Serious spyware infection!


triskit

As the title suggests, I'm trying to get rid of a very intense spyware infection. I went through the removal guide, but there still seems to be quite a bit of work to do.

Background info: Windows XP (was SP3 but may not be anymore)
After I was redirected to a malicious website with a few popups, AVG warned me that my computer was being targeted by a massive amount of spyware. It immediately shut down and Windows would no longer load (even in safe mode). It could no longer access kernel32.DLL, which I gather is rather important to the computer on a fundamental level.

I did a repair install of Windows XP in order to allow the computer to boot up at all. It can now boot in both safe and normal mode, but it is apparent that the computer has a rather serious spyware infection. I repeatedly scanned the computer with Malwarebytes, Spybot, and SUPERAntiSpyware. At one point, all three programs found no threats, but ALL threats soon came back and their symptoms never went away. Also, I am worried that, after the repair install, I do not have vital updates that would help to secure my computer... And no, Windows Update is not happening with this infection.

When loading in normal mode, I get a message at login saying "etc etc, "0X007106b7" the memory could not be 'written'". After this (which does not happen in safe mode = spyware, right?) the computer usually loads, although it sometimes takes a couple of tries. In both safe and normal mode, the computer is slowed and I do not have access to many features. I cannot access most of the stuff in the Control Panel, nor can I get into My Computer > Preferences to turn off System Restore. When I try to do these things, I get an error message saying something about not being able to access RunDLL. I also cannot open text files without using OpenOffice (which I expect is a clever way of preventing users from sharing their ComboFix, MWB, HJT logs with sites like this).

After all of this, I went through your tutorial, with the exception of the AVG scan (I'll explain later). After running CCleaner, I could not connect to the internet in normal mode (nothing appears in Network Connections), but it can connect in safe mode with networking, so I've been using that, unplugging it from the internet when I do not absolutely need to be connected. I then ran SmitFraudFix, VundoFix (found nothing), and Malwarebytes.

When I ran ComboFix, the computer restarted before finishing the scan because it detected rootkit activity (as I'm writing this it is dawning on me that I never used that program you said was for rootkits... I failed to put that together...). After the restart, I ran it again (this is all still in safe mode w/ networking); it did not delete those same files, but it did finish the scan and save a log. I am just worried that whatever it did the first time will not be adequately reflected in the log file.

I then ran Trojan Remover, which removed all threats it found but one. It said it couldn't fix it and gave this error message: "An essential Windows file, USERINIT.EXE, has been replaced or virally patched by malware. Trojan Remover cannot locate a good copy of this file to restore. The file cannot be renamed/removed without a good copy available, because the system would not be able to start correctly. YOU MUST MANUALLY RESTORE A GOOD COPY OF USERINIT.EXE FILE"

I ran AVG in safe mode (it did its brief, safe-mode command prompt scan), but I didn't try running it in normal mode because I did that before and was BOMBARDED with "win32/heur" detections. It must've found that in half the files on my computer, but it didn't seem to find anything else. Is this a 'heuristics' detection? Should I ignore it / how can I prevent it... I'd like to keep using AVG...

That should be the whole story... I've set up an email account so that I can send files to my infected computer from my trusty Linux laptop, and I'm pretty much just running my infected computer in safe mode. I'm sort of terrified to run it normally. The HJT and ComboFix logs are below in separate posts. I hope you can help!

Thanks for reading my book ^^ and for the help
 
HJT LOG:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:23:52, on 4/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Trojan Remover\Trjscan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Executor\Executor.exe
C:\Documents and Settings\God\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\Executor.exe" -s
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\God\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1498179910-152276622-527904364-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1498179910-152276622-527904364-1005\..\Run: [Executor] "C:\Program Files\Executor\Executor.exe" -s (User '?')
O4 - HKUS\S-1-5-21-1498179910-152276622-527904364-1005\..\Run: [Google Update] "C:\Documents and Settings\God\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User '?')
O4 - HKUS\S-1-5-21-1498179910-152276622-527904364-1005\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\qsll7lu.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\qsll7lu.exe (User 'Default user')
O4 - S-1-5-21-1498179910-152276622-527904364-1005 Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe (User '?')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Monarch - {90B74D03-6182-4AE6-8987-C1461822AB3C} - http://www.monarchcomputer.com (file missing) (HKCU)
O11 - Options group: [searching] Search from the Address bar
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1109356669921
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bw+0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: offline-8876480 - {CBE7A7C0-C8F5-4442-99FC-C06084A2E52A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
 
HJT Log Continued :


O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (imapiservice) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDF Creator (PDFCreator) - - c:\program files\alexis rios software\pdf creator service 1.01\pdfcreatorservice.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 20175 bytes
 
COMBOFIX LOG
ComboFix 09-04-19.01 - God 04/18/2009 14:44.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1763 [GMT -5:00]
Running from: c:\documents and settings\God\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: COMODO Firewall Pro *enabled*
FW: Norton Internet Worm Protection *disabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\Install.txt
c:\windows\system32\fhpatch.dll
c:\windows\system32\fiplock.dll
c:\windows\system32\Install.txt
c:\windows\system32\iphy.dll
c:\windows\system32\ntos.exe
c:\windows\system32\sX3i19
c:\windows\system32\tcpd.dll
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6to4
-------\Legacy_at1394
-------\Legacy_fci
-------\Legacy_protect
-------\Legacy_RESTORE
-------\Legacy_sopidkc
-------\Legacy_tdctxte
-------\Legacy_TDSSSERV.SYS
-------\Service_restore


((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.

2009-04-18 18:58 . 2009-04-18 18:58 38 ----a-w C:\25.tmp
2009-04-18 18:58 . 2009-04-18 18:58 0 ----a-w C:\24.tmp
2009-04-18 18:58 . 2009-04-18 18:58 0 ----a-w C:\23.tmp
2009-04-18 18:58 . 2009-04-18 18:58 0 ----a-w C:\22.tmp
2009-04-18 18:58 . 2009-04-18 18:58 0 ----a-w C:\21.tmp
2009-04-18 18:57 . 2009-04-18 18:57 0 ----a-w C:\20.tmp
2009-04-18 18:57 . 2009-04-18 18:57 0 ----a-w C:\1F.tmp
2009-04-18 18:57 . 2009-04-18 18:57 0 ----a-w C:\1E.tmp
2009-04-18 18:57 . 2009-04-18 18:57 0 ----a-w C:\1D.tmp
2009-04-18 18:57 . 2009-04-18 18:57 38 ----a-w C:\1C.tmp
2009-04-18 18:57 . 2009-04-18 18:57 52736 ----a-w C:\1B.tmp
2009-04-18 18:57 . 2009-04-18 18:57 15000 ----a-w c:\windows\system32\yaubfh983ind.dl_
2009-04-18 18:07 . 2009-04-18 18:07 -------- d-----w C:\VundoFix Backups
2009-04-18 17:36 . 2009-04-18 17:36 -------- d-----w c:\program files\CCleaner
2009-04-18 17:11 . 2009-04-18 17:21 -------- d-----w c:\program files\CleanUp!
2009-04-18 17:06 . 2009-04-18 17:06 38 ----a-w C:\19.tmp
2009-04-18 17:06 . 2009-04-18 17:06 0 ----a-w C:\18.tmp
2009-04-18 17:06 . 2009-04-18 17:06 0 ----a-w C:\17.tmp
2009-04-18 17:06 . 2009-04-18 17:06 0 ----a-w C:\16.tmp
2009-04-18 17:06 . 2009-04-18 17:06 0 ----a-w C:\15.tmp
2009-04-18 17:06 . 2009-04-18 17:06 0 ----a-w C:\14.tmp
2009-04-18 17:06 . 2009-04-18 17:06 0 ----a-w C:\13.tmp
2009-04-18 17:06 . 2009-04-18 17:06 0 ----a-w C:\12.tmp
2009-04-18 17:06 . 2009-04-18 17:06 0 ----a-w C:\11.tmp
2009-04-18 17:06 . 2009-04-18 17:06 38 ----a-w C:\10.tmp
2009-04-18 17:06 . 2009-04-18 17:06 52736 ----a-w C:\F.tmp
2009-04-18 17:06 . 2009-04-18 17:06 0 ----a-w C:\3.tmp
2009-04-18 17:00 . 2009-04-18 17:00 -------- d-----w c:\program files\MSConfig CleanUp
2009-04-18 16:48 . 2009-04-18 16:48 38 ----a-w C:\E.tmp
2009-04-18 16:48 . 2009-04-18 16:48 0 ----a-w C:\D.tmp
2009-04-18 16:48 . 2009-04-18 16:48 0 ----a-w C:\C.tmp
2009-04-18 16:48 . 2009-04-18 16:48 0 ----a-w C:\B.tmp
2009-04-18 16:48 . 2009-04-18 16:48 0 ----a-w C:\A.tmp
2009-04-18 16:48 . 2009-04-18 16:48 0 ----a-w C:\9.tmp
2009-04-18 16:48 . 2009-04-18 16:48 0 ----a-w C:\8.tmp
2009-04-18 16:48 . 2009-04-18 16:48 0 ----a-w C:\7.tmp
2009-04-18 16:48 . 2009-04-18 16:48 0 ----a-w C:\6.tmp
2009-04-18 16:48 . 2009-04-18 16:48 38 ----a-w C:\5.tmp
2009-04-18 16:48 . 2009-04-18 16:48 52736 ----a-w C:\4.tmp
2009-04-17 21:52 . 2009-04-17 21:52 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-17 21:52 . 2009-04-18 04:22 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-17 21:52 . 2009-04-17 21:52 -------- d-----w c:\documents and settings\God\Application Data\SUPERAntiSpyware.com
2009-04-17 01:44 . 2004-08-04 12:00 53248 -c--a-w c:\windows\system32\dllcache\nextlink.dll
2009-04-17 01:43 . 2004-08-04 12:00 66082 -c--a-w c:\windows\system32\dllcache\c_20424.nls
2009-04-17 01:41 . 2009-04-17 01:41 488 ---ha-r c:\windows\system32\logonui.exe.manifest
2009-04-17 01:41 . 2009-04-17 01:41 749 ---ha-r c:\windows\WindowsShell.Manifest
2009-04-17 01:41 . 2009-04-17 01:41 749 ---ha-r c:\windows\system32\wuaucpl.cpl.manifest
2009-04-17 01:41 . 2009-04-17 01:41 749 ---ha-r c:\windows\system32\sapi.cpl.manifest
2009-04-17 01:41 . 2009-04-17 01:41 749 ---ha-r c:\windows\system32\nwc.cpl.manifest
2009-04-17 01:41 . 2009-04-17 01:41 749 ---ha-r c:\windows\system32\ncpa.cpl.manifest
2009-04-17 01:41 . 2004-08-04 12:00 36864 -c--a-w c:\windows\system32\dllcache\isignup.exe
2009-04-17 01:38 . 2004-08-04 05:56 172544 ----a-w c:\windows\system32\irftp.exe
2009-04-17 01:38 . 2004-08-04 05:56 8192 ----a-w c:\windows\system32\wshirda.dll
2009-04-17 01:38 . 2004-08-04 05:56 27136 ----a-w c:\windows\system32\irmon.dll
2009-04-17 01:38 . 2004-08-04 04:00 87424 ----a-w c:\windows\system32\drivers\irda.sys
2009-04-17 01:33 . 2001-08-17 18:51 18688 ----a-w c:\windows\system32\drivers\irsir.sys
2009-04-17 01:22 . 2001-08-17 18:51 19584 ----a-w c:\windows\system32\drivers\rasirda.sys
2009-04-17 01:20 . 2004-08-04 12:00 502724 -c--a-w c:\windows\system32\dllcache\NT5INF.CAT
2009-04-17 01:20 . 2004-08-04 12:00 2012670 -c--a-w c:\windows\system32\dllcache\NT5.CAT
2009-04-17 01:20 . 2009-04-17 01:20 -------- d-s---w c:\windows\system32\config\systemprofile\History
2009-04-16 23:09 . 2009-04-16 23:09 0 ----a-w c:\windows\system32\DF.tmp
2009-04-16 23:08 . 2009-04-16 23:08 10240 ----a-w c:\windows\system32\Packer.dll
2009-04-16 23:08 . 2009-04-17 02:40 -------- d-----w c:\windows\system32\3361
2009-04-16 23:08 . 2009-04-17 23:55 -------- d-----w c:\windows\dhcp
2009-04-16 23:08 . 2009-04-16 23:09 71680 ----a-w c:\windows\system32\D3.tmp
2009-04-16 23:08 . 2009-04-16 23:08 168 ----a-w c:\windows\system32\D2.tmp
2009-04-15 20:48 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 16:04 . 2009-04-16 23:02 54156 ---ha-w c:\windows\QTFont.qfn
2009-04-15 16:04 . 2009-04-15 16:04 1409 ----a-w c:\windows\QTFont.for
2009-04-01 03:14 . 2009-04-01 03:14 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Viewpoint

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 19:33 . 2009-04-18 18:07 272 ----a-w C:\VundoFix.txt
2009-04-18 19:12 . 2006-08-16 16:44 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-18 18:05 . 2009-04-18 18:03 3049 ----a-w C:\rapport.txt
2009-04-18 17:24 . 2006-07-29 20:45 -------- d-----w c:\documents and settings\God\Application Data\OpenOffice.org2
2009-04-18 01:08 . 2006-08-16 16:44 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-18 00:30 . 2007-09-02 23:00 -------- d-----w c:\program files\FrostWire
2009-04-17 21:52 . 2008-10-22 23:58 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-17 02:01 . 2004-08-04 12:00 213376 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-17 02:00 . 2008-11-13 03:09 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-17 01:40 . 2005-02-25 18:10 23444 ----a-w c:\windows\system32\emptyregdb.dat
2009-04-17 01:39 . 2009-04-17 01:39 873 ----a-w c:\windows\Inf\COM190.tmp
2009-04-16 23:08 . 2009-04-16 23:08 262 ----a-w C:\gadhq2g.log
2009-04-16 16:49 . 2008-08-27 14:47 0 ----a-w c:\documents and settings\Other People\Local Settings\Application Data\prvlcl.dat
2009-04-16 03:48 . 2001-07-12 07:33 -------- d-----w c:\documents and settings\God\Application Data\gtk-2.0
2009-04-06 20:32 . 2008-11-13 03:09 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2008-11-13 03:09 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-01 03:14 . 2006-08-14 16:55 -------- d-----w c:\program files\Viewpoint
2009-03-29 07:27 . 2008-08-26 18:36 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-03-29 06:17 . 2009-01-25 02:22 -------- d-----w c:\documents and settings\God\Application Data\AVGTOOLBAR
2009-02-03 23:19 . 2009-01-25 02:22 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-31 04:39 . 2009-01-31 04:39 48456 ----a-w c:\windows\system32\UninstallElectricSheep.exe
2008-09-21 00:32 . 2006-07-30 05:06 24152 ----a-w c:\documents and settings\God\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-08-25 16:36 . 2001-06-20 16:31 24152 ----a-w c:\documents and settings\Other People\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-01-20 21:26 . 2008-01-20 21:26 67176 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2007-02-05 03:59 . 2006-07-29 03:42 126 ----a-w c:\documents and settings\God\Local Settings\Application Data\fusioncache.dat
2006-07-29 04:08 . 2006-07-29 04:08 137 ----a-w c:\documents and settings\NetworkService\Local Settings\Application Data\fusioncache.dat
2005-02-25 18:44 . 2006-10-19 15:35 136 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\fusioncache.dat
2005-02-25 18:44 . 2006-07-29 03:42 136 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\fusioncache.dat
2005-02-25 18:44 . 2005-02-25 18:44 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2005-02-25 18:44 . 2001-06-18 05:21 136 ----a-w c:\documents and settings\Other People\Local Settings\Application Data\fusioncache.dat
.

------- Sigcheck -------

[-] 2004-08-04 12:00 34304 44A7E0D393C8C4742D12414D32C568B7 c:\windows\system32\svchost.exe
[-] 2004-08-04 12:00 34304 D3E94DD2D46C2BEC30C320FDC6207EF2 c:\windows\system32\dllcache\svchost.exe

[-] 2009-04-17 02:01 213376 3D748D850B1C17C357C54BBFD4835F27 c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-17 02:01 213376 3D748D850B1C17C357C54BBFD4835F27 c:\windows\system32\drivers\ndis.sys

[-] 2004-08-04 12:00 1052160 9190AC0FB650C9282BEF4C22B1E061D4 c:\windows\explorer.exe
[-] 2007-06-13 11:26 1053184 32A457D57E6B3DB2B2ADB6E0009D2834 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2004-08-04 12:00 1052160 FE0843EE5A27C788073A1032E1C02179 c:\windows\system32\dllcache\explorer.exe

[-] 2004-08-04 12:00 35328 122DD0649E5AF8872392231E84493751 c:\windows\system32\ctfmon.exe
[-] 2004-08-04 12:00 35328 A567A44F7B2A6201F944648732D42D59 c:\windows\system32\dllcache\ctfmon.exe

[-] 2004-08-04 12:00 77824 1430675B4718AC7FE17AB3B96BD5A4AA c:\windows\system32\spoolsv.exe
[-] 2004-08-04 12:00 77824 281F673833AF5CC5DA814DDDDDDE3BFF c:\windows\system32\dllcache\spoolsv.exe

[-] 2004-08-04 12:00 131072 64040946B62A88758CF5C0CD166B58AA c:\windows\system32\wuauclt.exe
[-] 2004-08-04 12:00 131072 06E358AE92D8E1FAB75B442CBF19921B c:\windows\system32\dllcache\wuauclt.exe

[-] 2004-08-04 12:00 44544 E777D1C97C0B4C02E0E53ED1B998ED67 c:\windows\system32\userinit.exe
[-] 2004-08-04 12:00 44544 BC1B1EB9D27D09F473D989BF6F59E2B3 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 35328]
"Executor"="c:\program files\Executor\Executor.exe" [2008-05-19 1072640]
"Google Update"="c:\documents and settings\God\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-01 133104]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2280448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 69632]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 143360]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 65536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 307200]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-04-06 1298064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-03 1601304]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 178176]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 39936]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-06-01 1540096]

c:\documents and settings\God\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2008-1-18 3450608]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-07 03:16 176128 ----a-w c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-03 23:19 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"ezShieldProtector for Px"=c:\windows\system32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\CambridgeSoft\\ChemOffice2008\\ChemDraw\\ChemDraw.exe"=
"c:\\Program Files\\360desktop\\360manager.exe"=
"c:\\Program Files\\360desktop\\360desktop.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\ElectricSheep.scr"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 20c82ffa;20c82ffa; [x]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-02-03 325128]
R1 cob0888;cob0888; [x]
R1 gsfdeab;gsfdeab; [x]
R1 ibn009c;ibn009c; [x]
R1 kcj2384;kcj2384; [x]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-03 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-03 298264]
R2 IcRecUsb;IC Recorder Driver;c:\windows\system32\Drivers\IcRecUsb.sys [2001-10-02 17432]
R2 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
R2 PDFCreator;PDF Creator;c:\program files\alexis rios software\pdf creator service 1.01\pdfcreatorservice.exe [2005-09-10 61440]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-09-08 45132]
R3 evomouflt;Evoluent Mouse filter;c:\windows\system32\DRIVERS\evomouflt.sys [2006-12-12 12288]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S0 Si3112r;ATI-437A Serial ATA Controller;c:\windows\system32\DRIVERS\si3112r.sys [2004-09-30 97920]
S0 SiSRaid1;SiSRaid1;c:\windows\system32\DRIVERS\SiSRaid1.sys [2003-12-09 45568]
S0 viapdsk;VIA ATA/ATAPI Host Controller;c:\windows\system32\DRIVERS\viapdsk.sys [2003-10-31 29184]
S0 viasraid;viasraid;c:\windows\system32\DRIVERS\viasraid.sys [2003-09-05 77056]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-02-03 107272]
S3 FVDSCSI;FVDSCSI;c:\windows\system32\DRIVERS\fvdscsi.sys [2005-04-25 57216]

.
Contents of the 'Scheduled Tasks' folder

2009-04-18 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-08-26 23:58]

2009-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1498179910-152276622-527904364-1005.job
- c:\documents and settings\God\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-01 01:50]
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)


.
 
COMBOFIX LOG CONTINUED

------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost
IE: Crawler Search - tbr:iemenu
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll
FF - ProfilePath - c:\documents and settings\God\Application Data\Mozilla\Firefox\Profiles\8jlks4xk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\God\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\CambridgeSoft\ChemOffice2008\Chem3D\npChem3DPlugin.dll
FF - plugin: c:\program files\CambridgeSoft\ChemOffice2008\ChemDraw\NPCDP32.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint_.dll
.
.
------- File Associations -------
.
txtfile=%windir%\NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 14:49
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(500)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
.
Completion time: 2009-04-18 14:52
ComboFix-quarantined-files.txt 2009-04-18 19:52

Pre-Run: 53,550,166,016 bytes free
Post-Run: 53,732,802,560 bytes free

294 --- E O F --- 2009-04-16 04:46
 
I hope the logs are formatted properly; as I said, my comp can't directly access them. I have to go through OpenOffice and that may have introduced some weird formatting. I can go through and change stuff if necessary.

Thanks again
Triskit

Edit: just got your message, I'll upload the logs.
 
Logs are attached (I hope). I had to split the HJT log into two txt files in order for it to be accepted as an attachment. There is an overlap of two entries between the two parts in order to ensure that nothing was left out.
 

Attachments: combofixlog.txt, hijackthis1.txt, hijackthis2.txt

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\qsll7lu.exe (User '?')

O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\qsll7lu.exe (User 'Default user')

O9 - Extra button: Monarch - {90B74D03-6182-4AE6-8987-C1461822AB3C} - http://www.monarchcomputer.com (file missing) (HKCU)

Uninstall ViewPoint if you can. Try to remove these in regular mode; if you can't, try safe mode.

After you run these, run ComboFix again and then Malwarebytes, and post both their logs along with a new HijackThis log.
 
It appears that I am back to square one. After trying to reboot in regular mode I once again got an error message saying that KERNEL32.DLL was not found; the computer began repeatedly restarting and getting this message over and over. I'll try one of the spyware boot CDs you recommended... I'd rather not go through another repair install... Other possibilities?
 