Free Malware Removal Forum

[af03gr]

For the last few weeks I’ve been having great difficulty trying to access certain web pages (ie. Yahoo, flash heavy websites, etc). Moreover, certain downloads (including many anti-virus software downloads) are being blocked with the error message stating that there is a problem with the “windows internet extensions”.

I received assistance from one of your administrators who told me to use “combo-fix” which I did. It failed to solve the problem and I am no better than when I started. I’m running out of options, its been over two weeks now, and this is slowing down my work. Please, can someone provide me with some sort of plan to solve this issue. I am willing to try anything at this point on my Vista machine. If it helps I’m also getting Java warnings.

I have ZoneAlarm firewall, Comodo anti-virus, spybot search and destroy, adaware, as my system’s defenses. I also have logs from HJT 2.2, malwarebytes and combo-fix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:28 AM, on 10/07/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [HWSetup] \HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sys32VContoller] C:\Windows\mwmmgr32\mwmmgr32.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe (User 'Default user')
O9 - Extra button: Extract Flash Video with Bytescout... - {BD791D63-778B-46CA-8425-8A31D2F19487} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resourc ... den-ca.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{31D7E448-298C-47EE-A720-D8DB1F8544D3}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8B64AEA-656F-4BFB-AC28-7E2539056CCF}: NameServer = 156.154.70.22,156.154.71.22
O20 - AppInit_DLLs: C:\Windows\system32\guard32.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HD DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 9167 bytes

Malwarebytes' Anti-Malware 1.38
Database version: 2403
Windows 6.0.6001 Service Pack 1

10/07/2009 4:47:36 PM
mbam-log-2009-07-10 (16-47-36).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 204527
Time elapsed: 2 hour(s), 20 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Windows\System32\247880 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

omboFix 09-07-09.08 - Andrew 13/07/2009 22:18.1.2 - NTFSx86 MINIMAL
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.2.1033.18.2046.1666 [GMT -4:00]
Running from: F:\Combo-Fix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: ZoneAlarm Security Suite Anti-Spyware *enabled* (Outdated) {F245A209-1085-48B4-B927-35D56015EC60}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-06-14 to 2009-07-14 )))))))))))))))))))))))))))))))
.

2009-07-10 23:44 . 2009-07-14 01:44 -------- d-----w- C:\32788R22FWJFW.4.tmp
2009-07-10 23:23 . 2009-07-14 01:43 -------- d-----w- C:\32788R22FWJFW.3.tmp
2009-07-10 23:22 . 2009-07-14 01:43 -------- d-----w- C:\32788R22FWJFW.2.tmp
2009-07-10 23:22 . 2009-07-14 01:44 -------- d-----w- C:\32788R22FWJFW.1.tmp
2009-07-10 23:21 . 2009-07-14 01:44 -------- d-----w- C:\32788R22FWJFW.0.tmp
2009-07-10 23:15 . 2008-11-06 06:03 -------- d-----w- C:\SDFix
2009-07-10 15:19 . 2009-07-10 15:19 -------- d-----w- c:\users\Andrew\AppData\Roaming\Malwarebytes
2009-07-10 15:19 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-10 15:19 . 2009-07-10 15:19 -------- d-----w- c:\progra~2\Malwarebytes
2009-07-10 15:19 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-10 15:19 . 2009-07-10 15:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-10 04:56 . 2009-07-10 04:56 -------- d-----w- c:\program files\Trend Micro
2009-07-10 04:29 . 2009-07-10 03:04 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-10 03:04 . 2009-07-10 03:04 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-10 03:02 . 2009-07-10 03:02 -------- dc-h--w- c:\progra~2\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-07-10 03:02 . 2009-07-10 03:04 -------- d-----w- c:\progra~2\Lavasoft
2009-07-10 03:02 . 2009-07-10 03:02 -------- d-----w- c:\program files\Lavasoft
2009-07-07 01:16 . 2009-07-07 01:14 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-07 00:52 . 2009-07-07 00:51 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-06 14:22 . 2009-07-14 02:09 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-07-06 02:26 . 2009-07-06 14:47 -------- d-----w- c:\progra~2\Comodo
2009-07-06 02:26 . 2009-07-06 02:26 183912 ----a-w- c:\windows\system32\guard32.dll
2009-07-06 02:26 . 2009-07-06 02:26 29520 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-07-06 02:26 . 2009-07-06 02:26 128888 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-07-06 02:26 . 2009-07-06 02:26 -------- d-----w- c:\program files\COMODO
2009-07-06 02:12 . 2009-07-06 14:05 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2009-07-06 02:12 . 2009-07-06 02:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-06 00:39 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-06 00:39 . 2009-07-06 00:39 -------- d-----w- c:\program files\Avira
2009-07-06 00:39 . 2009-07-06 00:39 -------- d-----w- c:\progra~2\Avira
2009-07-03 03:34 . 2009-05-09 05:34 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-03 03:34 . 2009-05-09 05:50 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-03 03:28 . 2008-11-01 03:44 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-07-03 03:28 . 2008-03-08 04:21 1695744 ----a-w- c:\windows\system32\gameux.dll
2009-07-03 03:28 . 2008-11-01 01:21 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-06-15 02:37 . 2009-06-15 02:47 -------- d-----w- c:\program files\Wise Registry Cleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-14 02:09 . 2008-03-29 23:15 349221 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2009-07-14 01:51 . 2008-03-29 23:21 2148248 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-14 01:51 . 2008-03-29 23:21 162159904 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-14 01:51 . 2009-07-14 02:09 70144 ----a-w- c:\windows\Internet Logs\xDBB0E9.tmp
2009-07-14 01:15 . 2009-07-14 01:17 3063296 ----a-w- c:\windows\Internet Logs\xDBC91B.tmp
2009-07-14 01:15 . 2009-07-14 01:17 46080 ----a-w- c:\windows\Internet Logs\xDBC41B.tmp
2009-07-13 02:07 . 2009-07-13 02:09 64000 ----a-w- c:\windows\Internet Logs\xDBB54C.tmp
2009-07-11 05:03 . 2009-07-11 23:12 237056 ----a-w- c:\windows\Internet Logs\xDBB913.tmp
2009-07-11 05:03 . 2009-07-11 23:12 3061248 ----a-w- c:\windows\Internet Logs\xDBBE13.tmp
2009-07-10 21:05 . 2009-07-10 21:06 1197568 ----a-w- c:\windows\Internet Logs\xDBD0E7.tmp
2009-07-07 01:14 . 2007-09-27 05:02 -------- d-----w- c:\program files\Java
2009-07-05 22:58 . 2008-09-15 21:26 12441634 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-07-03 04:09 . 2009-07-03 04:11 834560 ----a-w- c:\windows\Internet Logs\xDB66E1.tmp
2009-07-03 02:40 . 2008-05-26 01:32 -------- d-----w- c:\users\Andrew\AppData\Roaming\OpenOffice.org2
2009-06-25 22:19 . 2008-11-02 19:37 -------- d-----w- c:\program files\iTunes
2009-06-25 22:19 . 2008-11-02 19:34 -------- d-----w- c:\program files\Bonjour
2009-06-24 04:27 . 2008-03-30 19:50 -------- d-----w- c:\progra~2\CanonIJPLM
2009-06-16 03:26 . 2008-05-26 01:33 1 ----a-w- c:\users\Andrew\AppData\Roaming\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-06-16 02:40 . 2009-06-16 02:41 130048 ----a-w- c:\windows\Internet Logs\xDBC5FE.tmp
2009-06-13 21:25 . 2009-06-14 14:24 359936 ----a-w- c:\windows\Internet Logs\xDBE86F.tmp
2009-06-13 21:25 . 2009-06-14 14:24 2902528 ----a-w- c:\windows\Internet Logs\xDBEEDC.tmp
2009-06-13 18:52 . 2009-06-13 18:40 -------- d-----w- c:\program files\Registry Easy
2009-06-12 03:23 . 2009-06-12 03:24 124928 ----a-w- c:\windows\Internet Logs\xDBB5FA.tmp
2009-06-01 11:27 . 2009-06-01 11:29 331264 ----a-w- c:\windows\Internet Logs\xDBB2DF.tmp
2009-05-11 21:27 . 2009-05-11 21:28 482304 ----a-w- c:\windows\Internet Logs\xDBAFD3.tmp
2008-03-14 22:26 . 2008-03-14 22:26 37375 ----a-w- c:\program files\openoffice.org-xsltfilter.cab
2008-03-14 22:26 . 2008-03-14 22:26 2489204 ----a-w- c:\program files\openoffice.org-writer.cab
2008-03-14 22:26 . 2008-03-14 22:26 207388 ----a-w- c:\program files\openoffice.org-testtool.cab
2008-03-14 22:26 . 2008-03-14 22:26 2504855 ----a-w- c:\program files\openoffice.org-pyuno.cab
2008-03-14 22:26 . 2008-03-14 22:26 51973 ----a-w- c:\program files\openoffice.org-onlineupdate.cab
2008-03-14 22:26 . 2008-03-14 22:26 1090334 ----a-w- c:\program files\openoffice.org-math.cab
2008-03-14 22:25 . 2008-03-14 22:25 118910 ----a-w- c:\program files\openoffice.org-javafilter.cab
2008-03-14 22:25 . 2008-03-14 22:25 1254017 ----a-w- c:\program files\openoffice.org-impress.cab
2008-03-14 22:25 . 2008-03-14 22:25 86870 ----a-w- c:\program files\openoffice.org-graphicfilter.cab
2008-03-14 22:25 . 2008-03-14 22:25 2769 ----a-w- c:\program files\openoffice.org-emailmerge.cab
2008-03-14 22:25 . 2008-03-14 22:25 919329 ----a-w- c:\program files\openoffice.org-draw.cab
2008-03-14 22:25 . 2008-03-14 22:25 2031954 ----a-w- c:\program files\openoffice.org-core09.cab
2008-03-14 22:25 . 2008-03-14 22:25 293054 ----a-w- c:\program files\openoffice.org-core08.cab
2008-03-14 22:25 . 2008-03-14 22:25 3842531 ----a-w- c:\program files\openoffice.org-core07.cab
2008-03-14 22:25 . 2008-03-14 22:25 28861971 ----a-w- c:\program files\openoffice.org-core06.cab
2008-03-14 22:21 . 2008-03-14 22:21 18636793 ----a-w- c:\program files\openoffice.org-core05.cab
2008-03-14 22:19 . 2008-03-14 22:19 16453751 ----a-w- c:\program files\openoffice.org-core04.cab
2008-03-14 22:18 . 2008-03-14 22:18 9118219 ----a-w- c:\program files\openoffice.org-core03.cab
2008-03-14 22:18 . 2008-03-14 22:18 3860200 ----a-w- c:\program files\openoffice.org-core02.cab
2008-03-14 22:18 . 2008-03-14 22:18 15102497 ----a-w- c:\program files\openoffice.org-core01.cab
2008-03-14 22:17 . 2008-03-14 22:17 4696905 ----a-w- c:\program files\openoffice.org-calc.cab
2008-03-14 22:17 . 2008-03-14 22:17 1802028 ----a-w- c:\program files\openoffice.org-base.cab
2008-03-14 22:17 . 2008-03-14 22:17 43005 ----a-w- c:\program files\openoffice.org-activex.cab
2008-03-14 22:17 . 2008-03-14 22:17 217 ----a-w- c:\program files\setup.ini
2008-03-14 22:17 . 2008-03-14 22:17 4372992 ----a-w- c:\program files\openofficeorg24.msi
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe
2006-05-03 09:06 . 2008-07-21 22:59 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 10:47 . 2008-07-21 22:59 31232 --sh--r- c:\windows\System32\msfDX.dll
2008-03-16 12:30 . 2008-07-21 22:59 216064 --sh--r- c:\windows\System32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-01-22 417792]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-07 34352]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-23 438272]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 204800]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-08-22 981904]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-07-06 1793808]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-10 520024]
"NDSTray.exe"="NDSTray.exe" [BU]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-09-03 4702208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
backup=c:\windows\pss\Bluetooth Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C5A116A5-7304-47EC-95C0-A9C66D751CB5}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{FBD13BA7-A8BC-4ECC-80F8-4903D05268ED}"= UDP:c:\program files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe:BlueSoleilCS
"{8937F841-6254-4BFB-B1D1-6AE5046B670D}"= TCP:c:\program files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe:BlueSoleilCS
"{8FCD3B7C-8F1C-48DC-816D-3E698652E389}"= UDP:c:\program files\Sierra Entertainment\Empire Earth III\EE3.exe:Empire Earth III
"{20E2F8B0-93DB-448E-AC46-2C2EDD7A3FBF}"= TCP:c:\program files\Sierra Entertainment\Empire Earth III\EE3.exe:Empire Earth III
"{382F8B7C-CC54-4859-9C9A-6B6ADBA2722C}"= UDP:c:\program files\Sierra Entertainment\Empire Earth III\EE3.exe:Empire Earth III
"{68C3F022-8089-4D58-A216-CDEBBDF9EC6D}"= TCP:c:\program files\Sierra Entertainment\Empire Earth III\EE3.exe:Empire Earth III
"{1E802304-86AC-4BA0-95D4-D1AF79C28BB6}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{92C70993-0685-4122-BF84-708A3E885C63}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{1953578D-83B1-4D50-9870-219D430694CA}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{60AB8B1D-BA2E-4D7E-AFBB-268E9FAEFBBC}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{D08A62E6-F4C0-4A50-9157-635D50B34CCD}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D05FDC27-0EEA-48CC-920E-74603DC976E7}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [7/9/2009 11:04 PM 64160]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\System32\drivers\cmdguard.sys [7/5/2009 10:26 PM 128888]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/5/2009 8:39 PM 108289]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: {{BD791D63-778B-46CA-8425-8A31D2F19487}
TCP: {31D7E448-298C-47EE-A720-D8DB1F8544D3} = 156.154.70.22,156.154.71.22
TCP: {C8B64AEA-656F-4BFB-AC28-7E2539056CCF} = 156.154.70.22,156.154.71.22
FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\xdtpj59l.default\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-13 22:23
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????g??V? ??? ??????8???p?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-07-14 22:24
ComboFix-quarantined-files.txt 2009-07-14 02:24
ComboFix2.txt 2009-07-12 16:04

Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 243,187,593,216 bytes free

233 --- E O F --- 2008-09-15 22:16

[NonSuch]

I wish to correct your misconception that you were given instructions by one of our administrators to run ComboFix. That is not true. In fact, the instructions you were given to run ComboFix were given in your other topic that you posted at Geeks2Go:

http://www.geekstogo.com/forum/Trojan-B ... 5840ace472

You posted there, and you received a response there, to which you have not replied, doubtlessly because posting at multiple sites left you with some confusion as to who was giving you instructions.

While we appreciate that you very likely posted at multiple forums in order to ensure a response, that only serves to tie up the time of multiple helpers who could be using that time to help someone else who also has problems. Although there are many forums that handle HijackThis logs, there are not so many helpers; most of us help out at several forums. In addition, the results may not work out so well when you're following different instructions from different helpers. They may suggest different approaches for the same problem, all of which may be good; however, system conflicts may arise if different fixes for the same problem are applied simultaneously.

In the future, for your sake as well as ours, please refrain from requesting help from multiple forums. Choose one, and stick with that one until they've resolved your problem. As for this topic, it will be closed as will any other topics that you start at this time in regards to this same problem. You should return to your topic at Geeks2Go.

This topic is now closed.

You can help support this site from this link :
Donations For Malware Removal