#1
Can anyone tell me please what my HijackThis log report means? I have tried to click the 'Analyze This' button but I was redirected to the HijackThis website and found nothing there.
Also, I wanted to check for updates but kept getting a pop-up saying 'no internet connection' (and I do have my internet running!). Thank you for your time in answering my questions. This is my HijackThis log below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:00 PM, on 8/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RTPSvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
d:\My Documents\i-hate-keyloggers.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\sniper.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [I-Hate-Keyloggers] d:\My Documents\i-hate-keyloggers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.windowsupdate.microsoft.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{34B79D1B-9AC3-4BF5-9C5A-4DC610AA56B2}: NameServer = 10.17.3.254 10.17.3.252
O17 - HKLM\System\CS1\Services\Tcpip\..\{34B79D1B-9AC3-4BF5-9C5A-4DC610AA56B2}: NameServer = 10.17.3.254 10.17.3.252
O17 - HKLM\System\CS2\Services\Tcpip\..\{34B79D1B-9AC3-4BF5-9C5A-4DC610AA56B2}: NameServer = 10.17.3.254 10.17.3.252
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCMAV RealTime Protector Service (PCMAVRTPService) - Unknown owner - C:\WINDOWS\system32\RTPSvc.exe

--
End of file - 4870 bytes
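A small triage script for HijackThis-style logs like the one above. This is an added example, not code from the thread or from HijackThis itself: the line formats it parses (Running processes, R0/R1, O4, O17, O23) are the ones visible in the posted log, the sample lines are constructed from that log, and the heuristics (paths outside the Windows and Program Files trees, double file extensions, services with no publisher, DNS servers pinned in the registry) and the TRUSTED_PREFIXES list are my own assumptions about what deserves a second look by hand, not a verdict of malicious or clean.

```python
"""Triage helper for HijackThis-style logs. Added example, not part of the thread;
the heuristics below are assumptions about what deserves a second look."""
import re
from dataclasses import dataclass

# Trees Windows XP normally runs programs from (assumption); anything else gets flagged.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<desc>.+?) \((?P<svc>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
PROC_RE = re.compile(r"^[a-z]:\\.+\.exe$", re.IGNORECASE)

# Constructed sample: a subset of the log posted in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
d:\My Documents\i-hate-keyloggers.exe
E:\sniper.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [I-Hate-Keyloggers] d:\My Documents\i-hate-keyloggers.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{34B79D1B-9AC3-4BF5-9C5A-4DC610AA56B2}: NameServer = 10.17.3.254 10.17.3.252
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: PCMAV RealTime Protector Service (PCMAVRTPService) - Unknown owner - C:\WINDOWS\system32\RTPSvc.exe
"""

@dataclass
class Finding:
    line: str
    reason: str

def first_path(cmd: str) -> str:
    """Executable from an O4 command, with surrounding quotes and arguments dropped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ")[0]

def check_path(path: str):
    """Why this path deserves a second look, or None if it looks ordinary."""
    p = path.lower()
    if re.search(r"\.(exe|scr|com|bat)\.(exe|scr|com|bat)$", p):
        return "double extension"
    if p.startswith(TRUSTED_PREFIXES):
        return None
    if "\\" not in p:
        return "bare filename, resolved via the search path"
    return "runs from a user-writable or removable location"

def triage(log_text: str):
    """Walk a HijackThis log and collect the entries worth reviewing by hand."""
    findings, section = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            section = "procs"
            continue
        if re.match(r"^[RO]\d+ - ", line):  # first R/O entry ends the process list
            section = "entries"
        if section == "procs":
            reason = PROC_RE.match(line) and check_path(line)
            if reason:
                findings.append(Finding(line, f"running process: {reason}"))
            continue
        if m := O4_RE.match(line):
            if reason := check_path(first_path(m["cmd"])):
                findings.append(Finding(line, f"autorun [{m['name']}]: {reason}"))
        elif m := O23_RE.match(line):
            if m["owner"].lower() == "unknown owner":
                findings.append(Finding(line, f"service {m['svc']} has no publisher"))
            if reason := check_path(m["path"]):
                findings.append(Finding(line, f"service {m['svc']}: {reason}"))
        elif m := O17_RE.match(line):
            findings.append(Finding(line, f"DNS servers pinned in registry: {m['servers']}"))
    return findings
```

Run on the sample it flags the two processes outside the Windows and Program Files trees (one of them with a doubled .exe extension), the bare-name autorun, the service with no publisher and the registry DNS entry; a private 10.x resolver like the one here is normal on a corporate or ISP LAN, which is why the output is a review list rather than a verdict.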
#2
Do I have some virus or trojan within this log? Thank you very much.
#3
Download, update and run a-squared Free edition.
At the main menu, click Scan Now. There will be 4 options; choose Deep Scan and then click Scan.
* If malware is found, click the button Remove Selected Malware
* If malware is found, select all found and click Quarantine selected objects
* Click Save Report. Save the report to somewhere convenient, such as your desktop
* Add the report as an attachment in your next post.
#4
Thank you evilfantasy for replying. Here is what I got from scanning with a-squared Free.
I kept getting errors when deleting or quarantining them, so I'll try to type them the old-fashioned way.

1. riskware.monitor.win32.keylogger!ik - 11 processes, 1 file, low risk. Process: (1300) c:\windows\system32\kbhookdll.dll
2. gen.trojan!ik - 1 process, 1 file, high risk. Process: (1896) c:\windows\system32\RTPSvc.exe. File: c:\windows\system32\RTPScv.exe
3. backdoor.vb!ik - Process: (2672) d:\my documents\i-hate-keyloggers.exe

When I tried to delete them, a pop-up window came up confirming this:
(1896) c:\windows\system32\rtpsvc.exe: can not be deleted! please consult the experts in the a-squared online forum for help with manual removal of this malware http://forum.emsisoft.com
c:\windows\system32\ripscv.exe: can not be deleted! please consult the experts in the a-squared online forum for help with manual removal of this malware http://forum.emsisoft.com
(1300) c:\windows\system32\kbhookdll.dll: can not be deleted! please consult the experts in the a-squared online forum for help with manual removal of this malware http://forum.emsisoft.com
(2404) c:\windows\system32\kbhookdll.dll: can not be deleted! please consult the experts in the a-squared online forum for help with manual removal of this malware http://forum.emsisoft.com
(2412) c:\windows\system32\kbhookdll.dll: can not be deleted! please consult the experts in the a-squared online forum for help with manual removal of this malware http://forum.emsisoft.com
(2420) c:\windows\system32\kbhookdll.dll: can not be deleted! please consult the experts in the a-squared online forum for help with manual removal of this malware http://forum.emsisoft.com
(2428) c:\windows\system32\kbhookdll.dll: can not be deleted! please consult the experts in the a-squared online forum for help with manual removal of this malware http://forum.emsisoft.com
(2444) c:\windows\system32\kbhookdll.dll: can not be deleted! please consult the experts in the a-squared online forum for help with manual removal of this malware http://forum.emsisoft.com
(2460) c:\windows\system32\kbhookdll.dll: can not be deleted! please consult the experts in the a-squared online forum for help with manual removal of this malware http://forum.emsisoft.com
(2468) c:\windows\system32\kbhookdll.dll: can not be deleted! please consult the experts in the a-squared online forum for help with manual removal of this malware http://forum.emsisoft.com
(2672) c:\windows\system32\kbhookdll.dll: can not be deleted! please consult the experts in the a-squared online forum for help with manual removal of this malware http://forum.emsisoft.com
(2956) c:\windows\system32\kbhookdll.dll: can not be deleted! please consult the experts in the a-squared online forum for help with manual removal of this malware http://forum.emsisoft.com
(3108) c:\windows\system32\kbhookdll.dll: can not be deleted! please consult the experts in the a-squared online forum for help with manual removal of this malware http://forum.emsisoft.com
c:\windows\system32\kbhookdll.dll: can not be deleted! please consult the experts in the a-squared online forum for help with manual removal of this malware http://forum.emsisoft.com

Any help would be much appreciated. Thank you.
#5
The reason those were not removed is because you have 'I Hate Keyloggers' installed. Did you install that software?
#6
Yes, you are right. I've just removed I-Hate-Keyloggers and right after that I was able to delete them from the scanner. But I still have some questions:
1. Is my computer system safe now?
2. I keep having trouble updating my antivirus after I found the backdoor. It always comes up with an error when running.
3. Occasionally I get a pop-up message with a beep sound confirming that my computer is infected with a keylogger while I am running a system scan, but the pop-up window always disappears quickly and the scanner doesn't report any keylogger infection at all.
4. Now I keep finding www.google.com redirecting to www.google.co.id and www.yahoo.com redirecting to http://m.www.yahoo.com, and I didn't experience this weird thing before. What does this mean?
Thank you for your advice and help.
#7
If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1
Link #2
**Note: It is important that it is saved directly to your Desktop

* Close any open Web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.
* Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
* Double click combofix.exe & follow the prompts.
* Vista users: Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it).
* When finished, ComboFix will produce a log for you. Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix
#8
OK. I'm gonna follow your advice. Thank you!
#9
Hello again evilfantasy,
This is my log report, given below:

ComboFix 09-09-05.02 - USER 09/06/2009 6:06.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.316 [GMT 7:00]
Running from: c:\documents and settings\USER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\USER\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
((((((((((((((((((((((((( Files Created from 2009-08-05 to 2009-09-05 )))))))))))))))))))))))))))))))
.
2009-09-04 21:05 . 2009-09-04 21:11 -------- d-----w- c:\documents and settings\USER\.gimp-2.7
2009-09-04 20:53 . 2009-03-30 03:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-09-04 20:53 . 2009-02-13 05:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-09-04 20:52 . 2009-02-13 05:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-09-04 20:51 . 2009-09-04 20:51 -------- d-----w- c:\program files\Avira
2009-09-04 20:51 . 2009-09-04 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-09-04 20:08 . 2009-09-04 20:08 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-04 19:35 . 2009-09-04 22:40 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-09-04 17:17 . 2009-09-04 17:17 -------- d-sh--w- c:\documents and settings\USER\IECompatCache
2009-09-03 20:13 . 2009-09-03 20:13 -------- d-----w- c:\windows\ie8updates
2009-09-03 20:09 . 2009-09-04 13:31 -------- d-----w- c:\windows\SxsCaPendDel
2009-09-03 19:40 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-03 19:40 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-03 19:39 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-03 19:39 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-09-03 19:39 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-09-03 19:31 . 2009-09-03 19:31 -------- d-----w- c:\documents and settings\USER\Application Data\WinPatrol
2009-09-03 19:30 . 2009-09-03 19:30 -------- d-----w- c:\program files\BillP Studios
2009-09-03 19:15 . 2009-09-03 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-03 11:41 . 2009-09-03 11:41 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-03 09:30 . 2009-09-03 09:30 -------- d-----w- c:\documents and settings\USER\Local Settings\Application Data\Google
2009-09-03 08:23 . 2009-09-03 18:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-09-03 08:18 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-03 08:18 . 2009-09-03 08:18 -------- dc----w- c:\windows\system32\DRVSTORE
2009-09-03 08:15 . 2009-09-03 14:16 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-09-03 08:14 . 2009-09-03 18:48 -------- d-----w- c:\program files\Google
2009-09-03 08:14 . 2009-09-03 08:14 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-03 08:13 . 2009-09-03 08:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-03 08:13 . 2009-09-03 08:13 -------- d-----w- c:\program files\Lavasoft
2009-09-02 01:16 . 2009-02-06 17:22 2136064 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-09-02 01:16 . 2009-02-06 17:24 2180480 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-09-02 01:16 . 2009-02-06 16:49 2015744 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-09-02 01:16 . 2009-02-06 16:49 2057728 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-08-30 14:13 . 2009-08-30 14:13 -------- d-----w- c:\documents and settings\USER\Application Data\AdobeUM
2009-08-29 16:41 . 2008-10-24 11:10 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-08-29 14:00 . 2009-08-29 14:00 -------- d-sh--w- c:\documents and settings\USER\PrivacIE
2009-08-29 10:48 . 2009-08-29 10:48 -------- d-sh--w- c:\documents and settings\USER\IETldCache
2009-08-29 08:16 . 2009-08-29 08:21 -------- dc-h--w- c:\windows\ie8
2009-08-28 23:36 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-08-28 23:36 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-08-28 20:35 . 2009-08-28 20:35 102912 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-08-28 12:07 . 2009-08-28 12:07 -------- d-----w- c:\documents and settings\USER\Application Data\Media Player Classic
2009-08-27 19:17 . 2009-08-27 19:40 -------- d-----w- c:\documents and settings\USER\Application Data\Comodo
2009-08-27 19:09 . 2009-08-27 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2009-08-27 19:09 . 2009-08-27 19:08 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-08-27 19:09 . 2009-08-27 19:08 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-08-27 19:09 . 2009-08-27 19:08 179792 ----a-w- c:\windows\system32\guard32.dll
2009-08-27 19:09 . 2009-08-27 19:08 132168 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-08-27 19:08 . 2009-08-27 21:30 -------- d-----w- c:\program files\COMODO
2009-08-27 17:33 . 2009-08-27 17:33 -------- d-----w- c:\documents and settings\USER\Local Settings\Application Data\Opera
2009-08-27 17:32 . 2009-09-01 18:06 -------- d-----w- c:\program files\Opera
2009-08-27 14:24 . 2009-08-27 14:24 -------- d-----w- c:\windows\ServicePackFiles
2009-08-27 13:09 . 2009-08-27 13:09 -------- d-sh--w- c:\documents and settings\USER\UserData
2009-08-27 12:40 . 2009-09-05 22:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-27 12:40 . 2009-09-05 22:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-27 11:15 . 2009-01-07 11:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-08-27 11:15 . 2009-09-05 17:49 -------- d--h--w- c:\windows\$hf_mig$
2009-08-26 16:48 . 2009-08-26 16:48 -------- d-----w- c:\documents and settings\USER\Application Data\Malwarebytes
2009-08-26 16:48 . 2009-08-26 16:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-26 16:32 . 2009-08-26 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-26 16:32 . 2009-09-05 22:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-26 16:32 . 2009-08-26 16:32 -------- d-----w- c:\documents and settings\USER\Application Data\SUPERAntiSpyware.com
2009-08-26 13:50 . 2006-05-11 04:23 43520 ----a-w- c:\windows\system32\drivers\ViaUsbEts.sys
2009-08-26 13:50 . 2005-08-02 04:27 39680 ----a-w- c:\windows\system32\drivers\ViaUsbModem.sys
2009-08-26 13:49 . 2006-11-08 03:53 49152 ----a-w- c:\windows\system32\samclass.dll
2009-08-26 13:40 . 2004-08-03 16:08 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-08-26 13:40 . 2004-08-03 16:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-08-26 13:34 . 2007-07-14 07:12 143360 ----a-w- c:\windows\system32\ViaSetupDll.dll
2009-08-26 13:34 . 2007-07-10 09:21 2560 ----a-w- c:\windows\system32\ViaClassCoInstaller.dll
2009-08-25 22:25 . 2009-07-03 08:32 126464 ----a-w- c:\windows\system32\RTPScan.dll
2009-08-25 21:07 . 2009-08-25 21:07 -------- d--h--w- c:\windows\system32\GroupPolicy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-04 14:10 . 2009-08-24 08:02 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-26 13:34 . 2009-08-24 08:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-24 08:53 . 2009-08-24 08:53 68064 ----a-w- c:\documents and settings\USER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-24 08:36 . 2009-08-24 07:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-24 08:32 . 2009-08-24 08:32 0 ----a-w- c:\windows\nsreg.dat
2009-08-24 08:31 . 2009-08-24 08:31 2301 ----a-w- c:\windows\mozver.dat
2009-08-24 08:27 . 2009-08-24 08:27 -------- d-----w- c:\program files\Borland
2009-08-24 08:13 . 2009-08-24 08:13 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-08-24 08:13 . 2009-08-24 08:13 -------- d-----w- c:\program files\CyberLink
2009-08-24 08:08 . 2009-08-24 08:08 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-24 07:59 . 2009-08-24 07:59 -------- d-----w- c:\program files\Microsoft Works
2009-08-24 07:38 . 2009-08-24 07:38 -------- d-----w- c:\program files\microsoft frontpage
2009-08-24 07:32 . 2009-08-24 07:32 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-05 09:11 . 2004-08-03 22:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:53 . 2004-08-03 22:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:53 . 2001-08-23 11:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-07-28 09:33 . 2009-08-24 08:23 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-17 18:55 . 2004-08-03 22:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 19:18 . 2004-08-03 22:56 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-03 22:56 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 18:36 . 2004-08-03 22:56 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2004-08-03 22:56 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2004-08-03 22:56 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2004-08-03 22:56 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2004-08-03 22:56 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2004-08-03 22:56 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2004-08-03 22:56 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2004-08-03 22:56 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2004-08-03 22:56 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2004-08-03 22:56 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2004-08-03 22:56 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2004-08-03 22:56 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-22 11:49 . 2004-08-03 22:56 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2004-08-03 22:56 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2004-08-03 22:56 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2004-08-03 20:58 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-12 11:50 . 2004-08-03 22:56 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 11:50 . 2004-08-03 22:56 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-08-03 22:56 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-08-03 22:56 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-09-03 18:49 . 2009-09-03 18:49 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-08-27 1796368]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-09-03 30192]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-07-27 341312]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-08-15 57344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/3/2009 3:18 PM 64160]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [8/28/2009 2:09 AM 132168]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [8/28/2009 2:09 AM 25160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/5/2009 3:52 AM 108289]
S2 gupdate1ca2c6ea11a8558;Google Update Service (gupdate1ca2c6ea11a8558);c:\program files\Google\Update\GoogleUpdate.exe [9/3/2009 3:14 PM 133104]
S2 PCMAVRTPService;PCMAV RealTime Protector Service;c:\windows\system32\RTPSvc.exe --> c:\windows\system32\RTPSvc.exe [?]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/4/2009 1:48 AM 30192]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 PM 1029456]
S3 ViaUsbEtsDriver;VIA Telecom USB ETS Driver;c:\windows\system32\drivers\ViaUsbEts.sys [8/26/2009 8:50 PM 43520]
S3 ViaUsbModemDriver;Via Telecom USB Modem Driver;c:\windows\system32\drivers\ViaUsbModem.sys [8/26/2009 8:50 PM 39680]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-09-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-03 08:14]

2009-09-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-03 08:14]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-I-Hate-Keyloggers - d:\my documents\i-hate-keyloggers.exe
HKCU-Run-HijackThis startup scan - E:\HijackThis.exe
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\www.windowsupdate
FF - ProfilePath - c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\o5txbn7u.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-06 06:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2176)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\WgaTray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-05 6:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-05 23:23
Pre-Run: 3,763,548,160 bytes free
Post-Run: 3,847,122,944 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
219 --- E O F --- 2009-09-04 19:59

Thanks for taking the time to analyze this.
#10
Download GooredFix from one of the locations below and save it to your desktop
Download Mirror #1
Download Mirror #2
* Ensure all Firefox windows are closed.
* To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
* When prompted to run the scan, click Yes.
* GooredFix will check for infections, and then a log will appear. Post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
----------
How is the computer running now?