Free Malware Removal Forum

[dop1103]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:44, AM, on 9/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\LIN\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=6061102
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [nhojl] c:\program files\jqyzmmtaijw\hovde.exe hf
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3288614903
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MSCamSvc - Unknown owner - C:\Program Files\Microsoft LifeCam\MSCamS32.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: VAKFI - Sysinternals - www.sysinternals.com - C:\DOCUME~1\LIN\LOCALS~1\Temp\VAKFI.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5597 bytes

[km2357]

Hello and welcome to Malware Removal.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please post a fresh HiJackThis Log

[dop1103]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:01, PM, on 10/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Documents and Settings\LIN\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=6061102
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3288614903
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MSCamSvc - Unknown owner - C:\Program Files\Microsoft LifeCam\MSCamS32.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: VAKFI - Unknown owner - C:\DOCUME~1\LIN\LOCALS~1\Temp\VAKFI.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6122 bytes

[km2357]

Step # 1:Remove one of your Anti Virus programs.

You are operating your computer with multiple Anti Virus programs running in memory at once:

AVG 8

Avast

Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

Please remove one of them.


Step # 2 Download and run DDS

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

• When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt
• Save both reports to your desktop. Post them back to your topic.

Step # 3: Download and Run Gmer

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click No.
  
• Once the scan is complete, you may receive another notice about rootkit activity.
• Click OK.
  
• GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.

• Click the Scan button and let the program do its work. GMER will produce a log.
• Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER scan in your reply.


In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post.

[dop1103]

DDS 1:

DDS (Ver_09-09-29.01) - NTFSx86
Run by LIN at 21:10:38.76 on Fri 10/02/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1420 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\ehome\RMSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\LIN\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\lin\startm~1\programs\startup\stickies.lnk - c:\program files\stickies\stickies.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupda ... 3288614903
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages =

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lin\applic~1\mozilla\firefox\profiles\cxqle5in.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/sli ... ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://hotmail.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/sli ... rab&query=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XULRunner: {E8B6DC7F-662C-4F0B-9D91-47C4D1ADCBE7} - c:\documents and settings\lin\local settings\application data\{e8b6dc7f-662c-4f0b-9d91-47c4d1adcbe7}\
FF - HiddenExtension: XULRunner: {814CAAD9-D2A3-45B9-A86C-2B315ECDF4B0} - c:\documents and settings\administrator\local settings\application data\{814caad9-d2a3-45b9-a86c-2b315ecdf4b0}\

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-17 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-17 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-17 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-17 297752]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-8-12 24652]
S0 auubahnh;auubahnh;c:\windows\system32\drivers\dtkghdjs.sys --> c:\windows\system32\drivers\dtkghdjs.sys [?]
S0 ilepfdje;ilepfdje;c:\windows\system32\drivers\gxrqyuzd.sys --> c:\windows\system32\drivers\gxrqyuzd.sys [?]
S0 uaxblnrd;uaxblnrd;c:\windows\system32\drivers\mczbxgge.sys --> c:\windows\system32\drivers\mczbxgge.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\2f.tmp --> c:\windows\system32\2F.tmp [?]
S3 VAKFI;VAKFI;c:\docume~1\lin\locals~1\temp\vakfi.exe --> c:\docume~1\lin\locals~1\temp\VAKFI.exe [?]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2006-6-29 2383152]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-11-17 908056]

=============== Created Last 30 ================

2009-09-28 00:54 <DIR> --d----- c:\program files\Trend Micro
2009-09-25 03:15 <DIR> --d----- c:\program files\Sophos
2009-09-25 03:06 <DIR> --d----- c:\program files\Unlocker
2009-09-24 23:38 120 a------- c:\windows\Umagacir.dat
2009-09-08 19:29 153,088 -------- c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-09-25 01:59 1,888 a------- c:\windows\system32\tmp.reg
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-08-15 22:52 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-15 22:52 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 09:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 09:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2007-12-28 03:03 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-08-03 17:40 88 ---shr-- c:\windows\system32\A6432BE64A.sys
2007-08-03 17:40 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 21:11:45.51 ===============
Attach 2:

UNLESS SPECIFICALLY

INSTRUCTED, DO NOT POST THIS

LOG.
IF REQUESTED, ZIP IT UP & ATTACH

IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 11/10/2006 7:55:00 PM
System Uptime: 10/2/2009 9:05:29 PM (0

hours ago)

Motherboard: Dell Inc. | | 0XD720
Processor: Intel(R) Core(TM)2 CPU

T7200 @ 2.00GHz | Microprocessor |

997/166mhz

==== Disk Partitions

=========================

C: is FIXED (NTFS) - 68 GiB total,

26.707 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items

=============

==== System Restore Points

===================

No restore point in system.

==== Installed Programs

======================

Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 7.0.8
Advanced Video FX Utility
AIM 6
AOLIcon
ATI Catalyst Control Center
ATI Display Driver
AVG Free 8.5
Broadcom Management Programs
Compatibility Pack for the 2007 Office

system
Conexant HDA D110 MDC V.92 Modem
Creative WebCam Instant Driver

(1.01.02.0729)
Critical Update for Windows Media Player

11 (KB959772)
Dell Photo AIO Printer 922
Dell Support 3.2
Dell System Restore
Dell Wireless WLAN Card
Digital Content Portal
Digital Line Detect
DivX Codec
DivX Converter
DivX Version Checker
Documentation & Support Launcher
Download Updater (AOL LLC)
Games, Music, & Photos Launcher
GIMP 2.4.6
High Definition Audio Driver Package -

KB835221
HijackThis 2.0.2
Hotfix 2050 for SQL Server 2000 ENU

(KB948110)
Hotfix 2055 for SQL Server 2000 ENU

(KB960082)
Hotfix for Windows Media Format 11

SDK (KB929399)
Hotfix for Windows Media Player 10

(KB903157)
Hotfix for Windows Media Player 11

(KB939683)
Hotfix for Windows XP (KB895961-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
InterActual Player
iTunes
J2SE Runtime Environment 5.0 Update 6
Malwarebytes' Anti-Malware
MCU
Media Center Extender
MediaDirect
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix

(KB928366)
Microsoft Compression Client Pack 1.0 for

Windows XP
Microsoft Office Outlook 2003 with

Business Contact Manager Update
Microsoft Office Professional Edition 2003
Microsoft Office Small Business Edition

2003
Microsoft Plus! Digital Media Edition

Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft SQL Server Desktop Engine

(MICROSOFTSMLBIZ)
Microsoft User-Mode Driver Framework

Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update

kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update

kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable

- x86 9.0.30729.17
Microsoft Works
Modem Helper
Mozilla Firefox (3.0.13)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Network Stumbler 0.4.0 (remove only)
Nmap 4.85BETA10
OutlookAddinSetup
Picasa 3
QuickSet
QuickTime
Security Update for Windows Internet

Explorer 8 (KB969897)
Security Update for Windows Internet

Explorer 8 (KB971961)
Security Update for Windows Internet

Explorer 8 (KB972260)
Security Update for Windows Media

Player (KB911564)
Security Update for Windows Media

Player (KB952069)
Security Update for Windows Media

Player (KB968816)
Security Update for Windows Media

Player (KB973540)
Security Update for Windows Media

Player 10 (KB917734)
Security Update for Windows Media

Player 11 (KB936782)
Security Update for Windows Media

Player 11 (KB954154)
Security Update for Windows Media

Player 6.4 (KB925398)
Security Update for Windows XP

(KB923561)
Security Update for Windows XP

(KB923689)
Security Update for Windows XP

(KB938464-v2)
Security Update for Windows XP

(KB938464)
Security Update for Windows XP

(KB941569)
Security Update for Windows XP

(KB946648)
Security Update for Windows XP

(KB950759)
Security Update for Windows XP

(KB950760)
Security Update for Windows XP

(KB950762)
Security Update for Windows XP

(KB950974)
Security Update for Windows XP

(KB951066)
Security Update for Windows XP

(KB951376-v2)
Security Update for Windows XP

(KB951376)
Security Update for Windows XP

(KB951698)
Security Update for Windows XP

(KB951748)
Security Update for Windows XP

(KB952004)
Security Update for Windows XP

(KB952954)
Security Update for Windows XP

(KB953838)
Security Update for Windows XP

(KB953839)
Security Update for Windows XP

(KB954211)
Security Update for Windows XP

(KB954459)
Security Update for Windows XP

(KB954600)
Security Update for Windows XP

(KB955069)
Security Update for Windows XP

(KB956390)
Security Update for Windows XP

(KB956391)
Security Update for Windows XP

(KB956572)
Security Update for Windows XP

(KB956744)
Security Update for Windows XP

(KB956802)
Security Update for Windows XP

(KB956803)
Security Update for Windows XP

(KB956841)
Security Update for Windows XP

(KB956844)
Security Update for Windows XP

(KB957095)
Security Update for Windows XP

(KB957097)
Security Update for Windows XP

(KB958215)
Security Update for Windows XP

(KB958644)
Security Update for Windows XP

(KB958687)
Security Update for Windows XP

(KB958690)
Security Update for Windows XP

(KB959426)
Security Update for Windows XP

(KB960225)
Security Update for Windows XP

(KB960714)
Security Update for Windows XP

(KB960715)
Security Update for Windows XP

(KB960803)
Security Update for Windows XP

(KB960859)
Security Update for Windows XP

(KB961371)
Security Update for Windows XP

(KB961373)
Security Update for Windows XP

(KB961501)
Security Update for Windows XP

(KB963027)
Security Update for Windows XP

(KB968537)
Security Update for Windows XP

(KB969897)
Security Update for Windows XP

(KB969898)
Security Update for Windows XP

(KB970238)
Security Update for Windows XP

(KB971557)
Security Update for Windows XP

(KB971633)
Security Update for Windows XP

(KB971657)
Security Update for Windows XP

(KB973346)
Security Update for Windows XP

(KB973354)
Security Update for Windows XP

(KB973507)
Security Update for Windows XP

(KB973869)
Skype™ 3.6
Sonic Encoders
Sonic RecordNow Data
Sophos Anti-Rootkit 1.5.0
SPSS 13.0 for Windows Integrated

Student Version
SPSS Data Access Pack for Windows 4.0
Spybot - Search & Destroy
Stickies 6.0c
UltraVNC v1.0.2
Unlocker 1.8.6
Update for Windows Media Player 10

(KB910393)
Update for Windows Media Player 10

(KB913800)
Update for Windows Media Player 10

(KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media

Center Edition 2005
VC80CRTRedist - 8.0.50727.762
Viewpoint Media Player
VLC media player 1.0.1
WebFldrs XP
Windows Genuine Advantage Notifications

(KB905474)
Windows Genuine Advantage Validation

Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Live Messenger
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See

EmeraldQFE2 for more information]
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Media Center Edition 2005

KB905589
Windows XP Media Center Edition 2005

KB908246
Windows XP Media Center Edition 2005

KB925766
Windows XP Media Center Edition 2005

KB973768
Windows XP Service Pack 3
winpcap-nmap 4.02
WinRAR archiver

==== Event Viewer Messages From Past

Week ========

9/29/2009 4:59:31 PM, error: W32Time

[17] - Time Provider NtpClient: An error

occurred during DNS lookup of the

manually configured peer

'time.windows.com,0x1'. NtpClient will try

the DNS lookup again in 15 minutes. The

error was: A socket operation was

attempted to an unreachable host.

(0x80072751)
9/25/2009 5:44:29 PM, error: Service

Control Manager [7026] - The following

boot-start or system-start driver(s) failed to

load: AFD APPDRV AvgLdx86

AvgMfx86 AvgTdiX Fips intelppm IPSec

MRxSmb NetBIOS NetBT RasAcd Rdbss

Tcpip
9/25/2009 5:44:29 PM, error: Service

Control Manager [7001] - The TCP/IP

NetBIOS Helper service depends on the

AFD service which failed to start because

of the following error: A device attached to

the system is not functioning.
9/25/2009 5:44:29 PM, error: Service

Control Manager [7001] - The IPSEC

Services service depends on the IPSEC

driver service which failed to start because

of the following error: A device attached to

the system is not functioning.
9/25/2009 5:44:29 PM, error: Service

Control Manager [7001] - The DNS

Client service depends on the TCP/IP

Protocol Driver service which failed to start

because of the following error: A device

attached to the system is not functioning.
9/25/2009 5:44:29 PM, error: Service

Control Manager [7001] - The DHCP

Client service depends on the NetBios over

Tcpip service which failed to start because

of the following error: A device attached to

the system is not functioning.
9/25/2009 12:59:41 PM, error: Server

[2505] - The server could not bind to the

transport

\Device\NetBT_Tcpip_{102D8A09-3E52

-494A-90FB-A9C2B5B6E7B3} because

another computer on the network has the

same name. The server could not start.
9/25/2009 12:59:40 PM, error: NetBT

[4321] - The name "LJOHN :20"

could not be registered on the Interface

with IP address 129.46.7.176. The

machine with the IP address

129.46.50.150 did not allow the name to

be claimed by this machine.
9/25/2009 12:59:37 PM, error: NetBT

[4321] - The name "LJOHN :0"

could not be registered on the Interface

with IP address 129.46.7.176. The

machine with the IP address

129.46.50.150 did not allow the name to

be claimed by this machine.
9/25/2009 12:27:07 AM, error: Service

Control Manager [7034] - The VAKFI

service terminated unexpectedly. It has

done this 1 time(s).
9/25/2009 10:19:25 PM, error: Service

Control Manager [7031] - The Ad-Aware

2007 Service service terminated

unexpectedly. It has done this 2 time(s).

The following corrective action will be

taken in 10000 milliseconds: Restart the

service.
9/25/2009 10:19:10 PM, error: Service

Control Manager [7031] - The Ad-Aware

2007 Service service terminated

unexpectedly. It has done this 1 time(s).

The following corrective action will be

taken in 5000 milliseconds: Restart the

service.
9/25/2009 10:13:01 PM, error: DCOM

[10005] - DCOM got error "%1084"

attempting to start the service EventSystem

with arguments "" in order to run the server:

{1BE1F766-5536-11D1-B726-00C04FB

926AF}
9/25/2009 10:10:13 PM, error: DCOM

[10005] - DCOM got error "%1084"

attempting to start the service StiSvc with

arguments "" in order to run the server:

{A1F4E726-8CF1-11D1-BF92-0060081

ED811}
9/25/2009 10:00:49 PM, error: DCOM

[10005] - DCOM got error "%1084"

attempting to start the service netman with

arguments "" in order to run the server:

{BA126AE5-2166-11D1-B1D0-00805F

C1270E}
9/25/2009 1:58:42 AM, error: Service

Control Manager [7026] - The following

boot-start or system-start driver(s) failed to

load: APPDRV AvgLdx86 AvgMfx86

Fips intelppm
9/25/2009 1:01:17 PM, error: Server

[2505] - The server could not bind to the

transport

\Device\NetBT_Tcpip_{B61C57A2-66F0

-454D-BE20-6F1CC6C1E884} because

another computer on the network has the

same name. The server could not start.
9/25/2009 1:01:17 PM, error: NetBT

[4321] - The name "LJOHN :20"

could not be registered on the Interface

with IP address 10.72.39.224. The

machine with the IP address 10.72.39.224

did not allow the name to be claimed by this

machine.
9/25/2009 1:01:17 PM, error: NetBT

[4321] - The name "LJOHN :0"

could not be registered on the Interface

with IP address 10.72.39.224. The

machine with the IP address 10.72.39.224

did not allow the name to be claimed by this

machine.
9/25/2009 1:01:13 PM, error: Dhcp

[1002] - The IP address lease

192.168.1.2 for the Network Card with

network address 0018F384D7E1 has been

denied by the DHCP server 0.0.0.0 (The

DHCP Server sent a DHCPNACK

message).

==== End Of File

===========================

[dop1103]

Gmer Log:

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-10-02 22:44:18
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\LIN\LOCALS~1\Temp\axtdapow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Fastfat \Fat AD2C0D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

[km2357]

Step # 1: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

[km2357]

dop1103? Do you still need help?

[Carolyn]

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.