Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Post by muuli » November 14th, 2008, 7:49 am

Hi,

The Combofix log isn't complete... Please check whether you can find the complete log. Open Combofix.txt and press Ctrl + A; all the text will turn blue. Then copy (Ctrl + C) and paste (Ctrl + V) all the text into your next reply.
muuli
Regular Member
 
Posts: 690
Joined: February 8th, 2007, 4:01 pm
Location: Finland

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Post by muuli » November 17th, 2008, 3:30 pm

Hello!

Do you still need help?

It has been three days since my last post.

Do you still need help with this?
Do you need more time?
Are you having problems following my instructions?

Note: If after 48hrs you have not replied to this thread then it will have to be CLOSED!

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Post by motoaaron » November 20th, 2008, 8:20 pm

Hey, sorry about that. I wasn't getting page 2. Um, all that log was copied and pasted. Do I need to do it all again? I mean run it and see if it gets a better log? Thanks.
motoaaron
Regular Member
 
Posts: 17
Joined: October 21st, 2008, 10:19 pm

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Post by muuli » November 21st, 2008, 6:13 am

Hi,

Yes, please run combofix again.

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Post by motoaaron » November 22nd, 2008, 8:00 pm

Since it's been a while, Combofix is asking me if I want to run it with limited access. Do I need to download again? If so, do I have to fix up that restart panel thing again? Also, what about Comodo SafeSurf? I can't figure out how to turn it off. I turn off the firewall, but I don't know about this thing - SafeSurf. Is there anything else in AVG that I turn off besides the resident shield? When I turn off Spybot there is a check box above the one I'm supposed to uncheck. It's for blocking bad downloads from IE. Should I take that off too? thanks

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Post by muuli » November 23rd, 2008, 12:43 pm

Hi,

motoaaron wrote: Since it's been a while, Combofix is asking me if I want to run it with limited access. Do I need to download again?

You can download it again if you can't run it otherwise...

motoaaron wrote: If so, do I have to fix up that restart panel thing again?

I think you mean the recovery console... So you don't need to install it again.

motoaaron wrote: Also, what about Comodo SafeSurf? I can't figure out how to turn it off. I turn off the firewall, but I don't know about this thing - SafeSurf.

You don't need to turn off Comodo SafeSurf...

motoaaron wrote: Is there anything else in AVG that I turn off besides the resident shield?

I think not...

motoaaron wrote: When I turn off Spybot there is a check box above the one I'm supposed to uncheck. It's for blocking bad downloads from IE. Should I take that off too? thanks

No, you don't need to turn it off.

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Post by motoaaron » November 23rd, 2008, 3:37 pm

OK, well, it ran differently than last time. SafeSurf kept popping up during the scan. I x'ed it once and it popped up again, then it went away by itself and then popped up again. I got a screenshot and I'm going to try to attach it to this somehow. The screenshot shows an Access denied message and a temp access denied message from Combofix with the *^&) SafeSurf screen on top of it.

edit: I looked over the logs and wanted to get rid of the MySpace IM. I went to Program Files/MySpace and it is empty. My hidden files are shown, too. I don't know what's up with that.

Here is the log:

ComboFix 08-11-22.02 - Aaron Morgan 2008-11-23 13:14:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.742 [GMT -6:00]
Running from: c:\documents and settings\Aaron Morgan\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files\Mozilla Firefox\plugins\npclntax.dll
C:\setup.exe
c:\windows\system32\TDSSwupe.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Legacy_VFILT
-------\Service_TDSSserv
-------\Service_TDSSserv.sys)


((((((((((((((((((((((((( Files Created from 2008-10-23 to 2008-11-23 )))))))))))))))))))))))))))))))
.

2008-11-12 12:50 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 12:48 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-10 13:53 . 2008-11-10 13:53 2,306,113 --a------ c:\windows\system32\GPhotos.scr
2008-11-05 01:27 . 2008-11-05 01:30 250 --a------ c:\windows\gmer.ini
2008-10-30 21:12 . 2008-10-30 21:12 <DIR> d-------- C:\Rustbfix
2008-10-28 21:07 . 2008-10-28 21:07 2,720 --a------ c:\windows\system32\tmp.reg
2008-10-28 21:04 . 2008-10-10 06:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-10-28 21:04 . 2008-10-10 06:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-10-28 21:03 . 2008-09-08 21:38 88,576 --a------ c:\windows\system32\AntiXPVSTFix.exe
2008-10-28 21:03 . 2008-10-01 13:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-10-28 21:03 . 2008-05-18 19:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-10-28 21:03 . 2008-08-18 10:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-10-28 21:02 . 2007-09-05 22:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-10-28 21:02 . 2004-07-31 16:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-10-28 21:02 . 2007-10-03 22:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-10-28 21:01 . 2006-04-27 15:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-10-28 21:00 . 2003-06-05 19:13 53,248 --a------ c:\windows\system32\Process.exe
2008-10-24 00:58 . 2008-10-15 10:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-23 19:16 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-22 02:48 --------- d-----w c:\documents and settings\Aaron Morgan\Application Data\Move Networks
2008-11-20 03:03 --------- d-----w c:\documents and settings\Aaron Morgan\Application Data\OpenOffice.org2
2008-11-19 18:12 99,216 ----a-w c:\windows\system32\drivers\cmdguard.sys
2008-11-19 18:12 31,504 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2008-11-19 18:12 143,096 ----a-w c:\windows\system32\guard32.dll
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 08:32 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-22 08:32 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-22 08:20 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-22 08:15 --------- d-----w c:\program files\SpywareBlaster
2008-10-21 23:38 --------- d-----w c:\documents and settings\All Users\Application Data\comodo
2008-10-21 22:59 249,592 ----a-w c:\windows\system32\cssdll32.dll
2008-10-21 22:59 --------- d-----w c:\program files\COMODO
2008-10-21 22:59 --------- d-----w c:\program files\AskSBar
2008-10-21 22:58 --------- d-----w c:\documents and settings\Aaron Morgan\Application Data\Comodo
2008-10-21 22:50 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-10-17 01:25 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-17 01:25 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-10 21:29 --------- d-----w c:\documents and settings\Aaron Morgan\Application Data\LimeWire
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-28 05:02 138,280 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-09-28 05:02 111,928 ----a-w c:\windows\system32\PnkBstrB.exe
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-24 19:19 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-08-24 00:14 2,086 ----a-w c:\windows\system32\ealregsnapshot1.reg
2008-06-16 23:10 744 ----a-w c:\documents and settings\Aaron Morgan\Application Data\filterclsid.dat
2006-04-01 17:52 1 ----a-w c:\documents and settings\Aaron Morgan\SI.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-27 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"COMODO SafeSurf"="c:\program files\COMODO\SafeSurf\cssurf.exe" [2008-10-21 278264]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2008-11-19 1796856]
"COMODO Internet Security"="c:\program files\COMODO\Firewall\cfp.exe" [2008-11-19 1796856]
"AtiPTA"="atiptaxx.exe" [2005-11-22 c:\windows\system32\atiptaxx.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RioMSC"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Wolfenstein - Enemy Territory\\ETDED.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\EA SPORTS\\Madden NFL 07\\Updater.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11654:TCP"= 11654:TCP:BitComet 11654 TCP
"11654:UDP"= 11654:UDP:BitComet 11654 UDP
"8403:TCP"= 8403:TCP:BitComet 8403 TCP
"8403:UDP"= 8403:UDP:BitComet 8403 UDP
"13659:TCP"= 13659:TCP:BitComet 13659 TCP
"13659:UDP"= 13659:UDP:BitComet 13659 UDP
"26511:TCP"= 26511:TCP:BitComet 26511 TCP
"26511:UDP"= 26511:UDP:BitComet 26511 UDP
"8772:TCP"= 8772:TCP:BitComet 8772 TCP
"8772:UDP"= 8772:UDP:BitComet 8772 UDP

R1 atitray;atitray;\??\c:\program files\Radeon Omega Drivers\v2.6.87\ATI Tray Tools\atitray.sys [2005-11-13 9088]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-24 97928]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-10-21 99216]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-10-21 31504]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-08-24 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-24 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-08-24 76040]
R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe -k netsvcs [2002-08-29 14336]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2008-11-21 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-27 05:51]

2008-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-06-24 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 08:42]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe
SafeBoot-TDSSxxou.sys


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Aaron Morgan\Application Data\Mozilla\Firefox\Profiles\om7weq7w.default\
FF -: plugin - c:\documents and settings\Aaron Morgan\Application Data\Mozilla\Firefox\Profiles\om7weq7w.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071102000005.dll
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\program files\Google\Picasa3\npPicasa3.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-23 13:16:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\WgaLogon.dll
.
Completion time: 2008-11-23 13:19:00
ComboFix-quarantined-files.txt 2008-11-23 19:17:42

Pre-Run: 63,254,388,736 bytes free
Post-Run: 63,276,883,968 bytes free

190 --- E O F --- 2008-11-13 01:25:30

Oh, and I think you wanted an HJT log too, so let me run that.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:43:48, on 11/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\motoaaron.exe.exe
C:\Program Files\Trend Micro\HijackThis\motoaaron.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7863 bytes

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Post by muuli » November 24th, 2008, 11:12 am

Hi,

Step 1

Disable Teatimer...
  1. Right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).
  2. Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the system tray should now be colorless.
  3. Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
  4. Click on Mode > Advanced Mode. When it prompts you, click Yes.
  5. On the left hand side, click on Tools.
  6. Check (tick) this box if it is not yet ticked: Resident.
  7. You will notice that Resident is now added under Tools. Click on Resident.
  8. Uncheck (untick) this box: Resident "TeaTimer" (Protection of over-all system settings) active.
  9. Exit Spybot Search & Destroy.
  10. Restart your computer for the changes to take effect.

Step 2

Please remove via Add or Remove Programs (press Start -> Control Panel -> Add or Remove Programs):
Ask Toolbar
COMODO SafeSurf


Step 3

Open HijackThis, click Do a system scan only, then check the following entries, if found:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
Close all other windows including browser and press Fix checked.

Step 4

Open notepad and copy/paste the text in the codebox below into it:

File::
c:\windows\system32\cssdll32.dll

Folder::
c:\program files\AskSBar
c:\documents and settings\Aaron Morgan\Application Data\LimeWire
C:\Program Files\COMODO\SafeSurf


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; Combofix should then continue.
If that happened we want to know, and also which process you had to end.

Step 5

Now, please run Gmer again... It should be on the desktop.
  1. Double click on gmer.exe to run it.
  2. It will start scanning. Please be patient.
  3. Select Rootkit/Malware tab.
  4. On your right, check (tick) all the boxes and click Scan.
  5. This will start a deep scan. Please be patient.
  6. Click on Save... to save a log to a convenient location.
  7. Click OK to exit.
  8. Post that log in your next reply.

Step 6

Please post a fresh HijackThis log, Combofix log and Gmer log.
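A small triage script for the kind of HijackThis and ComboFix lines quoted in this thread, added here as an example (it is not code from MalwareRemoval.com, HijackThis or ComboFix): it flags BHO/toolbar registrations with no file behind them, entries that load from the AskSBar and SafeSurf directories Step 2 removes, and the Security Center and Windows Firewall settings visible in the ComboFix "Reg Loading Points" section. The sample lines are constructed subsets copied from the logs above, and the UNWANTED_DIRS list is an assumption made for this example.

```python
"""Triage helper for the HijackThis and ComboFix lines posted in this thread.
Added example for this page, not code from MalwareRemoval.com or the tool vendors;
the samples are constructed subsets of the logs posted above."""
import re
from dataclasses import dataclass

# Constructed sample: HijackThis O2/O3/O4 lines copied from the log above.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed sample: 'Reg Loading Points' lines copied from the ComboFix log above.
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Program directories the helper's Step 2 removes (assumed list for this example).
UNWANTED_DIRS = ("\\AskSBar\\", "\\COMODO\\SafeSurf\\")

LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<rest>.*)$")
BHO_RE = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*)$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')

@dataclass
class HjtEntry:
    section: str  # O2 = BHO, O3 = toolbar, O4 = Run key
    name: str
    clsid: str    # empty for O4 entries
    path: str     # file path, or '(no file)' for an orphaned registration

def _exe_path(cmd):
    """Return the executable from an O4 command line, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        return cmd[1:cmd.find('"', 1)]
    return cmd

def parse_hjt(text):
    """Parse O2 (BHO), O3 (toolbar) and O4 (Run key) lines; other sections are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["section"] in ("O2", "O3") and (b := BHO_RE.match(m["rest"])):
            entries.append(HjtEntry(m["section"], b["name"], b["clsid"], b["path"].strip()))
        elif m and m["section"] == "O4" and (r := RUN_RE.match(m["rest"])):
            entries.append(HjtEntry("O4", r["name"], "", _exe_path(r["path"])))
    return entries

def flag_hjt(entries, unwanted_dirs=UNWANTED_DIRS):
    """Return (entry, reason) pairs a helper would mark for 'Fix checked'."""
    flagged = []
    for e in entries:
        low = e.path.lower()
        if e.section in ("O2", "O3") and low == "(no file)":
            flagged.append((e, "BHO/toolbar registered but its DLL is gone"))
        elif any(d.lower() in low for d in unwanted_dirs):
            flagged.append((e, "loads from a directory slated for removal"))
    return flagged

def parse_reg_points(text):
    """Map (key, value name) -> raw data for ComboFix's REGEDIT4-style section."""
    key, out = None, {}
    for line in text.splitlines():
        line = line.strip()
        if k := KEY_RE.match(line):
            key = k["key"].lower()
        elif key and (v := VAL_RE.match(line)):
            out[(key, v["name"].lower())] = v["data"].strip()
    return out

def _reg_int(data):
    """ComboFix prints DWORDs either as 'dword:00000001' or as '0 (0x0)'."""
    return int(data[6:], 16) if data.startswith("dword:") else int(data.split()[0])

def posture_findings(reg):
    """Settings worth a second look; third-party suites set some of these legitimately."""
    findings = []
    sc = "hkey_local_machine\\software\\microsoft\\security center"
    for name in ("antivirusdisablenotify", "updatesdisablenotify"):
        if _reg_int(reg.get((sc, name), "0")) == 1:
            findings.append(f"Security Center alert suppressed: {name}=1")
    fw = "hklm\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile"
    if (fw, "enablefirewall") in reg and _reg_int(reg[(fw, "enablefirewall")]) == 0:
        findings.append("Windows Firewall standard profile disabled (EnableFirewall=0)")
    return findings
```

Run over the sample it flags the same four entries muuli lists in Step 3; once Step 2 has uninstalled Ask Toolbar and SafeSurf, only the orphaned no-name BHO is left, which is what motoaaron reports in the next post. The posture findings are facts to review rather than proof of infection: a third-party firewall or antivirus suite commonly sets exactly these values.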

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Post by motoaaron » November 25th, 2008, 12:09 am

OK, I'm in the process... TeaTimer isn't quite like you said. I don't know if it matters. When I right clicked the icon in the tray and unchecked Resident, it did not gray out. Then when I opened the program and went to Tools and clicked Resident... it was already there, nothing changed. I unchecked Resident TeaTimer and restarted. That's where I'm at right now. Before I started this, the computer hung up two or three times and we had to restart two or three times today. It's going very slow. Previous to this, it had been going fast. I'm off to do step 2 now. I'll be back posting notes if needed. Thanks for the help.

Step 3
Only this one was there to "Fix checked"
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

Step 4
I had to turn off the firewall to let Combofix work, and I'm not sure it is working... may have to do that again. (I'm posting this on another computer.) OK, I had to drag the .txt file onto Combofix again and it started this time. It deleted tons of LimeWire files. How were those still on there? I deleted them when you said. You can see that from the HJT file. Does this mean that someone reinstalled it or were they always there? Was the Ask toolbar the bad guy or just something broken? I'm waiting on the Combofix log now.

I have the Combofix text file, but AVG is running again. It has been popping up and scanning at weird times and it won't stop when you right click and tell it to stop all scans. I continue to have two AVG things in the tray. The Combofix log says that a user-mapped section is open or something, and it can't do something. Is that because I didn't turn off the Resident part of AVG? I'm waiting on the scanned computer to open up Firefox so I can paste the log.

ComboFix 08-11-22.02 - Aaron Morgan 2008-11-24 22:27:59.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.736 [GMT -6:00]
Running from: c:\documents and settings\Aaron Morgan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Aaron Morgan\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\cssdll32.dll
.
/wow section - STAGE 32A
The requested operation cannot be performed on a file with a user-mapped section open.
The requested operation cannot be performed on a file with a user-mapped section open.
The requested operation cannot be performed on a file with a user-mapped section open.
The requested operation cannot be performed on a file with a user-mapped section open.
The requested operation cannot be performed on a file with a user-mapped section open.
(the posted log repeats this line 69 times here)


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Aaron Morgan\Application Data\LimeWire
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\.NetworkShare\LimeWireWin4.16.6.exe
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\410splashfree.png
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\410splashpro.png
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\412splashpro.png
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\414splashfree.png
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\active.mojito
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\createtimes.cache
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\data.ser
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\fileurns.bak
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\fileurns.cache
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\filters.props
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\gnutella.net
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\installation.props
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\library.dat
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\limewire.props
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\mojito.props
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\passive.mojito
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\pub1.key
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\public.key
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\questions.props
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\responses.cache
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\secureMessage.key
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\simpp.xml
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\spam.dat
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\tables.props
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme.lwtp
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\01_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\02_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\03_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\04_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\05_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\chat.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\dir_closed.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\dir_open.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\forward_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\forward_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\kill.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\kill_on.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\lime.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\logo.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\notsearching.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\pause_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\pause_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\play_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\play_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\question.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\rewind_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\rewind_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\searching.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\splash.png
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\splashpro.png
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\stop_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\stop_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\theme.txt
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\black_theme\warning.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme.lwtp
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\01_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\02_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\03_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\04_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\05_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\chat.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\dir_open.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\forward_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\forward_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\kill.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\logo.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\notsearching.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\pause_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\pause_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\play_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\play_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\question.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\rewind_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\rewind_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\search.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\searching.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\splash.png
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\splashpro.png
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\stop_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\stop_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\theme.txt
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\classic_theme\warning.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme.lwtp
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\01_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\02_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\03_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\04_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\05_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\chat.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\dir_closed.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\dir_open.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\forward_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\forward_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\kill.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\kill_on.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\lime.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\logo.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\notsearching.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\pause_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\pause_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\play_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\play_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\question.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\rewind_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\rewind_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\searching.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\splashpro.png
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\stop_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\stop_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\theme.txt
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewire_theme\warning.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme.lwtp
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\01_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\02_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\03_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\04_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\05_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\chat.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\dir_closed.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\dir_open.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\forward_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\forward_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\kill.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\kill_on.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\lime.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\logo.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\notsearching.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\pause_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\pause_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\play_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\play_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\question.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\rewind_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\rewind_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\searching.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\splash.png
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\splashpro.png
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\stop_dn.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\stop_up.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\theme.txt
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\limewirePro_theme\warning.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\other_theme.lwtp
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\other_theme\01_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\other_theme\02_star.gif
c:\documents and settings\Aaron Morgan\Application Data\LimeWire\themes\other_theme\03_star.gif
c:\program files\COMODO\SafeSurf
c:\windows\system32\cssdll32.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-25 to 2008-11-25 )))))))))))))))))))))))))))))))
.

2008-11-24 22:14 . 2008-10-21 16:59 262,144 --a------ c:\program files\Uninstall Ask Toolbar.dll
2008-11-17 14:04 . 2008-11-17 14:04 2,306,113 --a------ c:\windows\system32\GPhotos.scr
2008-11-12 12:50 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 12:48 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-05 01:27 . 2008-11-05 01:30 250 --a------ c:\windows\gmer.ini
2008-10-30 21:12 . 2008-10-30 21:12 <DIR> d-------- C:\Rustbfix
2008-10-28 21:07 . 2008-10-28 21:07 2,720 --a------ c:\windows\system32\tmp.reg
2008-10-28 21:04 . 2008-10-10 06:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-10-28 21:04 . 2008-10-10 06:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-10-28 21:03 . 2008-09-08 21:38 88,576 --a------ c:\windows\system32\AntiXPVSTFix.exe
2008-10-28 21:03 . 2008-10-01 13:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-10-28 21:03 . 2008-05-18 19:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-10-28 21:03 . 2008-08-18 10:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-10-28 21:02 . 2007-09-05 22:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-10-28 21:02 . 2004-07-31 16:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-10-28 21:02 . 2007-10-03 22:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-10-28 21:01 . 2006-04-27 15:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-10-28 21:00 . 2003-06-05 19:13 53,248 --a------ c:\windows\system32\Process.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-25 04:28 --------- d-----w c:\program files\COMODO
2008-11-24 20:16 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-24 03:13 --------- d-----w c:\documents and settings\Aaron Morgan\Application Data\OpenOffice.org2
2008-11-22 02:48 --------- d-----w c:\documents and settings\Aaron Morgan\Application Data\Move Networks
2008-11-19 18:12 99,216 ----a-w c:\windows\system32\drivers\cmdguard.sys
2008-11-19 18:12 31,504 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2008-11-19 18:12 143,096 ----a-w c:\windows\system32\guard32.dll
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 08:32 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-22 08:32 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-22 08:20 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-22 08:15 --------- d-----w c:\program files\SpywareBlaster
2008-10-21 23:38 --------- d-----w c:\documents and settings\All Users\Application Data\comodo
2008-10-21 22:58 --------- d-----w c:\documents and settings\Aaron Morgan\Application Data\Comodo
2008-10-21 22:50 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-10-17 01:25 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-17 01:25 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-28 05:02 138,280 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-09-28 05:02 111,928 ----a-w c:\windows\system32\PnkBstrB.exe
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-06-16 23:10 744 ----a-w c:\documents and settings\Aaron Morgan\Application Data\filterclsid.dat
2006-04-01 17:52 1 ----a-w c:\documents and settings\Aaron Morgan\SI.bin
2008-08-24 22:48 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082420080825\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-11-23_13.17.08.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-25 04:15:52 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_40c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-27 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2008-11-19 1796856]
"COMODO Internet Security"="c:\program files\COMODO\Firewall\cfp.exe" [2008-11-19 1796856]
"AtiPTA"="atiptaxx.exe" [2005-11-22 c:\windows\system32\atiptaxx.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RioMSC"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Wolfenstein - Enemy Territory\\ETDED.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\EA SPORTS\\Madden NFL 07\\Updater.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11654:TCP"= 11654:TCP:BitComet 11654 TCP
"11654:UDP"= 11654:UDP:BitComet 11654 UDP
"8403:TCP"= 8403:TCP:BitComet 8403 TCP
"8403:UDP"= 8403:UDP:BitComet 8403 UDP
"13659:TCP"= 13659:TCP:BitComet 13659 TCP
"13659:UDP"= 13659:UDP:BitComet 13659 UDP
"26511:TCP"= 26511:TCP:BitComet 26511 TCP
"26511:UDP"= 26511:UDP:BitComet 26511 UDP
"8772:TCP"= 8772:TCP:BitComet 8772 TCP
"8772:UDP"= 8772:UDP:BitComet 8772 UDP

R1 atitray;atitray;\??\c:\program files\Radeon Omega Drivers\v2.6.87\ATI Tray Tools\atitray.sys [2005-11-13 9088]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-24 97928]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-10-21 99216]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-10-21 31504]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-08-24 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-24 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-08-24 76040]
R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe -k netsvcs [2002-08-29 14336]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3fd74298-d5eb-11dc-9e6e-806d6172696f}]
\Shell\AutoRun\command - D:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7107e34-0e5e-11da-9551-806d6172696f}]
\Shell\AutoRun\command - D:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c94dbc9c-0fff-11dd-9e97-000d87496c17}]
\Shell\AutoRun\command - J:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c94dbcab-0fff-11dd-9e97-000d87496c17}]
\Shell\AutoRun\command - F:\install.EXE id= ver=1.0.0.0

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-11-21 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-27 05:51]

2008-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-06-24 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 08:42]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-24 22:30:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\WgaLogon.dll
.
Completion time: 2008-11-24 22:33:08
ComboFix-quarantined-files.txt 2008-11-25 04:31:50
ComboFix2.txt 2008-11-23 19:19:03

Pre-Run: 63,137,042,432 bytes free
Post-Run: 63,126,941,696 bytes free

399 --- E O F --- 2008-11-13 01:25:30


Alright, I'm moving to the next step.
Gmer - I turned off the firewall before I scanned. Here's the log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-24 22:53:05
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xBAFEB7B6]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwClose [0xF7520818]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0xBAFEAD16]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xBAFEB372]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateKey [0xBAFEBF80]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xF7514A20]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0xBAFEAA70]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xBAFECC70]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xBAFEB99C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThread [0xBAFEA646]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteKey [0xBAFEBBEA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteValueKey [0xBAFEBD9A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0xBAFEA4F8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xF75152A8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xF7520910]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xBAFEC8F2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xBAFEAF5C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xBAFEB5AA]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwOpenKey [0xF7520794]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenProcess [0xBAFEA228]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xBAFEB1EC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenThread [0xBAFEA3A0]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xF75152C8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryValueKey [0xF7520866]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRenameKey [0xBAFEC346]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xBAFEAB8E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0xBAFEC6AA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xBAFECAA0]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xF75200B0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetValueKey [0xBAFEC146]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xBAFEAEF6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xBAFEB0E0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateProcess [0xBAFEA93A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0xBAFEA808]

INT 0x62 ? 88B6CBF8
INT 0x63 ? 888D1F00
INT 0x73 ? 888D1F00
INT 0x82 ? 88B6CBF8
INT 0x83 ? 888D1F00

---- Kernel code sections - GMER 1.0.14 ----

? spat.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F72738AC 5 Bytes JMP 888D14E0
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 88BDB2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F758293C] spat.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7582990] spat.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 888D15E0
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7562D92] spat.sys
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F737D710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F737D770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F737D990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F737D950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F737D950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F737D770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F737D710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F737D990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F737D990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F737D950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F737D770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F737D710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F737D950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F737D990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F737D710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F737D770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F737D710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F737D770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F737D950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F737D990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F737D950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F737D770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F737D710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F737D950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F737D990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F737D710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F737D770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 88BD71F8
Device \FileSystem\Udfs \UdfsCdRom 885CB500
Device \FileSystem\Udfs \UdfsCdRom 88819E90
Device \FileSystem\Udfs \UdfsDisk 885CB500
Device \FileSystem\Udfs \UdfsDisk 88819E90

AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\cmdHlp \Device\CFPTcpFlt avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbohci \Device\USBPDO-0 888D31F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 88BD91F8
Device \Driver\dmio \Device\DmControl\DmConfig 88BD91F8
Device \Driver\dmio \Device\DmControl\DmPnP 88BD91F8
Device \Driver\dmio \Device\DmControl\DmInfo 88BD91F8
Device \Driver\usbohci \Device\USBPDO-1 888D31F8
Device \Driver\usbehci \Device\USBPDO-2 888DE1F8
Device \Driver\cmdHlp \Device\CFPRawFlt avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\cmdHlp \Device\CFPUdpFlt avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 88B6D1F8
Device \Driver\Cdrom \Device\CdRom0 887E0170
Device \FileSystem\Rdbss \Device\FsWrap 886C1820
Device \Driver\Cdrom \Device\CdRom1 887E0170
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 887E0278
Device \Driver\atapi \Device\Ide\IdePort0 887E0278
Device \Driver\atapi \Device\Ide\IdePort1 887E0278
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 887E0278
Device \Driver\NetBT \Device\NetBt_Wins_Export 883721F8
Device \Driver\NetBT \Device\NetbiosSmb 883721F8
Device \FileSystem\Srv \Device\LanmanServer 88551D30

AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\cmdHlp \Device\cmdhlp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbohci \Device\USBFDO-0 888D31F8
Device \Driver\usbohci \Device\USBFDO-1 888D31F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 883531F8
Device \Driver\cmdHlp \Device\CFPIpFlt avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbehci \Device\USBFDO-2 888DE1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 883531F8
Device \FileSystem\Npfs \Device\NamedPipe 8873C5F0
Device \Driver\Ftdisk \Device\FtControl 88B6D1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{CE720297-240C-48AA-A46A-657689230769} 883721F8
Device \FileSystem\Msfs \Device\Mailslot 8873C9C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 885381B8
Device \Driver\d347prt \Device\Scsi\d347prt1 885381B8
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 8873DB68
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 8873DB68
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 8873DB68
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 8873DB68
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 8873DB68
Device \FileSystem\Cdfs \Cdfs 885AA500
Device \FileSystem\Cdfs \Cdfs 8881A078

---- Modules - GMER 1.0.14 ----

Module _________ F7477000-F748F000 (98304 bytes)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z0 0x33 0x53 0xB8 0xAF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 46235088
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -743653309

---- EOF - GMER 1.0.14 ----

What is CATCHME ??? Is that someone screwing around with my computer?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:04:13, on 11/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Trend Micro\HijackThis\motoaaron.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7046 bytes


OK, I think I did it all. I think I will highlight my notes to separate from the logs. Thanks for all the help.
motoaaron
Regular Member
 
Posts: 17
Joined: October 21st, 2008, 10:19 pm

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Unread postby muuli » November 25th, 2008, 5:04 pm

Hi,

motoaaron wrote: It deleted tons of limewire files. How were those still on there? I deleted them when you said. You can see from the hjk file. Does this mean that someone reinstalled it or were they always there?

When you remove some programs from Add or Remove Programs, it is possible that the folder is still on the computer...

motoaaron wrote: Was the Ask toolbar the bad guy or just something broken? I'm waiting on the combofix log now.

It's not a good toolbar... link

motoaaron wrote: Is that because I didn't turn off the Resident part of AVG?

I'm not sure, but I think no...

motoaaron wrote: What is CATCHME ??? Is that someone screwing around with my computer?

It is part of combofix...

Step 1

Open notepad and copy/paste the text in the codebox below into it:

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"=-

File::
c:\program files\Uninstall Ask Toolbar.dll

Folder::
c:\program files\MySpace


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager (press ctrl, alt and del at the same time), go to the Processes tab and end any processes of findstr, find, sed or swreg; then combofix should continue.
If that happened we want to know, and also what process you had to end.

Step 2

Please scan your computer with Malwarebytes' Anti-Malware.

  • Open Malwarebytes' Anti-Malware.
  • On the Update tab:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Step 3

Please post a fresh HijackThis log, Combofix log and Malwarebytes' Anti-Malware log.
muuli
Regular Member
 
Posts: 690
Joined: February 8th, 2007, 4:01 pm
Location: Finland

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Unread postby motoaaron » November 25th, 2008, 7:13 pm

I think (but what do I know?) that I see a pattern. AVG is not scheduled to scan now, but when I run Combofix, AVG starts scanning. You can see it in the screenshot. When I right click on the one with the white spot in the middle, it says Continue all scans and Stop all scans. I click on Stop, but it doesn't stop. I have to restart. Should I do that or should I just ignore it? There were access denied messages, and you can see those in the screenshot, too, along with the unused icon thingie that popped up as soon as combofix started scanning. Here is the log:

ComboFix 08-11-22.02 - Aaron Morgan 2008-11-25 16:53:39.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.608 [GMT -6:00]
Running from: c:\documents and settings\Aaron Morgan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Aaron Morgan\Desktop\cfscript.txt
* Created a new restore point

FILE ::
c:\program files\Uninstall Ask Toolbar.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\MySpace

.
((((((((((((((((((((((((( Files Created from 2008-10-25 to 2008-11-25 )))))))))))))))))))))))))))))))
.

2008-11-17 14:04 . 2008-11-17 14:04 2,306,113 --a------ c:\windows\system32\GPhotos.scr
2008-11-12 12:50 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 12:48 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-05 01:27 . 2008-11-24 22:41 250 --a------ c:\windows\gmer.ini
2008-10-30 21:12 . 2008-10-30 21:12 <DIR> d-------- C:\Rustbfix
2008-10-28 21:07 . 2008-10-28 21:07 2,720 --a------ c:\windows\system32\tmp.reg
2008-10-28 21:04 . 2008-10-10 06:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-10-28 21:04 . 2008-10-10 06:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-10-28 21:03 . 2008-09-08 21:38 88,576 --a------ c:\windows\system32\AntiXPVSTFix.exe
2008-10-28 21:03 . 2008-10-01 13:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-10-28 21:03 . 2008-05-18 19:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-10-28 21:03 . 2008-08-18 10:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-10-28 21:02 . 2007-09-05 22:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-10-28 21:02 . 2004-07-31 16:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-10-28 21:02 . 2007-10-03 22:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-10-28 21:01 . 2006-04-27 15:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-10-28 21:00 . 2003-06-05 19:13 53,248 --a------ c:\windows\system32\Process.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-25 21:16 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-25 04:28 --------- d-----w c:\program files\COMODO
2008-11-24 03:13 --------- d-----w c:\documents and settings\Aaron Morgan\Application Data\OpenOffice.org2
2008-11-22 02:48 --------- d-----w c:\documents and settings\Aaron Morgan\Application Data\Move Networks
2008-11-19 18:12 99,216 ----a-w c:\windows\system32\drivers\cmdguard.sys
2008-11-19 18:12 31,504 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2008-11-19 18:12 143,096 ----a-w c:\windows\system32\guard32.dll
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 08:32 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-22 08:32 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-22 08:20 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-22 08:15 --------- d-----w c:\program files\SpywareBlaster
2008-10-21 23:38 --------- d-----w c:\documents and settings\All Users\Application Data\comodo
2008-10-21 22:58 --------- d-----w c:\documents and settings\Aaron Morgan\Application Data\Comodo
2008-10-21 22:50 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-10-17 01:25 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-17 01:25 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-28 05:02 138,280 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-09-28 05:02 111,928 ----a-w c:\windows\system32\PnkBstrB.exe
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-06-16 23:10 744 ----a-w c:\documents and settings\Aaron Morgan\Application Data\filterclsid.dat
2006-04-01 17:52 1 ----a-w c:\documents and settings\Aaron Morgan\SI.bin
2008-08-24 22:48 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082420080825\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-27 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2008-11-19 1796856]
"COMODO Internet Security"="c:\program files\COMODO\Firewall\cfp.exe" [2008-11-19 1796856]
"AtiPTA"="atiptaxx.exe" [2005-11-22 c:\windows\system32\atiptaxx.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Wolfenstein - Enemy Territory\\ETDED.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\EA SPORTS\\Madden NFL 07\\Updater.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11654:TCP"= 11654:TCP:BitComet 11654 TCP
"11654:UDP"= 11654:UDP:BitComet 11654 UDP
"8403:TCP"= 8403:TCP:BitComet 8403 TCP
"8403:UDP"= 8403:UDP:BitComet 8403 UDP
"13659:TCP"= 13659:TCP:BitComet 13659 TCP
"13659:UDP"= 13659:UDP:BitComet 13659 UDP
"26511:TCP"= 26511:TCP:BitComet 26511 TCP
"26511:UDP"= 26511:UDP:BitComet 26511 UDP
"8772:TCP"= 8772:TCP:BitComet 8772 TCP
"8772:UDP"= 8772:UDP:BitComet 8772 UDP

R1 atitray;atitray;\??\c:\program files\Radeon Omega Drivers\v2.6.87\ATI Tray Tools\atitray.sys [2005-11-13 9088]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-24 97928]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-10-21 99216]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-10-21 31504]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-08-24 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-24 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-08-24 76040]
R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe -k netsvcs [2002-08-29 14336]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3fd74298-d5eb-11dc-9e6e-806d6172696f}]
\Shell\AutoRun\command - D:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7107e34-0e5e-11da-9551-806d6172696f}]
\Shell\AutoRun\command - D:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c94dbc9c-0fff-11dd-9e97-000d87496c17}]
\Shell\AutoRun\command - J:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c94dbcab-0fff-11dd-9e97-000d87496c17}]
\Shell\AutoRun\command - F:\install.EXE id= ver=1.0.0.0
.
Contents of the 'Scheduled Tasks' folder

2008-11-21 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-27 05:51]

2008-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-06-24 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 08:42]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-25 16:56:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\WgaLogon.dll
.
Completion time: 2008-11-25 16:58:59
ComboFix-quarantined-files.txt 2008-11-25 22:57:42
ComboFix2.txt 2008-11-25 04:33:09
ComboFix3.txt 2008-11-23 19:19:03

Pre-Run: 63,166,447,616 bytes free
Post-Run: 63,150,927,872 bytes free

169 --- E O F --- 2008-11-13 01:25:30

OK, on to the next step.

Malwarebytes' Anti-Malware 1.30
Database version: 1423
Windows 5.1.2600 Service Pack 3

11/25/2008 7:04:19 PM
mbam-log-2008-11-25 (19-04-19).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 180681
Time elapsed: 1 hour(s), 42 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:07:20, on 11/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Trend Micro\HijackThis\motoaaron.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6974 bytes
motoaaron
Regular Member
 
Posts: 17
Joined: October 21st, 2008, 10:19 pm
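
The helper reads the ComboFix and HijackThis output above by eye, but the first pass can be scripted. The script below is an added example, not a tool from this thread or from MalwareRemoval.com. It takes a handful of lines constructed in the shape of the log posted above and flags the items a reviewer looks at first: MountPoints2 AutoRun commands (removable-media autorun entries), O4 Run entries given as a bare filename rather than a full path, O23 services reported with an "Unknown owner", two Run entries launching the same binary, and O16 ActiveX packages fetched over plain http. None of these is a malware verdict; they are prompts for where to look next, and the rule names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied in shape from the ComboFix (MountPoints2)
# and HijackThis (O4/O16/O23) output posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c94dbc9c-0fff-11dd-9e97-000d87496c17}]
\Shell\AutoRun\command - J:\Launch.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
"""

# HijackThis line shapes: "O4 - <hive>: [<name>] <command>", "O16 - DPF: {<clsid>} (<desc>) - <url>",
# "O23 - Service: <name> - <owner> - <path>"; ComboFix MountPoints2: "\Shell\AutoRun\command - <cmd>".
O4_RE = re.compile(r'^O4 - (?P<hive>\S+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O16_RE = re.compile(r'^O16 - DPF: \{[0-9A-Fa-f-]+\}.*? - (?P<url>\S+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command - (?P<cmd>.+)$')


def _binary(cmd):
    """Return the executable part of a Run command, unquoted and lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].lower()
    # Unquoted command with a path containing spaces: keep everything up to the first ".exe".
    m = re.match(r'(?i)(.+?\.exe)(?:\s|$)', cmd)
    return (m.group(1) if m else cmd.split()[0]).lower()


def triage(log_text):
    """Return a list of (rule, detail) review prompts for a HijackThis/ComboFix log."""
    findings = []
    run_targets = defaultdict(list)  # binary -> names of Run entries that launch it
    for line in log_text.splitlines():
        line = line.strip()
        m = AUTORUN_RE.match(line)
        if m:
            findings.append(('autorun', m['cmd']))
            continue
        m = O4_RE.match(line)
        if m:
            exe = _binary(m['cmd'])
            run_targets[exe].append(m['name'])
            if '\\' not in exe:  # bare filename: resolved via the search path, not a fixed location
                findings.append(('bare-filename-run', f"{m['name']} -> {exe}"))
            continue
        m = O16_RE.match(line)
        if m and m['url'].lower().startswith('http://'):
            findings.append(('activex-over-http', m['url']))
            continue
        m = O23_RE.match(line)
        if m and m['owner'].strip().lower() == 'unknown owner':
            findings.append(('unsigned-service', f"{m['name']} -> {m['path']}"))
    for exe, names in run_targets.items():
        if len(names) > 1:
            findings.append(('duplicate-run', f"{exe} <- {', '.join(names)}"))
    return findings


if __name__ == '__main__':
    for rule, detail in triage(SAMPLE_LOG):
        print(f'{rule:20s} {detail}')
```

Run against the sample it reports five prompts: the J:\Launch.exe autorun command, the AtiPTA entry launched by bare filename, the http ActiveX download, the ATI Smart service with no recorded owner, and the two COMODO entries that both start cfp.exe -h. The Diskeeper and rpcapd services pass the owner check and are not reported.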

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Unread postby muuli » November 26th, 2008, 2:53 pm

Hi,

Should I do that or should I just ignore it?

I'm not sure...

But how is your computer running now?

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply and a fresh HijackThis log.
muuli
Regular Member
 
Posts: 690
Joined: February 8th, 2007, 4:01 pm
Location: Finland

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Unread postby motoaaron » November 29th, 2008, 8:29 pm

I don't see this:

3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases


until I click on My computer. Then it's too late because the scan already started. I don't know what the settings are, but it has caught 1 threat and 2 infected objects just 7 minutes or so into the scan. If I did it wrong, I will do it again.

OK, it took 2 hrs to scan and then I fumbled. I clicked settings and then the log wouldn't come up or I couldn't figure out how to get back to it. Here is the HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:54:29, on 11/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\motoaaron.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7058 bytes


And here is a cancelled version of Kaspersky. Do you want me to do it again? It alerted on the same number of things, so I'm guessing it was the same 2 "infected" objects. Thanks for the help.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, November 29, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, November 29, 2008 20:22:01
Records in database: 1428083
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 25167
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 00:35:01


File name / Threat name / Threats count
C:\Documents and Settings\Aaron Morgan\DESKTOP\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Aaron Morgan\DESKTOP\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

The scan was stopped by the user.

As for how the computer is running, it seems like it's back to normal now. I haven't had anymore of the AVG issues either. I really appreciate your help.
motoaaron
Regular Member
 
Posts: 17
Joined: October 21st, 2008, 10:19 pm

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Unread postby muuli » November 30th, 2008, 9:06 am

Hi,

Yes, please scan the computer again with Kaspersky Online Scanner. I need to see the results from a completed scan to see that there is nothing left lurking on the computer, so please be patient and let the scan finish. Then post the results.
muuli
Regular Member
 
Posts: 690
Joined: February 8th, 2007, 4:01 pm
Location: Finland

Re: Smitfraud Trojan.fake alert Backdoor.Win32.Small.gjm Rootkit

Unread postby motoaaron » December 1st, 2008, 7:18 am

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, December 1, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, November 30, 2008 23:01:23
Records in database: 1428745
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 133759
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 03:22:34


File name / Threat name / Threats count
C:\Documents and Settings\Aaron Morgan\DESKTOP\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Aaron Morgan\DESKTOP\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

The selected area was scanned.
motoaaron
Regular Member
 
Posts: 17
Joined: October 21st, 2008, 10:19 pm
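
Two things in the Kaspersky reports above decide how they are read. First, the cancelled report ends with "The scan was stopped by the user." while the finished one ends with "The selected area was scanned."; as muuli says, only the latter shows that nothing was left unscanned. Second, both detections carry Kaspersky's "not-a-virus:" prefix, which marks riskware and dual-use tools rather than malware, and both point at files inside the SmitfraudFix folder the user had already downloaded, so they are the removal tool itself rather than a new infection. The script below is an added example, not a tool from this thread or from Kaspersky. It parses report text of this shape (the sample is constructed from the two reports above, with a placeholder non-riskware detection added to the complete one so the separation is visible) and reports whether the scan is usable, which detections are riskware and which are not, and whether the detection lines account for the "Infected objects" count in the statistics block.

```python
import re

# Constructed sample in the shape of the cancelled Kaspersky Online Scanner 7 report posted above.
STOPPED_REPORT = r"""
KASPERSKY ONLINE SCANNER 7 REPORT
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan statistics:
Files scanned: 25167
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 00:35:01

File name / Threat name / Threats count
C:\Documents and Settings\User\DESKTOP\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\User\DESKTOP\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

The scan was stopped by the user.
"""

# Constructed complete report: same riskware hits plus one placeholder detection without the
# "not-a-virus:" prefix. The placeholder path and name are invented for this example only.
COMPLETE_REPORT = (
    STOPPED_REPORT
    .replace("Infected objects: 2", "Infected objects: 3")
    .replace("Threat name: 1", "Threat name: 2")
    .replace("The scan was stopped by the user.",
             r"C:\WINDOWS\system32\placeholder.dll Infected: Trojan.Win32.Placeholder.a 1"
             "\n\nThe selected area was scanned.")
)

# Detection lines: "<path> Infected: <threat> <count>"; statistics: "<key>: <value>".
DETECTION_RE = re.compile(r'^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$')
STAT_RE = re.compile(r'^(?P<key>[A-Za-z ]+): (?P<value>.+)$')


def parse_report(report):
    """Split a Kaspersky Online Scanner report into completion status, statistics and detections."""
    stats, detections = {}, []
    for line in report.splitlines():
        line = line.strip()
        m = DETECTION_RE.match(line)
        if m:
            threat = m['threat']
            detections.append({
                'path': m['path'],
                'threat': threat,
                'count': int(m['count']),
                # Kaspersky prefixes riskware, adware and dual-use tool verdicts with "not-a-virus:".
                'riskware': threat.lower().startswith('not-a-virus:'),
            })
            continue
        m = STAT_RE.match(line)
        if m:
            stats[m['key']] = m['value']
    if 'The selected area was scanned.' in report:
        status = 'complete'
    elif 'The scan was stopped by the user.' in report:
        status = 'stopped'
    else:
        status = 'unknown'
    return {'status': status, 'stats': stats, 'detections': detections}


def review(report):
    """Summarise a report the way a helper reads it: usable only if complete; riskware kept apart."""
    parsed = parse_report(report)
    malware = [d['path'] for d in parsed['detections'] if not d['riskware']]
    riskware = [d['path'] for d in parsed['detections'] if d['riskware']]
    declared = int(parsed['stats'].get('Infected objects', '0'))
    return {
        'usable': parsed['status'] == 'complete',
        'malware': malware,
        'riskware': riskware,
        # Every object counted in the statistics block should appear as a detection line.
        'consistent': declared == sum(d['count'] for d in parsed['detections']),
    }


if __name__ == '__main__':
    for name, report in (('stopped', STOPPED_REPORT), ('complete', COMPLETE_REPORT)):
        print(name, review(report))
```

For the cancelled sample the summary is not usable, lists two riskware paths and no malware; for the complete sample it is usable, lists the same two riskware paths and the one placeholder detection as malware, and in both the counts match the statistics block.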