Jacee help with HJT Log Please
-
OK, I don't want to show how much of an idiot I am and appear not able to follow instructions, but there was no disclaimer that appeared, nor anywhere I could select any option 2, but I did let it run its course and it was uninstalled. I downloaded a new one and scanned; here are both logs.
P.S. I do have my torrent client running on startup; of course I can stop it from starting up and do another scan.
ComboFix 09-04-25.A3 - Carson 04/25/2009 21:55.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.382.93 [GMT -7:00]
Running from: c:\documents and settings\Carson\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090425-0] *On-access scanning disabled* (Updated)
FW: ZoneAlarm Pro Firewall *disabled*
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\Carson\LOCALS~1\Temp\swt-win32-3430.dll
c:\documents and settings\Carson\Local Settings\temp\swt-win32-3430.dll
c:\windows\system32\Pncrt.dll
.
((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.
2009-04-25 22:05 . 2009-04-25 22:05 -------- d-----w c:\documents and settings\Carson\Application Data\Malwarebytes
2009-04-25 22:05 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-25 22:05 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-25 22:05 . 2009-04-25 22:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-25 22:05 . 2009-04-25 22:05 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-25 22:02 . 2009-04-25 22:02 -------- d-----w c:\program files\Alwil Software
2009-04-23 07:10 . 2004-08-04 12:00 28288 -c--a-w c:\windows\system32\dllcache\xjis.nls
2009-04-23 07:08 . 2004-08-04 12:00 4096 -c--a-w c:\windows\system32\dllcache\rpcref.dll
2009-04-23 07:07 . 2004-08-04 12:00 22016 -c--a-w c:\windows\system32\dllcache\logscrpt.dll
2009-04-23 07:06 . 2004-08-04 12:00 39936 -c--a-w c:\windows\system32\dllcache\hostmib.dll
2009-04-23 07:05 . 2004-08-04 12:00 66082 -c--a-w c:\windows\system32\dllcache\c_20838.nls
2009-04-23 07:04 . 2003-03-24 23:52 188494 -c--a-w c:\windows\system32\dllcache\fpcount.exe
2009-04-23 07:02 . 2009-04-23 07:02 488 ---ha-r c:\windows\system32\logonui.exe.manifest
2009-04-23 07:02 . 2009-04-23 07:02 749 ---ha-r c:\windows\WindowsShell.Manifest
2009-04-23 07:02 . 2009-04-23 07:02 749 ---ha-r c:\windows\system32\wuaucpl.cpl.manifest
2009-04-23 07:02 . 2009-04-23 07:02 749 ---ha-r c:\windows\system32\sapi.cpl.manifest
2009-04-23 07:02 . 2009-04-23 07:02 749 ---ha-r c:\windows\system32\nwc.cpl.manifest
2009-04-23 07:02 . 2009-04-23 07:02 749 ---ha-r c:\windows\system32\ncpa.cpl.manifest
2009-04-21 00:54 . 2009-04-21 00:54 615 ----a-w c:\windows\system32\6wkBX8Q.vbs
2009-04-18 21:52 . 2006-09-29 18:26 176165 ----a-w c:\windows\system32\drv23260.dll
2009-04-18 21:52 . 2006-09-29 18:25 208935 ----a-w c:\windows\system32\drv33260.dll
2009-04-18 21:52 . 2006-09-29 18:24 217127 ----a-w c:\windows\system32\drv43260.dll
2009-04-18 21:52 . 2009-04-18 21:52 -------- d-----w c:\program files\vso
2009-04-18 09:04 . 2009-04-20 04:00 -------- d-----w c:\documents and settings\Carson\Local Settings\Application Data\Corel
2009-04-18 09:03 . 2009-04-20 04:06 2828 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-04-18 09:03 . 2009-04-20 03:51 88 --sha-r c:\windows\system32\480696C863.sys
2009-04-18 09:02 . 2009-04-18 09:03 -------- d-----w c:\documents and settings\Carson\Application Data\Corel
2009-04-18 09:01 . 2009-04-18 09:01 -------- d-----w c:\documents and settings\All Users\Application Data\Corel
2009-04-18 08:55 . 2009-04-18 08:57 -------- d-----w c:\program files\Common Files\Corel
2009-04-18 08:43 . 2009-04-18 08:43 -------- d-----w c:\documents and settings\Carson\Application Data\InstallShield
2009-04-15 19:57 . 2009-04-15 19:57 56 ---ha-w c:\windows\system32\ezsidmv.dat
2009-04-15 19:57 . 2009-04-21 21:24 -------- d-----w c:\documents and settings\Carson\Application Data\skypePM
2009-04-15 19:54 . 2009-04-21 21:24 -------- d-----w c:\documents and settings\Carson\Application Data\Skype
2009-04-15 19:54 . 2009-04-15 19:54 -------- d-----w c:\program files\Common Files\Skype
2009-04-15 19:53 . 2009-04-15 19:54 -------- d-----r c:\program files\Skype
2009-04-15 19:53 . 2009-04-15 19:54 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-04-06 02:33 . 2009-04-06 02:33 -------- d-----w c:\program files\VSTplugins
2009-04-06 02:32 . 2009-04-06 02:32 -------- d-----w c:\documents and settings\Carson\Application Data\Publish Providers
2009-04-06 02:30 . 2009-04-06 02:30 -------- d-----w c:\documents and settings\Carson\Local Settings\Application Data\Sony
2009-04-06 02:30 . 2009-04-06 02:30 -------- d-----w c:\documents and settings\Carson\Application Data\Sony
2009-04-06 00:56 . 2009-04-06 02:29 34 ----a-w c:\windows\cdplayer.ini
2009-04-02 23:40 . 2009-04-02 23:40 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-04-01 22:54 . 2009-04-01 22:54 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-04-01 22:54 . 2009-04-20 00:03 -------- d-----w c:\program files\Google
2009-04-01 22:54 . 2009-04-18 21:50 -------- d-----w c:\documents and settings\Carson\Local Settings\Application Data\Google
2009-03-31 04:19 . 2009-03-31 04:19 -------- d-----w c:\documents and settings\Carson\Local Settings\Application Data\WinAVI
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 05:03 . 2009-02-11 06:56 -------- d-----w c:\documents and settings\Carson\Application Data\Azureus
2009-04-26 03:14 . 2009-02-20 00:14 -------- d-----w c:\program files\Trojan Remover
2009-04-25 19:22 . 2009-02-11 08:27 -------- d-----w c:\documents and settings\Carson\Application Data\Vso
2009-04-25 08:31 . 2009-03-04 21:53 -------- d-----w c:\documents and settings\All Users\Application Data\Vso
2009-04-25 07:10 . 2009-02-11 06:41 4212 ---h--w c:\windows\system32\zllictbl.dat
2009-04-24 09:04 . 2009-03-13 09:34 -------- d-----w c:\documents and settings\Carson\Application Data\Any Video Converter Professional
2009-04-23 07:40 . 2009-02-11 06:46 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-23 07:00 . 2009-02-11 06:12 22720 ----a-w c:\windows\system32\emptyregdb.dat
2009-04-23 01:23 . 2009-04-23 01:24 2075136 ----a-w c:\windows\Internet Logs\xDB10.tmp
2009-04-22 22:22 . 2009-02-25 02:02 -------- d-----w c:\documents and settings\Carson\Application Data\LimeWire
2009-04-20 08:57 . 2009-02-25 02:00 -------- d-----w c:\program files\Java
2009-04-18 21:44 . 2009-04-18 21:46 68608 ----a-w c:\windows\Internet Logs\xDBE.tmp
2009-04-18 21:44 . 2009-04-18 21:46 3340800 ----a-w c:\windows\Internet Logs\xDBF.tmp
2009-04-18 21:35 . 2009-04-18 21:37 3335680 ----a-w c:\windows\Internet Logs\xDBD.tmp
2009-04-18 21:35 . 2009-04-18 21:37 2895872 ----a-w c:\windows\Internet Logs\xDBC.tmp
2009-04-15 20:33 . 2009-03-21 06:05 268 ---ha-w C:\sqmdata18.sqm
2009-04-15 20:33 . 2009-03-21 06:05 244 ---ha-w C:\sqmnoopt18.sqm
2009-04-14 04:46 . 2009-03-21 04:13 244 ---ha-w C:\sqmnoopt17.sqm
2009-04-14 04:46 . 2009-03-21 04:13 232 ---ha-w C:\sqmdata17.sqm
2009-04-14 04:46 . 2009-03-21 04:13 244 ---ha-w C:\sqmnoopt16.sqm
2009-04-14 04:46 . 2009-03-21 04:13 232 ---ha-w C:\sqmdata16.sqm
2009-04-11 17:02 . 2009-03-18 21:20 244 ---ha-w C:\sqmnoopt15.sqm
2009-04-11 17:02 . 2009-03-18 21:20 232 ---ha-w C:\sqmdata15.sqm
2009-04-11 00:49 . 2009-03-18 21:08 244 ---ha-w C:\sqmnoopt14.sqm
2009-04-11 00:49 . 2009-03-18 21:08 232 ---ha-w C:\sqmdata14.sqm
2009-04-11 00:46 . 2009-03-18 21:06 232 ---ha-w C:\sqmdata13.sqm
2009-04-11 00:46 . 2009-03-18 21:06 244 ---ha-w C:\sqmnoopt13.sqm
2009-04-09 03:18 . 2009-03-18 17:34 244 ---ha-w C:\sqmnoopt12.sqm
2009-04-09 03:18 . 2009-03-18 17:34 232 ---ha-w C:\sqmdata12.sqm
2009-04-09 03:13 . 2009-03-18 17:32 244 ---ha-w C:\sqmnoopt11.sqm
2009-04-09 03:13 . 2009-03-18 17:32 232 ---ha-w C:\sqmdata11.sqm
2009-04-09 03:08 . 2009-03-17 14:04 232 ---ha-w C:\sqmdata10.sqm
2009-04-09 03:08 . 2009-03-17 14:04 244 ---ha-w C:\sqmnoopt10.sqm
2009-04-05 04:00 . 2009-03-17 14:01 244 ---ha-w C:\sqmnoopt09.sqm
2009-04-05 04:00 . 2009-03-17 14:01 232 ---ha-w C:\sqmdata09.sqm
2009-04-04 21:55 . 2009-03-17 14:00 244 ---ha-w C:\sqmnoopt08.sqm
2009-04-04 21:55 . 2009-03-17 14:00 232 ---ha-w C:\sqmdata08.sqm
2009-04-03 07:54 . 2009-04-03 07:56 3200000 ----a-w c:\windows\Internet Logs\xDBB.tmp
2009-04-03 07:54 . 2009-04-03 07:56 2880000 ----a-w c:\windows\Internet Logs\xDBA.tmp
2009-03-30 18:34 . 2009-03-17 00:37 244 ---ha-w C:\sqmnoopt07.sqm
2009-03-30 18:34 . 2009-03-17 00:37 232 ---ha-w C:\sqmdata07.sqm
2009-03-30 18:30 . 2009-03-17 00:36 244 ---ha-w C:\sqmnoopt06.sqm
2009-03-30 18:30 . 2009-03-17 00:36 232 ---ha-w C:\sqmdata06.sqm
2009-03-30 18:25 . 2009-03-15 19:16 232 ---ha-w C:\sqmdata05.sqm
2009-03-30 18:25 . 2009-03-15 19:16 244 ---ha-w C:\sqmnoopt05.sqm
2009-03-30 01:52 . 2009-03-30 01:52 2243609 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-03-29 09:23 . 2009-02-26 11:04 -------- d-----w c:\documents and settings\Carson\Application Data\dvdcss
2009-03-27 22:16 . 2009-03-14 15:48 244 ---ha-w C:\sqmnoopt04.sqm
2009-03-27 22:16 . 2009-03-14 15:48 232 ---ha-w C:\sqmdata04.sqm
2009-03-27 18:38 . 2009-03-13 15:14 244 ---ha-w C:\sqmnoopt03.sqm
2009-03-27 18:38 . 2009-03-13 15:14 232 ---ha-w C:\sqmdata03.sqm
2009-03-25 04:46 . 2009-03-25 04:46 -------- d-----w c:\documents and settings\Carson\Application Data\TypingMaster7
2009-03-25 04:44 . 2009-03-25 04:44 -------- d-----w c:\program files\Common Files\Adobe
2009-03-24 06:49 . 2009-03-11 17:58 244 ---ha-w C:\sqmnoopt02.sqm
2009-03-24 06:49 . 2009-03-11 17:58 232 ---ha-w C:\sqmdata02.sqm
2009-03-24 06:44 . 2009-03-10 05:04 244 ---ha-w C:\sqmnoopt01.sqm
2009-03-24 06:44 . 2009-03-10 05:04 232 ---ha-w C:\sqmdata01.sqm
2009-03-23 21:12 . 2009-03-23 21:12 135037 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_23_13_04_54_small.dmp.zip
2009-03-23 04:45 . 2009-02-11 07:48 -------- d-----w c:\documents and settings\Carson\Application Data\Roxio
2009-03-22 17:41 . 2009-02-23 19:20 232 ---ha-w C:\sqmdata00.sqm
2009-03-22 17:41 . 2009-02-23 19:20 244 ---ha-w C:\sqmnoopt00.sqm
2009-03-21 06:28 . 2009-03-21 06:28 244 ---ha-w C:\sqmnoopt19.sqm
2009-03-21 06:28 . 2009-03-21 06:28 232 ---ha-w C:\sqmdata19.sqm
2009-03-10 06:40 . 2009-03-10 06:40 -------- d-----w c:\documents and settings\Carson\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-03-09 12:19 . 2009-02-25 02:00 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 06:19 . 2009-02-11 07:00 27712 ----a-w c:\documents and settings\Carson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-05 00:56 . 2009-03-05 00:56 -------- d-----w c:\program files\Microsoft ActiveSync
2009-03-05 00:55 . 2009-03-05 00:14 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-04 21:52 . 2009-03-04 21:52 47360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-03-04 21:52 . 2009-03-04 21:52 47360 ----a-w c:\documents and settings\Carson\Application Data\pcouffin.sys
2009-03-01 06:16 . 2009-03-01 06:16 -------- d-----w c:\documents and settings\Carson\Application Data\ACD Systems
2009-03-01 06:13 . 2009-03-01 06:12 -------- d-----w c:\program files\Common Files\ACD Systems
2009-03-01 06:12 . 2009-03-01 06:12 -------- d-----w c:\documents and settings\All Users\Application Data\ACD Systems
2009-02-28 19:14 . 2009-02-11 06:16 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-02-28 12:38 . 2009-02-28 12:41 2703872 ----a-w c:\windows\Internet Logs\xDB3.tmp
2009-02-28 12:35 . 2009-02-28 12:41 1259008 ----a-w c:\windows\Internet Logs\xDB2.tmp
2009-02-23 00:21 . 2009-02-23 00:23 2853888 ----a-w c:\windows\Internet Logs\xDB9.tmp
2009-02-20 09:03 . 2009-02-20 09:06 2837504 ----a-w c:\windows\Internet Logs\xDB8.tmp
2009-02-20 09:03 . 2009-02-20 09:06 1031168 ----a-w c:\windows\Internet Logs\xDB7.tmp
2009-02-18 17:44 . 2009-02-18 17:46 2802688 ----a-w c:\windows\Internet Logs\xDB6.tmp
2009-02-18 17:44 . 2009-02-18 17:46 2981888 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-02-17 23:27 . 2009-02-17 23:27 129024 ----a-w c:\windows\system32\pvubrcbb.dll
2009-02-16 16:52 . 2009-02-16 16:59 1424384 ----a-w c:\windows\Internet Logs\xDB4.tmp
2009-02-16 16:51 . 2009-02-16 17:00 684544 ----a-w c:\windows\Internet Logs\xDB5.tmp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="e:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Azureus Vuze.lnk - e:\program files\Azureus\Azureus.exe [2008-12-13 254976]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\iassam32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"e:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 gupdate1c9b31cd9abb7d3;Google Update Service (gupdate1c9b31cd9abb7d3);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-01 133104]
R3 laguna;laguna;c:\windows\system32\DRIVERS\cl546xm.sys [2001-08-17 248064]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-02-11 337800]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
--- Other Services/Drivers In Memory ---
*Deregistered* - vsmon
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2160b7f0-2fac-11de-a2ba-00b0d0925717}]
\Shell\AutoRun\command - G:\rcaeasyrip_setup.exe
\Shell\install\command - G:\rcaeasyrip_setup.exe
\Shell\usermanualEnglish\command - G:\rcaeasyrip_setup.exe /pdf_English
\Shell\usermanualFrench\command - G:\rcaeasyrip_setup.exe /pdf_French
\Shell\usermanualSpanish\command - G:\rcaeasyrip_setup.exe /pdf_Spanish
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cefb84d9-0626-11de-a290-00b0d0925717}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com g:
\Shell\Open\command - g:\resycled\boot.com g:
.
Contents of the 'Scheduled Tasks' folder
2009-04-26 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-01 22:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Carson\Application Data\Mozilla\Firefox\Profiles\4xisy04g.default\
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 22:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-04-26 22:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-26 05:07
ComboFix2.txt 2009-04-25 07:06
Pre-Run: 4,778,323,968 bytes free
Post-Run: 4,794,515,456 bytes free
240
hjt
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:21 PM, on 4/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Azureus\Azureus.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Carson\Desktop\HiJackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "E:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Azureus Vuze.lnk = E:\Program Files\Azureus\Azureus.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\System32\iassam32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Update Service (gupdate1c9b31cd9abb7d3) (gupdate1c9b31cd9abb7d3) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 4684 bytes
-
-
The worst part is MBAM won't even run if the computer is badly infected. I would recommend trying a SmitFraudFix scan.
-
Akkk! Keygens, cracks and trojans ..... oh my!
1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
Open Notepad (don't use any other text editor than Notepad or the script will fail).
Copy/paste the text in the quotebox below into Notepad:
File::
c:\windows\system32\6wkBX8Q.vbs
c:\windows\system32\480696C863.sys
c:\windows\system32\ezsidmv.dat
c:\windows\system32\pvubrcbb.dll
c:\windows\System32\iassam32.dll
Folder::
g:\resycled
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cefb84d9-0626-11de-a290-00b0d0925717}]
Save this as a text file named CFScript.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
Or
Disconnect from the Internet before carrying out the next instruction, and save the following script before you do.
Please post that log.
-
-
OK
ComboFix 09-04-25.A3 - Carson 04/26/2009 20:39.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.382.203 [GMT -7:00]
Running from: c:\documents and settings\Carson\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Carson\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090426-0] *On-access scanning disabled* (Updated)
FW: ZoneAlarm Pro Firewall *disabled*
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
c:\windows\system32\480696C863.sys
c:\windows\system32\6wkBX8Q.vbs
c:\windows\system32\ezsidmv.dat
c:\windows\System32\iassam32.dll
c:\windows\system32\pvubrcbb.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\480696C863.sys
c:\windows\system32\6wkBX8Q.vbs
c:\windows\system32\ezsidmv.dat
c:\windows\system32\pvubrcbb.dll
.
((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-4-27 )))))))))))))))))))))))))))))))
.
2009-04-25 22:05 . 2009-04-25 22:05 -------- d-----w c:\documents and settings\Carson\Application Data\Malwarebytes
2009-04-25 22:05 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-25 22:05 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-25 22:05 . 2009-04-25 22:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-25 22:05 . 2009-04-25 22:05 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-25 22:02 . 2009-04-25 22:02 -------- d-----w c:\program files\Alwil Software
2009-04-23 07:10 . 2004-08-04 12:00 28288 -c--a-w c:\windows\system32\dllcache\xjis.nls
2009-04-23 07:08 . 2004-08-04 12:00 4096 -c--a-w c:\windows\system32\dllcache\rpcref.dll
2009-04-23 07:07 . 2004-08-04 12:00 22016 -c--a-w c:\windows\system32\dllcache\logscrpt.dll
2009-04-23 07:06 . 2004-08-04 12:00 39936 -c--a-w c:\windows\system32\dllcache\hostmib.dll
2009-04-23 07:05 . 2004-08-04 12:00 66082 -c--a-w c:\windows\system32\dllcache\c_20838.nls
2009-04-23 07:04 . 2003-03-24 23:52 188494 -c--a-w c:\windows\system32\dllcache\fpcount.exe
2009-04-23 07:02 . 2009-04-23 07:02 488 ---ha-r c:\windows\system32\logonui.exe.manifest
2009-04-23 07:02 . 2009-04-23 07:02 749 ---ha-r c:\windows\WindowsShell.Manifest
2009-04-23 07:02 . 2009-04-23 07:02 749 ---ha-r c:\windows\system32\wuaucpl.cpl.manifest
2009-04-23 07:02 . 2009-04-23 07:02 749 ---ha-r c:\windows\system32\sapi.cpl.manifest
2009-04-23 07:02 . 2009-04-23 07:02 749 ---ha-r c:\windows\system32\nwc.cpl.manifest
2009-04-23 07:02 . 2009-04-23 07:02 749 ---ha-r c:\windows\system32\ncpa.cpl.manifest
2009-04-18 21:52 . 2006-09-29 18:26 176165 ----a-w c:\windows\system32\drv23260.dll
2009-04-18 21:52 . 2006-09-29 18:25 208935 ----a-w c:\windows\system32\drv33260.dll
2009-04-18 21:52 . 2006-09-29 18:24 217127 ----a-w c:\windows\system32\drv43260.dll
2009-04-18 21:52 . 2009-04-18 21:52 -------- d-----w c:\program files\vso
2009-04-18 09:04 . 2009-04-20 04:00 -------- d-----w c:\documents and settings\Carson\Local Settings\Application Data\Corel
2009-04-18 09:03 . 2009-04-20 04:06 2828 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-04-18 09:02 . 2009-04-18 09:03 -------- d-----w c:\documents and settings\Carson\Application Data\Corel
2009-04-18 09:01 . 2009-04-18 09:01 -------- d-----w c:\documents and settings\All Users\Application Data\Corel
2009-04-18 08:55 . 2009-04-18 08:57 -------- d-----w c:\program files\Common Files\Corel
2009-04-18 08:43 . 2009-04-18 08:43 -------- d-----w c:\documents and settings\Carson\Application Data\InstallShield
2009-04-15 19:57 . 2009-04-21 21:24 -------- d-----w c:\documents and settings\Carson\Application Data\skypePM
2009-04-15 19:54 . 2009-04-21 21:24 -------- d-----w c:\documents and settings\Carson\Application Data\Skype
2009-04-15 19:54 . 2009-04-15 19:54 -------- d-----w c:\program files\Common Files\Skype
2009-04-15 19:53 . 2009-04-15 19:54 -------- d-----r c:\program files\Skype
2009-04-15 19:53 . 2009-04-15 19:54 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-04-06 02:33 . 2009-04-06 02:33 -------- d-----w c:\program files\VSTplugins
2009-04-06 02:32 . 2009-04-06 02:32 -------- d-----w c:\documents and settings\Carson\Application Data\Publish Providers
2009-04-06 02:30 . 2009-04-06 02:30 -------- d-----w c:\documents and settings\Carson\Local Settings\Application Data\Sony
2009-04-06 02:30 . 2009-04-06 02:30 -------- d-----w c:\documents and settings\Carson\Application Data\Sony
2009-04-06 00:56 . 2009-04-06 02:29 34 ----a-w c:\windows\cdplayer.ini
2009-04-02 23:40 . 2009-04-02 23:40 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-04-01 22:54 . 2009-04-01 22:54 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-04-01 22:54 . 2009-04-20 00:03 -------- d-----w c:\program files\Google
2009-04-01 22:54 . 2009-04-18 21:50 -------- d-----w c:\documents and settings\Carson\Local Settings\Application Data\Google
2009-03-31 04:19 . 2009-03-31 04:19 -------- d-----w c:\documents and settings\Carson\Local Settings\Application Data\WinAVI
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 03:36 . 2009-02-11 06:56 -------- d-----w c:\documents and settings\Carson\Application Data\Azureus
2009-04-27 03:30 . 2009-02-11 08:27 -------- d-----w c:\documents and settings\Carson\Application Data\Vso
2009-04-26 03:14 . 2009-02-20 00:14 -------- d-----w c:\program files\Trojan Remover
2009-04-25 08:31 . 2009-03-04 21:53 -------- d-----w c:\documents and settings\All Users\Application Data\Vso
2009-04-25 07:10 . 2009-02-11 06:41 4212 ---h--w c:\windows\system32\zllictbl.dat
2009-04-24 09:04 . 2009-03-13 09:34 -------- d-----w c:\documents and settings\Carson\Application Data\Any Video Converter Professional
2009-04-23 07:40 . 2009-02-11 06:46 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-23 07:00 . 2009-02-11 06:12 22720 ----a-w c:\windows\system32\emptyregdb.dat
2009-04-23 01:23 . 2009-04-23 01:24 2075136 ----a-w c:\windows\Internet Logs\xDB10.tmp
2009-04-22 22:22 . 2009-02-25 02:02 -------- d-----w c:\documents and settings\Carson\Application Data\LimeWire
2009-04-20 08:57 . 2009-02-25 02:00 -------- d-----w c:\program files\Java
2009-04-18 21:44 . 2009-04-18 21:46 68608 ----a-w c:\windows\Internet Logs\xDBE.tmp
2009-04-18 21:44 . 2009-04-18 21:46 3340800 ----a-w c:\windows\Internet Logs\xDBF.tmp
2009-04-18 21:35 . 2009-04-18 21:37 3335680 ----a-w c:\windows\Internet Logs\xDBD.tmp
2009-04-18 21:35 . 2009-04-18 21:37 2895872 ----a-w c:\windows\Internet Logs\xDBC.tmp
2009-04-15 20:33 . 2009-03-21 06:05 268 ---ha-w C:\sqmdata18.sqm
2009-04-15 20:33 . 2009-03-21 06:05 244 ---ha-w C:\sqmnoopt18.sqm
2009-04-14 04:46 . 2009-03-21 04:13 244 ---ha-w C:\sqmnoopt17.sqm
2009-04-14 04:46 . 2009-03-21 04:13 232 ---ha-w C:\sqmdata17.sqm
2009-04-14 04:46 . 2009-03-21 04:13 244 ---ha-w C:\sqmnoopt16.sqm
2009-04-14 04:46 . 2009-03-21 04:13 232 ---ha-w C:\sqmdata16.sqm
2009-04-11 17:02 . 2009-03-18 21:20 244 ---ha-w C:\sqmnoopt15.sqm
2009-04-11 17:02 . 2009-03-18 21:20 232 ---ha-w C:\sqmdata15.sqm
2009-04-11 00:49 . 2009-03-18 21:08 244 ---ha-w C:\sqmnoopt14.sqm
2009-04-11 00:49 . 2009-03-18 21:08 232 ---ha-w C:\sqmdata14.sqm
2009-04-11 00:46 . 2009-03-18 21:06 232 ---ha-w C:\sqmdata13.sqm
2009-04-11 00:46 . 2009-03-18 21:06 244 ---ha-w C:\sqmnoopt13.sqm
2009-04-09 03:18 . 2009-03-18 17:34 244 ---ha-w C:\sqmnoopt12.sqm
2009-04-09 03:18 . 2009-03-18 17:34 232 ---ha-w C:\sqmdata12.sqm
2009-04-09 03:13 . 2009-03-18 17:32 244 ---ha-w C:\sqmnoopt11.sqm
2009-04-09 03:13 . 2009-03-18 17:32 232 ---ha-w C:\sqmdata11.sqm
2009-04-09 03:08 . 2009-03-17 14:04 232 ---ha-w C:\sqmdata10.sqm
2009-04-09 03:08 . 2009-03-17 14:04 244 ---ha-w C:\sqmnoopt10.sqm
2009-04-05 04:00 . 2009-03-17 14:01 244 ---ha-w C:\sqmnoopt09.sqm
2009-04-05 04:00 . 2009-03-17 14:01 232 ---ha-w C:\sqmdata09.sqm
2009-04-04 21:55 . 2009-03-17 14:00 244 ---ha-w C:\sqmnoopt08.sqm
2009-04-04 21:55 . 2009-03-17 14:00 232 ---ha-w C:\sqmdata08.sqm
2009-04-03 07:54 . 2009-04-03 07:56 3200000 ----a-w c:\windows\Internet Logs\xDBB.tmp
2009-04-03 07:54 . 2009-04-03 07:56 2880000 ----a-w c:\windows\Internet Logs\xDBA.tmp
2009-03-30 18:34 . 2009-03-17 00:37 244 ---ha-w C:\sqmnoopt07.sqm
2009-03-30 18:34 . 2009-03-17 00:37 232 ---ha-w C:\sqmdata07.sqm
2009-03-30 18:30 . 2009-03-17 00:36 244 ---ha-w C:\sqmnoopt06.sqm
2009-03-30 18:30 . 2009-03-17 00:36 232 ---ha-w C:\sqmdata06.sqm
2009-03-30 18:25 . 2009-03-15 19:16 232 ---ha-w C:\sqmdata05.sqm
2009-03-30 18:25 . 2009-03-15 19:16 244 ---ha-w C:\sqmnoopt05.sqm
2009-03-30 01:52 . 2009-03-30 01:52 2243609 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-03-29 09:23 . 2009-02-26 11:04 -------- d-----w c:\documents and settings\Carson\Application Data\dvdcss
2009-03-27 22:16 . 2009-03-14 15:48 244 ---ha-w C:\sqmnoopt04.sqm
2009-03-27 22:16 . 2009-03-14 15:48 232 ---ha-w C:\sqmdata04.sqm
2009-03-27 18:38 . 2009-03-13 15:14 244 ---ha-w C:\sqmnoopt03.sqm
2009-03-27 18:38 . 2009-03-13 15:14 232 ---ha-w C:\sqmdata03.sqm
2009-03-25 04:46 . 2009-03-25 04:46 -------- d-----w c:\documents and settings\Carson\Application Data\TypingMaster7
2009-03-25 04:44 . 2009-03-25 04:44 -------- d-----w c:\program files\Common Files\Adobe
2009-03-24 06:49 . 2009-03-11 17:58 244 ---ha-w C:\sqmnoopt02.sqm
2009-03-24 06:49 . 2009-03-11 17:58 232 ---ha-w C:\sqmdata02.sqm
2009-03-24 06:44 . 2009-03-10 05:04 244 ---ha-w C:\sqmnoopt01.sqm
2009-03-24 06:44 . 2009-03-10 05:04 232 ---ha-w C:\sqmdata01.sqm
2009-03-23 21:12 . 2009-03-23 21:12 135037 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_23_13_04_54_small.dmp.zip
2009-03-23 04:45 . 2009-02-11 07:48 -------- d-----w c:\documents and settings\Carson\Application Data\Roxio
2009-03-22 17:41 . 2009-02-23 19:20 232 ---ha-w C:\sqmdata00.sqm
2009-03-22 17:41 . 2009-02-23 19:20 244 ---ha-w C:\sqmnoopt00.sqm
2009-03-21 06:28 . 2009-03-21 06:28 244 ---ha-w C:\sqmnoopt19.sqm
2009-03-21 06:28 . 2009-03-21 06:28 232 ---ha-w C:\sqmdata19.sqm
2009-03-10 06:40 . 2009-03-10 06:40 -------- d-----w c:\documents and settings\Carson\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-03-09 12:19 . 2009-02-25 02:00 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 06:19 . 2009-02-11 07:00 27712 ----a-w c:\documents and settings\Carson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-05 00:56 . 2009-03-05 00:56 -------- d-----w c:\program files\Microsoft ActiveSync
2009-03-05 00:55 . 2009-03-05 00:14 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-04 21:52 . 2009-03-04 21:52 47360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-03-04 21:52 . 2009-03-04 21:52 47360 ----a-w c:\documents and settings\Carson\Application Data\pcouffin.sys
2009-03-01 06:16 . 2009-03-01 06:16 -------- d-----w c:\documents and settings\Carson\Application Data\ACD Systems
2009-03-01 06:13 . 2009-03-01 06:12 -------- d-----w c:\program files\Common Files\ACD Systems
2009-03-01 06:12 . 2009-03-01 06:12 -------- d-----w c:\documents and settings\All Users\Application Data\ACD Systems
2009-02-28 19:14 . 2009-02-11 06:16 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-02-28 12:38 . 2009-02-28 12:41 2703872 ----a-w c:\windows\Internet Logs\xDB3.tmp
2009-02-28 12:35 . 2009-02-28 12:41 1259008 ----a-w c:\windows\Internet Logs\xDB2.tmp
2009-02-23 00:21 . 2009-02-23 00:23 2853888 ----a-w c:\windows\Internet Logs\xDB9.tmp
2009-02-20 09:03 . 2009-02-20 09:06 2837504 ----a-w c:\windows\Internet Logs\xDB8.tmp
2009-02-20 09:03 . 2009-02-20 09:06 1031168 ----a-w c:\windows\Internet Logs\xDB7.tmp
2009-02-18 17:44 . 2009-02-18 17:46 2802688 ----a-w c:\windows\Internet Logs\xDB6.tmp
2009-02-18 17:44 . 2009-02-18 17:46 2981888 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-02-16 16:52 . 2009-02-16 16:59 1424384 ----a-w c:\windows\Internet Logs\xDB4.tmp
2009-02-16 16:51 . 2009-02-16 17:00 684544 ----a-w c:\windows\Internet Logs\xDB5.tmp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="e:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Azureus Vuze.lnk - e:\program files\Azureus\Azureus.exe [2008-12-13 254976]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\iassam32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"e:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 gupdate1c9b31cd9abb7d3;Google Update Service (gupdate1c9b31cd9abb7d3);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-01 133104]
R3 laguna;laguna;c:\windows\system32\DRIVERS\cl546xm.sys [2001-08-17 248064]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-02-11 337800]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2160b7f0-2fac-11de-a2ba-00b0d0925717}]
\Shell\AutoRun\command - G:\rcaeasyrip_setup.exe
\Shell\install\command - G:\rcaeasyrip_setup.exe
\Shell\usermanualEnglish\command - G:\rcaeasyrip_setup.exe /pdf_English
\Shell\usermanualFrench\command - G:\rcaeasyrip_setup.exe /pdf_French
\Shell\usermanualSpanish\command - G:\rcaeasyrip_setup.exe /pdf_Spanish
.
Contents of the 'Scheduled Tasks' folder
2009-04-26 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-01 22:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Carson\Application Data\Mozilla\Firefox\Profiles\4xisy04g.default\
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 20:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-04-27 20:44
ComboFix-quarantined-files.txt 2009-04-27 03:44
ComboFix2.txt 2009-04-26 05:08
ComboFix3.txt 2009-04-25 07:06
Pre-Run: 3,916,595,200 bytes free
Post-Run: 3,910,189,056 bytes free
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:07 PM, on 4/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Carson\Desktop\HiJackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "E:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Azureus Vuze.lnk = E:\Program Files\Azureus\Azureus.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\System32\iassam32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Update Service (gupdate1c9b31cd9abb7d3) (gupdate1c9b31cd9abb7d3) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 4448 bytes
-
Download ATF Cleaner
http://www.atribune.org/index.phpopt...d=25&Itemid=25
Click "Main" > check 'Select All' this first time using it, then click "Empty Selected". Do the same for Firefox or Opera if you use either of those browsers.
Finally go to Control Panel > Internet Options.
On the General tab under "Temporary Internet Files" Click "Delete Files".
Put a check by "Delete Offline Content" and click OK.
Next,
Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
http://www.kaspersky.com/kos/english/kavwebscan.html
1. Click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
2. When you get the Windows dialog asking if you want to install this software, click the "Install" button.
3. When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
4. Click on the "Scan Settings" button, and in the next window select the "extended" database, and click OK.
5. Under "Please select a target to scan:", click My Computer to start the scan.
6. When the scan is finished, click the "Save as .txt" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.
Please restart your system, and post a new HijackThis log, and the log from Kaspersky's on-line virus scan.
-
Jacee, I'm having trouble with the Kaspersky scan. IE hangs at the last few hundred KB of the update stage. After reading your post last night I fell asleep waiting for it to update, and when I woke up this morning I tried it again, and when I got off work today IE hung again with only 202 KB left to go on the update stage.
-
-
Rescan with HJT, check these items:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [UnlockerAssistant] "E:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Global Startup: Azureus Vuze.lnk = E:\Program Files\Azureus\Azureus.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\System32\iassam32.dll
Close all windows except HJT, click "fix checked".
Exit out of HJT, and reboot/restart your computer.
Update Malwarebytes' Anti-Malware, run a scan as per my earlier instructions.
Post the saved log and a fresh HJT log.
*** Please don't use Azureus, LimeWire or any other such application while we're trying to get this mess off your machine.
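The items the helper picked out above follow a few repeatable rules: entries ending in "(no file)" are orphaned registry references, an O20 AppInit_DLLs entry loads its DLL into every GUI process, Global Startup items run for all users, and an O23 service with "Unknown owner" has no recognised publisher. As an added example (not from this thread, HijackThis or any tool it mentions), the Python below parses HJT v2 entry lines and applies those same triage rules, using lines copied from the log posted in this thread as its sample input.

```python
"""Triage a HijackThis (HJT) v2 log the way a forum helper reads it.

Added example, not part of HijackThis. Flags orphaned "(no file)" entries,
AppInit_DLLs injections, all-users startup items and services without a
recognised publisher, then counts findings by severity.
"""
import re
from dataclasses import dataclass

# Sample input: entry lines copied from the HijackThis log posted in this
# thread (the process list and header are deliberately left out).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Azureus Vuze.lnk = E:\Program Files\Azureus\Azureus.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\System32\iassam32.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
"""

# Every HJT entry line starts with a section tag (R1, O2, O23, F2 ...) and " - ".
HJT_ENTRY = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "review": look at the file/publisher; "cleanup": dead entry
    section: str
    reason: str
    line: str


def parse_entries(log: str) -> list[tuple[str, str]]:
    """Return (section, body) pairs for each HJT entry line.

    Non-entry lines (the header, the 'Running processes' block, the
    'End of file' trailer) do not match and are skipped.
    """
    entries = []
    for raw in log.splitlines():
        match = HJT_ENTRY.match(raw.strip())
        if match:
            entries.append((match["section"], match["body"]))
    return entries


def triage(log: str) -> list[Finding]:
    """Apply the helper's rules of thumb to every entry in the log."""
    findings = []
    for section, body in parse_entries(log):
        line = f"{section} - {body}"
        if body.endswith("(no file)"):
            # The registry still points at a COM object whose DLL is gone:
            # harmless dead weight, typically left behind by an uninstall.
            findings.append(Finding("cleanup", section, "orphaned entry (no file)", line))
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # A DLL listed here is loaded into every process that links
            # user32.dll, so it deserves inspection whatever its name.
            findings.append(Finding("review", section, "AppInit_DLLs injection", line))
        if section == "O4" and body.startswith("Global Startup:"):
            # Runs at logon for every account on the machine.
            findings.append(Finding("review", section, "all-users startup item", line))
        if section == "O23" and " - Unknown owner - " in body:
            # HJT could not attribute the service binary to a publisher.
            findings.append(Finding("review", section, "service without publisher", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'cleanup': 3, 'review': 3}."""
    counts: dict[str, int] = {}
    for finding in findings:
        counts[finding.severity] = counts.get(finding.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for finding in results:
        print(f"[{finding.severity:7}] {finding.reason:28} {finding.line}")
    print(summarize(results))
```

Run against the full HJT log posted above, the script reports exactly the three "(no file)" lines, the O20 entry, the Azureus startup item and the ProtexisLicensing service, and nothing else.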
-
OK on the P2P software.
Malwarebytes' Anti-Malware 1.36
Database version: 2051
Windows 5.1.2600 Service Pack 2
4/27/2009 8:23:50 PM
mbam-log-2009-04-27 (20-23-50).txt
Scan type: Full Scan (C:\|D:\|E:\|H:\|)
Objects scanned: 172682
Time elapsed: 2 hour(s), 3 minute(s), 22 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:20 PM, on 4/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Carson\Desktop\HiJackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Update Service (gupdate1c9b31cd9abb7d3) (gupdate1c9b31cd9abb7d3) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 3996 bytes
-
Looks good! Post one more Combofix log, please.
-
Okey dokey
ComboFix 09-04-28.02 - Carson 04/28/2009 14:26.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.382.183 [GMT -7:00]
Running from: c:\documents and settings\Carson\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090427-0] *On-access scanning disabled* (Updated)
FW: ZoneAlarm Pro Firewall *disabled*
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.
2009-04-25 22:05 . 2009-04-25 22:05 -------- d-----w c:\documents and settings\Carson\Application Data\Malwarebytes
2009-04-25 22:05 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-25 22:05 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-25 22:05 . 2009-04-25 22:05 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-25 22:05 . 2009-04-25 22:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-25 22:02 . 2009-04-25 22:02 -------- d-----w c:\program files\Alwil Software
2009-04-23 07:08 . 2004-08-04 12:00 4096 -c--a-w c:\windows\system32\dllcache\rpcref.dll
2009-04-23 07:07 . 2004-08-04 12:00 22016 -c--a-w c:\windows\system32\dllcache\logscrpt.dll
2009-04-23 07:06 . 2004-08-04 12:00 39936 -c--a-w c:\windows\system32\dllcache\hostmib.dll
2009-04-23 07:05 . 2004-08-04 12:00 45568 -c--a-w c:\windows\system32\dllcache\browscap.dll
2009-04-23 07:04 . 2003-03-24 23:52 188494 -c--a-w c:\windows\system32\dllcache\fpcount.exe
2009-04-23 06:50 . 2004-08-04 12:00 13312 -c--a-w c:\windows\system32\dllcache\irclass.dll
2009-04-23 06:50 . 2004-08-04 12:00 13312 ----a-w c:\windows\system32\irclass.dll
2009-04-23 06:50 . 2004-08-04 12:00 24661 -c--a-w c:\windows\system32\dllcache\spxcoins.dll
2009-04-23 06:50 . 2004-08-04 12:00 24661 ----a-w c:\windows\system32\spxcoins.dll
2009-04-18 21:52 . 2006-09-29 18:24 217127 ----a-w c:\windows\system32\drv43260.dll
2009-04-18 21:52 . 2006-09-29 18:25 208935 ----a-w c:\windows\system32\drv33260.dll
2009-04-18 21:52 . 2006-09-29 18:26 176165 ----a-w c:\windows\system32\drv23260.dll
2009-04-18 21:52 . 2009-04-18 21:52 -------- d-----w c:\program files\vso
2009-04-18 09:04 . 2009-04-20 04:00 -------- d-----w c:\documents and settings\Carson\Local Settings\Application Data\Corel
2009-04-18 09:03 . 2009-04-20 04:06 2828 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-04-18 09:02 . 2009-04-18 09:03 -------- d-----w c:\documents and settings\Carson\Application Data\Corel
2009-04-18 09:01 . 2009-04-18 09:01 -------- d-----w c:\documents and settings\All Users\Application Data\Corel
2009-04-18 08:55 . 2009-04-18 08:57 -------- d-----w c:\program files\Common Files\Corel
2009-04-18 08:43 . 2009-04-18 08:43 -------- d-----w c:\documents and settings\Carson\Application Data\InstallShield
2009-04-15 19:57 . 2009-04-21 21:24 -------- d-----w c:\documents and settings\Carson\Application Data\skypePM
2009-04-15 19:53 . 2009-04-28 21:11 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-04-06 02:33 . 2009-04-06 02:33 -------- d-----w c:\program files\VSTplugins
2009-04-06 02:32 . 2009-04-06 02:32 -------- d-----w c:\documents and settings\Carson\Application Data\Publish Providers
2009-04-06 02:30 . 2009-04-06 02:30 -------- d-----w c:\documents and settings\Carson\Application Data\Sony
2009-04-06 02:30 . 2009-04-06 02:30 -------- d-----w c:\documents and settings\Carson\Local Settings\Application Data\Sony
2009-04-02 23:40 . 2009-04-02 23:40 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-04-01 22:54 . 2009-04-01 22:54 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-04-01 22:54 . 2009-04-20 00:03 -------- d-----w c:\program files\Google
2009-04-01 22:54 . 2009-04-18 21:50 -------- d-----w c:\documents and settings\Carson\Local Settings\Application Data\Google
2009-03-31 04:19 . 2009-03-31 04:19 -------- d-----w c:\documents and settings\Carson\Local Settings\Application Data\WinAVI
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 21:18 . 2009-02-11 07:20 -------- d-----w c:\program files\Common Files\Roxio Shared
2009-04-26 03:14 . 2009-02-20 00:14 -------- d-----w c:\program files\Trojan Remover
2009-04-25 07:10 . 2009-02-11 06:41 4212 ---h--w c:\windows\system32\zllictbl.dat
2009-04-23 07:03 . 2004-08-04 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-04-23 07:00 . 2009-02-11 06:12 22720 ----a-w c:\windows\system32\emptyregdb.dat
2009-04-23 01:23 . 2009-04-23 01:24 2075136 ----a-w c:\windows\Internet Logs\xDB10.tmp
2009-04-20 08:57 . 2009-02-25 02:00 -------- d-----w c:\program files\Java
2009-04-18 21:44 . 2009-04-18 21:46 68608 ----a-w c:\windows\Internet Logs\xDBE.tmp
2009-04-18 21:44 . 2009-04-18 21:46 3340800 ----a-w c:\windows\Internet Logs\xDBF.tmp
2009-04-18 21:35 . 2009-04-18 21:37 3335680 ----a-w c:\windows\Internet Logs\xDBD.tmp
2009-04-18 21:35 . 2009-04-18 21:37 2895872 ----a-w c:\windows\Internet Logs\xDBC.tmp
2009-04-03 07:54 . 2009-04-03 07:56 3200000 ----a-w c:\windows\Internet Logs\xDBB.tmp
2009-04-03 07:54 . 2009-04-03 07:56 2880000 ----a-w c:\windows\Internet Logs\xDBA.tmp
2009-03-30 01:52 . 2009-03-30 01:52 2243609 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-03-25 04:44 . 2009-03-25 04:44 -------- d-----w c:\program files\Common Files\Adobe
2009-03-23 21:12 . 2009-03-23 21:12 135037 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_23_13_04_54_small.dmp.zip
2009-03-09 12:19 . 2009-02-25 02:00 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 06:19 . 2009-02-11 07:00 27712 ----a-w c:\documents and settings\Carson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-05 00:56 . 2009-03-05 00:56 -------- d-----w c:\program files\Microsoft ActiveSync
2009-03-04 21:52 . 2009-03-04 21:52 47360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-03-04 21:52 . 2009-03-04 21:52 47360 ----a-w c:\documents and settings\Carson\Application Data\pcouffin.sys
2009-03-01 06:13 . 2009-03-01 06:12 -------- d-----w c:\program files\Common Files\ACD Systems
2009-02-28 19:14 . 2009-02-11 06:16 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-02-28 12:38 . 2009-02-28 12:41 2703872 ----a-w c:\windows\Internet Logs\xDB3.tmp
2009-02-28 12:35 . 2009-02-28 12:41 1259008 ----a-w c:\windows\Internet Logs\xDB2.tmp
2009-02-23 00:21 . 2009-02-23 00:23 2853888 ----a-w c:\windows\Internet Logs\xDB9.tmp
2009-02-20 09:03 . 2009-02-20 09:06 2837504 ----a-w c:\windows\Internet Logs\xDB8.tmp
2009-02-20 09:03 . 2009-02-20 09:06 1031168 ----a-w c:\windows\Internet Logs\xDB7.tmp
2009-02-20 00:16 . 2009-02-20 00:16 0 ----a-w c:\windows\nsreg.dat
2009-02-18 17:44 . 2009-02-18 17:46 2802688 ----a-w c:\windows\Internet Logs\xDB6.tmp
2009-02-18 17:44 . 2009-02-18 17:46 2981888 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-02-16 16:52 . 2009-02-16 16:59 1424384 ----a-w c:\windows\Internet Logs\xDB4.tmp
2009-02-16 16:51 . 2009-02-16 17:00 684544 ----a-w c:\windows\Internet Logs\xDB5.tmp
.
((((((((((((((((((((((((((((( SnapShot@2009-04-26_05.03.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-28 01:14 . 2009-04-28 01:14 16384 c:\windows\Temp\Perflib_Perfdata_584.dat
+ 2009-04-28 01:14 . 2009-04-28 01:14 16384 c:\windows\Temp\Perflib_Perfdata_1b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2160b7f0-2fac-11de-a2ba-00b0d0925717}]
\Shell\AutoRun\command - G:\rcaeasyrip_setup.exe
\Shell\install\command - G:\rcaeasyrip_setup.exe
\Shell\usermanualEnglish\command - G:\rcaeasyrip_setup.exe /pdf_English
\Shell\usermanualFrench\command - G:\rcaeasyrip_setup.exe /pdf_French
\Shell\usermanualSpanish\command - G:\rcaeasyrip_setup.exe /pdf_Spanish
.
Contents of the 'Scheduled Tasks' folder
2009-04-28 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-01 22:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Carson\Application Data\Mozilla\Firefox\Profiles\4xisy04g.default\
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 14:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-04-28 14:31
ComboFix-quarantined-files.txt 2009-04-28 21:31
ComboFix2.txt 2009-04-27 03:45
ComboFix3.txt 2009-04-26 05:08
ComboFix4.txt 2009-04-25 07:06
Pre-Run: 4,185,264,128 bytes free
Post-Run: 4,258,709,504 bytes free