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-08 20:43 . 2009-09-08 20:43 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-09-03 10:45 . 2009-10-28 16:23 43872 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-09-03 10:45 . 2009-10-28 16:23 129520 ------w- c:\windows\system32\pxafs.dll
2009-09-03 10:45 . 2009-10-28 16:23 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-09-03 10:45 . 2009-10-28 16:23 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-09-03 10:45 . 2009-10-28 16:23 120568 ------w- c:\windows\system32\pxcpyi64.exe
2009-09-03 10:45 . 2009-10-28 16:23 118256 ------w- c:\windows\system32\pxinsi64.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
2008-07-25 10:16 282112 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-09 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"Google Update"="c:\documents and settings\Dom Avery\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-21 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\wltray" [X]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-11-06 30208]
"CeEPOWER"="c:\program files\TOSHIBA\Power Management\CePMTray.exe" [2009-11-06 30208]
"CPLDBL10"="c:\program files\EzButton\CPLDBL10.EXE" [2009-11-06 30208]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2009-11-06 30208]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2009-11-06 30208]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2008-07-05 249856]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2009-11-06 30208]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2009-11-06 30208]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2009-11-06 30208]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-02 2028312]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT .exe" [2009-11-06 30208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-08 305440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-05 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-10-28 611712]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2009-11-06 30208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2009-11-06 30208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2009-11-06 30208]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"combofix"="c:\combofix\CF28258.exe" [2009-11-06 389120]

c:\documents and settings\Dom Avery\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless G Notebook Card Client Utility.lnk - c:\program files\Belkin\Cardbus F5D701F\Wireless Utility\Belkinwcui.exe [2009-11-5 1556480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-31 10:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-07-07 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-07-07 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-07-07 108552]
R2 AGCoreService;AG Core Services;c:\program files\AGI\core\3.0\AGCoreService.exe [2009-08-27 40960]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-07-07 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-07 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-07-07 1370488]
R2 bwcdrv;BUFFALO Wireless Configuration;c:\windows\system32\drivers\BWCDRV.SYS [2008-06-24 19840]
R2 DPortIO;Dritek Port I/O Driver;c:\windows\system32\drivers\DPORTIO.SYS [2001-04-12 3674]
R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [2005-07-27 14080]
R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [2005-07-27 36352]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2008-07-07 29208]
R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [2005-07-27 77056]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2008-07-07 29208]
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;c:\windows\system32\drivers\BCM4E5.SYS [2009-11-05 26568]
S3 Belkin701F;Belkin Wireless G Notebook Card Service v7;c:\windows\system32\drivers\BLKWGNv7.SYS [2009-11-05 303616]
S3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\BCMWL5.SYS [2008-06-24 376320]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2009-11-05 13532]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-06-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-11-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1869830678-2676309887-4175131795-1005Core1ca5b96a3c627d8.job
- c:\documents and settings\Dom Avery\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-21 18:48]

2009-10-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1869830678-2676309887-4175131795-1005UA.job
- c:\documents and settings\Dom Avery\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-21 18:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 23:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\igfxpers .exe 30208 bytes executable
c:\windows\system32\igfxtray .exe 30208 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1869830678-2676309887-4175131795-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*%*}*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1869830678-2676309887-4175131795-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*%*}*\OpenWithList]
@Class="Shell"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:f2,23,fa,53,f5,0b,f8,41,7b,aa,a4,5a,71,d6,30,b0,8b,b7,f3,8b,bd,
e6,b7,f5,25,8d,2f,49,f9,22,2f,e2,9e,50,d6,90,b1,4a,55,91,b0,94,f3,b6,dd,2f,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:f2,23,fa,53,f5,0b,f8,41,7b,aa,a4,5a,71,d6,30,b0,8b,b7,f3,8b,bd,
e6,b7,f5,25,8d,2f,49,f9,22,2f,e2,9e,50,d6,90,b1,4a,55,91,b0,94,f3,b6,dd,2f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1228)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\Power Management\CeEPwrSvc.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\System32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint2K\Apoint .exe
c:\program files\TOSHIBA\Power Management\CePMTray .exe
c:\program files\TOSHIBA\E-KEY\CeEKey .exe
c:\program files\TOSHIBA\TouchPad\TPTray .exe
c:\program files\Apoint2K\Apntex.exe
c:\program files\Nero\Nero 7\InCD\InCD .exe
c:\program files\Nero\Nero 7\InCD\NBHGui .exe
c:\windows\system32\wltray.exe
c:\progra~1\MICROS~2\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-06 23:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-06 23:44

Pre-Run: 54,109,061,120 bytes free
Post-Run: 54,078,136,320 bytes free

- - End Of File - - 7FA7D336070EA9095C05D6D1AF54D052


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, November 7, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, November 06, 2009 23:42:39
Records in database: 3164747
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 89587
Threats found: 2
Infected objects found: 144
Suspicious objects found: 2
Scan duration: 03:20:06


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\avg8\update\backup\avgtray.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Documents and Settings\Dom Avery\Local Settings\Application Data\Identities\{7470F4B7-395D-4A57-827A-D0B01E4847B5}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Program Files\Adobe\acrotray .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Apoint2K\Apoint.exe/C:\Program Files\Apoint2K\Apoint.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Canon\Canon IJ Network Scan Utility\cnmnsut .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Canon\Canon IJ Network Scan Utility\cnmnsut .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Canon\Canon IJ Network Scan Utility\cnmnsut .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Canon\Canon IJ Network Scan Utility\cnmnsut .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Canon\Canon IJ Network Scan Utility\cnmnsut .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Canon\Canon IJ Network Scan Utility\cnmnsut .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Canon\Canon IJ Network Scan Utility\cnmnsut .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Canon\Canon IJ Network Scan Utility\cnmnsut .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Canon\Canon IJ Network Scan Utility\cnmnsut .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Canon\Canon IJ Network Scan Utility\cnmnsut .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Canon\Canon IJ Network Scan Utility\cnmnsut .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Canon\Canon IJ Network Scan Utility\cnmnsut .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Canon\Canon IJ Network Scan Utility\cnmnsut .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Canon\Canon IJ Network Scan Utility\cnmnsut .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Canon\Canon IJ Network Scan Utility\cnmnsut .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Canon\Canon IJ Network Scan Utility\cnmnsut .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Canon\Canon IJ Network Scan Utility\cnmnsut .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Canon\Canon IJ Network Scan Utility\cnmnsut .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Canon\Canon IJ Network Scan Utility\cnmnsut .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Canon\Canon IJ Network Scan Utility\cnmnsut .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Canon\Canon IJ Network Scan Utility\cnmnsut .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Canon\Canon IJ Network Scan Utility\cnmnsut .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Canon\Canon IJ Network Scan Utility\cnmnsut .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Canon\Canon IJ Network Scan Utility\cnmnsut .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Canon\Canon IJ Network Scan Utility\cnmnsut.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Common Files\Ahead\Lib\nerocheck.exe161 Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Common Files\LightScribe\lightscribecontrolpanel .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Nero\Nero 7\InCD\incd.exe104 Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Nero\Nero 7\InCD\incd.exe110 Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Nero\Nero 7\InCD\incd.exe112 Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Nero\Nero 7\InCD\incd.exe164 Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Nero\Nero 7\InCD\incd.exe171 Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\Nero\Nero 7\InCD\nbhgui.exe163 Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\TOSHIBA\E-KEY\ceekey.exe154 Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\TOSHIBA\E-KEY\ceekey.exe199 Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\TOSHIBA\Power Management\cepmtray.exe193 Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\TOSHIBA\TouchPad\tptray.exe157 Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Program Files\TOSHIBA\TouchPad\tptray.exe203 Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hkcmd .exe.vir Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\igfxpers .exe.vir Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\igfxtray .exe.vir Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0051896.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0051897.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0051898.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0051899.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0051900.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0051901.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0051902.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0051903.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052887.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052888.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052889.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052890.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052891.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052893.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052894.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052895.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052896.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052897.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052898.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052918.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052920.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052921.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052922.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052923.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052924.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052925.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052926.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052927.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052928.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052930.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052967.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052969.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052970.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052971.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052972.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052973.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052975.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052976.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052978.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052979.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP253\A0052980.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053133.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053135.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053136.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053137.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053138.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053139.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053140.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053141.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053285.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053286.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053287.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053303.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053304.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053305.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053306.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053307.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053308.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053309.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053316.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053459.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053460.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053461.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053462.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053463.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053464.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053465.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053466.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053467.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053468.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0053470.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0054456.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0054459.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0054460.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0054461.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0054462.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0054463.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0054464.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0054465.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0054466.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0054467.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0054469.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0054489.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0054490.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0054491.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0054511.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0054514.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0054516.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0054517.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0054520.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0054521.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0054522.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0054523.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\System Volume Information\_restore{1B16EE2E-9342-4425-8B41-1D61C85150F7}\RP254\A0054660.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\WINDOWS\system32\hkcmd .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\WINDOWS\system32\igfxpers .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\WINDOWS\system32\igfxtray .exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\WINDOWS\system32\ReinstallBackups\0019\DriverFiles\hkcmd.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\WINDOWS\system32\ReinstallBackups\0019\DriverFiles\igfxpers.exe Infected: Trojan-Downloader.Win32.Small.anxi 1
C:\WINDOWS\system32\ReinstallBackups\0019\DriverFiles\igfxtray.exe Infected: Trojan-Downloader.Win32.Small.anxi 1

Selected area has been scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:33 PM, on 2009-11-07
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AGI\core\3.0\AGCoreService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint2K\Apoint .exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray .exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey .exe
C:\Program Files\TOSHIBA\TouchPad\TPTray .exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Nero\Nero 7\InCD\InCD .exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui .exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\Cardbus F5D701F\Wireless Utility\Belkinwcui.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: agcore.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CPLDBL10] C:\Program Files\EzButton\CPLDBL10.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT .exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\wltray
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Dom Avery\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin Wireless G Notebook Card Client Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4304515531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2058940800
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdeskt ... reQual.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.co ... nos/gp.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://www.mybt.bt.com/dana-cached/set ... tupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AG Core Services (AGCoreService) - AG Interactive - C:\Program Files\AGI\core\3.0\AGCoreService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 12975 bytes
domavery
Regular Member
 
Posts: 19
Joined: October 31st, 2009, 3:11 pm
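
The logs above show several binaries whose names carry a space before the extension (hkcmd .exe, CePMTray .exe, CNMNSUT .exe) while the matching Run keys name the unspaced file. As an added example, not code from this thread, from HijackThis or from any scanner used in it, the Python check below flags that pattern in a HijackThis log; the sample log lines are constructed from the patterns in the posted logs.

```python
"""Flag "space before the extension" lookalike executables in a HijackThis log.

Added example for this thread; it is not code from the forum, from
HijackThis, or from any scanner mentioned above.  The sample log below is
constructed from the patterns visible in the posted logs.
"""
import re
from dataclasses import dataclass

# HijackThis O4 autostart entry, e.g.
#   O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
# Captures the target path up to its .exe/.dll extension (quotes optional).
O4_ENTRY = re.compile(
    r'^O4 - .*?\[(?P<name>[^\]]*)\]\s+"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll))',
    re.IGNORECASE,
)


@dataclass
class Finding:
    kind: str            # "spaced_extension" or "autostart_mismatch"
    path: str            # the suspicious path as it appeared in the log
    related: str = ""    # for mismatches: the autostart path naming the unspaced file


def parse_hjt(text):
    """Return (running_processes, autostart_paths) from a HijackThis log."""
    running, autostarts = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if not line:                      # a blank line ends the process section
            in_processes = False
            continue
        if in_processes:
            running.append(line)
            continue
        m = O4_ENTRY.match(line)
        if m:
            autostarts.append(m.group("path"))
    return running, autostarts


def has_spaced_extension(path):
    """True for names like 'hkcmd .exe': padding between base name and extension."""
    filename = path.rpartition("\\")[2]
    base, dot, _ext = filename.rpartition(".")
    return bool(dot) and base != base.rstrip()


def normalised_key(path):
    """(directory, base without padding, ext), lowercased, so foo.exe == 'foo .exe'."""
    directory, _, filename = path.rpartition("\\")
    base, _, ext = filename.rpartition(".")
    return (directory.lower(), base.strip().lower(), ext.lower())


def find_lookalikes(text):
    """Return Findings for spaced-extension names and Run-key/process mismatches."""
    running, autostarts = parse_hjt(text)
    findings = []
    # 1. A padded name is suspicious wherever it appears.
    for path in running + autostarts:
        if has_spaced_extension(path):
            findings.append(Finding("spaced_extension", path))
    # 2. The Run key launches foo.exe, but the process table shows 'foo .exe'
    #    from the same directory: what was started is not what is running,
    #    which deserves a manual look even if no scanner fires on either file.
    clean = {normalised_key(p): p for p in autostarts if not has_spaced_extension(p)}
    for path in running:
        key = normalised_key(path)
        if has_spaced_extension(path) and key in clean:
            findings.append(Finding("autostart_mismatch", path, clean[key]))
    return findings


# Constructed sample, modelled on the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\hkcmd .exe
C:\Program Files\Apoint2K\Apoint .exe
C:\Program Files\Apoint2K\Apntex.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT .exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\wltray
"""

if __name__ == "__main__":
    for f in find_lookalikes(SAMPLE_LOG):
        print(f.kind, f.path, ("<- Run key: " + f.related) if f.related else "")
```
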

Re: Reoccurence of CVT.xxxx.exe / Worm/koobface.k

Post by Bio-Hazard » November 9th, 2009, 6:29 am

Hello!

I would like to run another online scan.

ATF-Cleaner

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords please click No at the prompt.
  • Click Exit on the Main menu to close the program.


Eset online scanner

You can use either Internet Explorer or Mozilla Firefox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please go here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • ESET Log
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Reoccurence of CVT.xxxx.exe / Worm/koobface.k

Post by domavery » November 9th, 2009, 9:11 am

C:\Program Files\Common Files\Ahead\Lib\nerocheck.exe161 Win32/TrojanDownloader.Unruy.AA trojan
C:\Program Files\Nero\Nero 7\InCD\incd.exe104 Win32/TrojanDownloader.Unruy.AA trojan
C:\Program Files\Nero\Nero 7\InCD\incd.exe110 Win32/TrojanDownloader.Unruy.AA trojan
C:\Program Files\Nero\Nero 7\InCD\incd.exe112 Win32/TrojanDownloader.Unruy.AA trojan
C:\Program Files\Nero\Nero 7\InCD\incd.exe164 Win32/TrojanDownloader.Unruy.AA trojan
C:\Program Files\Nero\Nero 7\InCD\incd.exe171 Win32/TrojanDownloader.Unruy.AA trojan
C:\Program Files\Nero\Nero 7\InCD\nbhgui.exe163 Win32/TrojanDownloader.Unruy.AA trojan
C:\Program Files\TOSHIBA\E-KEY\ceekey.exe154 Win32/TrojanDownloader.Unruy.AA trojan
C:\Program Files\TOSHIBA\E-KEY\ceekey.exe199 Win32/TrojanDownloader.Unruy.AA trojan
C:\Program Files\TOSHIBA\Power Management\cepmtray.exe193 Win32/TrojanDownloader.Unruy.AA trojan
C:\Program Files\TOSHIBA\TouchPad\tptray.exe157 Win32/TrojanDownloader.Unruy.AA trojan
C:\Program Files\TOSHIBA\TouchPad\tptray.exe203 Win32/TrojanDownloader.Unruy.AA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\hkcmd .exe.vir Win32/TrojanDownloader.Unruy.AA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\igfxpers .exe.vir Win32/TrojanDownloader.Unruy.AA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\igfxtray .exe.vir Win32/TrojanDownloader.Unruy.AA trojan

-----------------------end-----------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:09:28 PM, on 2009-11-09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AGI\core\3.0\AGCoreService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Belkin\Cardbus F5D701F\Wireless Utility\Belkinwcui.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: agcore.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CPLDBL10] C:\Program Files\EzButton\CPLDBL10.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT .exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\wltray
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Dom Avery\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin Wireless G Notebook Card Client Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4304515531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2058940800
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdeskt ... reQual.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.co ... nos/gp.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://www.mybt.bt.com/dana-cached/set ... tupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AG Core Services (AGCoreService) - AG Interactive - C:\Program Files\AGI\core\3.0\AGCoreService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 12808 bytes


Monitoring for errors...
domavery
Regular Member
 
Posts: 19
Joined: October 31st, 2009, 3:11 pm