
xp security 2011/ malware removal tool



Old 05-17-2011, 04:12 AM   #1
Registered Member
 
Join Date: May 2011
Location: australia
Posts: 24
OS: xp sp3



Hello fellow tech heads,

I've had a day from hell trying to remove the above trojan. None of the things found on the net worked for me, like booting into safe mode, as the virus was still active and stopping things and blocking Task Manager. So I took things into my own hands and downloaded RKill, which was the only thing that I could actually load in safe mode, killed it, ran Malwarebytes and got rid of it. Well, I thought I did, but then when I booted into Windows my programs were still missing from the Start menu. The Malwarebytes I had just installed was not there, so I reinstalled it and it still was not listed in my programs.

Windows Update thinks it's turned off when it's on.

I accidentally turned hidden files on and found some of my movies and files which are marked as hidden. OMG, what the.........

So I can use my computer as per normal now, and for internet I have to go through Windows Explorer, but I am still infected and not sure how to fix it now, as I cannot remove AVG: it's saying that it's missing some reg file and therefore I cannot run ComboFix.

Help pls :)
dragon-lilly is offline  
Old 05-19-2011, 05:26 PM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Who instructed you to run ComboFix?

As you should have read here in Step 2 of our NEW INSTRUCTIONS thread:

Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

------------------------------------------------------

We first need to verify if there are any rootkits present and how they could affect our tools.

DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present and decide whether to deploy ComboFix.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. Please follow our pre-posting process outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

After running through all the steps, you shall have a proper set of logs. Please post them in a new thread, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 05-21-2011, 03:34 PM   #3
Registered Member
 
Join Date: May 2011
Location: australia
Posts: 24
OS: xp sp3



.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Run by Administrator at 7:36:11 on 2011-05-22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.557 [GMT 10:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Smart Engine *Enabled/Updated* {3E868CE3-5346-4CEE-9D40-4689DE43910B}
FW: Smart Engine *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\D-Link\DWA-125 revA\ANIWZCSdS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\TeamViewer\Version5\TeamViewer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: PriceGongBHO Class: {1631550f-191d-4826-b069-d9439253d926} - c:\program files\pricegong\2.1.0\PriceGongIE.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin0.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - c:\program files\softonic-eng7\prxtbSof0.dll
BHO: NOW!Imaging: {9aa2f14f-e956-44b8-8694-a5b615cdf341} - c:\program files\dodo speed accelerator\components\NOWImaging.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Prefetch: {a66aa08a-9bf0-4e87-99e6-6972731d6b99} - c:\program files\dodo speed accelerator\Prefetch.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
BHO: Burn4Free Toolbar Helper: {d187a56b-a33f-4cbe-9d77-459fc0bae012} - c:\program files\burn4free toolbar\v3.3.0.3\Burn4Free_Toolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Burn4Free Toolbar: {4f11acbb-393f-4c86-a214-ff3d0d155cc3} - c:\program files\burn4free toolbar\v3.3.0.3\Burn4Free_Toolbar.dll
TB: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - c:\program files\softonic-eng7\prxtbSof0.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin0.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
uPolicies-explorer: DisallowRun = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: c:\progra~1\dodosp~1\sliplsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: image file execution options - svchost.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\08s7hbz3.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b693c2a&v=6.103.018.001&i=23&tp=ab&iy=&ychte=au&lng=en-US&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-3 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-3 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-3 243152]
R2 ANPD;ANPD Service;c:\windows\system32\ANPD.SYS [2010-7-15 29411]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-17 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-17 308136]
R2 D_Link_DWA-125;D_Link_DWA-125 Service;c:\program files\d-link\dwa-125 reva\ANIWZCSdS.exe [2010-7-15 126976]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-8 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-12-12 47640]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-1-13 185640]
R3 rt2870;D-Link dnetr28u USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\Drt2870.sys [2010-7-15 779136]
S2 D_Link_DWA-125_WPS;D_Link_DWA-125_WPS Service;c:\program files\d-link\dwa-125 reva\ANIWConnService.exe [2010-7-15 40960]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 947528]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-9-22 112640]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-05-16 10:27:02 266240 ----a-w- c:\windows\uyodehibe.dll
2011-05-16 10:26:37 -------- d-----w- c:\documents and settings\all users\application data\jI06509AhOlC06509
2011-05-11 10:04:44 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-05-11 10:04:43 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-05-11 10:04:43 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-05-11 10:04:43 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-05-11 10:04:43 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-05-11 10:04:42 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-05-11 10:04:41 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-05-11 10:04:41 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
==================== Find3M ====================
.
2011-05-05 23:31:46 243152 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-04-06 06:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 06:20:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 06:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 06:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 5.1.2600 Disk: WDC_WD400BB-23JHC0 rev.06.01C06 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85DB0D01]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x50; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x855ca85b; SUB DWORD [EBP-0x4], 0x855ca12e; PUSH EDI; CALL 0xffffffffffffe0f7; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x863E1AB8]
3 CLASSPNP[0xF74D7FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000061[0x8638BF18]
5 ACPI[0xF744E620] -> nt!IofCallDriver[0x804E37D5] -> [0x863DED98]
[0x86114790] -> IRP_MJ_CREATE -> 0x85DB0D01
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD400BB-23JHC0______________________06.01C06#5&25c65490&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x85DB0AEA
user & kernel MBR OK
sectors 78156286 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 7:38:06.65 ===============


I could not zip these two as WinZip was not coming up as an option.

GMER 1.0.15.15627 - GMER - Rootkit Detector and Remover
Rootkit scan 2011-05-22 08:14:20
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD400BB-23JHC0 rev.06.01C06
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdqpow.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\System32\drivers\afd.sys entry point in ".rsrc" section [0xEEC82C94]
? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[400] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D4000A
.text C:\WINDOWS\Explorer.EXE[400] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00FD000A
.text C:\WINDOWS\Explorer.EXE[400] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C3000C
.text C:\WINDOWS\System32\svchost.exe[1232] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CE000A
.text C:\WINDOWS\System32\svchost.exe[1232] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CF000A
.text C:\WINDOWS\System32\svchost.exe[1232] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 001C000C
.text C:\WINDOWS\System32\svchost.exe[1232] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 024A000A
.text C:\WINDOWS\System32\svchost.exe[1232] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00EA000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 85DB0AEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 85DB0AEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 85DB0AEA

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD400BB-23JHC0______________________06.01C06#5&25c65490&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0x3C 0x54 0x34 0x70 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\[email protected] 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\[email protected] 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\[email protected] 0x3C 0x54 0x34 0x70 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected]
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\[email protected] RUN "C:\Documents and Settings\Administrator\Application Data\Real\Update\UpgradeHelper\RealPlayer\8.01\rnupgagent.exe" "/Install"
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\Progress
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\[email protected] 0
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\[email protected] 000
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgClasses\000
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgClasses\000\Position
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgClasses\000\[email protected] 0
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgClasses\000\UILayoutID
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgClasses\000\[email protected] 000
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgClasses\000\XMLFileID
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgClasses\000\[email protected] 000
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\[email protected] reclaimer
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\[email protected] 3.0.0.0
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\BackupURL
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\[email protected] /autoupgrade/RealPlayer/3rdParty/reclaimer_r61h9/win32/reclaimer_R61H9_3_0_0_0_en.rup
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\CatUILayoutID
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\[email protected] 000
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\CatXMLFileID
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\[email protected] 000
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\ClasID0
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\[email protected] 005
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\Description
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\[email protected] Upgrade Helper V2 3.0.0.0
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\DisplayName
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\[email protected] Player Upgrade Helper
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\DownloadSize
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\[email protected] 417124
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\HelpURL
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\[email protected]
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\Offset
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\[email protected] 303
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\Order
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\[email protected] 10000
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\ProductID0
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\[email protected] 1002
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\ShowFlag
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\[email protected] 1
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\Space
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\[email protected] 848770
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\SpecPath
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\[email protected] C:\Documents and Settings\Administrator\Application Data\Real\Update\temp\~Upg7\upgspec.inf
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\State
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\[email protected] 4
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\Type
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\[email protected] 1
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\UILayoutID
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\[email protected] 000
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\UpgradeURL
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\[email protected] https://seattle-dl.real.com/autoupgra...3_0_0_0_en.rup
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\XMLFileID
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgComps\reclaimer\[email protected] 000
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\[email protected] REALPLAYER
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgProds\REALPLAYER
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgProds\REALPLAYER\DisplayName
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgProds\REALPLAYER\[email protected]
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgProds\REALPLAYER\ProdID
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgProds\REALPLAYER\[email protected] 1002
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgProds\REALPLAYER\Version
Reg HKLM\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\UpgProds\REALPLAYER\[email protected] 12.0.1.609

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\System32\drivers\afd.sys suspicious modification; TDL3 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-05-19.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/2/2010 6:22:36 PM
System Uptime: 5/22/2011 7:27:33 AM (0 hours ago)
.
Motherboard: IBM | | IBM
Processor: Intel(R) Pentium(R) 4 CPU 2.40GHz | WMT478/NWD | 2392/133mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 9.817 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP333: 5/16/2011 8:30:00 PM - System Checkpoint
RP334: 5/17/2011 3:45:10 PM - Removed AVG Free 9.0
RP335: 5/17/2011 3:47:10 PM - Removed AVG Free 9.0
RP336: 5/17/2011 5:20:33 PM - Removed AVG Free 9.0
RP337: 5/17/2011 5:24:43 PM - Removed AVG Free 9.0
RP338: 5/19/2011 11:53:11 AM - System Checkpoint
RP339: 5/21/2011 12:05:44 PM - Avg Update
.
==== Installed Programs ======================
.
.
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.4
Advertising Center
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG Free 9.0
AVS Update Manager 1.0
AVS Video Converter 6
AVS Video Converter 7
AVS4YOU Software Navigator 1.4
Bonjour
Burn4Free CD and DVD
Burn4Free Toolbar
Conduit Engine
D-Link DWA-125
DAEMON Tools Toolbar
DFX for Windows Media Player
DivX Setup
Dodo Speed Accelerator
Dodo Wireless Broadband
Glary Utilities 2.27.0.982
HandBrake 0.9.5
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
ImagXpress
Intel(R) Extreme Graphics Driver
Intel(R) PRO Network Adapters and Drivers
iTunes
Java Auto Updater
Java(TM) 6 Update 22
LogMeIn
Malwarebytes' Anti-Malware
Media Player Codec Pack 3.9.6
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox 4.0.1 (x86 en-US)
MSN
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 9 Lite
Nero ControlCenter
Nero InCD-Reader
Nero Installer
Nero Online Upgrade
Nero StartSmart
neroxml
PowerISO
PriceGong 2.1.0
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
Safari
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Skype Toolbars
Skype™ 5.1
Softonic-Eng7 Toolbar
SoundMAX
TeamViewer 5
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
uTorrentBar Toolbar
VC80CRTRedist - 8.0.50727.4053
Veoh Web Player
VLC media player 1.1.5
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
Xvid 1.2.2 final uninstall
.
==== Event Viewer Messages From Past Week ========
.
5/21/2011 11:48:29 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
5/21/2011 11:48:29 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
5/21/2011 1:33:23 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.DebugCRT. Reference error message: The referenced assembly is not installed on your system. .
5/21/2011 1:33:23 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Real\RealPlayer\plugins\rmxrend.dll. Reference error message: The operation completed successfully. .
5/21/2011 1:33:23 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.DebugCRT could not be found and Last Error was The referenced assembly is not installed on your system.
5/17/2011 3:31:22 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
5/17/2011 2:04:02 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
5/17/2011 2:02:35 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/17/2011 11:27:30 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the TeamViewer 5 service to connect.
5/17/2011 11:27:30 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AVG Free E-mail Scanner service to connect.
5/17/2011 11:27:30 AM, error: Service Control Manager [7000] - The TeamViewer 5 service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/17/2011 11:27:30 AM, error: Service Control Manager [7000] - The AVG Free E-mail Scanner service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/17/2011 1:37:45 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
5/17/2011 1:33:21 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm OMCI SCDEmu
5/17/2011 1:29:19 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Apple Mobile Device service to connect.
5/17/2011 1:29:19 PM, error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/17/2011 1:28:20 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
5/17/2011 1:28:20 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AVG Free WatchDog service to connect.
5/17/2011 1:28:20 PM, error: Service Control Manager [7001] - The AVG Free E-mail Scanner service depends on the AVG Free WatchDog service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
5/17/2011 1:28:20 PM, error: Service Control Manager [7000] - The AVG Free WatchDog service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/17/2011 1:28:19 PM, error: Service Control Manager [7034] - The TeamViewer 5 service terminated unexpectedly. It has done this 1 time(s).
5/17/2011 1:28:19 PM, error: Service Control Manager [7034] - The LogMeIn service terminated unexpectedly. It has done this 1 time(s).
5/17/2011 1:28:19 PM, error: Service Control Manager [7034] - The LogMeIn Maintenance Service service terminated unexpectedly. It has done this 1 time(s).
5/17/2011 1:28:19 PM, error: Service Control Manager [7034] - The LMIGuardianSvc service terminated unexpectedly. It has done this 1 time(s).
5/17/2011 1:28:19 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
5/17/2011 1:28:19 PM, error: Service Control Manager [7034] - The D_Link_DWA-125_WPS Service service terminated unexpectedly. It has done this 1 time(s).
5/17/2011 1:28:19 PM, error: Service Control Manager [7034] - The D_Link_DWA-125 Service service terminated unexpectedly. It has done this 1 time(s).
5/17/2011 1:28:19 PM, error: Service Control Manager [7034] - The AVG Free E-mail Scanner service terminated unexpectedly. It has done this 1 time(s).
5/17/2011 1:28:19 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
5/17/2011 1:28:19 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
5/17/2011 1:28:19 PM, error: Service Control Manager [7022] - The AVG Free E-mail Scanner service hung on starting.
5/17/2011 1:28:19 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the LMIGuardianSvc service to connect.
5/17/2011 1:28:19 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
5/17/2011 1:28:19 PM, error: Service Control Manager [7000] - The LMIGuardianSvc service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/17/2011 1:28:19 PM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/17/2011 1:28:19 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service LMIGuardianSvc with arguments "" in order to run the server: {D4258A22-CF85-489D-83AE-49FCD0DFAD29}
5/17/2011 1:28:19 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
5/16/2011 8:29:58 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000000E' while processing the file 'change.log' on the volume 'HarddiskVolume4'. It has stopped monitoring the volume.
.
==== End Of File ===========================
dragon-lilly is offline  
 
Old 05-21-2011, 05:23 PM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello dragon-lilly. Delete ComboFix.exe from your desktop and any other location.

------------------------------------------------------

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

Please download DeFogger and save it to your desktop.
  • Double-click DeFogger to run the tool.
  • The application window will appear.
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue.
  • A 'Finished!' message will appear.
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

------------------------------------------------------

You will have to uninstall AVG in order to run ComboFix, as AVG targets ComboFix's embedded files and prevents ComboFix from running.

Uninstall AVG via Add or Remove Programs in your Control Panel, then reboot.

If ComboFix still detects AVG after uninstalling AVG and rebooting, try removing AVG remnants with AppRemover:

Please download AppRemover and Save it to your Desktop.
  • Double-click AppRemover.exe and follow the prompt to run it, then click 'Next'.
  • Vista/Win7 users, right-click and choose 'Run as administrator'.
  • Under 'Select Removal Type' select 'Cleanup a Failed Uninstall' then click 'Next'.
  • Once the scan is complete, follow the on-screen instructions to remove remnants of AVG.
  • Reboot your computer if not prompted already.
------------------------------------------------------

If ComboFix still detects AVG, stop and let me know.

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

First, we need to install the Windows Recovery Console.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode, if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. Also, ComboFix will not address certain types of malware unless the RC is installed. It is a simple procedure that will only take a few moments of your time.

Download the file from this Microsoft page:

Download details: Windows XP Professional with Service Pack 2 Utility: Setup Disks for Floppy Boot Install

Do not be concerned that this file is for SP2 if you have SP3. It will work just fine on your system.

Save it as it is originally named to your Desktop.

Now close all open windows and programs, including all antivirus and antispyware programs. Get help here



Then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Recovery Console.

As part of installing the Recovery Console, ComboFix will begin to run. Your desktop may disappear. This is normal. It will return.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:



Please continue as follows:
  • Close/disable all antivirus and antispyware programs so they do not interfere with the running of ComboFix. Get help here
  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 05-21-2011, 07:38 PM   #5
Registered Member
 
Join Date: May 2011
Location: australia
Posts: 24
OS: xp sp3



hey chemist

Nice nickname :) Thanks so much for helping me, I appreciate it very much.

I have downloaded DeFogger as instructed and followed the steps, but it did not ask me to reboot, so I did it myself. I hope that was ok.

I am unable to remove AVG from Add/Remove Programs.

It gives me an error:

Local machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Access is denied.

:(

I thought maybe I would try using AppRemover, but the link goes to "page not found" :(

Awaiting further instructions :)
dragon-lilly is offline  
Old 05-21-2011, 07:54 PM   #6
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



You're very welcome.

Sorry. Try this link:

Uninstall & Remove McAfee, Symantec, Norton, AVG, Avast & More Antivirus and Security Applications and Programs

Instead of 'Cleanup a Failed Uninstall', choose 'Remove Security Application'.
chemist is offline  
Old 05-22-2011, 07:47 PM   #7
Registered Member
 
Join Date: May 2011
Location: australia
Posts: 24
OS: xp sp3



ComboFix 11-05-21.03 - Administrator 05/23/2011 10:13:08.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.739 [GMT 10:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix_N.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\2gweorjqjutp92vjy9gake
c:\documents and settings\Administrator\Application Data\Adobe\plugs
c:\documents and settings\Administrator\Application Data\Adobe\plugs\mmc27656765.txt
c:\documents and settings\Administrator\Application Data\Adobe\shed
c:\documents and settings\Administrator\Application Data\Adobe\shed\thr1.chm
c:\documents and settings\Administrator\Application Data\PriceGong
c:\documents and settings\Administrator\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Administrator\Application Data\Smart Engine
c:\documents and settings\Administrator\Application Data\Smart Engine\cookies.sqlite
c:\documents and settings\Administrator\Start Menu\Smart Engine.lnk
.
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2011-04-23 to 2011-05-23 )))))))))))))))))))))))))))))))
.
.
2011-05-23 00:00 . 2008-08-14 10:34 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2011-05-23 00:00 . 2008-08-14 10:34 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-05-16 10:27 . 2011-05-16 10:27 266240 ----a-w- c:\windows\uyodehibe.dll
2011-05-16 10:26 . 2011-05-17 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\jI06509AhOlC06509
2011-05-11 10:04 . 2011-04-14 16:25 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-11 10:04 . 2011-04-14 16:25 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-11 10:04 . 2011-04-14 16:25 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-11 10:04 . 2011-04-14 16:25 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-11 10:04 . 2011-04-14 16:25 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-11 10:04 . 2010-01-01 08:00 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-11 10:04 . 2011-04-14 16:26 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-05-11 10:04 . 2010-01-01 08:00 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 06:20 . 2011-04-06 06:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 06:20 . 2011-04-06 06:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 06:20 . 2011-04-06 06:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 06:20 . 2011-04-06 06:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-14 16:26 . 2011-05-11 10:04 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
.
[-] 2010-01-29 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-12-28 06:00 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngin0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
2011-01-17 14:54 175912 ----a-w- c:\program files\Softonic-Eng7\prxtbSof0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D187A56B-A33F-4CBE-9D77-459FC0BAE012}]
2010-02-13 09:14 815104 ----a-w- c:\program files\Burn4Free Toolbar\v3.3.0.3\Burn4Free_Toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= "c:\program files\Burn4Free Toolbar\v3.3.0.3\Burn4Free_Toolbar.dll" [2010-02-13 815104]
"{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\prxtbSof0.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngin0.dll" [2010-12-28 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]
.
[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= "c:\program files\Burn4Free Toolbar\v3.3.0.3\Burn4Free_Toolbar.dll" [2010-02-13 815104]
"{414B6D9D-4A95-4E8D-B5B1-149DD2D93BB3}"= "c:\program files\Softonic-Eng7\prxtbSof0.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngin0.dll" [2010-12-28 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]
.
[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2010-12-03 274608]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-08 03:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dodo Speed Accelerator.lnk]
backup=c:\windows\pss\Dodo Speed Accelerator.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 13:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
2005-02-28 10:53 53248 ----a-r- c:\windows\VM_STI.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-13 19:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link D-Link DWA-125]
2009-10-19 09:03 995328 ----a-w- c:\program files\D-Link\DWA-125 revA\AirGCFG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-01 06:39 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2004-11-01 22:59 126976 ----a-r- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-11-01 23:03 155648 ----a-r- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-14 01:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-13 19:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2009-11-09 03:17 180224 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 07:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-01-03 05:44 15028104 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SlipStream]
2010-06-30 12:32 344064 ----a-w- c:\program files\Dodo Speed Accelerator\slipcore.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 01:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2010-07-06 14:01 2634048 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WZCSLDR2]
2009-10-19 08:39 122880 ----a-w- c:\program files\D-Link\DWA-125 revA\WZCSLDR2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 ANPD;ANPD Service;c:\windows\system32\ANPD.SYS [7/15/2010 7:06 PM 29411]
R2 D_Link_DWA-125;D_Link_DWA-125 Service;c:\program files\D-Link\DWA-125 revA\ANIWZCSdS.exe [7/15/2010 7:06 PM 126976]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/8/2010 1:11 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/17/2010 3:40 PM 12856]
R2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [1/13/2010 12:57 AM 185640]
S2 D_Link_DWA-125_WPS;D_Link_DWA-125_WPS Service;c:\program files\D-Link\DWA-125 revA\ANIWConnService.exe [7/15/2010 7:06 PM 40960]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [9/22/2010 8:17 PM 112640]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/5/2010 4:30 PM 691696]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 01:50]
.
2011-04-09 c:\windows\Tasks\File Helper.job
- c:\program files\File Helper\1.1.0.10\FileHelper.exe [2010-02-05 08:25]
.
2011-05-23 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-11-13 01:21]
.
2011-05-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1708537768-1563985344-1606980848-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 01:33]
.
2011-05-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1708537768-1563985344-1606980848-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 01:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
LSP: c:\progra~1\DODOSP~1\sliplsp.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\08s7hbz3.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b693c2a&v=6.103.018.001&i=23&tp=ab&iy=&ychte=au&lng=en-US&q=
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\uTorrentBar\tbuTo1.dll
BHO-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\uTorrentBar\tbuTo1.dll
Toolbar-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\uTorrentBar\tbuTo1.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - c:\program files\uTorrentBar\tbuTo1.dll
Notify-avgrsstarter - (no file)
MSConfigStartUp-uTorrent - c:\program files\uTorrent\uTorrent.exe
AddRemove-uTorrentBar Toolbar - c:\progra~1\UTORRE~1\UNWISE.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-05-23 10:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1708537768-1563985344-1606980848-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,af,8b,1a,77,73,28,b9,4a,9e,20,93,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,13,cf,fe,6b,f8,c7,41,a0,1d,25,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(1468)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\TeamViewer\Version5\TeamViewer.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-05-23 10:39:39 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-23 00:39
ComboFix2.txt 2010-05-15 21:10
.
Pre-Run: 10,798,460,928 bytes free
Post-Run: 10,929,500,160 bytes free
.
- - End Of File - - F74A88F33986C408CECC578389EDBB06
dragon-lilly is offline  
Old 05-22-2011, 08:10 PM   #8
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Hello again, dragon-lilly.

Please go to: VirusTotal
  • Click the Browse button.
  • Please copy/paste the following bolded text into the 'File name:' box:

    c:\windows\uyodehibe.dll

  • Click Open then click the Send File button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File already submitted: click Reanalyse
  • Once scanned, copy and paste the URL from your browser address bar in your next reply.
------------------------------------------------------

Do you have access to another XP machine with SP3 installed? Let me know.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 05-22-2011, 08:56 PM   #9
Registered Member
Join Date: May 2011
Location: australia
Posts: 24
OS: xp sp3

VirusTotal - Free Online Virus, Malware and URL Scanner

Yes, I have another XP SP3 machine :)
dragon-lilly is offline  
Old 05-23-2011, 05:24 AM   #10
Security Team

Hello again, dragon-lilly.

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
if exist log.txt del /s/q log.txt
dir /a /s "c:\documents and settings\All Users\Application Data\jI06509AhOlC06509" > log.txt
notepad log.txt
del %0
Save this as peek.bat and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on peek.bat and allow it to run. A Notepad file will open. Post the contents of that file in your next reply.

------------------------------------------------------

On your other XP SP3 machine, navigate to this file:

c:\windows\system32\sfcfiles.dll

Copy the file to a USB drive then copy the file to the Local Disk(C:) on the affected computer.

Let me know when you have accomplished that. Thanks.

------------------------------------------------------
chemist is offline  
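The peek.bat above does one thing: list a suspicious folder with `dir /a /s` so that hidden and system files show up too. What a responder usually wants on top of that listing is a hash per file, because a hash lets you compare the copied sfcfiles.dll against the clean machine's copy, and lets you search VirusTotal for a sample (as in post #8) without uploading it. The script below is an added example, not chemist's code or anything from this thread; it builds a throwaway folder shaped like the jI06509AhOlC06509 one from the posted dir output (constructed data, one 192-byte file) and walks it the way `dir /a /s` would.

```python
"""Folder triage in the spirit of peek.bat: list every regular file under a
folder, hidden or not, with size, modification time and SHA-256.

Added example, not from the thread. The sample folder is constructed to mirror
the thread's jI06509AhOlC06509 folder (one 192-byte file); it is not a real sample.
"""
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timezone

# Windows attribute bits; the stat module exposes them on Python >= 3.5,
# fall back to the documented numeric values otherwise.
_HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x02)
_SYSTEM = getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x04)


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so a 1.6 MB sfcfiles.dll is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_hidden(st, name):
    """Hidden/system attribute bits only appear in os.stat results on Windows;
    elsewhere treat dot-files as hidden so the flag still means something."""
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & (_HIDDEN | _SYSTEM))
    return name.startswith(".")


def peek(root):
    """Walk root like 'dir /a /s' and return one record per regular file, sorted by path."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):   # skip symlinks, devices, etc.
                continue
            records.append({
                "path": os.path.relpath(full, root),
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc)
                                 .strftime("%Y-%m-%d %H:%M:%S UTC"),
                "hidden": is_hidden(st, name),
                "sha256": sha256_of(full),
            })
    records.sort(key=lambda r: r["path"])
    return records


def same_file(path_a, path_b):
    """True when two copies are byte-identical, e.g. sfcfiles.dll taken from the
    clean machine versus the copy placed in system32 on the infected one."""
    return sha256_of(path_a) == sha256_of(path_b)


def demo_tree():
    """Create a throwaway folder shaped like the thread's (constructed data).
    Returns (root, path_of_the_sample_file)."""
    root = tempfile.mkdtemp(prefix="peek_")
    sub = os.path.join(root, "jI06509AhOlC06509")
    os.makedirs(sub)
    sample = os.path.join(sub, "jI06509AhOlC06509")
    with open(sample, "wb") as f:
        f.write(b"\x00" * 192)   # 192 bytes, the size shown in the posted dir output
    return root, sample


if __name__ == "__main__":
    root, _sample = demo_tree()
    for rec in peek(root):
        flag = "H" if rec["hidden"] else "-"
        print(f"{rec['mtime']}  {rec['size']:>10}  {flag}  {rec['sha256']}  {rec['path']}")
```

Run it as-is to see the constructed folder, or call `peek(r"c:\documents and settings\All Users\Application Data\jI06509AhOlC06509")` on the real path. `same_file()` is the check to run after the sfcfiles.dll copy in this post: if the two copies hash differently, the file on the infected machine is not the one you brought over.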
Old 05-23-2011, 01:08 PM   #11
Registered Member

Hi chemist,

Here are the contents of the peek.bat file:

@echo off
if exist log.txt del /s/q log.txt
dir /a /s "c:\documents and settings\All Users\Application Data\jI06509AhOlC06509" > log.txt
notepad log.txt
del %0

I have copied c:\windows\system32\sfcfiles.dll onto this machine from the other, to the same location. It asked me to replace the existing file, so I did. Right?

Also, I should mention that the list of my programs is back in the Start menu, but most of them are empty and Firefox is completely gone.
dragon-lilly is offline  
Old 05-23-2011, 01:51 PM   #12
Security Team

Hello again, dragon-lilly.

Please download this file and run it.

Are your programs back now?

------------------------------------------------------

If you copied the file to this folder, then yes, correct:

c:\windows\system32

------------------------------------------------------

It appears you copy/pasted the contents of the peek.bat file, while I wanted you to double-click peek.bat and let it run, which will produce a log.txt file. That's what I need to see the contents of, the log.txt file it generates.

Please do this again:

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
if exist log.txt del /s/q log.txt
dir /a /s "c:\documents and settings\All Users\Application Data\jI06509AhOlC06509" > log.txt
notepad log.txt
del %0
Save this as peek.bat and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on peek.bat and allow it to run. A Notepad file will open. Post the contents of that file in your next reply.

------------------------------------------------------
chemist is offline  
Old 05-23-2011, 03:07 PM   #13
Registered Member

Oh, sorry. I have done as you asked, but when I copied it, it mustn't have worked for some reason. Here it is now :)

Volume in drive C has no label.
Volume Serial Number is C0E0-4F06
Directory of c:\documents and settings\All Users\Application Data\jI06509AhOlC06509
05/17/2011 02:02 PM <DIR> .
05/17/2011 02:02 PM <DIR> ..
05/17/2011 01:24 PM 192 jI06509AhOlC06509
1 File(s) 192 bytes
Total Files Listed:
1 File(s) 192 bytes
2 Dir(s) 9,495,453,696 bytes free


The programs aren't back. I am unable to post a pic as I do not appear to have Paint either; I tried to find it by running the file name "paint". Is this right?

When I'm in Start - All Programs - Accessories - System Tools, all that is listed there is IE (no add-ons).
dragon-lilly is offline  
Old 05-23-2011, 03:14 PM   #14
Registered Member

I could try adding it via Add/Remove Windows Components, but I will wait for your reply :)
dragon-lilly is offline  
Old 05-23-2011, 03:20 PM   #15
Security Team

Hello again, dragon-lilly. Try mspaint, but no need for a screenshot. Let's see what happens after running ComboFix again.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
https://www.techsupportforum.com/forums/f50/xp-security-2011-malware-removal-tool-574366.html#post3277912

Collect::
c:\windows\uyodehibe.dll

Folder::
c:\documents and settings\All Users\Application Data\jI06509AhOlC06509

DDS::
uInternet Connection Wizard,ShellNext = iexplore

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=dword:00000000
Save this Notepad file as CFScript.txt to your Desktop and then close the file.

Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
------------------------------------------------------
chemist is offline  
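The Registry:: section of the CFScript above resets four values: the two Security Center override flags (which, when set to 1, silence Security Center's warnings about missing antivirus or firewall) and the standard-profile firewall policy (EnableFirewall back to 1, DisableNotifications back to 0). ComboFix prints registry data in the same REGEDIT4-style text that CFScript consumes, so the same values can be checked from a log before and after the fix. The script below is an added example, not chemist's code and not part of ComboFix; it parses that text form and reports every value that differs from what the CFScript writes. The two fragments in it are constructed for the example.

```python
"""Check the Security Center and firewall-policy values the CFScript resets,
reading them from a registry fragment in the REGEDIT4 text form that ComboFix
prints and CFScript consumes.

Added example, not from the thread or from ComboFix. The two fragments below are
constructed; the expected values are the ones the CFScript writes.
"""
import re

# Target state, taken from the Registry:: section of the CFScript.
EXPECTED = {
    r"HKEY_LOCAL_MACHINE\software\microsoft\security center": {
        "AntiVirusOverride": 0,    # 1 suppresses Security Center's missing/disabled-AV warning
        "FirewallOverride": 0,     # 1 does the same for the firewall warning
    },
    r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile": {
        "EnableFirewall": 1,
        "DisableNotifications": 0,
    },
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _parse_value(raw):
    """Decode dword: and quoted-string values; anything else (hex:, continuation lines) is kept raw."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace("\\\\", "\\")
    return raw


def parse_reg_fragment(text):
    """Return {key_path_lowercased: {value_name: value}}.
    ComboFix prints key paths in mixed case, so keys are folded to lower case;
    its '.' spacer lines and the REGEDIT4 header are ignored."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "." or line.startswith("REGEDIT"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = _parse_value(m.group(2))
    return keys


def check_security_center(parsed):
    """Return (key, value_name, found, expected) for each value missing or different from EXPECTED."""
    findings = []
    for key, wanted in EXPECTED.items():
        present = parsed.get(key.lower(), {})
        for name, want in wanted.items():
            got = present.get(name)
            if got != want:
                findings.append((key, name, got, want))
    return findings


# Constructed fragment: what a rogue that silences Security Center and drops the firewall leaves behind.
WEAKENED = r"""
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000000
"DisableNotifications"=dword:00000001
"""

# Constructed fragment: the state after the CFScript's Registry:: section is applied.
CLEAN = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=dword:00000000
"""

if __name__ == "__main__":
    for label, fragment in (("weakened", WEAKENED), ("clean", CLEAN)):
        findings = check_security_center(parse_reg_fragment(fragment))
        print(f"{label}: {len(findings)} value(s) off")
        for key, name, got, want in findings:
            print(f"  [{key}] {name}: found {got!r}, expected {want!r}")
```

A missing value is reported the same way as a wrong one (found `None`), which is what you want when a log simply does not show the key: absence of the firewall-policy key is not evidence the firewall is on. The parser keeps unknown value syntaxes as raw strings rather than failing, so it can be pointed at a whole ComboFix log and still pick out the dword values that matter here.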
Old 05-23-2011, 03:25 PM   #16
Registered Member

I don't have any antivirus on this machine yet, and yesterday it's done a Windows Update on its own.
dragon-lilly is offline  
Old 05-23-2011, 03:41 PM   #17
Security Team

Follow the last instructions and we'll install an antivirus afterward.
chemist is offline  
Old 05-23-2011, 04:04 PM   #18
Registered Member

ComboFix 11-05-23.02 - Administrator 05/24/2011 8:35.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.674 [GMT 10:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix_N.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
file zipped: c:\windows\uyodehibe.dll
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\PriceGong
c:\documents and settings\Administrator\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\z.xml
c:\documents and settings\All Users\Application Data\jI06509AhOlC06509
c:\documents and settings\All Users\Application Data\jI06509AhOlC06509\jI06509AhOlC06509
c:\windows\uyodehibe.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-04-23 to 2011-05-23 )))))))))))))))))))))))))))))))
.
.
2011-05-23 22:30 . 2011-05-23 22:32 -------- d-----w- C:\ComboFix_N
2011-05-23 20:04 . 2008-04-14 00:12 1614848 ----a-w- c:\windows\system32\sfcfiles.dll
2011-05-23 09:16 . 2008-04-13 19:42 221184 ----a-w- c:\windows\system32\wmpns.dll
2011-05-23 05:25 . 2011-02-22 23:06 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-05-23 00:00 . 2008-10-16 15:07 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2011-05-23 00:00 . 2008-10-16 15:07 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-05-11 10:04 . 2011-04-14 16:25 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-11 10:04 . 2011-04-14 16:25 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-11 10:04 . 2011-04-14 16:25 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-11 10:04 . 2011-04-14 16:25 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-11 10:04 . 2011-04-14 16:25 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-11 10:04 . 2010-01-01 08:00 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-11 10:04 . 2011-04-14 16:26 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-05-11 10:04 . 2010-01-01 08:00 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 06:20 . 2011-04-06 06:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 06:20 . 2011-04-06 06:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 06:20 . 2011-04-06 06:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 06:20 . 2011-04-06 06:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33 . 2010-02-02 08:17 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2008-04-13 19:42 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2008-04-13 15:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2008-04-13 19:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 23:06 . 2008-04-13 19:42 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2008-04-13 19:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-14 16:26 . 2011-05-11 10:04 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-12-28 06:00 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngin0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
2011-01-17 14:54 175912 ----a-w- c:\program files\Softonic-Eng7\prxtbSof0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D187A56B-A33F-4CBE-9D77-459FC0BAE012}]
2010-02-13 09:14 815104 ----a-w- c:\program files\Burn4Free Toolbar\v3.3.0.3\Burn4Free_Toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= "c:\program files\Burn4Free Toolbar\v3.3.0.3\Burn4Free_Toolbar.dll" [2010-02-13 815104]
"{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\prxtbSof0.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngin0.dll" [2010-12-28 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]
.
[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= "c:\program files\Burn4Free Toolbar\v3.3.0.3\Burn4Free_Toolbar.dll" [2010-02-13 815104]
"{414B6D9D-4A95-4E8D-B5B1-149DD2D93BB3}"= "c:\program files\Softonic-Eng7\prxtbSof0.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngin0.dll" [2010-12-28 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]
.
[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2010-12-03 274608]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-08 03:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dodo Speed Accelerator.lnk]
backup=c:\windows\pss\Dodo Speed Accelerator.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 13:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
2005-02-28 10:53 53248 ----a-r- c:\windows\VM_STI.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-13 19:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link D-Link DWA-125]
2009-10-19 09:03 995328 ----a-w- c:\program files\D-Link\DWA-125 revA\AirGCFG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-01 06:39 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2004-11-01 22:59 126976 ----a-r- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-11-01 23:03 155648 ----a-r- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-14 01:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-13 19:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2009-11-09 03:17 180224 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 07:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-01-03 05:44 15028104 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SlipStream]
2010-06-30 12:32 344064 ----a-w- c:\program files\Dodo Speed Accelerator\slipcore.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 01:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2010-07-06 14:01 2634048 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WZCSLDR2]
2009-10-19 08:39 122880 ----a-w- c:\program files\D-Link\DWA-125 revA\WZCSLDR2.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 ANPD;ANPD Service;c:\windows\system32\ANPD.SYS [7/15/2010 7:06 PM 29411]
R2 D_Link_DWA-125;D_Link_DWA-125 Service;c:\program files\D-Link\DWA-125 revA\ANIWZCSdS.exe [7/15/2010 7:06 PM 126976]
R2 D_Link_DWA-125_WPS;D_Link_DWA-125_WPS Service;c:\program files\D-Link\DWA-125 revA\ANIWConnService.exe [7/15/2010 7:06 PM 40960]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/8/2010 1:11 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/17/2010 3:40 PM 12856]
R2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [1/13/2010 12:57 AM 185640]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [9/22/2010 8:17 PM 112640]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/5/2010 4:30 PM 691696]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 01:50]
.
2011-04-09 c:\windows\Tasks\File Helper.job
- c:\program files\File Helper\1.1.0.10\FileHelper.exe [2010-02-05 08:25]
.
2011-05-23 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-11-13 01:21]
.
2011-05-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1708537768-1563985344-1606980848-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 01:33]
.
2011-05-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1708537768-1563985344-1606980848-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 01:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>;*.local
LSP: c:\progra~1\DODOSP~1\sliplsp.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\08s7hbz3.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b693c2a&v=6.103.018.001&i=23&tp=ab&iy=&ychte=au&lng=en-US&q=
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-05-24 08:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1708537768-1563985344-1606980848-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,af,8b,1a,77,73,28,b9,4a,9e,20,93,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,13,cf,fe,6b,f8,c7,41,a0,1d,25,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(2068)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\TeamViewer\Version5\TeamViewer.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-05-24 08:54:44 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-23 22:54
ComboFix2.txt 2011-05-23 00:39
ComboFix3.txt 2010-05-15 21:10
.
Pre-Run: 9,451,102,208 bytes free
Post-Run: 9,505,030,144 bytes free
.
- - End Of File - - 7E080554529C395B97DC021886E0B951
Upload was successful
dragon-lilly is offline  
Old 05-23-2011, 05:18 PM   #19
Security Team

Hello again, dragon-lilly. Thanks for submitting the file. Please tell us how your system is behaving. Same problem with programs?

If you were planning on installing AVG again, you'll have to wait until we uninstall ComboFix.

For now, try AntiVir's Avira, a good, free antivirus:

Avira AntiVir Personal - Free Antivirus

Double-click avira_antivir_personal_en.exe and follow the prompts to install it.

Update Avira and run a full system scan.

At the end of the scan, click 'Apply now', then 'Report' and post the log in your next reply.

------------------------------------------------------
chemist is offline  
Old 05-24-2011, 02:38 AM   #20
Registered Member

The programs are still missing in action and Firefox is completely gone.

Here is the output of Avira:


Avira AntiVir Personal
Report file date: Tuesday, May 24, 2011 15:41
Scanning for 2756946 virus strains and unwanted programs.
The program is running as an unrestricted full version.
Online services are available:
Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : NASE
Version information:
BUILD.DAT : 10.0.0.648 31823 Bytes 4/1/2011 18:36:00
AVSCAN.EXE : 10.0.4.2 442024 Bytes 4/1/2011 07:07:43
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2011 07:07:57
LUKE.DLL : 10.0.3.2 104296 Bytes 4/1/2011 07:07:53
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/10/2010 14:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 00:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 06:15:47
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 06:15:47
VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 05:33:22
VBASE004.VDF : 7.11.5.226 2048 Bytes 4/7/2011 05:33:22
VBASE005.VDF : 7.11.5.227 2048 Bytes 4/7/2011 05:33:23
VBASE006.VDF : 7.11.5.228 2048 Bytes 4/7/2011 05:33:23
VBASE007.VDF : 7.11.5.229 2048 Bytes 4/7/2011 05:33:24
VBASE008.VDF : 7.11.5.230 2048 Bytes 4/7/2011 05:33:24
VBASE009.VDF : 7.11.5.231 2048 Bytes 4/7/2011 05:33:24
VBASE010.VDF : 7.11.5.232 2048 Bytes 4/7/2011 05:33:25
VBASE011.VDF : 7.11.5.233 2048 Bytes 4/7/2011 05:33:25
VBASE012.VDF : 7.11.5.234 2048 Bytes 4/7/2011 05:33:26
VBASE013.VDF : 7.11.6.28 158208 Bytes 4/11/2011 05:33:31
VBASE014.VDF : 7.11.6.74 116224 Bytes 4/13/2011 05:33:36
VBASE015.VDF : 7.11.6.113 137728 Bytes 4/14/2011 05:33:40
VBASE016.VDF : 7.11.6.150 146944 Bytes 4/18/2011 05:33:44
VBASE017.VDF : 7.11.6.192 138240 Bytes 4/20/2011 05:33:48
VBASE018.VDF : 7.11.6.237 156160 Bytes 4/22/2011 05:33:52
VBASE019.VDF : 7.11.7.45 427520 Bytes 4/27/2011 05:34:02
VBASE020.VDF : 7.11.7.64 192000 Bytes 4/28/2011 05:34:09
VBASE021.VDF : 7.11.7.97 182272 Bytes 5/2/2011 05:34:13
VBASE022.VDF : 7.11.7.127 467968 Bytes 5/4/2011 05:34:26
VBASE023.VDF : 7.11.7.183 185856 Bytes 5/9/2011 05:34:31
VBASE024.VDF : 7.11.7.218 133120 Bytes 5/11/2011 05:34:35
VBASE025.VDF : 7.11.7.234 139776 Bytes 5/11/2011 05:34:38
VBASE026.VDF : 7.11.8.16 147456 Bytes 5/13/2011 05:34:42
VBASE027.VDF : 7.11.8.46 169472 Bytes 5/17/2011 05:34:47
VBASE028.VDF : 7.11.8.109 181760 Bytes 5/24/2011 05:34:51
VBASE029.VDF : 7.11.8.110 2048 Bytes 5/24/2011 05:34:52
VBASE030.VDF : 7.11.8.111 2048 Bytes 5/24/2011 05:34:52
VBASE031.VDF : 7.11.8.114 18432 Bytes 5/24/2011 05:34:53
Engineversion : 8.2.4.242
AEVDF.DLL : 8.1.2.1 106868 Bytes 3/28/2011 06:15:27
AESCRIPT.DLL : 8.1.3.64 1606011 Bytes 5/24/2011 05:36:08
AESCN.DLL : 8.1.7.2 127349 Bytes 3/28/2011 06:15:27
AESBX.DLL : 8.1.3.2 254324 Bytes 3/28/2011 06:15:26
AERDL.DLL : 8.1.9.9 639347 Bytes 3/25/2011 02:21:38
AEPACK.DLL : 8.2.6.8 557430 Bytes 5/24/2011 05:35:58
AEOFFICE.DLL : 8.1.1.22 205178 Bytes 5/24/2011 05:35:50
AEHEUR.DLL : 8.1.2.119 3481976 Bytes 5/24/2011 05:35:48
AEHELP.DLL : 8.1.17.2 246135 Bytes 5/24/2011 05:35:09
AEGEN.DLL : 8.1.5.6 401780 Bytes 5/24/2011 05:35:06
AEEMU.DLL : 8.1.3.0 393589 Bytes 3/28/2011 06:15:19
AECORE.DLL : 8.1.20.5 196983 Bytes 5/24/2011 05:35:01
AEBB.DLL : 8.1.1.0 53618 Bytes 3/28/2011 06:15:19
AVWINLL.DLL : 10.0.0.0 19304 Bytes 3/28/2011 06:15:31
AVPREF.DLL : 10.0.0.0 44904 Bytes 4/1/2011 07:07:42
AVREP.DLL : 10.0.0.10 174120 Bytes 5/24/2011 05:36:10
AVREG.DLL : 10.0.3.2 53096 Bytes 4/1/2011 07:07:42
AVSCPLR.DLL : 10.0.4.2 84840 Bytes 4/1/2011 07:07:43
AVARKT.DLL : 10.0.22.6 231784 Bytes 4/1/2011 07:07:38
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 4/1/2011 07:07:41
SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 05:27:22
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/28/2011 06:15:30
NETNT.DLL : 10.0.0.0 11624 Bytes 3/28/2011 06:15:39
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 4/1/2011 07:07:58
RCTEXT.DLL : 10.0.58.0 97128 Bytes 3/28/2011 06:15:52
Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, I:, J:, K:, L:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Start of the scan: Tuesday, May 24, 2011 15:41
Starting search for hidden objects.
c:\windows\system32\ntmsdata\ntmsjrnl
c:\windows\system32\ntmsdata\ntmsjrnl
[NOTE] The file is not visible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc\Config\Standalone\drivelist
[NOTE] The registry entry is invisible.
c:\program files\logmein\x86\lmiguardiansvc.exe
c:\program files\logmein\x86\lmiguardiansvc.exe
[NOTE] The process is not visible.
c:\program files\logmein\x86\lmiguardiansvc.exe
The scan of running processes will be started
Scan process 'msdtc.exe' - '40' Module(s) have been scanned
Scan process 'dllhost.exe' - '61' Module(s) have been scanned
Scan process 'dllhost.exe' - '45' Module(s) have been scanned
Scan process 'vssvc.exe' - '48' Module(s) have been scanned
Scan process 'avscan.exe' - '70' Module(s) have been scanned
Scan process 'avcenter.exe' - '104' Module(s) have been scanned
Scan process 'avgnt.exe' - '50' Module(s) have been scanned
Scan process 'sched.exe' - '53' Module(s) have been scanned
Scan process 'avshadow.exe' - '26' Module(s) have been scanned
Scan process 'avguard.exe' - '56' Module(s) have been scanned
Scan process 'iexplore.exe' - '119' Module(s) have been scanned
Scan process 'iexplore.exe' - '118' Module(s) have been scanned
Scan process 'iexplore.exe' - '71' Module(s) have been scanned
Scan process 'iPodService.exe' - '29' Module(s) have been scanned
Scan process 'alg.exe' - '35' Module(s) have been scanned
Scan process 'ctfmon.exe' - '25' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '71' Module(s) have been scanned
Scan process 'LogMeInSystray.exe' - '49' Module(s) have been scanned
Scan process 'realsched.exe' - '28' Module(s) have been scanned
Scan process 'TeamViewer.exe' - '83' Module(s) have been scanned
Scan process 'TeamViewer_Service.exe' - '31' Module(s) have been scanned
Scan process 'svchost.exe' - '39' Module(s) have been scanned
Scan process 'LogMeIn.exe' - '85' Module(s) have been scanned
Scan process 'RaMaint.exe' - '45' Module(s) have been scanned
Scan process 'LMIGuardianSvc.exe' - '29' Module(s) have been scanned
Scan process 'jqs.exe' - '35' Module(s) have been scanned
Scan process 'ANIWConnService.exe' - '16' Module(s) have been scanned
Scan process 'ANIWZCSdS.exe' - '42' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '36' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '48' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'Explorer.EXE' - '102' Module(s) have been scanned
Scan process 'spoolsv.exe' - '55' Module(s) have been scanned
Scan process 'svchost.exe' - '38' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'svchost.exe' - '169' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'svchost.exe' - '53' Module(s) have been scanned
Scan process 'lsass.exe' - '58' Module(s) have been scanned
Scan process 'services.exe' - '36' Module(s) have been scanned
Scan process 'winlogon.exe' - '74' Module(s) have been scanned
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'I:\'
[INFO] No virus was found!
Boot sector 'J:\'
[INFO] No virus was found!
Boot sector 'K:\'
[INFO] No virus was found!
Boot sector 'L:\'
[INFO] No virus was found!
Starting to scan executable files (registry).
The registry was scanned ( '1712' files ).

Starting the file scan:
Begin scan in 'C:\'
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\11\16818dcb-25357e36
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/OpenConnect.CF Java virus
--> bpac/a.class
[DETECTION] Contains recognition pattern of the JAVA/OpenConnect.CF Java virus
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\19\30d181d3-1ccb1777
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/OpenConnect.CF Java virus
--> bpac/a.class
[DETECTION] Contains recognition pattern of the JAVA/OpenConnect.CF Java virus
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\32\5a2969e0-74d71254
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the EXP/CVE-2008-5353.SN exploit
--> yahoo/ConfMgr.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2008-5353.SN exploit
--> yahoo/InfoCtrl.class
[DETECTION] Contains recognition pattern of the JAVA/Pesc.H Java virus
--> yahoo/PlayMgr.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2008-5353.QV exploit
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\40\7e9aea8-531ecc71
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/OpenConnect.CF Java virus
--> bpac/a.class
[DETECTION] Contains recognition pattern of the JAVA/OpenConnect.CF Java virus
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\7f5814ee-67a0758e
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/OpenConnect.CF Java virus
--> bpac/a.class
[DETECTION] Contains recognition pattern of the JAVA/OpenConnect.CF Java virus
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\5\293c1cc5-6495790c
[DETECTION] Is the TR/Crypt.XPACK.Gen5 Trojan
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\53\11754f35-31e78582
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Mesdeh.D Java virus
--> a6a7a760c0e
[DETECTION] Contains recognition pattern of the JAVA/Mesdeh.D Java virus
--> a.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0094.F.8 exploit
--> aa79d1019d8.class
[DETECTION] Contains recognition pattern of the JAVA/C-2008-5353.VN Java virus
--> a4cb9b1a8a5.class
[DETECTION] Contains recognition pattern of the JAVA/Mesdeh.F Java virus
--> a66d578f084.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.EZ Java virus
--> ab16db71cdc.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.FH Java virus
--> ab5601d4848.class
[DETECTION] Contains recognition pattern of the JAVA/C-2008-5353.VW Java virus
--> ae28546890f.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.FJ Java virus
--> af439f03798.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.FK Java virus
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\53\5a674435-31011c22
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Agent.AL.1 Java virus
--> JavaUpdateApplication.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.AL.1 Java virus
--> JavaUpdateManager.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.AN Java virus
C:\Documents and Settings\Administrator\My Documents\Downloads\Nero 9 Reloaded.rar
[0] Archive type: RAR
[DETECTION] Is the TR/Dropper.Gen Trojan
--> Nero-9 Reloaded\Keymaker\General-CleanTool.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
--> Nero-9 Reloaded\Keymaker\Keygen.Nero.9.4.26.0 v5.55.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\Qoobox\Quarantine\[4]-Submit_2011-05-24_08.35.37.zip
[0] Archive type: ZIP
[DETECTION] Is the TR/Downloader.Gen Trojan
--> uyodehibe.dll
[DETECTION] Is the TR/Downloader.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\uyodehibe.dll.vir
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\afd.sys.vir_
[DETECTION] Is the TR/Rootkit.Gen3 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\mouclass.sys.vir
[DETECTION] Is the TR/Rootkit.Gen3 Trojan
C:\System Volume Information\_restore{449429DF-55CC-414C-9BA8-C7FA48B47D32}\RP333\A0079940.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{449429DF-55CC-414C-9BA8-C7FA48B47D32}\RP341\A0081495.sys
[DETECTION] Is the TR/Rootkit.Gen3 Trojan
C:\System Volume Information\_restore{449429DF-55CC-414C-9BA8-C7FA48B47D32}\RP343\A0082374.dll
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
Begin scan in 'I:\' <spare gig>
Begin scan in 'J:\' <iće's drive>
Begin scan in 'K:\' <lilly's drive>
K:\music grouped\Shared limewire\Nero Burning Rom v6.3 Ultra Edition (Incl Mpeg2 Dvd &Svcd & Mp3-Mp3Pro & Wma Plugins Repack By Shauwny)3.zip
[0] Archive type: ZIP
[DETECTION] Is the TR/Agent.HABR Trojan
--> Nero Burning ROM v6.3/Keygen.exe
[DETECTION] Is the TR/Agent.HABR Trojan
K:\My Documents 1\Lilly's Documents\Restore\JPG\!ACQ2MOY_553+W,WJQEG4Z[1].jpg
[0] Archive type: CAB (Microsoft)
--> package_description.xml
[WARNING] The file could not be read!
K:\My Documents 1\Lilly's Documents\Restore\JPG\honeymoon part 2 025.jpg
[DETECTION] Contains recognition pattern of the HTML/Silly.Gen HTML script virus
K:\utorrent apps\Adobe_Acrobat_Professional_8.1.2_+KEYGEN__WORKING_NO_VIRUS_NO_PASSWORD_NOT_FAKE.zip
[0] Archive type: ZIP
[DETECTION] Is the TR/Agent.53760.O Trojan
--> keygen.exe
[DETECTION] Is the TR/Agent.53760.O Trojan
Begin scan in 'L:\' <movies and patrik's drive>
Beginning disinfection:
K:\utorrent apps\Adobe_Acrobat_Professional_8.1.2_+KEYGEN__WORKING_NO_VIRUS_NO_PASSWORD_NOT_FAKE.zip
[DETECTION] Is the TR/Agent.53760.O Trojan
[NOTE] The file was moved to the quarantine directory under the name '44c8dca4.qua'.
K:\My Documents 1\Lilly's Documents\Restore\JPG\honeymoon part 2 025.jpg
[DETECTION] Contains recognition pattern of the HTML/Silly.Gen HTML script virus
[NOTE] The file was moved to the quarantine directory under the name '5c5cf39a.qua'.
K:\music grouped\Shared limewire\Nero Burning Rom v6.3 Ultra Edition (Incl Mpeg2 Dvd &Svcd & Mp3-Mp3Pro & Wma Plugins Repack By Shauwny)3.zip
[DETECTION] Is the TR/Agent.HABR Trojan
[NOTE] The file was moved to the quarantine directory under the name '0e07a968.qua'.
C:\System Volume Information\_restore{449429DF-55CC-414C-9BA8-C7FA48B47D32}\RP343\A0082374.dll
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
[NOTE] The file was moved to the quarantine directory under the name '6876e680.qua'.
C:\System Volume Information\_restore{449429DF-55CC-414C-9BA8-C7FA48B47D32}\RP341\A0081495.sys
[DETECTION] Is the TR/Rootkit.Gen3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '2df2cbbe.qua'.
C:\System Volume Information\_restore{449429DF-55CC-414C-9BA8-C7FA48B47D32}\RP333\A0079940.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '52e9f9df.qua'.
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\mouclass.sys.vir
[DETECTION] Is the TR/Rootkit.Gen3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '1e0ad5d5.qua'.
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\afd.sys.vir_
[DETECTION] Is the TR/Rootkit.Gen3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '627d95fe.qua'.
C:\Qoobox\Quarantine\C\WINDOWS\uyodehibe.dll.vir
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
[NOTE] The file was moved to the quarantine directory under the name '4f52bac6.qua'.
C:\Qoobox\Quarantine\[4]-Submit_2011-05-24_08.35.37.zip
[DETECTION] Is the TR/Downloader.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '56488117.qua'.
C:\Documents and Settings\Administrator\My Documents\Downloads\Nero 9 Reloaded.rar
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '3a61ad19.qua'.
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\53\5a674435-31011c22
[DETECTION] Contains recognition pattern of the JAVA/Agent.AN Java virus
[NOTE] The file was moved to the quarantine directory under the name '4b84956b.qua'.
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\53\11754f35-31e78582
[DETECTION] Contains recognition pattern of the JAVA/Agent.FK Java virus
[NOTE] The file was moved to the quarantine directory under the name '459da5dc.qua'.
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\5\293c1cc5-6495790c
[DETECTION] Is the TR/Crypt.XPACK.Gen5 Trojan
[NOTE] The file was moved to the quarantine directory under the name '00a8dc86.qua'.
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\7f5814ee-67a0758e
[DETECTION] Contains recognition pattern of the JAVA/OpenConnect.CF Java virus
[NOTE] The file was moved to the quarantine directory under the name '09bdd87f.qua'.
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\40\7e9aea8-531ecc71
[DETECTION] Contains recognition pattern of the JAVA/OpenConnect.CF Java virus
[NOTE] The file was moved to the quarantine directory under the name '51f8c111.qua'.
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\32\5a2969e0-74d71254
[DETECTION] Contains recognition pattern of the EXP/CVE-2008-5353.QV exploit
[NOTE] The file was moved to the quarantine directory under the name '7d15b8e1.qua'.
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\19\30d181d3-1ccb1777
[DETECTION] Contains recognition pattern of the JAVA/OpenConnect.CF Java virus
[NOTE] The file was moved to the quarantine directory under the name '43d9d84a.qua'.
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\11\16818dcb-25357e36
[DETECTION] Contains recognition pattern of the JAVA/OpenConnect.CF Java virus
[NOTE] The file was moved to the quarantine directory under the name '20fbf323.qua'.

End of the scan: Tuesday, May 24, 2011 19:23
Used time: 3:24:58 Hour(s)
The scan has been done completely.
9385 Scanned directories
372168 Files were scanned
31 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
19 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
372137 Files not concerned
2179 Archives were scanned
1 Warnings
22 Notes
302654 Objects were scanned with rootkit scan
4 Hidden objects were found
dragon-lilly is offline  