Free Malware Removal Forum

[miazer0]

hey!
recently ive been having a lot of problems with my computer (windows xp)
it started with a spyware guard 2009 popup and some fake scan and infection.
i've read some forums on bleepingcomputer and elsewhere and tried to remove the program manually.
i believe i have sucessfully removed it, but other problems started to arise.
These problems include things like:

-getting random popups and advertisements while use mozilla
-getting redirected from links on google to other websites
-extreme lag when i try to open anything

I ran malwarebytes anti-malware, and it seems to have stabilized my computer
so that i can actually use mozilla to seek help.
but it says "no action taken" for all of the infections it has detected

-another problem is that i cant open my C:\ drive from "my computer".

i scanned my computer using ad-aware, malwarebytes, avast, and
-i keep seeing this reoccuring virus, called vundo, virtumonde.

below is my hijackthis log, any help or suggests is appreciated. Andrew.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:51 PM, on 1/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dlbtcoms.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\AndrewLui\Application Data\alehg.exe
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: gemqsh.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7225 bytes

[muppy03]

Hello and welcome to the Malware Removal Forums

I will be assisting you with your Malware issues.

IMPORTANT

• Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
• Continue to respond to this thread until I give you the All Clean!
• If you have any questions or are unsure in anyway, please let me know. I will try my best to help you!
• Please reply to this thread. Do not start a new topic.
• As I am still in training, everything that I post to you, must be checked by one of the teachers. Therefore, there may be a slight delay between posts.

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

• Start HijackThis
• Click on the Config button
• Click on the Misc Tools button
• Click on the Open Uninstall Manager button.
• Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Save the file to your desktop.

Please post this log on your next reply.

[miazer0]

Hello,

here's my uninstall list

ABC (remove only)
Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.0
AIM 6
Apple Mobile Device Support
Apple Software Update
avast! Antivirus
Avi2Dvd 0.4.5 beta
AviSynth 2.5
Bonjour
Cabri 3D Plug-in 2.1.2
CDisplay 1.8
Cinema Craft Encoder SP Version 2.50
ConvertXtoDVD 2.2.3.258h
Dell Photo AIO Printer 922
Digital Line Detect
DivX Content Uploader
DivX Web Player
Free Music Zilla
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
ImgBurn
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Adapters and Drivers
iPod for Windows 2006-01-10
iTunes
Java(TM) 6 Update 10
Java(TM) 6 Update 3
LiveUpdate 3.0 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MoRUN.net Sticker
Moyea FLV to Video Converter version 1.0.1.29
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Nero 7 Lite 7.9.6.0
Nero 8 Micro 8.2.8.0
NJStar Chinese WP
Panda ActiveScan 2.0
Picasa 2
PowerDVD 5.3
PowerISO
QuickTime
RealPlayer
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960714)
Skype™ 3.2
SoundMAX
Symantec AntiVirus
TI Connect 1.6
Total Video Player 1.03
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Veoh Web Player Beta
VeohTV BETA
VideoLAN VLC media player 0.8.6c
Viewpoint Media Player
Windows Imaging Component
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver

[muppy03]

Hi miazer0,

Multiple Anti-virus Programs
You are operating your computer with multiple Anti-virus programs running in memory at once:

• Symantec/Norton
• Avast
  

Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash. Please remove one of them NOW.

Download DDS

Download to your desktop DDS from one of the links below:

Link1
Link2
Link3

• Double click the tool to run it.
• A black Screen will open, just read the contents and do nothing.
• When the tool finishes it will open 2 reports.
• Copy/paste both reports back here and remove DDS from your desktop.

Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
• If you need help to disable your protection programs see here.
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please reply with:-

• DDS log
• Combofix.txt
• New HJT log

[miazer0]

Hello muppy03,

I just wanna thank you everything so far,
everything seems to be running smoothly
and im able to relax a bit and not stress over this computer issue,
thanks

DDS (Ver_09-01-19.01) - NTFSx86
Run by AndrewLui at 22:24:49.42 on Sat 01/31/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.496 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\AndrewLui\Desktop\dds.com

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
uRun: [kamsoft] c:\windows\system32\ckvo.exe
uRun: [Aim6]
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [Dell Photo AIO Printer 922] "c:\program files\dell photo aio printer 922\dlbtbmgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: gemqsh.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: hook dll rising: {bb4c402f-882a-4526-8c08-51278ea437c1} - c:\windows\system32\afmain0.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andrew~1\applic~1\mozilla\firefox\profiles\jgcrerzy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - plugin: c:\documents and settings\andrewlui\application data\mozilla\firefox\profiles\jgcrerzy.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\cabri\cabri 3d plug-in 2.1\bin\npcabri3d.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-1-20 28544]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-26 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090126.004\naveng.sys [2009-1-26 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090126.004\navex15.sys [2009-1-26 876112]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-24 192160]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-24 169632]
R4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-5-27 1805040]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-2-1 24652]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-5-27 115952]

=============== Created Last 30 ================

2009-01-26 06:40 <DIR> --d----- c:\windows\system32\scripting
2009-01-26 06:40 <DIR> --d----- c:\windows\l2schemas
2009-01-26 06:40 <DIR> --d----- c:\windows\system32\en
2009-01-26 06:40 <DIR> --d----- c:\windows\system32\bits
2009-01-26 06:38 <DIR> --d----- c:\windows\ServicePackFiles
2009-01-26 06:36 <DIR> --d----- c:\windows\network diagnostic
2009-01-26 06:32 <DIR> --d----- c:\windows\EHome
2009-01-25 13:21 <DIR> --d----- c:\docume~1\andrew~1\applic~1\Malwarebytes
2009-01-25 13:03 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-25 13:03 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-25 13:02 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-25 13:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-25 13:01 <DIR> --d----- c:\program files\Trend Micro
2009-01-25 00:07 812,344 a------- C:\HJTInstall.exe
2009-01-25 00:04 2,737,808 a------- C:\mbam-setup.exe
2009-01-23 17:20 1,434,951 ---sh--- c:\windows\system32\tlamilba.ini
2009-01-23 01:41 1,434,951 ---sh--- c:\windows\system32\wjofrkry.ini
2009-01-21 22:13 876 a------- c:\windows\NJSTAR.INI
2009-01-21 19:59 441 a------- c:\windows\system32\TDSSmtve.dat
2009-01-21 19:57 1,434,951 ---sh--- c:\windows\system32\wveayeii.ini
2009-01-21 15:03 1,434,951 ---sh--- c:\windows\system32\pfiljnsf.ini
2009-01-20 17:50 1,433,033 ---sh--- c:\windows\system32\usqiotdx.ini
2009-01-20 15:39 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-01-20 15:38 <DIR> --d----- c:\program files\Panda Security
2009-01-20 15:29 182 ---shr-- C:\autorun.inf
2009-01-20 03:33 1,407,393 ---sh--- c:\windows\system32\vwkvoook.ini
2009-01-20 01:59 69,120 a------- c:\windows\AhnRpta.exe

==================== Find3M ====================

2009-01-26 06:41 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-11 23:56 410,976 a------- c:\windows\system32\deploytk.dll
2008-05-29 15:29 0 a--sh--- c:\docume~1\andrew~1\applic~1\00483f119a3513945e3146dec55affac1c3b87359b.dat
2008-01-22 10:16 87,608 a------- c:\docume~1\andrew~1\applic~1\inst.exe
2008-01-22 10:16 47,360 a------- c:\docume~1\andrew~1\applic~1\pcouffin.sys

============= FINISH: 22:25:02.10 ===============




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-01-19.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 4/9/2007 1:15:56 AM
System Uptime: 1/31/2009 10:17:07 PM (0 hours ago)

Motherboard: Dell Inc. | | 0M3918
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 72 GiB total, 13.172 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&10416D21&0&08F0
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&10416D21&0&08F0
Service:

==== System Restore Points ===================

RP1: 1/25/2009 7:25:18 AM - System Checkpoint
RP2: 1/26/2009 6:26:34 AM - Software Distribution Service 3.0
RP3: 1/27/2009 12:59:39 AM - Software Distribution Service 3.0
RP4: 1/28/2009 11:29:39 AM - System Checkpoint
RP5: 1/29/2009 3:14:17 PM - System Checkpoint
RP6: 1/30/2009 4:14:12 PM - System Checkpoint
RP7: 1/31/2009 9:08:31 PM - System Checkpoint

==== Installed Programs ======================

µTorrent
ABC (remove only)
Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.0
AIM 6
Apple Mobile Device Support
Apple Software Update
Avi2Dvd 0.4.5 beta
AviSynth 2.5
Bonjour
Cabri 3D Plug-in 2.1.2
CDisplay 1.8
Cinema Craft Encoder SP Version 2.50
ConvertXtoDVD 2.2.3.258h
Dell Photo AIO Printer 922
Digital Line Detect
DivX Content Uploader
DivX Web Player
Free Music Zilla
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
ImgBurn
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Adapters and Drivers
iPod for Windows 2006-01-10
iTunes
Java(TM) 6 Update 10
Java(TM) 6 Update 3
LiveUpdate 3.0 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MoRUN.net Sticker
Moyea FLV to Video Converter version 1.0.1.29
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Nero 7 Lite 7.9.6.0
Nero 8 Micro 8.2.8.0
NJStar Chinese WP
Panda ActiveScan 2.0
Picasa 2
PowerDVD 5.3
PowerISO
QuickTime
RealPlayer
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960714)
Skype™ 3.2
SoundMAX
Symantec AntiVirus
TI Connect 1.6
Total Video Player 1.03
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Veoh Web Player Beta
VeohTV BETA
VideoLAN VLC media player 0.8.6c
Viewpoint Media Player
Warcraft III: All Products
WebFldrs XP
Windows Imaging Component
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

1/25/2009 3:04:01 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/25/2009 2:55:58 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT pavboot RasAcd Rdbss SAVRT SAVRTPEL SCDEmu SYMTDI Tcpip
1/25/2009 2:55:58 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/25/2009 2:55:58 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/25/2009 2:55:58 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/25/2009 2:55:58 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
1/25/2009 2:55:58 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/25/2009 2:55:58 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
1/25/2009 2:05:37 AM, error: Service Control Manager [7000] - The Viewpoint Manager Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/25/2009 2:05:37 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Viewpoint Manager Service service to connect.
1/25/2009 2:05:37 AM, error: Service Control Manager [7000] - The npkcrypt service failed to start due to the following error: The system cannot find the path specified.
1/25/2009 1:38:49 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Symantec AntiVirus service.
1/25/2009 1:36:47 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Print Spooler service, but this action failed with the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/25/2009 1:35:49 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 4 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/25/2009 1:35:47 AM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/25/2009 1:34:40 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/25/2009 1:31:51 AM, error: Service Control Manager [7034] - The Symantec Settings Manager service terminated unexpectedly. It has done this 1 time(s).
1/25/2009 1:31:27 AM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
1/25/2009 1:31:24 AM, error: Service Control Manager [7034] - The Symantec Event Manager service terminated unexpectedly. It has done this 1 time(s).
1/25/2009 1:31:18 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/25/2009 1:31:13 AM, error: Service Control Manager [7034] - The Symantec AntiVirus Definition Watcher service terminated unexpectedly. It has done this 1 time(s).
1/25/2009 1:25:37 AM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/25/2009 1:24:54 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
1/25/2009 1:22:48 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/25/2009 1:22:46 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
1/25/2009 1:22:43 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
1/25/2009 12:48:01 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
1/25/2009 12:29:20 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
1/24/2009 11:31:18 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips intelppm pavboot SAVRT SAVRTPEL SCDEmu SYMTDI
1/24/2009 7:22:23 PM, error: Service Control Manager [7034] - The WebClient service terminated unexpectedly. It has done this 1 time(s).
1/24/2009 7:22:23 PM, error: Service Control Manager [7034] - The SSDP Discovery Service service terminated unexpectedly. It has done this 1 time(s).
1/24/2009 7:22:23 PM, error: Service Control Manager [7034] - The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s).
1/24/2009 7:14:31 PM, error: Service Control Manager [7031] - The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
1/24/2009 7:13:21 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 2 time(s).
1/24/2009 7:13:12 PM, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s).
1/24/2009 7:11:59 PM, error: Service Control Manager [7034] - The Symantec AntiVirus service terminated unexpectedly. It has done this 3 time(s).
1/24/2009 7:10:09 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
1/24/2009 7:04:01 PM, error: Service Control Manager [7031] - The Symantec AntiVirus service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
1/24/2009 7:02:21 PM, error: Service Control Manager [7031] - The Symantec AntiVirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
1/24/2009 12:20:39 PM, error: Service Control Manager [7034] - The Symantec SPBBCSvc service terminated unexpectedly. It has done this 1 time(s).
1/24/2009 12:16:38 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
1/25/2009 11:59:00 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments "-Service" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
1/25/2009 11:59:37 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
1/25/2009 11:59:39 AM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/25/2009 12:52:45 PM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
1/25/2009 12:57:53 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSP eeCtrl Fips intelppm pavboot SAVRT SAVRTPEL SCDEmu SYMTDI
1/25/2009 1:19:54 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde

==== End Of File ===========================


ComboFix 09-01-31.01 - AndrewLui 2009-01-31 22:33:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.458 [GMT -5:00]
Running from: c:\documents and settings\AndrewLui\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\docume~1\ANDREW~1\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\ANDREW~1\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\AndrewLui\Application Data\inst.exe
c:\documents and settings\AndrewLui\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\windows\system32\pfiljnsf.ini
c:\windows\system32\TDSSmtve.dat
c:\windows\system32\tlamilba.ini
c:\windows\system32\usqiotdx.ini
c:\windows\system32\vwkvoook.ini
c:\windows\system32\wjofrkry.ini
c:\windows\system32\wveayeii.ini
c:\windows\Tasks\kvtcwhnt.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.

2009-01-26 06:40 . 2009-01-26 06:40 <DIR> d-------- c:\windows\system32\scripting
2009-01-26 06:40 . 2009-01-26 06:40 <DIR> d-------- c:\windows\system32\en
2009-01-26 06:40 . 2009-01-26 06:40 <DIR> d-------- c:\windows\system32\bits
2009-01-26 06:40 . 2009-01-26 06:40 <DIR> d-------- c:\windows\l2schemas
2009-01-26 06:38 . 2009-01-26 06:40 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-26 06:32 . 2009-01-26 06:32 <DIR> d-------- c:\windows\EHome
2009-01-25 13:21 . 2009-01-25 13:21 <DIR> d-------- c:\documents and settings\AndrewLui\Application Data\Malwarebytes
2009-01-25 13:03 . 2009-01-25 13:03 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-25 13:03 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-25 13:03 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-25 13:02 . 2009-01-25 13:16 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-25 13:02 . 2009-01-25 13:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-25 13:01 . 2009-01-25 13:01 <DIR> d-------- c:\program files\Trend Micro
2009-01-25 03:43 . 2009-01-25 03:43 <DIR> d-------- c:\program files\Alwil Software
2009-01-25 00:07 . 2009-01-25 00:07 812,344 --a------ C:\HJTInstall.exe
2009-01-25 00:04 . 2009-01-25 00:04 2,737,808 --a------ C:\mbam-setup.exe
2009-01-21 22:13 . 2009-01-21 22:13 876 --a------ c:\windows\NJSTAR.INI
2009-01-20 15:39 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-01-20 15:38 . 2009-01-20 15:38 <DIR> d-------- c:\program files\Panda Security
2009-01-20 01:59 . 2004-08-12 09:02 69,120 --a------ c:\windows\AhnRpta.exe
2009-01-05 11:41 . 2009-01-05 11:41 <DIR> d-------- c:\program files\Common Files\Java
2009-01-04 15:59 . 2009-01-04 16:01 <DIR> d-------- c:\documents and settings\Anthony\Application Data\ImgBurn
2009-01-04 15:54 . 2009-01-04 15:54 <DIR> d-------- c:\program files\ImgBurn

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-01 03:37 --------- d-----w c:\program files\Symantec AntiVirus
2009-01-31 01:27 --------- d-----w c:\documents and settings\AndrewLui\Application Data\Move Networks
2009-01-19 04:05 --------- d-----w c:\program files\Free Music Zilla
2009-01-18 05:10 --------- d-----w c:\program files\Warcraft III
2009-01-06 03:14 --------- d-----w c:\documents and settings\Victoria\Application Data\Skype
2009-01-05 16:42 --------- d-----w c:\program files\Java
2008-12-29 17:46 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-29 17:44 --------- d-----w c:\program files\Lavasoft
2008-12-29 17:44 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-25 17:18 --------- d-----w c:\documents and settings\AndrewLui\Application Data\uTorrent
2008-12-14 08:06 --------- d-----w c:\program files\Veoh Networks
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-07 17:12 --------- d-----w c:\program files\AIM6
2008-12-07 17:11 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-07 17:11 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-12-07 17:10 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-05-29 20:29 0 --sha-w c:\documents and settings\AndrewLui\Application Data\00483f119a3513945e3146dec55affac1c3b87359b.dat
2008-01-22 15:16 47,360 ----a-w c:\documents and settings\AndrewLui\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-05-27 124656]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-09 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-11 136600]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 59392]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-12 208952]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-06-18 290816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=gemqsh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 22:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-10-31 14:22 50480 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2006-03-24 19:14 53408 c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-08-23 20:19 57344 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-28 09:18 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
--a------ 2008-11-03 17:45 3522296 c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Documents and Settings\\Victoria\\Local Settings\\Application Data\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\ABC\\abc.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-20 28544]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-26 99376]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-02-01 24652]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-05-27 115952]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\uvsqfgwd.cmd
\Shell\open\Command - C:\uvsqfgwd.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1623d730-e727-11db-8740-e6b9c398ce98}]
\Shell\AutoRun\command - F:\2fiji.com
\Shell\explore\Command - F:\2fiji.com
\Shell\open\Command - F:\2fiji.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91b61d48-9269-11dc-89ee-0011117f6aff}]
\Shell\AutoRun\command - F:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
ShellExecuteHooks-{BB4C402F-882A-4526-8C08-51278EA437C1} - c:\windows\system32\afmain0.dll


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\AndrewLui\Application Data\Mozilla\Firefox\Profiles\jgcrerzy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - plugin: c:\documents and settings\AndrewLui\Application Data\Mozilla\Firefox\Profiles\jgcrerzy.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Cabri\Cabri 3D Plug-in 2.1\bin\npcabri3d.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-31 22:39:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wscntfy.exe
c:\program files\Dell Photo AIO Printer 922\dlbtbmon.exe
.
**************************************************************************
.
Completion time: 2009-01-31 22:42:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-01 03:42:01

Pre-Run: 14,038,814,720 bytes free
Post-Run: 17,509,158,912 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

213 --- E O F --- 2009-01-27 06:00:12


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:28 PM, on 1/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: gemqsh.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6896 bytes

[muppy03]

Hi miazerO

MRU P2P Policy
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent

I'd like you to read the MRU policy for P2P Programs.
Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
Run a new HJT scan when finished and post the log back here,so we can continue cleaning your pc.

You also have Free Music Zilla currently installed. I will have to check the status of this program as if it is classed as a P2P it will also have to be uninstalled before we continue.

[miazer0]

Hello,

i uninstalled it, but before i did, on the add/remove program list
i noticed that utorrent was classified as frequently used (2/1/09) but i havent used it in
a really long time.

well heres my hjt log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:01 AM, on 2/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: gemqsh.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6864 bytes

[muppy03]

Hi Miazer0

IMPORTANT
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let me know what you decide

Please Note

If you should choose to Reformat and Reinstall you need to clean out files that are located on your F: Drive (this could be a USB stick or some other kind of external drive), if not done you will reinfect your machine.
The following files need to go:-

F:\2fiji.com
C:\uvsqfgwd.cmd

[miazer0]

Hello,

i've decided that i do not wish to reformat my computer,
however in july or june i will be out of school and i will have the time
to reformat w/o worrying about losing anything vital to my academics.

I wish to clean my computer manually w/o reformatting,
however, the files you have listed,

F:\2fiji.com
C:\uvsqfgwd.cmd

are not to be found.
i do not have any F drive attached, nor do i remember having one when i scanned.
and the other .cmd file cannot be found.

when i searched "fiji" in my computer i came up with files named "fiji" from java, and apple,
however, both files seem to be related to timezones and cities, im not sure if they can be of harm.

is there any other way i can clean these trojan backdoors?

btw did you find out whether or not "Free Music Zilla" is safe?

[miazer0]

Hello,

I have just checked several of my USB connected storage devices
and i found one auto run file that was associated with "2fiji.com"
so i deleted that.

can you explain or link me to where i can find out more about
dangerous files on USB drives (i scanned this file using symantec and it didnt pose a threat).

[muppy03]

Hi miazer0

have just checked several of my USB connected storage devices
and i found one auto run file that was associated with "2fiji.com"
so i deleted that.
can you explain or link me to where i can find out more about
dangerous files on USB drives (i scanned this file using symantec and it didnt pose a threat).

Unfortunately there is no one particular place that would list all dangerous files. USB drives, like PC hard drives can become infected through what is downloaded on them, and/ or transferred from one to another. You can read about 2fiji.com Here

Please insert the infected USB in the computer before you continue with cleaning it.

btw did you find out whether or not "Free Music Zilla" is safe?

'Free Music Zilla' is ok to have at this stage and not classed as a P2P. Please take Note Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares

To continue with the cleaning:-

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  
  

  Code: Select all

  Folder::
  c:\documents and settings\AndrewLui\Application Data\uTorrent
  
  File::
  c:\windows\AhnRpta.exe
  c:\documents and settings\AndrewLui\Application Data\00483f119a3513945e3146dec55affac1c3b87359b.dat
  
  Registry::
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "UserFaultCheck"="c:\windows\system32\dumprep 0 -u"=- 
  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
  "appinit_dlls"=""
  [HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusOverride"=dword:0000000
  [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1623d730-e727-11db-8740-e6b9c398ce98}]
  [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
  [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91b61d48-9269-11dc-89ee-0011117f6aff}]
  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
  "c:\Program Files\uTorrent\uTorrent.exe"=-
  "c:\\Program Files\\ABC\\abc.exe"=-
  

  
  
  
  
• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• If you need help to disable your protection programs see here.
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

GMER

• Download GMER by GMER from one of the links below:
  Link1
  Link2
• Unzip it to a folder on your desktop
• Double click on gmer.exe to launch GMER
• If asked, allow the gmer.sys driver load
• If it warns you about rootkit activity and asks if you want to run scan, click OK
• If you don't get a warning then
  
  
  
  • Click the rootkit tab
  • Click Scan
• Once the scan has finished, click copy
• Paste the log into notepad using Ctrl+V
• Save it to your desktop as gmerrk.txt
• Click on the >>> tab
• This will open up the rest of the tabs for you
• Click on the Autostart tab
• Click on Scan
• Once the scan has finished, click copy
• Paste the log into notepad using Ctrl+V
• Save it to your desktop as gmerautos.txt
• Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic

FindFile

Download FindFile by Atribune

• Extract the contents to your Desktop
• Double click on FileFind.exe to open the program.
• Enter ckvo.exe into the File: box.
• Click on the Search button.
• After a while, if any files are found, a list of file locations will appear in the List of Files: box.
• Click on the Export button.
• This will create a Notepad file named Export.txt located in the C:\ folder, copy and paste it to your next post please.
• Repeat the above for alehg.exe

Please reply with:-

• Combofix log
• Gmer log (gmerautos.txt)
• Filefind log(export.txt)
• New HJT log

[miazer0]

Hello,

I could not attatch the USB drive b/c
i've lent it out to a friend, but i did delete the (autorun file and i reformated the usb drive)

both find file searches returned empty handed as well


ComboFix 09-01-31.01 - AndrewLui 2009-02-05 15:46:15.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.468 [GMT -5:00]
Running from: c:\documents and settings\AndrewLui\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\AndrewLui\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\documents and settings\AndrewLui\Application Data\00483f119a3513945e3146dec55affac1c3b87359b.dat
c:\windows\AhnRpta.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\AndrewLui\Application Data\00483f119a3513945e3146dec55affac1c3b87359b.dat
c:\windows\AhnRpta.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-02-05 11:27 . 2009-02-05 11:27 46,640 --a------ c:\windows\system32\msln.exe
2009-02-04 17:13 . 2009-02-04 17:13 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-04 17:13 . 2009-02-04 17:13 1,409 --a------ c:\windows\QTFont.for
2009-01-26 06:40 . 2009-01-26 06:40 <DIR> d-------- c:\windows\system32\scripting
2009-01-26 06:40 . 2009-01-26 06:40 <DIR> d-------- c:\windows\system32\en
2009-01-26 06:40 . 2009-01-26 06:40 <DIR> d-------- c:\windows\system32\bits
2009-01-26 06:40 . 2009-01-26 06:40 <DIR> d-------- c:\windows\l2schemas
2009-01-26 06:38 . 2009-01-26 06:40 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-26 06:32 . 2009-01-26 06:32 <DIR> d-------- c:\windows\EHome
2009-01-25 13:21 . 2009-01-25 13:21 <DIR> d-------- c:\documents and settings\AndrewLui\Application Data\Malwarebytes
2009-01-25 13:03 . 2009-01-25 13:03 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-25 13:03 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-25 13:03 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-25 13:02 . 2009-01-25 13:16 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-25 13:02 . 2009-01-25 13:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-25 13:01 . 2009-01-25 13:01 <DIR> d-------- c:\program files\Trend Micro
2009-01-25 00:07 . 2009-01-25 00:07 812,344 --a------ C:\HJTInstall.exe
2009-01-25 00:04 . 2009-01-25 00:04 2,737,808 --a------ C:\mbam-setup.exe
2009-01-21 22:13 . 2009-01-21 22:13 876 --a------ c:\windows\NJSTAR.INI
2009-01-20 15:39 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-01-20 15:38 . 2009-01-20 15:38 <DIR> d-------- c:\program files\Panda Security
2009-01-05 11:41 . 2009-01-05 11:41 <DIR> d-------- c:\program files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-05 20:43 --------- d-----w c:\program files\Symantec AntiVirus
2009-02-01 22:08 --------- d-----w c:\program files\Free Music Zilla
2009-01-31 01:27 --------- d-----w c:\documents and settings\AndrewLui\Application Data\Move Networks
2009-01-18 05:10 --------- d-----w c:\program files\Warcraft III
2009-01-06 03:14 --------- d-----w c:\documents and settings\Victoria\Application Data\Skype
2009-01-05 16:42 --------- d-----w c:\program files\Java
2009-01-04 21:01 --------- d-----w c:\documents and settings\Anthony\Application Data\ImgBurn
2009-01-04 20:54 --------- d-----w c:\program files\ImgBurn
2008-12-29 17:46 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-29 17:44 --------- d-----w c:\program files\Lavasoft
2008-12-29 17:44 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-14 08:06 --------- d-----w c:\program files\Veoh Networks
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-07 17:12 --------- d-----w c:\program files\AIM6
2008-12-07 17:11 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-07 17:11 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-12-07 17:10 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-12 04:56 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-01-22 15:16 47,360 ----a-w c:\documents and settings\AndrewLui\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( snapshot@2009-01-31_22.41.18.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-05 16:24:45 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_730.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-05-27 124656]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-09 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-11 136600]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 59392]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-12 208952]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-06-18 290816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck msln\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 22:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-10-31 14:22 50480 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2006-03-24 19:14 53408 c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-08-23 20:19 57344 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-28 09:18 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
--a------ 2008-11-03 17:45 3522296 c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Documents and Settings\\Victoria\\Local Settings\\Application Data\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-20 28544]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-26 99376]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-02-01 24652]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-05-27 115952]
.
Contents of the 'Scheduled Tasks' folder

2008-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\AndrewLui\Application Data\Mozilla\Firefox\Profiles\jgcrerzy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - plugin: c:\documents and settings\AndrewLui\Application Data\Mozilla\Firefox\Profiles\jgcrerzy.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Cabri\Cabri 3D Plug-in 2.1\bin\npcabri3d.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 15:48:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-02-05 15:50:05
ComboFix-quarantined-files.txt 2009-02-05 20:50:03

Pre-Run: 19,699,007,488 bytes free
Post-Run: 19,728,515,072 bytes free

174 --- E O F --- 2009-01-27 06:00:12



GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-05 16:38:47
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT 86D70108 ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA8E6F300]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA8E6FCB0]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwOpenKey [0xA8E6FA50]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA8E6FF10]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmxst.sys
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@group file system
Reg HKLM\SOFTWARE\Classes\CLSID\{0A432577-9DC9-40AE-AA46-6411124A4C8E}\Insertable@
Reg HKLM\SOFTWARE\Classes\CLSID\{0A432577-9DC9-40AE-AA46-6411124A4C8E}\Ole1Class@ SoundRec
Reg HKLM\SOFTWARE\Classes\CLSID\{0A432577-9DC9-40AE-AA46-6411124A4C8E}\ProgID@ SoundRec
Reg HKLM\SOFTWARE\Classes\CLSID\{0A432577-9DC9-40AE-AA46-6411124A4C8E}\TreatAs@ {00020C01-0000-0000-C000-000000000046}

---- EOF - GMER 1.0.14 ----



GMER 1.0.14.14536 - http://www.gmer.net
Autostart scan 2009-02-05 16:41:55
Windows 5.1.2600 Service Pack 3


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@BootExecute = autocheck msln autocheck autochk * lsdelete /*file not found*/

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
dimsntfy@DLLName = %SystemRoot%\System32\dimsntfy.dll
igfxcui@DLLName = igfxdev.dll
NavLogon@DLLName = C:\WINDOWS\system32\NavLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aawservice@ = "C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe"
Apple Mobile Device@ = "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
Bonjour Service@ = "C:\Program Files\Bonjour\mDNSResponder.exe"
ccEvtMgr@ = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ccSetMgr@ = "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
DefWatch@ = "C:\Program Files\Symantec AntiVirus\DefWatch.exe"
JavaQuickStarterService@ = "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Symantec AntiVirus@ = "C:\Program Files\Symantec AntiVirus\Rtvscan.exe"
Viewpoint Manager Service@ = "C:\Program Files\Viewpoint\Common\ViewpointService.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@vptrayC:\PROGRA~1\SYMANT~1\VPTray.exe = C:\PROGRA~1\SYMANT~1\VPTray.exe
@UserFaultCheck%systemroot%\system32\dumprep 0 -u = %systemroot%\system32\dumprep 0 -u
@TkBellExe"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
@SunJavaUpdateSched"C:\Program Files\Java\jre6\bin\jusched.exe" = "C:\Program Files\Java\jre6\bin\jusched.exe"
@SoundMAXPnPC:\Program Files\Analog Devices\Core\smax4pnp.exe = C:\Program Files\Analog Devices\Core\smax4pnp.exe
@PHIME2002ASyncC:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
@PHIME2002AC:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
@MSPY2002C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC = C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
@IMJPMIG8.1"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
@igfxtrayC:\WINDOWS\system32\igfxtray.exe = C:\WINDOWS\system32\igfxtray.exe
@igfxpersC:\WINDOWS\system32\igfxpers.exe = C:\WINDOWS\system32\igfxpers.exe
@igfxhkcmdC:\WINDOWS\system32\hkcmd.exe = C:\WINDOWS\system32\hkcmd.exe
@Dell Photo AIO Printer 922"C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" = "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
@QuickTime Task"C:\Program Files\QuickTime\qttask.exe" -atboottime = "C:\Program Files\QuickTime\qttask.exe" -atboottime
ShellServiceObjectDelayLoad@WPDShServiceObj = C:\WINDOWS\system32\WPDShServiceObj.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Program Files\iTunes\iTunesMiniPlayer.dll = C:\Program Files\iTunes\iTunesMiniPlayer.dll
@{BDA77241-42F6-11d0-85E2-00AA001FE28C} /*LDVP Shell Extensions*/C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{3FCEF010-09A4-11D4-8D3B-D12F9D3D8B02} /*TIShelEx Shell Extension*/C:\PROGRA~1\COMMON~1\TISHAR~1\TICONN~1\TIShlExt.dll = C:\PROGRA~1\COMMON~1\TISHAR~1\TICONN~1\TIShlExt.dll
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/c:\WINDOWS\system32\dfshim.dll = c:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/c:\WINDOWS\system32\dfshim.dll = c:\WINDOWS\system32\dfshim.dll
@{45670FA8-ED97-4F44-BC93-305082590BFB} /*Microsoft.XPS.Shell.Metadata.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL
@{44121072-A222-48f2-A58A-6D9AD51EBBE9} /*Microsoft.XPS.Shell.Thumbnail.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL
@{B327765E-D724-4347-8B16-78AE18552FC3} /*NeroDigitalIconHandler*/C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll = C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll
@{7F1CF152-04F8-453A-B34C-E609530A9DC8} /*NeroDigitalPropSheetHandler*/C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll = C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll
@{0561EC90-CE54-4f0c-9C55-E226110A740C} /*Haali Column Provider*/C:\Program Files\Avi2Dvd\Programs\Filters\Haali media splitter\mmfinfo.dll = C:\Program Files\Avi2Dvd\Programs\Filters\Haali media splitter\mmfinfo.dll
@{E4D8441D-F89C-4b5c-90AC-A857E1768F1F} /*Haali Matroska Thumbnail Exctractor*/(null) =
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real\RealPlayer\rpshell.dll = C:\Program Files\Real\RealPlayer\rpshell.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
LDVPMenu@{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
PowerISO@{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
PowerISO@{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
LDVPMenu@{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
PowerISO@{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre6\bin\ssv.dll = C:\Program Files\Java\jre6\bin\ssv.dll
@{DBC80044-A445-435b-BC74-9C25C1C588A9}C:\Program Files\Java\jre6\bin\jp2ssv.dll = C:\Program Files\Java\jre6\bin\jp2ssv.dll
@{E7E6F031-17CE-4C07-BC86-EABFE594F69C}C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll = C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.microsoft.com/isapi/redi ... ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004@LibraryPath = C:\Program Files\Bonjour\mdnsNSP.dll

---- EOF - GMER 1.0.14 ----



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:54:47 PM, on 2/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6895 bytes

[muppy03]

Open Hijack This and select Do a System Scan Only place a check next to the below lines if still present

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

Once selected close all windows except HJT an click on Fix Checked


CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code: Select all

 File::
 c:\windows\system32\msln.exe
C:\WINDOWS\system32\drivers\TDSSmxst.sys

Reglock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys]

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:0000000

Save this as CFScript.txt, in the same location as ComboFix.exe



Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall


Kaspersky Online Scan
Do an online scan with >Kaspersky Online Scanner<

• Read through the requirements and privacy statement and click on Accept button
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
• When the downloads have finished, click on Settings
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
  Mail databases
• Click on My Computer under Scan
• Once the scan is complete, it will display the results. Click on View Scan Report
• You will see a list of infected items there. Click on Save Report As...
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
• Please post this log in your next reply

Please reply with:-

Combofix.txt
Kaspersky report
New HJT log

[miazer0]

Hello,

i ran the scans and here are the log files

ComboFix 09-02-08.01 - AndrewLui 2009-02-08 16:39:39.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.490 [GMT -5:00]
Running from: c:\documents and settings\AndrewLui\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\AndrewLui\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\drivers\TDSSmxst.sys
c:\windows\system32\msln.exe
.

((((((((((((((((((((((((( Files Created from 2009-01-08 to 2009-02-08 )))))))))))))))))))))))))))))))
.

2009-02-06 19:00 . 2009-01-18 16:35 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-06 18:03 . 2009-01-18 16:30 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-06 17:59 . 2009-02-06 17:59 <DIR> d-------- c:\program files\Lavasoft
2009-02-06 17:59 . 2009-02-06 17:59 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-05 16:29 . 2009-02-05 16:29 250 --a------ c:\windows\gmer.ini
2009-01-26 06:40 . 2009-01-26 06:40 <DIR> d-------- c:\windows\system32\scripting
2009-01-26 06:40 . 2009-01-26 06:40 <DIR> d-------- c:\windows\system32\en
2009-01-26 06:40 . 2009-01-26 06:40 <DIR> d-------- c:\windows\system32\bits
2009-01-26 06:40 . 2009-01-26 06:40 <DIR> d-------- c:\windows\l2schemas
2009-01-26 06:38 . 2009-01-26 06:40 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-26 06:32 . 2009-01-26 06:32 <DIR> d-------- c:\windows\EHome
2009-01-25 13:21 . 2009-01-25 13:21 <DIR> d-------- c:\documents and settings\AndrewLui\Application Data\Malwarebytes
2009-01-25 13:03 . 2009-01-25 13:03 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-25 13:03 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-25 13:03 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-25 13:02 . 2009-01-25 13:16 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-25 13:02 . 2009-01-25 13:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-25 13:01 . 2009-01-25 13:01 <DIR> d-------- c:\program files\Trend Micro
2009-01-25 00:07 . 2009-01-25 00:07 812,344 --a------ C:\HJTInstall.exe
2009-01-25 00:04 . 2009-01-25 00:04 2,737,808 --a------ C:\mbam-setup.exe
2009-01-21 22:13 . 2009-02-05 18:35 876 --a------ c:\windows\NJSTAR.INI
2009-01-20 15:39 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-01-20 15:38 . 2009-01-20 15:38 <DIR> d-------- c:\program files\Panda Security

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-08 21:37 --------- d-----w c:\program files\Symantec AntiVirus
2009-02-06 22:59 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-06 22:59 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-01 22:08 --------- d-----w c:\program files\Free Music Zilla
2009-01-31 01:27 --------- d-----w c:\documents and settings\AndrewLui\Application Data\Move Networks
2009-01-18 05:10 --------- d-----w c:\program files\Warcraft III
2009-01-06 03:14 --------- d-----w c:\documents and settings\Victoria\Application Data\Skype
2009-01-05 16:42 --------- d-----w c:\program files\Java
2009-01-05 16:41 --------- d-----w c:\program files\Common Files\Java
2009-01-04 21:01 --------- d-----w c:\documents and settings\Anthony\Application Data\ImgBurn
2009-01-04 20:54 --------- d-----w c:\program files\ImgBurn
2008-12-14 08:06 --------- d-----w c:\program files\Veoh Networks
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-12 04:56 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-01-22 15:16 47,360 ----a-w c:\documents and settings\AndrewLui\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( snapshot@2009-01-31_22.41.18.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-05 21:29:36 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 02:13:02 811,008 ----a-w c:\windows\gmer.exe
- 2000-08-31 13:00:00 286,720 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2009-02-05 21:29:36 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2009-01-18 21:30:13 64,160 -c--a-w c:\windows\system32\DRVSTORE\lbd_D996E5CC178082520D5C11260A28955C8455FD4A\Lbd.sys
+ 2009-02-08 16:29:55 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_720.dat
+ 2008-07-29 13:05:06 161,784 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2008-07-29 08:54:08 225,280 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 13:05:08 572,928 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 13:05:08 655,872 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 08:54:12 312,832 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcm90d.dll
+ 2008-07-29 13:05:08 875,520 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcp90d.dll
+ 2008-07-29 13:05:08 1,180,672 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcr90d.dll
+ 2008-07-29 13:05:12 5,937,144 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90d.dll
+ 2008-07-29 13:05:12 5,982,720 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90ud.dll
+ 2008-07-29 11:07:42 80,896 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90d.dll
+ 2008-07-29 11:07:42 80,896 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90ud.dll
+ 2008-07-29 13:05:08 3,768,312 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2008-07-29 13:05:10 3,783,672 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 11:07:42 59,904 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2008-07-29 11:07:42 59,904 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 13:05:06 38,912 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 13:05:06 39,936 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 13:05:08 66,560 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 13:05:08 56,832 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 13:05:06 65,024 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 13:05:08 65,024 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 13:05:06 66,048 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 13:05:08 64,512 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 13:05:08 46,592 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 13:05:08 46,080 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 13:05:08 62,976 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-05-27 124656]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-09 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-11 136600]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 59392]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-12 208952]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-06-18 290816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-18 506712]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 22:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-10-31 14:22 50480 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2006-03-24 19:14 53408 c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-08-23 20:19 57344 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-28 09:18 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
--a------ 2008-11-03 17:45 3522296 c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Documents and Settings\\Victoria\\Local Settings\\Application Data\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-06 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-20 28544]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 921936]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-02-01 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-26 99376]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-05-27 115952]
.
Contents of the 'Scheduled Tasks' folder

2009-02-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 16:34]

2008-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\AndrewLui\Application Data\Mozilla\Firefox\Profiles\jgcrerzy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - plugin: c:\documents and settings\AndrewLui\Application Data\Mozilla\Firefox\Profiles\jgcrerzy.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Cabri\Cabri 3D Plug-in 2.1\bin\npcabri3d.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-08 16:41:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-02-08 16:43:29
ComboFix-quarantined-files.txt 2009-02-08 21:43:27

Pre-Run: 19,347,259,392 bytes free
Post-Run: 19,488,542,720 bytes free

202 --- E O F --- 2009-01-27 06:00:12



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, February 8, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, February 08, 2009 22:19:03
Records in database: 1770834
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 61817
Threat name: 3
Infected objects: 15
Suspicious objects: 0
Duration of the scan: 06:04:13


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B00000\46BBD876.VBN Infected: Exploit.Win32.IMG-WMF.v 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B00001\46BBD8DB.VBN Infected: Exploit.Win32.IMG-WMF.v 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\033C0000.VBN Infected: Virus.Win32.Hidrag.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06780000\46FF00D8.VBN Infected: Exploit.Win32.IMG-WMF.v 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06CC0000\46DFEFB9.VBN Infected: Exploit.Win32.IMG-WMF.v 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A5C0000\4B7E4DAA.VBN Infected: Trojan.Win32.Monder.arem 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A5C0001\4B7E4DD2.VBN Infected: Trojan.Win32.Monder.arem 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A5C0002\4B7E529D.VBN Infected: Trojan.Win32.Monder.arem 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A5C0003\4B7E52FC.VBN Infected: Trojan.Win32.Monder.arem 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D480000.VBN Infected: Virus.Win32.Hidrag.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D480002.VBN Infected: Virus.Win32.Hidrag.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E440000.VBN Infected: Virus.Win32.Hidrag.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E440001\4F7F40F5.VBN Infected: Trojan.Win32.Monder.arem 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E440002\4F7F411B.VBN Infected: Trojan.Win32.Monder.arem 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FD80000.VBN Infected: Virus.Win32.Hidrag.a 1

The selected area was scanned.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:40 PM, on 2/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\winlogon.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\WINDOWS\system32\dlbtcoms.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKUS\S-1-5-21-1645522239-1979792683-725345543-1008\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Wendy')
O4 - HKUS\S-1-5-21-1645522239-1979792683-725345543-1008\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Wendy')
O4 - HKUS\S-1-5-21-1645522239-1979792683-725345543-1008\..\Run: [Aim6] (User 'Wendy')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7632 bytes

[muppy03]

Hi Miazer0

How’s the computer running? Any problems? If you have any questions please feel free to ask.

I see by your Uninstall List that you have Malwarebytes' Anti-Malware installed on your computer.

Please do a Malwarebytes' Anti-Malware scan using these settings:

· Open Malwarebytes' Anti-Malware
· Select the Update tab
· Click Check for Updates
· After the update have been completed, Select the Scanner tab.
· Make sure the "Perform full scan" option is selected.
· Then click on the Scan button.
· If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
· The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
· When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
· Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

· Click on the Show Results button to see a list of any malware that was found.
· Make sure that everything is checked, and click Remove Selected.
· When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
· The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
· The log can also be found here:

· C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

· Copy and paste the contents of that report in your next reply and exit MBAM.