Hijack this report:


daddywarbucks

Trying to install Trend HijackThis:
- The program installation doesn't work and the program stops working. (Windows gives a message to check online for a solution... does nothing.)
*********************************************

Report from SmitFraudFix (it also said I may be a victim of a DNS hijack, so I switched it to the option it suggested (DHTTP?)):
SmitFraudFix v2.423

Scan done at 14:27:13.64, 18/07/2009
Run from C:\Users\Michael MacDonald\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6001] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost
::1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
...

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Program Files\AAV\ Deleted
C:\Program Files\Google\googletoolbar1.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8168B/8111B Family PCI-E Gigabit Ethernet NIC (NDIS 6.0)
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{8F4C10CE-035E-47C1-AB44-0478DC6F18B1}: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK.2



»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


*****************************************
This happened when scanning with VundoFix (it auto shut down):

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6001.2.1.0.768.3
Locale ID: 4105

Additional information about the problem:
BCCode: 1000008e
BCP1: C0000005
BCP2: 820C2930
BCP3: ADF853BC
BCP4: 00000000
OS Version: 6_0_6001
Service Pack: 1_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini071809-01.dmp
C:\Users\Michael MacDonald\AppData\Local\Temp\WER-44007-0.sysdata.xml
C:\Users\Michael MacDonald\AppData\Local\Temp\WER5F9C.tmp.version.txt

I ran the program again and it worked; no infections.
********************************************************************
Upon installing Malwarebytes:

The program stopped working and wouldn't run. (Windows gave a message to check online for a solution... does nothing.)
**********************************************************************
Upon installing AVG:

Local machine: installation failed
Installation:
Error: Action failed for file avgmfx86.sys: starting service....
Error 0x8007013d
Rollback:
Warning: Action failed for directory Toolbar: removing directory....
Error 0x80070091
Warning: Action failed for directory AVG8: removing directory....
Error 0x80070091
Warning: Action failed for directory AVG: removing directory....
Error 0x80070091

Notes: Windows cannot search for or install updates.
I cannot install Spybot SD/AVG/Trend Micro products. They all stop working before they run, after completing the download.
My browser gets extensively redirected to other pages (PPC advertising etc.), tons of dating service pop-up sites or redirects,
and Internet Explorer 7 crashes consistently (even with security settings high). I also cannot install the Firefox browser either; it stops working as well. <PLEASE HELP>

Michael MacDonald
 
Can you run anything in safe mode?

Try renaming the files, e.g. for HijackThis, rename it to your name or whatever, and see if that works.

If you can run in safe mode, run ComboFix and then Malwarebytes, post both their logs, and then try to run HijackThis.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:23:07, on 19/07/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18248)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WordPerfect Lightning\Programs\LightningViewer.exe
C:\Program Files\WordPerfect Lightning\Programs\wpviewer.exe
C:\Program Files\WordPerfect Lightning\Programs\LightningNavigator.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: ClixSense.com Toolbar - {70df8d13-bdd3-448e-944c-efde21b77161} - C:\Program Files\ClixSense.com\tbClix.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: FireShot - {6E6E744E-4D20-4ce3-9A7A-26DFFFE22F68} - C:\Users\Michael MacDonald\AppData\Roaming\Mozilla\Firefox\Profiles\tuvr27em.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\fsaddin-0.63.dll (file missing)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: ClixSense.com Toolbar - {70df8d13-bdd3-448e-944c-efde21b77161} - C:\Program Files\ClixSense.com\tbClix.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: Copy to &Lightning Note - C:\Program Files\WordPerfect Lightning\Programs\WPLightningCopyToNote.hta
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ6\\ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ6\\ICQ.exe (file missing)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file)
O9 - Extra 'Tools' menuitem: FireShot menu - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Acer HomeMedia Connect Service - CyberLink - C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcz_device - - C:\Windows\system32\lxczcoms.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 8618 bytes
 
Re: ComboFix part 1 report

ComboFix 09-07-19.02 - Michael MacDonald 19/07/2009 14:27.1.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2038.854 [GMT -7:00]
Running from: c:\users\Michael MacDonald\Desktop\michaelcombofix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
((((( Other Deletions ))))
.
c:\program files\INSTALL.LOG
c:\program files\Internet Saving Optimizer
c:\program files\Privacy components
c:\users\Michael MacDonald\AppData\Roaming\Privacy components
c:\users\Michael MacDonald\AppData\Roaming\Privacy components\dbases\cg.dat
c:\users\Michael MacDonald\AppData\Roaming\Privacy components\dbases\mw.dat
c:\users\Michael MacDonald\AppData\Roaming\Privacy components\dbases\rd.dat
c:\users\Michael MacDonald\AppData\Roaming\Privacy components\dbases\sc.dat
c:\users\Michael MacDonald\AppData\Roaming\Privacy components\dbases\sm.dat
c:\users\Michael MacDonald\AppData\Roaming\Privacy components\keys\cg.key
c:\users\Michael MacDonald\AppData\Roaming\Privacy components\keys\rd.key
c:\users\Michael MacDonald\AppData\Roaming\Privacy components\keys\sc.key
c:\users\Michael MacDonald\AppData\Roaming\Privacy components\keys\sp.key
c:\users\Michael MacDonald\AppData\Roaming\Privacy components\temp\settings.ini
c:\users\Michael MacDonald\AppData\Roaming\Privacy components\temp\spfilter
c:\users\Michael MacDonald\Documents\My Documents.url
c:\windows\system32\drivers\gxvxcdevqfqkbnhpircempbrmcipxrfuoxvws.sys
c:\windows\System32\gxvxcckqbcpodvqjhnuddybcfienugqwpsvxq.dll
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcepemonebrdmyniuubcymsbtwxxiquera.dll
c:\windows\system32\tmp.reg
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
D:\install.exe
(((((((Drivers/Services )))))))))))
-------\Service_gxvxcserv.sys
((((( Files Created from 2009-06-19 to 2009-07-19 ))))
.
2009-07-19 21:34 . 2009-07-19 21:34 -------- d-----w- c:\users\Michael MacDonald\AppData\Local\temp
2009-07-18 21:51 . 2009-07-18 21:51 -------- d-----w- c:\program files\AVG
2009-07-18 21:34 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-07-18 21:34 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-07-18 21:27 . 2009-07-18 21:27 35 ----a-w- c:\users\Michael MacDonald\AppData\Roaming\SetValue.bat
2009-07-18 20:59 . 2009-07-18 20:59 -------- d-----w- C:\VundoFix Backups
2009-07-18 20:51 . 2009-07-18 20:51 401720 ----a-w- c:\program files\HiJackThis.exe
2009-07-18 20:22 . 2009-07-18 20:22 401720 ----a-w- C:\HiJackThis.exe
2009-07-18 20:18 . 2009-07-18 20:18 -------- d-----w- c:\program files\Trend Micro
2009-07-18 19:35 . 2009-07-18 19:35 -------- d-----w- c:\program files\CCleaner
2009-07-18 19:19 . 2009-07-18 19:19 -------- d-----w- c:\program files\CleanUp!
2009-07-18 19:07 . 2009-07-18 19:07 -------- d-----w- c:\program files\MSConfig CleanUp
2009-07-10 09:24 . 2009-07-10 09:24 -------- d-----w- c:\users\Michael MacDonald\AppData\Roaming\Windows Live Writer
2009-07-10 09:24 . 2009-07-10 09:24 -------- d-----w- c:\users\Michael MacDonald\AppData\Local\Windows Live Writer
2009-07-09 10:05 . 2009-07-09 10:05 593053 -c--a-w- c:\programdata\{732BD52C-2B24-4AF1-8509-89A619EC2006}\OFFLINE\mFileBagIDE.dll\bag\HJSetup.exe
2009-07-09 10:05 . 2009-07-09 10:05 595765 -c--a-w- c:\programdata\{732BD52C-2B24-4AF1-8509-89A619EC2006}\OFFLINE\mFileBagIDE.dll\bag\AdwareSetup.exe
2009-07-08 06:21 . 2009-07-08 07:22 -------- d-----w- C:\tanya simpson
2009-07-07 01:39 . 2009-07-12 09:55 -------- d-----w- c:\program files\Blog Announcer Pro
2009-07-07 01:39 . 2009-07-07 01:39 -------- d-----w- c:\program files\Article Assistance
2009-07-06 06:56 . 2009-07-06 06:56 -------- d-----w- c:\program files\ICQ6Toolbar
2009-07-06 06:56 . 2009-07-06 06:56 -------- d-----w- c:\programdata\ICQ
2009-07-06 06:55 . 2009-07-06 07:02 -------- d-----w- c:\program files\ICQ6.5
2009-07-04 17:20 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-07-04 17:20 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-07-04 17:20 . 2008-06-20 01:14 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-07-04 17:20 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
2009-07-04 17:20 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-07-04 17:20 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-07-04 17:20 . 2008-06-20 01:14 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-07-04 17:12 . 2008-07-27 18:03 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-07-04 17:12 . 2008-07-27 18:03 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-07-04 17:12 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-07-04 17:12 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-07-04 17:12 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
2009-07-01 19:11 . 2009-07-01 19:10 38208 ----a-w- c:\users\Michael MacDonald\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-07-01 19:11 . 2009-07-01 19:11 -------- d-----w- c:\program files\Google Goggles
2009-07-01 19:11 . 2009-07-01 19:11 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-01 18:25 . 2009-07-01 18:25 2118144 ----a-w- c:\users\Michael MacDonald\AppData\Local\cooliris-win-ie-release-1.11.0.26762.en-US.msi
2009-06-29 10:40 . 2009-06-29 21:05 -------- d-----w- c:\program files\Submit Machine Demo
((((((((((((((( Find3M Report ))))))))))))

2009-07-19 20:52 . 2008-03-06 03:17 88 --sh--r- c:\windows\system32\AA87F7E27C.sys
2009-07-19 20:52 . 2008-03-06 03:17 4182 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-07-19 19:59 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-18 23:03 . 2007-07-17 06:25 -------- d-----w- c:\program files\Microsoft Works
2009-07-18 21:51 . 2008-06-03 07:44 -------- d-----w- c:\programdata\avg8
2009-07-18 21:44 . 2009-07-18 21:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-18 21:33 . 2009-07-18 21:33 -------- d-----w- c:\programdata\Malwarebytes
2009-07-18 21:27 . 2009-07-18 21:27 691 ----a-w- c:\users\Michael MacDonald\AppData\Roaming\GetValue.vbs
2009-07-18 21:27 . 2008-03-11 03:30 -------- d-----w- c:\program files\Google
2009-07-18 19:12 . 2008-05-15 04:51 -------- d-----w- c:\users\Michael MacDonald\AppData\Roaming\DNA
2009-07-18 16:49 . 2008-05-15 04:51 -------- d-----w- c:\program files\DNA
2009-07-17 18:49 . 2008-11-24 05:42 -------- d-----w- c:\program files\Shaw Secure
2009-07-17 03:20 . 2008-11-24 05:43 -------- d-----w- c:\programdata\F-Secure
2009-07-13 20:36 . 2009-07-18 21:33 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 20:36 . 2009-07-18 21:33 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-10 22:17 . 2008-10-01 19:51 -------- d-----w- c:\program files\PicLensIE
2009-06-16 08:16 . 2009-06-16 08:16 -------- d-----w- c:\program files\ClixSense.com
2009-06-16 08:16 . 2009-06-16 08:16 -------- d-----w- c:\program files\Conduit
2009-06-15 15:24 . 2009-07-18 21:33 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 15:20 . 2009-07-18 21:33 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 15:20 . 2009-07-18 21:33 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:52 . 2009-07-18 21:33 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-06-02 22:26 . 2009-06-02 22:26 -------- d-----w- c:\programdata\RoboForm
2009-06-02 22:26 . 2009-06-02 22:26 -------- d-----w- c:\program files\Siber Systems
2009-05-25 15:44 . 2008-11-25 15:45 -------- d-----w- c:\users\Michael MacDonald\AppData\Roaming\F-Secure
2009-05-24 22:49 . 2008-03-09 07:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-23 19:40 . 2009-02-07 08:17 -------- d-----w- c:\program files\NCH Software
2009-05-23 19:39 . 2008-03-09 07:31 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-04-24 16:05 . 2009-07-18 21:33 827904 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:02 . 2009-07-18 21:33 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 13:44 . 2009-07-18 21:33 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-04-23 12:43 . 2009-07-18 21:33 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-23 12:42 . 2009-07-18 21:33 636928 ----a-w- c:\windows\system32\localspl.dll
2009-04-21 11:55 . 2009-07-18 21:33 2033152 ----a-w- c:\windows\system32\win32k.sys
 
Remove

O2 - BHO: ClixSense.com Toolbar - {70df8d13-bdd3-448e-944c-efde21b77161} - C:\Program Files\ClixSense.com\tbClix.dll

O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)

O3 - Toolbar: FireShot - {6E6E744E-4D20-4ce3-9A7A-26DFFFE22F68} - C:\Users\Michael MacDonald\AppData\Roaming\Mozilla\Firefox\Profiles\tuvr27em.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\fsaddin-0.63.dll (file missing)

O3 - Toolbar: ClixSense.com Toolbar - {70df8d13-bdd3-448e-944c-efde21b77161} - C:\Program Files\ClixSense.com\tbClix.dll

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ6\\ICQ.exe (file missing)

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ6\\ICQ.exe (file missing)

O9 - Extra button: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file)

O9 - Extra 'Tools' menuitem: FireShot menu - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file)
 
Thank you very much.... My computer is lightning fast again, which helps as a web designer/administrator, and of course security is a much needed peace of mind.... thank you.

Only question I have is: do the ComboFix logs still need to be reviewed? I have tried to upload it, but it contains 12 smiley faces and I can only upload a maximum of 10. Do you want me to split the report and upload it? Or am I all clear now?
- Michael aka. daddywarbucks
 
Yes, split the posts.

After you run ComboFix and Malwarebytes, post both of their logs and a new HijackThis log. :D
 
Latest post: ComboFix split part 1

ComboFix 09-07-20.05 - Michael MacDonald 21/07/2009 13:26.2.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2038.1060 [GMT -7:00]
Running from: c:\users\Michael MacDonald\Desktop\michaelcombofix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-06-21 to 2009-07-21 )))))))))))))))))))))))))))))))
.

2009-07-21 09:35 . 2009-07-21 12:03 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-21 06:47 . 2009-07-21 06:48 -------- d-----w- C:\idpassrobo
2009-07-20 01:21 . 2009-07-19 23:11 327688 ----a-w- c:\programdata\avg8\update\backup\avgldx86.sys
2009-07-20 01:21 . 2009-07-19 23:11 692504 ----a-w- c:\programdata\avg8\update\backup\avgcsrvx.exe
2009-07-20 01:21 . 2009-07-19 23:11 69912 ----a-w- c:\programdata\avg8\update\backup\avgcrlpx.dll
2009-07-20 01:21 . 2009-07-19 23:11 417560 ----a-w- c:\programdata\avg8\update\backup\avgcclix.dll
2009-07-20 01:21 . 2009-07-19 23:11 382744 ----a-w- c:\programdata\avg8\update\backup\avgclitx.dll
2009-07-20 01:21 . 2009-07-19 23:11 2301208 ----a-w- c:\programdata\avg8\update\backup\avguiadv.dll
2009-07-20 01:21 . 2009-07-19 23:11 2052888 ----a-w- c:\programdata\avg8\update\backup\avgcorex.dll
2009-07-20 01:20 . 2009-07-19 23:11 3402008 ----a-w- c:\programdata\avg8\update\backup\avgui.exe
2009-07-19 23:11 . 2009-07-19 23:11 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-19 23:11 . 2009-07-21 18:44 -------- d-----w- c:\windows\system32\drivers\Avg
2009-07-19 23:11 . 2009-07-19 23:14 -------- d-----w- c:\programdata\AVG Security Toolbar
2009-07-19 21:42 . 2009-07-19 21:42 -------- d-----w- c:\users\Michael MacDonald\AppData\Roaming\Malwarebytes
2009-07-19 21:36 . 2009-07-21 20:31 -------- d-----w- c:\users\Michael MacDonald\AppData\Local\temp
2009-07-18 21:51 . 2009-07-18 21:51 -------- d-----w- c:\program files\AVG
2009-07-18 21:34 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-07-18 21:34 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-07-18 21:27 . 2009-07-18 21:27 35 ----a-w- c:\users\Michael MacDonald\AppData\Roaming\SetValue.bat
2009-07-18 20:59 . 2009-07-18 20:59 -------- d-----w- C:\VundoFix Backups
2009-07-18 20:51 . 2009-07-18 20:51 401720 ----a-w- c:\program files\HiJackThis.exe
2009-07-18 20:22 . 2009-07-18 20:22 401720 ----a-w- C:\HiJackThis.exe
2009-07-18 20:18 . 2009-07-18 20:18 -------- d-----w- c:\program files\Trend Micro
2009-07-18 19:35 . 2009-07-18 19:35 -------- d-----w- c:\program files\CCleaner
2009-07-18 19:19 . 2009-07-18 19:19 -------- d-----w- c:\program files\CleanUp!
2009-07-18 19:07 . 2009-07-18 19:07 -------- d-----w- c:\program files\MSConfig CleanUp
2009-07-10 09:24 . 2009-07-10 09:24 -------- d-----w- c:\users\Michael MacDonald\AppData\Roaming\Windows Live Writer
2009-07-10 09:24 . 2009-07-10 09:24 -------- d-----w- c:\users\Michael MacDonald\AppData\Local\Windows Live Writer
2009-07-09 10:05 . 2009-07-09 10:05 593053 -c--a-w- c:\programdata\{732BD52C-2B24-4AF1-8509-89A619EC2006}\OFFLINE\mFileBagIDE.dll\bag\HJSetup.exe
2009-07-09 10:05 . 2009-07-09 10:05 595765 -c--a-w- c:\programdata\{732BD52C-2B24-4AF1-8509-89A619EC2006}\OFFLINE\mFileBagIDE.dll\bag\AdwareSetup.exe
2009-07-08 06:21 . 2009-07-08 07:22 -------- d-----w- C:\tanya simpson
2009-07-07 01:39 . 2009-07-12 09:55 -------- d-----w- c:\program files\Blog Announcer Pro
2009-07-07 01:39 . 2009-07-07 01:39 -------- d-----w- c:\program files\Article Assistance
2009-07-06 06:56 . 2009-07-06 06:56 -------- d-----w- c:\program files\ICQ6Toolbar
2009-07-06 06:56 . 2009-07-06 06:56 -------- d-----w- c:\programdata\ICQ
2009-07-06 06:55 . 2009-07-06 07:02 -------- d-----w- c:\program files\ICQ6.5
2009-07-04 17:20 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-07-04 17:20 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-07-04 17:20 . 2008-06-20 01:14 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-07-04 17:20 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
2009-07-04 17:20 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-07-04 17:20 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-07-04 17:20 . 2008-06-20 01:14 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-07-04 17:12 . 2008-07-27 18:03 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-07-04 17:12 . 2008-07-27 18:03 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-07-04 17:12 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-07-04 17:12 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-07-04 17:12 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
2009-07-01 19:11 . 2009-07-01 19:10 38208 ----a-w- c:\users\Michael MacDonald\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-07-01 19:11 . 2009-07-01 19:11 -------- d-----w- c:\program files\Google Goggles
2009-07-01 19:11 . 2009-07-01 19:11 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-01 18:25 . 2009-07-01 18:25 2118144 ----a-w- c:\users\Michael MacDonald\AppData\Local\cooliris-win-ie-release-1.11.0.26762.en-US.msi
2009-06-29 10:40 . 2009-06-29 21:05 -------- d-----w- c:\program files\Submit Machine Demo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-21 12:16 . 2008-05-15 04:52 -------- d-----w- c:\users\Michael MacDonald\AppData\Roaming\BitTorrent
2009-07-19 23:11 . 2008-06-03 07:44 -------- d-----w- c:\programdata\avg8
2009-07-19 19:59 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-18 23:03 . 2007-07-17 06:25 -------- d-----w- c:\program files\Microsoft Works
2009-07-18 21:44 . 2009-07-18 21:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-18 21:33 . 2009-07-18 21:33 -------- d-----w- c:\programdata\Malwarebytes
2009-07-18 21:27 . 2009-07-18 21:27 691 ----a-w- c:\users\Michael MacDonald\AppData\Roaming\GetValue.vbs
2009-07-18 21:27 . 2008-03-11 03:30 -------- d-----w- c:\program files\Google
2009-07-18 19:12 . 2008-05-15 04:51 -------- d-----w- c:\users\Michael MacDonald\AppData\Roaming\DNA
2009-07-18 16:49 . 2008-05-15 04:51 -------- d-----w- c:\program files\DNA
2009-07-17 18:49 . 2008-11-24 05:42 -------- d-----w- c:\program files\Shaw Secure
2009-07-17 03:20 . 2008-11-24 05:43 -------- d-----w- c:\programdata\F-Secure
2009-07-13 20:36 . 2009-07-18 21:33 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 20:36 . 2009-07-18 21:33 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-10 22:17 . 2008-10-01 19:51 -------- d-----w- c:\program files\PicLensIE
2009-06-16 08:16 . 2009-06-16 08:16 -------- d-----w- c:\program files\Conduit
2009-06-15 15:24 . 2009-07-18 21:33 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 15:20 . 2009-07-18 21:33 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 15:20 . 2009-07-18 21:33 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:52 . 2009-07-18 21:33 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-06-14 23:07 . 2009-07-19 23:14 1004800 ----a-w- c:\programdata\AVG Security Toolbar\IEToolbar.dll
2009-06-02 22:26 . 2009-06-02 22:26 -------- d-----w- c:\programdata\RoboForm
2009-06-02 22:26 . 2009-06-02 22:26 -------- d-----w- c:\program files\Siber Systems
2009-05-25 15:44 . 2008-11-25 15:45 -------- d-----w- c:\users\Michael MacDonald\AppData\Roaming\F-Secure
2009-05-24 22:49 . 2008-03-09 07:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-23 19:40 . 2009-02-07 08:17 -------- d-----w- c:\program files\NCH Software
2009-05-23 19:39 . 2008-03-09 07:31 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-04-24 16:05 . 2009-07-18 21:33 827904 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:02 . 2009-07-18 21:33 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 13:44 . 2009-07-18 21:33 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-04-23 12:43 . 2009-07-18 21:33 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-23 12:42 . 2009-07-18 21:33 636928 ----a-w- c:\windows\system32\localspl.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-19_21.34.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-17 06:24 . 2009-07-21 18:44 90884 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-03-05 04:44 . 2009-07-21 18:44 24756 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2915978231-3768050918-614530301-1000_UserData.bin
- 2008-03-05 03:34 . 2009-07-19 21:17 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-03-05 03:34 . 2009-07-21 20:22 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-03-05 03:34 . 2009-07-21 20:22 81920 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-03-05 03:34 . 2009-07-19 21:17 81920 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-05 03:34 . 2009-07-21 20:22 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-03-05 03:34 . 2009-07-19 21:17 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-19 23:11 . 2009-07-19 23:11 11952 c:\windows\System32\avgrsstx.dll
+ 2008-09-13 04:48 . 2009-07-21 18:42 40960 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\rtdrvmon.exe
- 2008-09-13 04:48 . 2009-07-19 21:27 40960 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\rtdrvmon.exe
+ 2008-03-06 03:17 . 2009-07-20 01:20 3350 c:\windows\System32\KGyGaAvL.sys
+ 2009-07-21 18:42 . 2009-07-21 18:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-07-19 21:26 . 2009-07-19 21:26 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-07-21 18:42 . 2009-07-21 18:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-19 21:26 . 2009-07-19 21:26 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 13:05 . 2009-07-21 18:44 121532 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-19 23:11 . 2009-07-19 23:11 108552 c:\windows\System32\drivers\avgtdix.sys
+ 2009-07-19 23:11 . 2009-07-20 01:20 335752 c:\windows\System32\drivers\avgldx86.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 23:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-07-03 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-19 1948440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2008-10-12 267520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{CC798B78-DE13-4976-9DBA-0015A8CE56F8}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{81030BAF-357C-40FB-8793-B99ADE4212A8}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{4C0E0174-247F-4069-9F52-9AD19DC71D83}"= c:\program files\Acer Arcade Live\Acer Arcade Live Main Page\Acer Arcade Live.exe:Acer Arcade Live
"{560429FD-BAD7-4E9A-857F-AA8C893A477F}"= c:\program files\Acer Arcade Live\Acer DV Magician\Acer DV Magician.exe:Acer DV Magician
"{ED9E9E19-C630-464A-87A6-C20269418FC1}"= c:\program files\Acer Arcade Live\Acer DVDivine\Acer DVDivine.exe:Acer DVDivine
"{492EC220-FB41-4472-8B20-E400B5B81034}"= c:\program files\Acer Arcade Live\Acer HomeMedia\Acer HomeMedia.exe:Acer HomeMedia
"{63C2B5ED-23AB-4CB2-AC71-1114E8E91419}"= c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Acer HomeMedia Connect.exe:Acer HomeMedia Connect
"{9C8A4F83-9400-4816-BA61-125CC31F09BB}"= c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.EXE:Acer HomeMedia Connect Service
"{D174244A-0FBB-4C36-8948-020059CF029E}"= c:\program files\Acer Arcade Live\Acer SlideShow DVD\Acer SlideShow DVD.exe:Acer SlideShow DVD
"{7DDAC852-04CD-4EFE-8DE0-1361BE28FB87}"= c:\program files\Acer Arcade Live\Acer VideoMagician\Acer VideoMagician.exe:Acer VideoMagician
"{E294E1BD-19A7-4DEB-8F47-DA0D8D3F8C41}"= c:\program files\Acer Arcade Live\Acer PlayMovie\PlayMovie.exe:Acer Play Movie
"{EED3443D-C6EF-49E5-B4DA-1150AA913EAC}"= c:\program files\Acer Arcade Live\Acer PlayMovie\PMVService.exe:Acer Play Movie Resident Program
"{E52573FA-FB54-4AD7-AA7D-205FFF254274}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{B0D1C829-D544-4F66-84B8-0F7F2209CEFB}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{18CA0F6F-ECEB-4FF0-B400-6DE8E891A7CD}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{13E5CE36-E6ED-4EB2-A529-1FA8006C21DF}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{68DFF7BF-81C1-4F67-A10D-25B138C7FE38}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{54C3E5F2-4202-4FCC-BC65-74524236FACE}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{726B7248-BF44-4502-881C-BFC28B713471}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{279F6899-B42B-456D-A16A-FB56496B8359}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{4CE9966E-A1AD-4F2D-AF86-D02D78D1F073}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{E48C3695-C032-4C97-943A-D61BF5365908}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{81ECDC1D-B293-43E2-A34A-D13278CAAA86}"= TCP:c:\program files\DNA\btdna.exe:DNA
"TCP Query User{C1908D61-18F5-4546-9A75-03EA7F9F20B7}c:\\program files\\icq6\\icq.exe"= UDP:c:\program files\icq6\icq.exe:ICQ
"UDP Query User{CC9117B7-68A2-46A0-858E-0F02642D3DBA}c:\\program files\\icq6\\icq.exe"= TCP:c:\program files\icq6\icq.exe:ICQ
"{07200B71-4EEC-4FB5-A574-652F14D5B261}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{4544EDBE-1B22-4055-8E60-B38B9166281C}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{5DC7C34B-E7AD-4A1A-9CD6-11B0735FE7AF}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{B232A98B-F990-4891-9F13-0FCB80EA40F5}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{0635AFA6-CA96-4BF8-B5BC-DEBEB6C47FF0}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
 
Re: Hijack this report: part 2 of ComboFix report split

"{4C61DF22-9CE8-4440-9189-41B769F8CC36}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{F00BC6B2-A0E3-4595-B3A1-A14105821564}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"TCP Query User{BC62FC5E-99EA-4B79-9D4B-29105CF93333}c:\\program files\\macromedia\\dreamweaver 8\\dreamweaver.exe"= UDP:c:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8
"UDP Query User{D553E68A-8540-4953-AE4E-C87F5454F9CB}c:\\program files\\macromedia\\dreamweaver 8\\dreamweaver.exe"= TCP:c:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8
"{AD81B75F-319E-49EB-B066-E6D05053F706}"= UDP:c:\windows\System32\lxczcoms.exe:Lexmark Communications System
"{4A9C9DDA-520D-4D2B-A994-28EDB3191503}"= TCP:c:\windows\System32\lxczcoms.exe:Lexmark Communications System
"{6A45BA7B-1C3B-4686-8F1F-81B639D2E38B}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxczpswx.exe:printer Status Window
"{79B15503-D0E3-4653-BAAD-DDF693DFB95D}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxczpswx.exe:printer Status Window
"{179EB11F-717C-4902-94C8-80B0A21B9101}"= UDP:c:\program files\GameSpy Arcade\Aphex.exe:GameSpy Arcade
"{16B2CBE6-5C60-4087-B2F2-89741106DEEE}"= TCP:c:\program files\GameSpy Arcade\Aphex.exe:GameSpy Arcade
"{497E8672-3903-4BE3-8959-36D9EF39D6EA}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{7CC63D60-A210-4819-A38B-095576E119E4}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{0414683A-607A-4881-87DD-4ABB102DB504}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (TCP-In)
"{7926BA22-0879-4AC8-9087-95630C190C27}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (UDP-In)
"{051F2FB1-25CB-41A3-BA56-BCE5922D03E9}"= UDP:c:\program files\NCSoft\Launcher\NCLauncher.exe:playNC Launcher
"{B33187F5-D0CF-4F3C-93A6-BAC7A89DECB8}"= TCP:c:\program files\NCSoft\Launcher\NCLauncher.exe:playNC Launcher
"{D8680124-03C7-450C-AC69-D6D64A3ACEED}"= UDP:c:\program files\Guild Wars\Gw.exe:Gw
"{CBD884FB-F4B2-4B31-A14B-BBD6F467F563}"= TCP:c:\program files\Guild Wars\Gw.exe:Gw
"{85C6BB91-A559-44F5-A321-7F6F62301A01}"= UDP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{5FAD2EFC-B9DE-47E2-BE53-2C42BB578AD1}"= TCP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"TCP Query User{A31AFEC1-75DD-41E6-A59A-8DAD19C01530}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{994A2DB0-E176-4097-B978-85D23C680C5A}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{51FE6AF3-692E-48A3-9CDA-49F460582112}c:\\program files\\icq6.5\\icq.exe"= UDP:c:\program files\icq6.5\icq.exe:ICQ
"UDP Query User{54F78677-9381-496D-A165-1DD072358C9A}c:\\program files\\icq6.5\\icq.exe"= TCP:c:\program files\icq6.5\icq.exe:ICQ
"{0985B7E6-BF5D-4BD8-B1E7-14E4385D47EF}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{1E2BEA41-E028-43ED-BDAA-F7A03E0944BC}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{95FAB8DF-9381-4C36-BACC-75EE82BE063E}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Acer\\Empowering Technology\\eDataSecurity\\eDSfsu.exe"= c:\acer\Empowering Technology\eDataSecurity\eDSfsu.exe:*:Enabled:eDSfsu
"c:\\Acer\\Empowering Technology\\eDataSecurity\\encryption.exe"= c:\acer\Empowering Technology\eDataSecurity\encryption.exe:*:Enabled:encryption
"c:\\Acer\\Empowering Technology\\eDataSecurity\\decryption.exe"= c:\acer\Empowering Technology\eDataSecurity\decryption.exe:*:Enabled:decryption
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [19/07/2009 4:11 PM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [19/07/2009 4:11 PM 108552]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Live\Acer PlayMovie\000.fcl [04/03/2008 9:46 PM 13560]
R2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [16/07/2007 11:50 PM 269448]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [19/07/2009 4:11 PM 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [19/07/2009 4:11 PM 298776]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [05/07/2009 11:56 PM 222456]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [25/11/2008 12:26 AM 203616]
S3 WMSvc;Web Management Service;c:\windows\System32\inetsrv\WMSvc.exe [20/06/2008 12:39 PM 11264]
S3 WSVD;WSVD;c:\windows\System32\drivers\WSVD.sys [05/03/2008 10:47 PM 80744]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [22/02/2007 6:39 PM 2808664]
.
Contents of the 'Scheduled Tasks' folder

2009-07-21 c:\windows\Tasks\User_Feed_Synchronization-{F8DE44E3-06E5-4ECD-B1FE-83392AC0D4E4}.job
- c:\windows\system32\msfeedssync.exe [2008-06-20 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: Copy to &Lightning Note - c:\program files\WordPerfect Lightning\Programs\WPLightningCopyToNote.hta
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-07-21 13:31
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Live\Acer PlayMovie\000.fcl"
.
Completion time: 2009-07-21 13:34
ComboFix-quarantined-files.txt 2009-07-21 20:34
ComboFix2.txt 2009-07-19 21:36

Pre-Run: 77,736,771,584 bytes free
Post-Run: 77,766,397,952 bytes free

272 --- E O F --- 2009-07-20 17:12
 