Solved

How do I finish the cleanup of this malware/virus?

Posted on 2008-10-15
1,114 Views
Last Modified: 2013-12-06
I am having problems with malware/virus removal on a Dell Dimension 4600. At first I could not access System Restore or hidden files and folders. I was able to gain control after running Symantec and Spybot. I then ran Symantec, Spybot, and Trend Micro's Housecall on it with System Restore turned off and view hidden files and folders enabled. However, on reboot the Adsense popup program and a foreign-language program that had been uninstalled through Add/Remove Programs reappear. Deleted shortcuts to MS-DOS also reappear with a new file name. I would just reformat/reinstall XP, but there are documents that need to be recovered if possible. I am currently working on another computer with similar problems. A flash drive became infected when she copied the documents to it; consequently it is now on two computers. The following is a HijackThis log. Any help would be greatly appreciated.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:41 AM, on 10/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\wuauclt.exe
c:\fgc\fgcrepl.exe
c:\fgc\f101\fgcupd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system\rundll32.exe
C:\WINDOWS\Driver.\daemon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.3929.cn?tn=102737
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) -  - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system\rundll32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system\rundll32.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Info cache - {285AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\WINDOWS\Kler\pbhealth.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [360] C:\WINDOWS\360safe.exe
O4 - HKLM\..\Run: [RavMonS] C:\WINDOWS\soni.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKLM\..\Policies\Explorer\Run: [explorer] C:\WINDOWS\system32\wuauclt.exe
O4 - HKLM\..\Policies\Explorer\Run: [internetnet] C:\WINDOWS\system32\wuauclt.exe
O4 - HKLM\..\Policies\Explorer\Run: [user] C:\WINDOWS\Driver..\daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\SCRABBLE\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2D72C39D-53F6-4AEA-A9DB-1298429DA974} (3DVista Viewer Control) - http://www.3dvista.com/downloads/viewer3dv.cab
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - https://www.etoreports.com/viewer9/activeXViewer/activexviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\SCRABBLE\Images\armhelper.ocx
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://www.playfirst.com/play/game/weddingdash/WeddingDash.1.0.0.44.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6ED9273C-2A83-460A-9288-82F0B06C382B}: NameServer = 65.32.1.65
O23 - Service: CtjcKem - Unknown owner - C:\WINDOWS\wuauclt.exe
O23 - Service: FGC Replication (fgcrepl) - Fortres Grand Corporation - c:\fgc\fgcrepl.exe
O23 - Service: Fortres 101 Update (fgcupdate) - Unknown owner - c:\fgc\f101\fgcupd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8619 bytes
Question by:charismatic100
23 Comments
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22721365
Hi,
This machine is still very heavily infected. Here's what I would advise doing.

Please download ComboFix from either of these links to your Desktop.
http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. *
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

* The link below is a list of programs that should be disabled. If yours is not listed and you don't know how to disable it, please ask.
http://www.bleepingcomputer.com/forums/topic114351.html

* Close any open browsers.
* WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
* Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
* If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please attach the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

PLEASE ALSO NOTE: ComboFix will typically fix most, and sometimes all, malware entries, but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.


0
 
LVL 27

Expert Comment

by:David-Howard
ID: 22721391
The log file shows these entries as bad.
C:\WINDOWS\wuauclt.exe
C:\WINDOWS\system\rundll32.exe
C:\WINDOWS\system\rundll32.exe
R3 - URLSearchHook: (no name) - - (no file)
O4 - HKLM\..\Run: [360] C:\WINDOWS\360safe.exe
O4 - HKLM\..\Policies\Explorer\Run: [explorer] C:\WINDOWS\system32\wuauclt.exe
O4 - HKLM\..\Policies\Explorer\Run: [internetnet] C:\WINDOWS\system32\wuauclt.exe
O4 - HKLM\..\Policies\Explorer\Run: [user] C:\WINDOWS\Driver..\daemon.exe
O23 - Service: CtjcKem - Unknown owner - C:\WINDOWS\wuauclt.exe
If you have not done so, please download, update and run Malwarebytes in SAFE MODE. It's a free utility that has proven very effective in malware removal.
www.malwarebytes.org
0
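As an added illustration of the triage David-Howard is doing by eye (this is example code written for this page, not part of the original thread and not a HijackThis feature), here is a Python script that reads HijackThis-style lines and flags the same patterns: a Windows binary name such as wuauclt.exe or rundll32.exe running from the wrong directory, executables started straight out of C:\WINDOWS, the Policies\Explorer\Run autostart, the extra program appended to UserInit, and orphaned entries. The log lines embedded in it are constructed from the post above; the table of expected install directories and the list of suspicious parent folders are this example's own assumptions about a stock XP SP2 box.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section line reason")

# Directory in which Windows XP installs each binary (assumption of this
# example: lower case, no trailing backslash). The same file name anywhere
# else is the masquerade seen in the log: a rogue C:\WINDOWS\wuauclt.exe
# sitting next to the real C:\WINDOWS\system32\wuauclt.exe.
EXPECTED_DIR = {
    "wuauclt.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Folders from which nothing should be auto-started on a stock XP box (assumption).
BAD_PARENT = {r"c:\windows", r"c:\windows\system", r"c:\windows\temp"}

# A drive-letter path ending in an executable extension; spaces are allowed,
# quotes, brackets and commas terminate it (so "a.exe,b.exe" yields two paths).
PATH_RE = re.compile(r'[a-z]:\\[^"\[\],\r\n]+?\.(?:exe|dll|sys|pif|scr|com)\b', re.I)
SECTION_RE = re.compile(r"^([A-Z]\d+) - ")


def check_path(path):
    """Yield the reasons a single file path looks wrong."""
    low = path.lower()
    parent, _, name = low.rpartition("\\")
    expected = EXPECTED_DIR.get(name)
    if expected is not None and parent != expected:
        yield f"{name} is a Windows binary name but runs from {parent} (real one lives in {expected})"
    elif expected is None and parent in BAD_PARENT:
        yield f"executable started directly from {parent}"
    # A folder whose name ends in '.' (Driver., Driver..) cannot be opened via a
    # normal Win32 path, so Explorer and most cleaners fail to delete it.
    if any(c.endswith(".") for c in parent.split("\\")[1:]):
        yield "folder name ending in '.' shields the file from normal deletion"


def triage(log_text):
    """Return a Finding for every suspicious line in a HijackThis-style log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        section = m.group(1) if m else "proc"   # "proc" = Running processes block
        paths = PATH_RE.findall(line)
        reasons = []
        for p in paths:
            reasons.extend(check_path(p))
        if "Policies\\Explorer\\Run" in line:
            reasons.append("Policies\\Explorer\\Run autostart: hidden from msconfig, rarely legitimate")
        if section == "F2" and sum(p.lower().endswith(".exe") for p in paths) > 1:
            reasons.append("UserInit launches an extra executable after userinit.exe")
        if section == "F3":
            reasons.append("win.ini load= is a legacy autostart that should normally be empty")
        if section == "O23" and "Unknown owner" in line and reasons:
            reasons.append("service has no vendor string")
        if "(no file)" in line:
            reasons.append("orphaned entry pointing at a file that no longer exists")
        findings.extend(Finding(section, line, r) for r in reasons)
    return findings


# Constructed sample, modelled on the log in the question (not the full log).
SAMPLE = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wuauclt.exe
C:\WINDOWS\system\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Driver.\daemon.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe

F3 - REG:win.ini: load=C:\WINDOWS\system\rundll32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system\rundll32.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [360] C:\WINDOWS\360safe.exe
O4 - HKLM\..\Policies\Explorer\Run: [explorer] C:\WINDOWS\system32\wuauclt.exe
O4 - HKLM\..\Policies\Explorer\Run: [user] C:\WINDOWS\Driver..\daemon.exe
O23 - Service: CtjcKem - Unknown owner - C:\WINDOWS\wuauclt.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""


def triage_sample():
    """Run the triage over the constructed sample above."""
    return triage(SAMPLE)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"[{f.section}] {f.line}\n    -> {f.reason}")
```

The heuristics deliberately stay path-based: the service names in this log (CtjcKem, DujgNnu) look random to a human, but so do legitimate ones like fgcrepl, so the script only calls a service out when its binary is also in the wrong place. Legitimate entries in the sample (the real svchost.exe, Explorer.EXE, the Google service) produce no findings; the two rogue wuauclt.exe copies, the rundll32.exe in C:\WINDOWS\system and the Driver.. folder do.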
 

Author Comment

by:charismatic100
ID: 22724625
Computer responding more like normal now. I am now able to boot into Safe Mode, and the Internet Explorer desktop icon previously MIA has been restored. However, the homepage is still hijacked.

This is what the ComboFix log file looks like:

ComboFix 08-10-15.01 - Administrator 2008-10-15 14:39:59.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.256 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\strategy.txt
C:\WINDOWS\AntiEng.dll
C:\WINDOWS\Aseo\pbhealth.dll
C:\WINDOWS\dt1.dat
C:\WINDOWS\ias.dll
C:\WINDOWS\icpb.dll
C:\WINDOWS\IE4 Error Log.txt
C:\WINDOWS\KB611311.log
C:\WINDOWS\mspcexp.dll
C:\WINDOWS\MsWino.dat
C:\WINDOWS\soni.exe
C:\WINDOWS\sv.dat
C:\WINDOWS\sv.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\gprmsgse.axz
C:\WINDOWS\system32\gscpx32r.det
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\w3S7fa.dll
C:\WINDOWS\system32\wanifts.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\witst.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\UP
C:\WINDOWS\vv.dat
C:\WINDOWS\wuauclt.exe
E:\GX.PIF
F:\autorun.inf
F:\GSR.PIF

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACPIDISK
-------\Legacy_IAS
-------\Legacy_IPRIP
-------\Legacy_NPF
-------\Service_Ias
-------\Service_IPRIP
-------\Service_npf
-------\Service_sys_hkt


(((((((((((((((((((((((((   Files Created from 2008-09-15 to 2008-10-15  )))))))))))))))))))))))))))))))
.

2008-10-15 12:43 . 2008-10-15 12:43      <DIR>      d--------      C:\Program Files\Malwarebytes' Anti-Malware
2008-10-15 12:43 . 2008-10-15 12:43      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-15 12:43 . 2008-10-15 12:43      <DIR>      d--------      C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-10-15 12:43 . 2008-09-10 00:04      38,528      --a------      C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-15 12:43 . 2008-09-10 00:03      17,200      --a------      C:\WINDOWS\system32\drivers\mbam.sys
2008-10-14 13:41 . 2008-10-14 13:41      <DIR>      d--------      C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-10-14 13:41 . 2008-10-14 13:41      <DIR>      d--------      C:\Program Files\SDHelper (Spybot - Search & Destroy)
2008-10-14 12:07 . 2008-10-15 09:28      <DIR>      d--------      C:\hjt
2008-10-13 14:09 . 2008-10-14 14:35      <DIR>      d--------      C:\WINDOWS\SxsCaPendDel
2008-10-13 13:47 . 2007-08-01 22:47      102,664      --a------      C:\WINDOWS\system32\drivers\tmcomm.sys
2008-10-13 12:53 . 2008-10-15 13:39      <DIR>      d--------      C:\WINDOWS\Kler
2008-10-13 12:40 . 2008-10-13 14:02      <DIR>      d--------      C:\Documents and Settings\Administrator\.housecall6.6

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-14 18:47      ---------      d-----w      C:\Program Files\Spybot - Search & Destroy
2008-10-14 18:47      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-28 23:12      774,144      ----a-w      C:\Program Files\RngInterstitial.dll
2006-06-21 18:21      974,832      ----a-w      C:\Program Files\advisor.exe
2004-09-29 15:12      151,552      ------w      C:\Program Files\internet explorer\plugins\icwres.dll
2006-12-06 23:25      168      --sh--r      C:\WINDOWS\system32\BF191EB649.sys
2006-12-06 23:25      2,672      --sha-w      C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 114688]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 385024]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      REG_MULTI_SZ         msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MostFun.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\MostFun.lnk
backup=C:\WINDOWS\pss\MostFun.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 00:11 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\wmpnscfg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

R0 qazat;qazat;C:\WINDOWS\system32\drivers\qazat.sys [2004-08-04 28256]
R2 DujgNnu;DujgNnu;C:\WINDOWS\wuauclt.exe [2008-10-15 40960]
R2 fgcfs;fgcfs;c:\fgc\f101\fgcfs.sys [2004-09-21 112670]
R2 fgcrepl;FGC Replication;c:\fgc\fgcrepl.exe [2004-06-11 122880]
R2 fgcupdate;Fortres 101 Update;c:\fgc\f101\fgcupd.exe [2004-02-16 49152]
R2 Viewpoint Service;Viewpoint Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2008-04-04 30152]
S2 LlbiPge;LlbiPge;C:\WINDOWS\wuauclt.exe [2008-10-15 40960]
S2 NadbFlb;NadbFlb;C:\WINDOWS\wuauclt.exe [2008-10-15 40960]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-15 167808]
S3 sys_hkd;sys_hkd;C:\WINDOWS\TEMP\~62.tmp [ ]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
WbWin

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e6418d5-54c2-11dd-8423-00146cb3d788}]
\shell\explore\command - F:\GX.PIF
\shell\open\Command - F:\GX.PIF

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fb11466-535a-11dd-841c-00146cb3d788}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e066842-f860-11d8-8461-00146cb3d788}]
\shell\explore\command - I:\GX.PIF
\shell\open\Command - I:\GX.PIF

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b89c7d85-f876-11d8-8462-00146cb3d788}]
\shell\explore\command - F:\GX.PIF
\shell\open\Command - F:\GX.PIF

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7be4a44-083a-11d9-846b-00146cb3d788}]
\shell\explore\command - F:\LINUX.PIF
\shell\open\Command - F:\LINUX.PIF

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d35d44f4-0e2d-11d9-846d-00146cb3d788}]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d35d44f5-0e2d-11d9-846d-00146cb3d788}]
\Shell\AutoRun\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
\Shell\open\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec35e329-04e1-11d9-846a-00146cb3d788}]
\shell\explore\command - F:\LINUX.PIF
\shell\open\Command - F:\LINUX.PIF

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8c57d12-47aa-11dd-840f-00146cb3d788}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8c57d13-47aa-11dd-840f-00146cb3d788}]
\Shell\AutoRun\command - H:\
\Shell\open\Command - rundll32.exe .\\irclaso.dll,InstallM

*Newly Created Service* - DUJGNNU
.
Contents of the 'Scheduled Tasks' folder

2008-10-15 C:\WINDOWS\Tasks\SDMsgUpdate (TE).job
- C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exe [2007-09-26 09:53]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Sonic RecordNow! - (no file)
HKLM-Run-Microsoft Works Update Detection - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
HKLM-Run-360 - C:\WINDOWS\360safe.exe
HKLM-Run-RavMonS - C:\WINDOWS\soni.exe
HKLM-Explorer_Run-user - C:\WINDOWS\Driver..\daemon.exe
MSConfigStartUp-Adobe Photo Downloader - C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
MSConfigStartUp-HP Component Manager - C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
MSConfigStartUp-Pando - C:\Program Files\Pando Networks\Pando\Pando.exe
MSConfigStartUp-Yahoo! Pager - C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\u2hozav2.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-15 14:45:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  user = C:\WINDOWS\Driver..\daemon.exe?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sys_hkd]
"ImagePath"="\??\C:\WINDOWS\TEMP\~62.tmp"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\Driver.\daemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-10-15 14:54:44 - machine was rebooted
ComboFix-quarantined-files.txt  2008-10-15 18:54:40

Pre-Run: 1,383,256,064 bytes free
Post-Run: 1,534,980,096 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

213      --- E O F ---      2008-08-18 16:13:14
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 22724867
If you right-click your IE desktop icon and select Properties, what does it list for the home page? If it's an entry other than the one you desire, delete it and add your home page (Ex: http://www.MSN, etc.).
0
 

Author Comment

by:charismatic100
ID: 22725052
I should have been more specific.  When I said that the homepage was still hijacked, I had already tried to manually change the homepage in IE properties.
However, since running ComboFix.exe had restored my ability to reboot into Safe Mode, I ran Malwarebytes in Safe Mode. Homepage is reset to original setting and everything seems to be fine for now. I will be gone until Monday morning. We will see what it looks like then.
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22725137
Question, what is on your F, H, and I drives? I believe they are also still infected. There is still more malware present also.

And I would like you to check a file.

Please go to http://virusscan.jotti.org, click on Browse, and upload the following file for analysis:

C:\WINDOWS\system32\drivers\qazat.sys

Post the results back here.

0
 
LVL 27

Expert Comment

by:David-Howard
ID: 22725425
Outstanding! Please remember for future reference (if this happens to you again) to run all anti-malware and anti-virus suites in Safe Mode. Safe Mode can prevent most malicious software from running thus allowing you to remove it.
David
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22730729
Is MalwareBytes the last scanner that you used?
I'm curious because some bad files/reg entries that are still showing in the ComboFix log may no longer be in the system, if MBAM had deleted those.
Could you attach the MalwareBytes log as well, so we'll know what's been deleted by it.
0
 

Author Comment

by:charismatic100
ID: 22758277
Sorry, all scans run before MBAM were not in Safe Mode, as the computer would BSOD when trying to boot into Safe Mode, a fact that I forgot to mention in the question. Before I even started, I tried to boot into Safe Mode, turn off System Restore and enable viewing of hidden files and folders. All failed. Old version of AVG would not update, so I uninstalled it. First virus scan was from Symantec Recovery Disk with recent virus definition update. Then ran Trend Micro Housecall. Then ComboFix. At this point I should be able to run whatever is needed under the correct circumstances.
MBAM was last scanner used, as that was the first time that I was able to boot into Safe Mode.  
MBAM log follows:

Malwarebytes' Anti-Malware 1.28
Database version: 1274
Windows 5.1.2600 Service Pack 2

10/15/2008 3:34:38 PM
mbam-log-2008-10-15 (15-34-38).txt

Scan type: Quick Scan
Objects scanned: 56933
Time elapsed: 7 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dujgnnu (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\dujgnnu (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dujgnnu (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\llbipge (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\llbipge (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\llbipge (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nadbflb (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\nadbflb (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nadbflb (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (www.3929.cn?tn=102737) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\wuauclt.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
0
 

Author Comment

by:charismatic100
ID: 22758503
IndiGenus,
I was not successful in uploading that file for analysis.  Message says, "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

Not sure that MBAM was successful either.  The following excerpt from the log:
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (www.3929.cn?tn=102737) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

On reboot this morning, I had www.3929.cn?tn=102737 set as the homepage in IE again.
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22758625
From combofix....

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e6418d5-54c2-11dd-8423-00146cb3d788}]
\shell\explore\command - F:\GX.PIF
\shell\open\Command - F:\GX.PIF

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fb11466-535a-11dd-841c-00146cb3d788}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e066842-f860-11d8-8461-00146cb3d788}]
\shell\explore\command - I:\GX.PIF
\shell\open\Command - I:\GX.PIF

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b89c7d85-f876-11d8-8462-00146cb3d788}]
\shell\explore\command - F:\GX.PIF
\shell\open\Command - F:\GX.PIF

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7be4a44-083a-11d9-846b-00146cb3d788}]
\shell\explore\command - F:\LINUX.PIF
\shell\open\Command - F:\LINUX.PIF

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d35d44f4-0e2d-11d9-846d-00146cb3d788}]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d35d44f5-0e2d-11d9-846d-00146cb3d788}]
\Shell\AutoRun\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
\Shell\open\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec35e329-04e1-11d9-846a-00146cb3d788}]
\shell\explore\command - F:\LINUX.PIF
\shell\open\Command - F:\LINUX.PIF

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8c57d12-47aa-11dd-840f-00146cb3d788}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8c57d13-47aa-11dd-840f-00146cb3d788}]
\Shell\AutoRun\command - H:\
\Shell\open\Command - rundll32.exe .\\irclaso.dll,InstallM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is on your F, H, and I drives? I believe they are still infected, which is just causing you to be re-infected.
0

 

Author Comment

by:charismatic100
ID: 22758643
F, H, I drives are flash drives that had been infected.
0
 

Author Comment

by:charismatic100
ID: 22758730
The flash drives were removed last Wednesday night.
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22758953
OK, if you're still infected I would recommend giving ComboFix another run, obviously without those drives. Then post that log and see if there's anything else we need to deal with.
0
 

Author Comment

by:charismatic100
ID: 22762377
ComboFix 08-10-15.01 - Administrator 2008-10-20 16:54:02.3 - NTFSx86 MINIMAL
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.369 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((   Files Created from 2008-09-20 to 2008-10-20  )))))))))))))))))))))))))))))))
.

2008-10-20 08:59 . 2008-10-20 09:38      <DIR>      d--h-----      C:\$AVG8.VAULT$
2008-10-20 08:54 . 2008-10-20 08:54      97,928      --a------      C:\WINDOWS\system32\drivers\avgldx86.sys
2008-10-20 08:54 . 2008-10-20 08:54      76,040      --a------      C:\WINDOWS\system32\drivers\avgtdix.sys
2008-10-20 08:54 . 2008-10-20 08:54      10,520      --a------      C:\WINDOWS\system32\avgrsstx.dll
2008-10-20 08:53 . 2008-10-20 08:57      <DIR>      d--------      C:\WINDOWS\system32\drivers\Avg
2008-10-20 08:53 . 2008-10-20 08:53      <DIR>      d--------      C:\Program Files\AVG
2008-10-20 08:53 . 2008-10-20 08:53      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\avg8
2008-10-20 08:03 . 2008-10-20 08:03      <DIR>      d--------      C:\bad
2008-10-15 12:43 . 2008-10-15 12:43      <DIR>      d--------      C:\Program Files\Malwarebytes' Anti-Malware
2008-10-15 12:43 . 2008-10-15 12:43      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-15 12:43 . 2008-10-15 12:43      <DIR>      d--------      C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-10-15 12:43 . 2008-09-10 00:04      38,528      --a------      C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-15 12:43 . 2008-09-10 00:03      17,200      --a------      C:\WINDOWS\system32\drivers\mbam.sys
2008-10-14 13:41 . 2008-10-14 13:41      <DIR>      d--------      C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-10-14 13:41 . 2008-10-14 13:41      <DIR>      d--------      C:\Program Files\SDHelper (Spybot - Search & Destroy)
2008-10-14 12:07 . 2008-10-15 15:17      <DIR>      d--------      C:\hjt
2008-10-13 14:09 . 2008-10-14 14:35      <DIR>      d--------      C:\WINDOWS\SxsCaPendDel
2008-10-13 13:47 . 2007-08-01 22:47      102,664      --a------      C:\WINDOWS\system32\drivers\tmcomm.sys
2008-10-13 12:53 . 2008-10-15 13:39      <DIR>      d--------      C:\WINDOWS\Kler
2008-10-13 12:40 . 2008-10-13 14:02      <DIR>      d--------      C:\Documents and Settings\Administrator\.housecall6.6

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-14 18:47      ---------      d-----w      C:\Program Files\Spybot - Search & Destroy
2008-10-14 18:47      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-28 23:12      774,144      ----a-w      C:\Program Files\RngInterstitial.dll
2006-06-21 18:21      974,832      ----a-w      C:\Program Files\advisor.exe
2008-10-20 21:00      151,552      ----a-w      C:\Program Files\internet explorer\plugins\icwres.dll
2006-12-06 23:25      168      --sh--r      C:\WINDOWS\system32\BF191EB649.sys
2006-12-06 23:25      2,672      --sha-w      C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((   snapshot@2008-10-15_14.53.31.03   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-20 12:54:01      26,824      ----a-w      C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2006-12-02 02:56:00      96,256      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-02 02:54:32      479,232      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 02:54:34      548,864      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 02:54:32      626,688      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-02 04:25:52      1,101,824      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-02 04:25:56      1,093,120      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-02 04:25:58      69,632      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-02 04:26:00      57,856      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-02 04:08:00      40,960      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-02 04:08:00      45,056      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-02 04:08:00      65,536      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-02 04:08:00      57,344      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-02 04:08:00      61,440      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-02 04:08:00      61,440      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-02 04:08:00      61,440      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-02 04:08:00      49,152      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-02 04:08:00      49,152      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-02 04:46:44      65,536      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 114688]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 385024]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-20 1234712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"user"="C:\WINDOWS\Driver..\daemon.exe" [BU]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      REG_MULTI_SZ         msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MostFun.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\MostFun.lnk
backup=C:\WINDOWS\pss\MostFun.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 00:11 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\wmpnscfg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-10-20 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-10-20 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-20 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-10-20 76040]
R2 fgcfs;fgcfs;c:\fgc\f101\fgcfs.sys [2004-09-21 112670]
R2 fgcrepl;FGC Replication;c:\fgc\fgcrepl.exe [2004-06-11 122880]
R2 fgcupdate;Fortres 101 Update;c:\fgc\f101\fgcupd.exe [2004-02-16 49152]
R2 HpqdGsm;HpqdGsm;C:\WINDOWS\wuauclt.exe [2008-10-20 40960]
R2 Viewpoint Service;Viewpoint Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2008-04-04 30152]
S0 qazat;qazat;C:\WINDOWS\system32\drivers\qazat.sys [ ]
S2 ZbcrNjb;ZbcrNjb;C:\WINDOWS\wuauclt.exe [2008-10-20 40960]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-15 167808]
S3 sys_hkd;sys_hkd;C:\WINDOWS\TEMP\~62.tmp [ ]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
WbWin

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e6418d5-54c2-11dd-8423-00146cb3d788}]
\shell\explore\command - F:\GX.PIF
\shell\open\Command - F:\GX.PIF

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fb11466-535a-11dd-841c-00146cb3d788}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e066842-f860-11d8-8461-00146cb3d788}]
\shell\explore\command - I:\GX.PIF
\shell\open\Command - I:\GX.PIF

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b89c7d85-f876-11d8-8462-00146cb3d788}]
\shell\explore\command - F:\GX.PIF
\shell\open\Command - F:\GX.PIF

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7be4a44-083a-11d9-846b-00146cb3d788}]
\shell\explore\command - F:\LINUX.PIF
\shell\open\Command - F:\LINUX.PIF

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d35d44f4-0e2d-11d9-846d-00146cb3d788}]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d35d44f5-0e2d-11d9-846d-00146cb3d788}]
\Shell\AutoRun\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
\Shell\open\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec35e329-04e1-11d9-846a-00146cb3d788}]
\shell\explore\command - F:\LINUX.PIF
\shell\open\Command - F:\LINUX.PIF

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8c57d12-47aa-11dd-840f-00146cb3d788}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8c57d13-47aa-11dd-840f-00146cb3d788}]
\Shell\AutoRun\command - H:\
\Shell\open\Command - rundll32.exe .\\irclaso.dll,InstallM

*Newly Created Service* - HPQDGSM
.
Contents of the 'Scheduled Tasks' folder

2008-10-20 C:\WINDOWS\Tasks\SDMsgUpdate (TE).job
- C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exe [2007-09-26 09:53]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\u2hozav2.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-20 17:00:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  user = C:\WINDOWS\Driver..\daemon.exe?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sys_hkd]
"ImagePath"="\??\C:\WINDOWS\TEMP\~62.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Internet Explorer\PLUGINS\icwres.dll
-> ?:\WINDOWS\System32\CSCDLL.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Driver.\daemon.exe
.
**************************************************************************
.
Completion time: 2008-10-20 17:08:19 - machine was rebooted
ComboFix-quarantined-files.txt  2008-10-20 21:08:13
ComboFix2.txt  2008-10-20 20:31:05
ComboFix3.txt  2008-10-15 18:54:45

Pre-Run: 1,515,913,216 bytes free
Post-Run: 1,500,831,744 bytes free

201      --- E O F ---      2008-08-18 16:13:14
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22762533
1. Open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:

------------------------------------------------------------------------

File::
C:\WINDOWS\wuauclt.exe
C:\WINDOWS\system32\drivers\qazat.sys

Folder::
C:\WINDOWS\Kler

Driver::
HpqdGsm
qazat
ZbcrNjb
sys_hkd

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e6418d5-54c2-11dd-8423-00146cb3d788}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fb11466-535a-11dd-841c-00146cb3d788}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e066842-f860-11d8-8461-00146cb3d788}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b89c7d85-f876-11d8-8462-00146cb3d788}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7be4a44-083a-11d9-846b-00146cb3d788}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d35d44f4-0e2d-11d9-846d-00146cb3d788}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d35d44f5-0e2d-11d9-846d-00146cb3d788}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec35e329-04e1-11d9-846a-00146cb3d788}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8c57d12-47aa-11dd-840f-00146cb3d788}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8c57d13-47aa-11dd-840f-00146cb3d788}]


------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log


0
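As an added example (not code from the thread, from ComboFix or from its author), the Python script below parses the MountPoints2 entries IndiGenus quoted from the ComboFix log, explains why each shell\<verb>\command value is worth a look (autorun verb, target on a flash-drive letter, relative path, rundll32 launcher, .PIF shortcut), and emits the Registry:: section of a CFScript in the "[-KEY]" delete syntax used in the post above. The sample log is a constructed subset of the entries in this thread; the heuristics are this example's own assumptions, not ComboFix logic.

```python
r"""Triage of MountPoints2 autorun entries from a ComboFix log (added example).

Parses the [HKEY_CURRENT_USER\...\mountpoints2\{GUID}] blocks ComboFix prints,
scores each shell\<verb>\command value with reviewer heuristics (assumptions of
this example, not ComboFix logic) and writes a CFScript Registry:: section.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: four of the MountPoints2 entries quoted in the thread.
# F:, H: and I: were the infected flash drives; C: is the system drive.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e6418d5-54c2-11dd-8423-00146cb3d788}]
\shell\explore\command - F:\GX.PIF
\shell\open\Command - F:\GX.PIF

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fb11466-535a-11dd-841c-00146cb3d788}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d35d44f5-0e2d-11d9-846d-00146cb3d788}]
\Shell\AutoRun\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
\Shell\open\command - RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8c57d13-47aa-11dd-840f-00146cb3d788}]
\Shell\AutoRun\command - H:\
\Shell\open\Command - rundll32.exe .\\irclaso.dll,InstallM
"""

SYSTEM_DRIVE_LETTER = "C"

# ComboFix prints the key on its own line in brackets ...
KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER\\[^\]]*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.IGNORECASE)
# ... followed by one line per shell verb: "\shell\<verb>\command - <command>"
VERB_RE = re.compile(r"^\\shell\\([^\\]+)\\command\s+-\s+(.*)$", re.IGNORECASE)


def parse_mountpoints(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each MountPoints2 key to its [(verb, command), ...] values."""
    entries: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Any bracketed header switches context; only MountPoints2 keys are kept.
            m = KEY_RE.match(line)
            current = m.group(1) if m else None
            if current is not None:
                entries.setdefault(current, [])
            continue
        m = VERB_RE.match(line)
        if m and current is not None:
            entries[current].append((m.group(1).lower(), m.group(2).strip()))
    return entries


def why_suspicious(verb: str, command: str) -> List[str]:
    """Reviewer heuristics (this example's own) for one shell verb command value."""
    reasons: List[str] = []
    low = command.lower()
    if verb in ("auto", "autorun"):
        reasons.append("AutoRun verb: executed when the volume is opened from Explorer")
    drive = re.match(r"^([a-z]):", low)
    if drive is None:
        reasons.append("relative path, resolved against whatever volume is mounted")
    elif drive.group(1).upper() != SYSTEM_DRIVE_LETTER:
        reasons.append(f"target lives on non-system drive {drive.group(1).upper()}:")
    if "rundll32" in low:
        reasons.append("uses rundll32 as a launcher")
    if low.endswith(".pif"):
        reasons.append(".PIF shortcut used as a program launcher")
    return reasons


def triage(log_text: str) -> Dict[str, Dict[str, List[str]]]:
    """{key: {"verb: command": [reasons]}} for every MountPoints2 entry in the log."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for key, values in parse_mountpoints(log_text).items():
        report[key] = {f"{verb}: {cmd}": why_suspicious(verb, cmd) for verb, cmd in values}
    return report


def flagged_keys(report: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Keys with at least one value that tripped a heuristic."""
    return [key for key, values in report.items() if any(values.values())]


def cfscript_registry_block(keys: List[str]) -> str:
    """Registry:: section of a CFScript; a leading '-' inside the brackets tells
    ComboFix to delete the whole key. Explorer rebuilds MountPoints2 keys the
    next time a (clean) volume is mounted, so deleting them loses nothing."""
    return "Registry::\n" + "".join(f"[-{key}]\n" for key in keys)


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for key, values in rep.items():
        print(key)
        for value, reasons in values.items():
            print(f"  {value}")
            for reason in reasons:
                print(f"      - {reason}")
    print()
    print(cfscript_registry_block(flagged_keys(rep)))
```

Run it against a full ComboFix.txt to get the same Registry:: block the expert wrote by hand; entries such as F:\LaunchU3.exe will be flagged on drive letter alone, which is why the heuristics explain themselves rather than decide for you.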
 

Author Comment

by:charismatic100
ID: 22762866
ComboFix log:

ComboFix 08-10-15.01 - Administrator 2008-10-20 18:04:32.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.237 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
C:\WINDOWS\system32\drivers\qazat.sys
C:\WINDOWS\wuauclt.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Kler
C:\WINDOWS\wuauclt.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HPQDGSM
-------\Legacy_QAZAT
-------\Legacy_ZBCRNJB
-------\Service_HpqdGsm
-------\Service_qazat
-------\Service_sys_hkd
-------\Service_ZbcrNjb


(((((((((((((((((((((((((   Files Created from 2008-09-20 to 2008-10-20  )))))))))))))))))))))))))))))))
.

2008-10-20 08:59 . 2008-10-20 09:38      <DIR>      d--h-----      C:\$AVG8.VAULT$
2008-10-20 08:54 . 2008-10-20 08:54      97,928      --a------      C:\WINDOWS\system32\drivers\avgldx86.sys
2008-10-20 08:54 . 2008-10-20 08:54      76,040      --a------      C:\WINDOWS\system32\drivers\avgtdix.sys
2008-10-20 08:54 . 2008-10-20 08:54      10,520      --a------      C:\WINDOWS\system32\avgrsstx.dll
2008-10-20 08:53 . 2008-10-20 08:57      <DIR>      d--------      C:\WINDOWS\system32\drivers\Avg
2008-10-20 08:53 . 2008-10-20 08:53      <DIR>      d--------      C:\Program Files\AVG
2008-10-20 08:53 . 2008-10-20 08:53      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\avg8
2008-10-20 08:03 . 2008-10-20 08:03      <DIR>      d--------      C:\bad
2008-10-15 12:43 . 2008-10-15 12:43      <DIR>      d--------      C:\Program Files\Malwarebytes' Anti-Malware
2008-10-15 12:43 . 2008-10-15 12:43      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-15 12:43 . 2008-10-15 12:43      <DIR>      d--------      C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-10-15 12:43 . 2008-09-10 00:04      38,528      --a------      C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-15 12:43 . 2008-09-10 00:03      17,200      --a------      C:\WINDOWS\system32\drivers\mbam.sys
2008-10-14 13:41 . 2008-10-14 13:41      <DIR>      d--------      C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-10-14 13:41 . 2008-10-14 13:41      <DIR>      d--------      C:\Program Files\SDHelper (Spybot - Search & Destroy)
2008-10-14 12:07 . 2008-10-15 15:17      <DIR>      d--------      C:\hjt
2008-10-13 14:09 . 2008-10-14 14:35      <DIR>      d--------      C:\WINDOWS\SxsCaPendDel
2008-10-13 13:47 . 2007-08-01 22:47      102,664      --a------      C:\WINDOWS\system32\drivers\tmcomm.sys
2008-10-13 12:40 . 2008-10-13 14:02      <DIR>      d--------      C:\Documents and Settings\Administrator\.housecall6.6

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-14 18:47      ---------      d-----w      C:\Program Files\Spybot - Search & Destroy
2008-10-14 18:47      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-28 23:12      774,144      ----a-w      C:\Program Files\RngInterstitial.dll
2006-06-21 18:21      974,832      ----a-w      C:\Program Files\advisor.exe
2008-10-20 21:00      151,552      ----a-w      C:\Program Files\internet explorer\plugins\icwres.dll
2006-12-06 23:25      168      --sh--r      C:\WINDOWS\system32\BF191EB649.sys
2006-12-06 23:25      2,672      --sha-w      C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((   snapshot@2008-10-15_14.53.31.03   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-20 12:54:01      26,824      ----a-w      C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2006-12-02 02:56:00      96,256      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-02 02:54:32      479,232      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 02:54:34      548,864      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 02:54:32      626,688      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-02 04:25:52      1,101,824      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-02 04:25:56      1,093,120      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-02 04:25:58      69,632      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-02 04:26:00      57,856      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-02 04:08:00      40,960      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-02 04:08:00      45,056      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-02 04:08:00      65,536      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-02 04:08:00      57,344      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-02 04:08:00      61,440      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-02 04:08:00      61,440      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-02 04:08:00      61,440      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-02 04:08:00      49,152      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-02 04:08:00      49,152      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-02 04:46:44      65,536      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 114688]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 385024]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-20 1234712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"user"="C:\WINDOWS\Driver..\daemon.exe" [BU]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      REG_MULTI_SZ         msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MostFun.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\MostFun.lnk
backup=C:\WINDOWS\pss\MostFun.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 00:11 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\wmpnscfg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-10-20 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-10-20 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-20 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-10-20 76040]
R2 fgcfs;fgcfs;c:\fgc\f101\fgcfs.sys [2004-09-21 112670]
R2 fgcrepl;FGC Replication;c:\fgc\fgcrepl.exe [2004-06-11 122880]
R2 fgcupdate;Fortres 101 Update;c:\fgc\f101\fgcupd.exe [2004-02-16 49152]
R2 RrslGpy;RrslGpy;C:\WINDOWS\wuauclt.exe [2008-10-20 40960]
R2 Viewpoint Service;Viewpoint Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2008-04-04 30152]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-15 167808]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
WbWin

*Newly Created Service* - RRSLGPY
.
Contents of the 'Scheduled Tasks' folder

2008-10-20 C:\WINDOWS\Tasks\SDMsgUpdate (TE).job
- C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exe [2007-09-26 09:53]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-20 18:10:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  user = C:\WINDOWS\Driver..\daemon.exe?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Driver.\daemon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-10-20 18:18:55 - machine was rebooted
ComboFix-quarantined-files.txt  2008-10-20 22:18:42
ComboFix2.txt  2008-10-20 21:08:20
ComboFix3.txt  2008-10-20 20:31:05
ComboFix4.txt  2008-10-15 18:54:45

Pre-Run: 1,450,278,912 bytes free
Post-Run: 1,439,924,224 bytes free

176      --- E O F ---      2008-08-18 16:13:14
-------------------------------------------------------------------------------------------
Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:19:38 PM, on 10/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\fgc\fgcrepl.exe
c:\fgc\f101\fgcupd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Driver.\daemon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\hjt\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.3929.cn?tn=102737
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) -  - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKLM\..\Policies\Explorer\Run: [user] C:\WINDOWS\Driver..\daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\SCRABBLE\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2D72C39D-53F6-4AEA-A9DB-1298429DA974} (3DVista Viewer Control) - http://www.3dvista.com/downloads/viewer3dv.cab
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - https://www.etoreports.com/viewer9/activeXViewer/activexviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\SCRABBLE\Images\armhelper.ocx
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://www.playfirst.com/play/game/weddingdash/WeddingDash.1.0.0.44.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6ED9273C-2A83-460A-9288-82F0B06C382B}: NameServer = 65.32.1.65
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FGC Replication (fgcrepl) - Fortres Grand Corporation - c:\fgc\fgcrepl.exe
O23 - Service: Fortres 101 Update (fgcupdate) - Unknown owner - c:\fgc\f101\fgcupd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RrslGpy - Unknown owner - C:\WINDOWS\wuauclt.exe
O23 - Service: Viewpoint Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8709 bytes
-----------------------------------------------------------
Will have to pick this back up tomorrow morning. Sorry.
0
 
LVL 20

Accepted Solution

by:
IndiGenus earned 500 total points
ID: 22764139
Hmm, this thing is pretty stubborn, but I think I missed something. Hopefully this will keep it from coming back again.

1. Open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:

------------------------------------------------------------------------

File::
C:\WINDOWS\Driver..\daemon.exe

Driver::
RrslGpy

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"user"=-

------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log


0
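The three items in the CFScript above (the daemon.exe file, the RrslGpy service and the Policies\Explorer\Run value) are exactly the entries that stand out in the HijackThis log posted before it. As an added example that is not part of the original thread, the Python script below runs a few triage rules over HijackThis O4/O23 lines and flags them: a file named after a Windows system binary but living outside system32 (the fake C:\WINDOWS\wuauclt.exe, while the real one is in system32), a directory component ending in a dot (Driver..), an autorun under the Policies\Explorer\Run key, and a service reported with no owner. It also diffs two logs to show which entries a cleanup removed. The sample lines are copied from the logs in this thread; the system-binary allowlist and the rule set are my own assumptions, not a complete detector.

```python
"""Triage HijackThis O4/O23 lines for the persistence tricks seen in this thread.

Added example, not code from the thread or from HijackThis/ComboFix. The sample
lines are copied from the logs above; SYSTEM32_ONLY and the rules are assumptions.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line reason")

# Binaries whose real home on XP is %SystemRoot%\system32. Assumption: a short
# illustrative allowlist, not an exhaustive one.
SYSTEM32_ONLY = {"wuauclt.exe", "svchost.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "spoolsv.exe", "smss.exe", "csrss.exe"}
SYSTEM32_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}

# First drive-letter path ending in .exe/.dll/.sys; lazy match so paths with
# spaces ("C:\Program Files\...\x.exe" /r) are captured up to the extension.
_PATH_RE = re.compile(r"([a-z]:\\.*?\.(?:exe|dll|sys))\b", re.I)


def extract_path(line):
    """Return the first executable path on a HijackThis line, or None."""
    m = _PATH_RE.search(line)
    return m.group(1) if m else None


def check_masquerade(path):
    """A system binary name in a folder other than system32 is a classic decoy."""
    folder, base = path.rsplit("\\", 1)
    if base.lower() in SYSTEM32_ONLY and folder.lower() not in SYSTEM32_DIRS:
        return f"system binary name outside system32: {path}"
    return None


def check_dot_components(path):
    """A directory name ending in '.' cannot be made through the normal Win32
    path API (it strips trailing dots), so it only shows up in crafted paths."""
    for comp in path.split("\\")[1:-1]:
        if comp.endswith("."):
            return f"path component ends with '.': {comp}"
    return None


def check_policies_run(line):
    """Policies\\Explorer\\Run is a group-policy autorun key that ordinary
    software almost never uses; many removal tools overlook it."""
    if re.search(r"\\Policies\\Explorer\\Run", line, re.I):
        return "autorun via Policies\\Explorer\\Run key"
    return None


def check_unknown_owner(line):
    """Services whose binary carries no company name deserve a second look."""
    if line.startswith("O23") and "- Unknown owner -" in line:
        return "service with no file-version company name"
    return None


def triage(lines):
    """Apply every rule to each O4/O23 line and return the findings."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line.startswith(("O4 ", "O23 ")):
            continue
        reasons = [check_policies_run(line), check_unknown_owner(line)]
        path = extract_path(line)
        if path:
            reasons += [check_masquerade(path), check_dot_components(path)]
        findings.extend(Finding(line, r) for r in reasons if r)
    return findings


def removed_entries(before, after):
    """Entries present in the earlier log but gone from the later one."""
    norm = lambda ls: {l.strip() for l in ls if l.strip().startswith("O")}
    return sorted(norm(before) - norm(after))


# Constructed sample: six lines copied from the 10/20 HijackThis log above, and
# the same set with the two malicious entries gone, as in the 10/21 log.
SAMPLE_BEFORE = [
    r"O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe",
    r"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe",
    r"O4 - HKLM\..\Policies\Explorer\Run: [user] C:\WINDOWS\Driver..\daemon.exe",
    r"O23 - Service: Fortres 101 Update (fgcupdate) - Unknown owner - c:\fgc\f101\fgcupd.exe",
    r"O23 - Service: RrslGpy - Unknown owner - C:\WINDOWS\wuauclt.exe",
    r"O23 - Service: Viewpoint Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe",
]
SAMPLE_AFTER = [l for l in SAMPLE_BEFORE if "daemon.exe" not in l and "RrslGpy" not in l]

if __name__ == "__main__":
    for f in triage(SAMPLE_BEFORE):
        print(f"{f.reason}\n    {f.line}")
    print("removed by cleanup:", *removed_entries(SAMPLE_BEFORE, SAMPLE_AFTER), sep="\n    ")
```

Note that the "Unknown owner" rule also flags the Fortres 101 update service, which is legitimate: that rule is a prompt to look, not a verdict, which is why the real discriminators here are the system32 masquerade and the trailing-dot directory. Feed it the full logs (one list of lines per log) and the diff shows at a glance whether the second ComboFix pass actually removed what the CFScript targeted.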
 

Author Comment

by:charismatic100
ID: 22766468
ComboFix log:

ComboFix 08-10-15.01 - Administrator 2008-10-21  7:46:10.5 - NTFSx86 MINIMAL
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.380 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

FILE ::
C:\WINDOWS\Driver..\daemon.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\wuauclt.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RRSLGPY
-------\Service_RrslGpy


(((((((((((((((((((((((((   Files Created from 2008-09-21 to 2008-10-21  )))))))))))))))))))))))))))))))
.

2008-10-20 08:59 . 2008-10-21 07:32      <DIR>      d--h-----      C:\$AVG8.VAULT$
2008-10-20 08:54 . 2008-10-20 08:54      97,928      --a------      C:\WINDOWS\system32\drivers\avgldx86.sys
2008-10-20 08:54 . 2008-10-20 08:54      76,040      --a------      C:\WINDOWS\system32\drivers\avgtdix.sys
2008-10-20 08:54 . 2008-10-20 08:54      10,520      --a------      C:\WINDOWS\system32\avgrsstx.dll
2008-10-20 08:53 . 2008-10-20 08:57      <DIR>      d--------      C:\WINDOWS\system32\drivers\Avg
2008-10-20 08:53 . 2008-10-20 08:53      <DIR>      d--------      C:\Program Files\AVG
2008-10-20 08:53 . 2008-10-20 08:53      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\avg8
2008-10-20 08:03 . 2008-10-20 08:03      <DIR>      d--------      C:\bad
2008-10-15 12:43 . 2008-10-15 12:43      <DIR>      d--------      C:\Program Files\Malwarebytes' Anti-Malware
2008-10-15 12:43 . 2008-10-15 12:43      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-15 12:43 . 2008-10-15 12:43      <DIR>      d--------      C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-10-15 12:43 . 2008-09-10 00:04      38,528      --a------      C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-15 12:43 . 2008-09-10 00:03      17,200      --a------      C:\WINDOWS\system32\drivers\mbam.sys
2008-10-14 13:41 . 2008-10-14 13:41      <DIR>      d--------      C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-10-14 13:41 . 2008-10-14 13:41      <DIR>      d--------      C:\Program Files\SDHelper (Spybot - Search & Destroy)
2008-10-14 12:07 . 2008-10-20 18:19      <DIR>      d--------      C:\hjt
2008-10-13 14:09 . 2008-10-14 14:35      <DIR>      d--------      C:\WINDOWS\SxsCaPendDel
2008-10-13 13:47 . 2007-08-01 22:47      102,664      --a------      C:\WINDOWS\system32\drivers\tmcomm.sys
2008-10-13 12:40 . 2008-10-13 14:02      <DIR>      d--------      C:\Documents and Settings\Administrator\.housecall6.6

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-14 18:47      ---------      d-----w      C:\Program Files\Spybot - Search & Destroy
2008-10-14 18:47      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-28 23:12      774,144      ----a-w      C:\Program Files\RngInterstitial.dll
2006-06-21 18:21      974,832      ----a-w      C:\Program Files\advisor.exe
2008-10-20 21:00      151,552      ----a-w      C:\Program Files\internet explorer\plugins\icwres.dll
2006-12-06 23:25      168      --sh--r      C:\WINDOWS\system32\BF191EB649.sys
2006-12-06 23:25      2,672      --sha-w      C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((   snapshot@2008-10-15_14.53.31.03   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-20 12:54:01      26,824      ----a-w      C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2006-12-02 02:56:00      96,256      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-02 02:54:32      479,232      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 02:54:34      548,864      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 02:54:32      626,688      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-02 04:25:52      1,101,824      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-02 04:25:56      1,093,120      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-02 04:25:58      69,632      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-02 04:26:00      57,856      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-02 04:08:00      40,960      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-02 04:08:00      45,056      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-02 04:08:00      65,536      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-02 04:08:00      57,344      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-02 04:08:00      61,440      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-02 04:08:00      61,440      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-02 04:08:00      61,440      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-02 04:08:00      49,152      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-02 04:08:00      49,152      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-02 04:46:44      65,536      ----a-w      C:\WINDOWS\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 114688]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 385024]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-20 1234712]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      REG_MULTI_SZ         msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MostFun.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\MostFun.lnk
backup=C:\WINDOWS\pss\MostFun.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 00:11 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\wmpnscfg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-10-20 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-10-20 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-20 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-10-20 76040]
R2 fgcfs;fgcfs;c:\fgc\f101\fgcfs.sys [2004-09-21 112670]
R2 fgcrepl;FGC Replication;c:\fgc\fgcrepl.exe [2004-06-11 122880]
R2 fgcupdate;Fortres 101 Update;c:\fgc\f101\fgcupd.exe [2004-02-16 49152]
R2 Viewpoint Service;Viewpoint Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2008-04-04 30152]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-15 167808]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
WbWin
.
Contents of the 'Scheduled Tasks' folder

2008-10-21 C:\WINDOWS\Tasks\SDMsgUpdate (TE).job
- C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exe [2007-09-26 09:53]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 07:51:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-10-21  7:59:49 - machine was rebooted
ComboFix-quarantined-files.txt  2008-10-21 11:59:32
ComboFix2.txt  2008-10-20 22:18:56
ComboFix3.txt  2008-10-20 21:08:20
ComboFix4.txt  2008-10-20 20:31:05
ComboFix5.txt  2008-10-21 11:45:15

Pre-Run: 1,510,363,136 bytes free
Post-Run: 1,470,214,144 bytes free

162      --- E O F ---      2008-08-18 16:13:14
----------------------------------------------------------------------------------
Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:00:48 AM, on 10/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\fgc\fgcrepl.exe
c:\fgc\f101\fgcupd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\hjt\hjt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) -  - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\SCRABBLE\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2D72C39D-53F6-4AEA-A9DB-1298429DA974} (3DVista Viewer Control) - http://www.3dvista.com/downloads/viewer3dv.cab
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - https://www.etoreports.com/viewer9/activeXViewer/activexviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\SCRABBLE\Images\armhelper.ocx
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://www.playfirst.com/play/game/weddingdash/WeddingDash.1.0.0.44.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6ED9273C-2A83-460A-9288-82F0B06C382B}: NameServer = 65.32.1.65
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FGC Replication (fgcrepl) - Fortres Grand Corporation - c:\fgc\fgcrepl.exe
O23 - Service: Fortres 101 Update (fgcupdate) - Unknown owner - c:\fgc\f101\fgcupd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8426 bytes
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22766539
Looks like that may have finally got it. How's it running?
0
 

Author Comment

by:charismatic100
ID: 22769070
Finally, the computer is running as it is expected to. As you mentioned, this thing was very stubborn; it did not want to give up. Now following up on any computers that the flash drives may have been plugged into.
I thank you for all of your help.
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22769138
Great, glad we were able to sort this nasty one out.

Regards,
Dave
0
 

Author Closing Comment

by:charismatic100
ID: 31506302
I was on the verge of just reformatting/reinstalling XP. Altogether too much time invested in cleaning this computer up. I was trying to avoid having to tell the Service Director that she would lose all documents. In the process, I infected my own laptop when I tried to transfer her files.
Thank you for staying with it until it was finished.
0
