Please Help! My Computer is Running Multiple Viruses/malware.

**Mybabbits** · #1 18th Jun 2009, 11:46

Hello and thank you for reading. I have been trying to remove unwanted malware from my computer for more than a week now, and nothing seems to be working. I have found several processes including iexplorer.exe, winlogon.exe, spoolsv.exe and other unknown processes like PavPrSrv.exe and McciCMService.exe. I had to change the exe name of most of the programs to get them to open. I normally use AVG Free, but I uninstalled it and tried Panda to see if that would help (it didn't). Since then I have removed Panda and reinstalled AVG.

Thank you in advance for your help!

Here are the log files that I have retrieved.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/18/2009 at 01:15 PM

Application Version : 4.26.1004

Core Rules Database Version : 3945
Trace Rules Database Version: 1887

Scan type : Complete Scan
Total Scan Time : 01:11:18

Memory items scanned : 373
Memory threats detected : 1
Registry items scanned : 4431
Registry threats detected : 86
File items scanned : 39059
File threats detected : 11

Rootkit.Agent/Gen-UACFake
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACKPXJQWVUGNSPO KQ.DLL
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACKPXJQWVUGNSPO KQ.DLL

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{2520BA45-3D97-4864-82FF-F47F951727BA}
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{9B053E00-78D3-47AE-B763-60FF36FF2886}
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVer sion\Ext\Stats\{2520BA45-3D97-4864-82FF-F47F951727BA}
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVer sion\Ext\Stats\{9B053E00-78D3-47AE-B763-60FF36FF2886}
HKU\S-1-5-21-776561741-1580436667-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{2520BA45-3D97-4864-82FF-F47F951727BA}
HKU\S-1-5-21-776561741-1580436667-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{9B053E00-78D3-47AE-B763-60FF36FF2886}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\S tats\{2520BA45-3D97-4864-82FF-F47F951727BA}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\S tats\{9B053E00-78D3-47AE-B763-60FF36FF2886}

Trojan.Agent/Gen-AmblBE
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVer sion\Ext\Stats\{06F20C1A-4811-4C73-A114-792ED70F2CAD}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\S tats\{06F20C1A-4811-4C73-A114-792ED70F2CAD}

Adware.TrustInCash
C:\WINDOWS\system32\tisa.cnf
C:\WINDOWS\REMOVEADWARE.ICO
C:\WINDOWS\VIDEOSLOTS.ICO

Rogue.Component/Trace
HKU\S-1-5-21-776561741-1580436667-854245398-1003\Software\Microsoft\FIAS4057

Rootkit.Agent/Gen
HKLM\SOFTWARE\UAC
HKLM\SOFTWARE\UAC#cmddelay
HKLM\SOFTWARE\UAC#LastBSOD
HKLM\SOFTWARE\UAC#affid
HKLM\SOFTWARE\UAC#type
HKLM\SOFTWARE\UAC#build
HKLM\SOFTWARE\UAC#subid
HKLM\SOFTWARE\UAC#ecaab67d-7d92-4ec1-ac32-3087345120a3
HKLM\SOFTWARE\UAC#val
HKLM\SOFTWARE\UAC#sval
HKLM\SOFTWARE\UAC#pval
HKLM\SOFTWARE\UAC\connections
HKLM\SOFTWARE\UAC\connections#905b3008
HKLM\SOFTWARE\UAC\connections#7d72e91c
HKLM\SOFTWARE\UAC\connections#a2674c18
HKLM\SOFTWARE\UAC\connections#b43dcf0f
HKLM\SOFTWARE\UAC\connections#f2065612
HKLM\SOFTWARE\UAC\disallowed
HKLM\SOFTWARE\UAC\disallowed#trsetup.exe
HKLM\SOFTWARE\UAC\disallowed#ViewpointService.exe
HKLM\SOFTWARE\UAC\disallowed#ViewMgr.exe
HKLM\SOFTWARE\UAC\disallowed#SpySweeper.exe
HKLM\SOFTWARE\UAC\disallowed#SUPERAntiSpyware.exe
HKLM\SOFTWARE\UAC\disallowed#SpySub.exe
HKLM\SOFTWARE\UAC\disallowed#SpywareTerminatorShie ld.exe
HKLM\SOFTWARE\UAC\disallowed#SpyHunter3.exe
HKLM\SOFTWARE\UAC\disallowed#XoftSpy.exe
HKLM\SOFTWARE\UAC\disallowed#SpyEraser.exe
HKLM\SOFTWARE\UAC\disallowed#combofix.exe
HKLM\SOFTWARE\UAC\disallowed#otscanit.exe
HKLM\SOFTWARE\UAC\disallowed#mbam.exe
HKLM\SOFTWARE\UAC\disallowed#mbam-setup.exe
HKLM\SOFTWARE\UAC\disallowed#flash_disinfector.exe
HKLM\SOFTWARE\UAC\disallowed#otmoveit2.exe
HKLM\SOFTWARE\UAC\disallowed#smitfraudfix.exe
HKLM\SOFTWARE\UAC\disallowed#prevxcsifree.exe
HKLM\SOFTWARE\UAC\disallowed#download_mbam-setup.exe
HKLM\SOFTWARE\UAC\disallowed#cbo_setup.exe
HKLM\SOFTWARE\UAC\disallowed#spywareblastersetup.e xe
HKLM\SOFTWARE\UAC\disallowed#rminstall.exe
HKLM\SOFTWARE\UAC\disallowed#sdsetup.exe
HKLM\SOFTWARE\UAC\disallowed#vundofixsvc.exe
HKLM\SOFTWARE\UAC\disallowed#daft.exe
HKLM\SOFTWARE\UAC\disallowed#gmer.exe
HKLM\SOFTWARE\UAC\disallowed#catchme.exe
HKLM\SOFTWARE\UAC\disallowed#mcpr.exe
HKLM\SOFTWARE\UAC\disallowed#sdfix.exe
HKLM\SOFTWARE\UAC\disallowed#hjtinstall.exe
HKLM\SOFTWARE\UAC\disallowed#fixpolicies.exe
HKLM\SOFTWARE\UAC\disallowed#emergencyutil.exe
HKLM\SOFTWARE\UAC\disallowed#techweb.exe
HKLM\SOFTWARE\UAC\disallowed#GoogleUpdate.exe
HKLM\SOFTWARE\UAC\disallowed#windowsdefender.exe
HKLM\SOFTWARE\UAC\disallowed#spybotsd.exe
HKLM\SOFTWARE\UAC\disallowed#winlognn.exe
HKLM\SOFTWARE\UAC\disallowed#csrssc.exe
HKLM\SOFTWARE\UAC\disallowed#klif.sys
HKLM\SOFTWARE\UAC\disallowed#pctssvc.sys
HKLM\SOFTWARE\UAC\disallowed#pctcore.sys
HKLM\SOFTWARE\UAC\disallowed#mchinjdrv.sys
HKLM\SOFTWARE\UAC\disallowed#szkg.sys
HKLM\SOFTWARE\UAC\disallowed#sasdifsv.sys
HKLM\SOFTWARE\UAC\disallowed#saskutil.sys
HKLM\SOFTWARE\UAC\disallowed#sasenum.sys
HKLM\SOFTWARE\UAC\disallowed#ccHPx86.sys
HKLM\SOFTWARE\UAC\injector
HKLM\SOFTWARE\UAC\injector#*
HKLM\SOFTWARE\UAC\mask
HKLM\SOFTWARE\UAC\mask#6aed4b25
HKLM\SOFTWARE\UAC\mask#e0ae8144
HKLM\SOFTWARE\UAC\mask#30910b28
HKLM\SOFTWARE\UAC\mask#c6216721
HKLM\SOFTWARE\UAC\mask#dd118673
HKLM\SOFTWARE\UAC\versions
HKLM\SOFTWARE\UAC\versions#/banner/crcmds/init

Adware.Tracking Cookie
C:\Documents and Settings\Guest\Cookies\guest@ad.yieldmanager[1].txt
C:\Documents and Settings\Guest\Cookies\guest@doubleclick[1].txt
C:\Documents and Settings\Guest\Cookies\guest@myroitracking[1].txt
C:\Documents and Settings\Guest\Cookies\guest@serw.clicksor[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\s ystem@ix-find[1].txt

Adware.180solutions/Seekmo/Zango
C:\PROGRAM FILES\FASOFT\N-TRACK STUDIO 6\SETUP.EXE

Browser Hijacker.MS Web Search
C:\WINDOWS\LOCAL.HTML

Malwarebytes' Anti-Malware 1.37
Database version: 2269
Windows 5.1.2600 Service Pack 2

6/18/2009 2:25:06 PM
mbam-log-2009-06-18 (14-25-06).txt

Scan type: Quick Scan
Objects scanned: 28750
Time elapsed: 18 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:28:36 PM, on 6/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local;<local>
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.57 security.microsoft.com
O1 - Hosts: 209.44.111.57 inetavirus.com
O1 - Hosts: 209.44.111.57 www.inetavirus.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [pivafuniya] Rundll32.exe "C:\WINDOWS\system32\luruwono.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [pivafuniya] Rundll32.exe "C:\WINDOWS\system32\luruwono.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\zuhagiye.dll c:\windows\system32\nulakili.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate1c9c119864b630) (gupdate1c9c119864b630) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4735 bytes

**sjb007** · #2 18th Jun 2009, 15:35

Hi there Mybabbits

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop as combo-fix.exe.

Link 1
Link 2
Link 3

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Open Task Manager by pressing the Ctrl Alt and Del keys, at the same time.

In the menu at the top of the dialog box, click File>New Task (Run...)

Copy/paste (or type) the following in the Run box and click OK: (assuming ComboFix.exe is on the desktop as was instructed)

"%userprofile%\desktop\combo-fix.exe" /killall

Follow the on-screen insatructions and let combofix complete its run, Ensure that you install the recovery console when requested.

Post back with the results in your next post.

Download GMER Rootkit Scanner from here or here.

Extract the contents of the zipped file to desktop.
Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

Click the image to enlarge it
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- Sections
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
Save it where you can easily find it, such as your desktop and copy and paste this in your next reply

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Copy and paste both logs in your next reply

**Mybabbits** · #3 18th Jun 2009, 18:36

I downloaded ComboFix to the desktop and changed the name as instructed. When I try to run "%userprofile%\desktop\combo-fix.exe" /killall I get a popup screen that first warns me that the program is from an unidentified source, so I selected run. After that it appears as though combofix is running correctly then I get a popup screen that says something like "Windows cannot find "grpconv". Make sure you typed the name correctly..." and so on- the screen didn't stay up long enough for me to catch the rest of it. I clicked OK there, and then I got another screen from combofix that says it has detected AVG antivirus still running. I had problems disabling it, so I went ahead and uninstalled it completely. I'm not sure why it still thinks it is running. Should I go ahead and click OK though those screens too and see if it will still work?

Thank you!

**sjb007** · #4 18th Jun 2009, 23:48

Hi there

Click ok through the screens and see if you can get the combofix scan to complete

**Mybabbits** · #5 19th Jun 2009, 06:58

I still had some trouble with combofix. At some point during the process the desktop went blank and the combofix screen disappeared. Is it supposed to do this? I waited about 10 minutes to see if anything would happen and then I rebooted the computer. After that the combofix screen came back up and said it was creating the log file...

Here's what I got:

ComboFix 09-06-18.02 - Owner 06/19/2009 9:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.286 [GMT -4:00]
Running from: c:\documents and settings\Owner\desktop\combo-fix.exe
Command switches used :: /killall
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: F-Secure Anti-Virus 2006 6.10 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32
c:\windows\system32\components
c:\windows\system32\drivers\UACymttprqpphespir.sys
c:\windows\system32\UACakmovnkvlbejvsw.dll
c:\windows\system32\UACjqblgassmsyrtsd.log
c:\windows\system32\UACkpxjqwvugnspokq.dll
c:\windows\system32\UACllkyxudengakpfn.dll
c:\windows\system32\UACmxexwkuwcfyxylo.dll
c:\windows\system32\UACtdqoweywvrmpfuc.dat
c:\windows\system32\UACwixxvmnqlxbujns.log
c:\windows\system32\UACwqwjasvfplrvpdn.log
c:\windows\system32\UACxcvrjkwrnbmiqml.dll
C:\bt.log
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
c:\windows\system32\arosetud.ini
c:\windows\system32\barohozi.dll.tmp
c:\windows\system32\bavuvofi.dll.tmp
c:\windows\system32\components\flx0.dll
c:\windows\system32\diwovadu.dll.tmp
c:\windows\system32\drivers\str.sys
c:\windows\system32\drivers\UACymttprqpphespir.sys
c:\windows\system32\edurozoj.ini
c:\windows\system32\foyefolu.dll.tmp
c:\windows\system32\huboweri.dll.tmp
c:\windows\system32\ipepiyik.ini
c:\windows\system32\irawesak.ini
c:\windows\system32\jiyiduse.dll.tmp
c:\windows\system32\lcch.dat
c:\windows\system32\lut.dat
c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref
c:\windows\system32\obinunud.ini
c:\windows\system32\ofalonoy.ini
c:\windows\system32\ozejalir.ini
c:\windows\system32\srsut.bak1
c:\windows\system32\tconini.dat
c:\windows\system32\UACakmovnkvlbejvsw.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjqblgassmsyrtsd.log
c:\windows\system32\UACkpxjqwvugnspokq.dll
c:\windows\system32\UACllkyxudengakpfn.dll
c:\windows\system32\UACmxexwkuwcfyxylo.dll
c:\windows\system32\UACtdqoweywvrmpfuc.dat
c:\windows\system32\UACwixxvmnqlxbujns.log
c:\windows\system32\UACwqwjasvfplrvpdn.log
c:\windows\system32\UACxcvrjkwrnbmiqml.dll
c:\windows\system32\ugujasof.ini
c:\windows\system32\utodobah.ini

c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_PODMENA
-------\Legacy_PODMENADRV

((((((((((((((((((((((((( Files Created from 2009-05-19 to 2009-06-19 )))))))))))))))))))))))))))))))
.

2009-06-19 13:09 . 2004-08-04 07:56 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-06-19 13:09 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-18 18:04 . 2009-06-18 18:04 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-18 15:58 . 2009-06-18 18:01 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\ UIREPAIR.DLL
2009-06-18 15:57 . 2009-06-18 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-18 15:54 . 2009-06-18 15:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-18 15:54 . 2009-06-18 15:54 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-06-18 15:53 . 2009-06-18 15:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-18 15:42 . 2009-06-18 15:42 -------- d-----w- c:\program files\CCleaner
2009-06-18 05:27 . 2009-06-18 05:27 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-18 04:28 . 2009-06-18 04:28 -------- d-----w- c:\program files\Trend Micro
2009-06-13 07:06 . 2002-06-19 23:03 151552 ----a-w- c:\windows\system32\igfxres.dll
2009-06-13 06:38 . 2002-06-21 15:02 266240 ----a-w- c:\windows\system32\shpshftr.dll
2009-06-13 06:00 . 2009-06-13 06:00 444 ----a-w- c:\windows\system32\d3d8caps.dat
2009-06-13 05:01 . 2009-06-13 05:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-06-13 04:44 . 2009-06-18 04:53 -------- d-----w- c:\program files\Startup Optimizer
2009-06-12 23:31 . 2009-06-12 23:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-12 22:21 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-12 22:21 . 2009-06-12 22:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-12 22:21 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 19:18 . 2009-06-12 23:26 45 ----a-w- c:\windows\system32\ca.dat
2009-06-12 18:56 . 2008-03-04 19:59 41144 ----a-w- c:\windows\system32\drivers\ShlDrv51.sys
2009-06-12 18:56 . 2008-02-07 16:03 179640 ----a-w- c:\windows\system32\drivers\PavProc.sys
2009-06-12 18:21 . 2009-06-12 18:56 -------- d-----w- c:\program files\Common Files\Panda Security
2009-06-03 05:12 . 2004-08-04 07:56 221184 ----a-w- c:\windows\system32\wmpns.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-06-19 01:27 . 2008-05-23 05:13 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-18 05:31 . 2009-01-05 00:21 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-18 05:31 . 2009-01-12 01:18 -------- d-----w- c:\program files\Java
2009-06-13 04:50 . 2009-01-05 04:50 -------- d-----w- c:\program files\Web Publish
2009-06-13 04:49 . 2008-08-20 22:26 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-12 22:57 . 2009-04-16 15:22 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-06-12 18:22 . 2006-05-02 03:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-12 16:10 . 2009-04-19 18:00 -------- d-----w- c:\program files\Google
2009-06-02 16:49 . 2009-03-29 21:27 -------- d-----w- c:\documents and settings\Owner\Application Data\n-Track Studio6
2009-05-15 13:30 . 2006-07-15 14:36 -------- d-----w- c:\program files\QuickTime
2009-05-15 13:30 . 2006-07-15 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-05-15 13:29 . 2009-05-15 13:29 -------- d-----w- c:\program files\Apple Software Update
2009-05-15 13:29 . 2009-05-15 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-05-12 19:53 . 2009-05-12 19:53 16141 ----a-w- c:\documents and settings\Owner\Application Data\Help\lego.exe
2009-05-12 19:53 . 2009-05-12 19:53 11410 ----a-w- c:\documents and settings\Owner\Application Data\Identities\msgdi.dll
2009-05-12 19:53 . 2009-05-12 19:53 10121 ----a-w- c:\documents and settings\Owner\Application Data\Lavasoft\kern.dll
2009-05-12 19:53 . 2009-05-12 19:53 422 ----a-w- c:\documents and settings\Owner\Application Data\Apple Computer\socks1.exe
2009-05-12 19:53 . 2009-05-12 19:53 145131 ----a-w- c:\documents and settings\Owner\Application Data\DivX\nomad.exe
2009-05-12 19:53 . 2009-05-12 19:53 13221 ----a-w- c:\documents and settings\Owner\Application Data\Adobe\rengo.dll
2009-05-12 19:53 . 2009-05-12 19:53 11232 ----a-w- c:\documents and settings\Owner\Application Data\acccore\shalom.exe
2009-05-11 14:21 . 2009-05-11 14:21 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-05-11 14:20 . 2009-05-11 14:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-01 02:42 . 2009-05-01 02:42 130443 ----a-w- c:\windows\system32\rn.tmp
2009-04-22 16:14 . 2006-05-03 02:44 -------- d-----w- c:\documents and settings\Owner\Application Data\n-Track Studio
2009-04-21 07:27 . 2006-05-03 02:44 12024 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-15 20:25 . 2009-04-19 18:01 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-04-15 20:25 . 2009-04-19 18:01 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-04-15 20:25 . 2009-04-19 18:01 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-04-15 20:25 . 2009-04-19 18:01 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-04-15 20:25 . 2009-04-19 18:01 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-04-15 20:25 . 2009-04-19 18:01 129784 ------w- c:\windows\system32\pxafs.dll
2009-04-15 20:24 . 2009-04-15 20:24 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-04-15 20:24 . 2009-04-15 20:24 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-04-15 20:24 . 2009-04-15 20:24 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-04-15 20:24 . 2009-04-15 20:24 684032 ----a-w- c:\windows\system32\DivX.dll
2009-04-01 16:35 . 2009-04-01 16:34 7040776 ----a-w- c:\documents and settings\Owner\Application Data\MySpace\IM\Install\MSIMClientSetup.1.0.789.0-static-A.exe
2009-04-01 16:33 . 2009-04-01 16:33 300800 ----a-w- C:\MySpaceIM_Setup.exe
2009-03-31 23:24 . 2009-03-31 23:23 16494272 ----a-w- C:\nTrackSetup.exe
2009-03-30 22:38 . 2009-03-30 22:38 25214 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{47312E0A-043C-409D-B6D0-1482457F2CDA}\_16496df1.exe
2009-03-30 22:38 . 2009-03-30 22:38 2998 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{47312E0A-043C-409D-B6D0-1482457F2CDA}\_69525f90.exe
2009-03-30 22:38 . 2009-03-30 22:38 2998 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{47312E0A-043C-409D-B6D0-1482457F2CDA}\_294823.exe
2009-03-30 22:38 . 2009-03-30 22:38 2998 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{47312E0A-043C-409D-B6D0-1482457F2CDA}\_18be6784.exe
2009-03-30 22:38 . 2009-03-30 22:38 25214 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{47312E0A-043C-409D-B6D0-1482457F2CDA}\_4ae13d6c.exe
2009-03-30 22:38 . 2009-03-30 22:38 25214 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{47312E0A-043C-409D-B6D0-1482457F2CDA}\_2cd672ae.exe
2009-02-26 16:20 . 2009-02-26 16:20 6309376 ----a-w- c:\program files\ntrack.exe
2009-02-26 16:05 . 2009-02-26 16:05 126976 ----a-w- c:\program files\AMGateway.ax
2009-02-26 16:05 . 2009-02-26 16:05 63168 ----a-w- c:\program files\RegisterComponents.exe
2009-02-26 16:05 . 2009-02-26 16:05 163520 ----a-w- c:\program files\ReportDump.exe
2009-02-26 16:04 . 2009-02-26 16:04 86016 ----a-w- c:\program files\vstscan.exe
2009-02-26 16:04 . 2009-02-26 16:04 45056 ----a-w- c:\program files\ball.ax
2009-02-26 16:01 . 2009-02-26 16:01 78848 ----a-w- c:\program files\EmptyProjectAction.dll
2009-02-26 16:01 . 2009-02-26 16:01 147456 ----a-w- c:\program files\nTrackDotControls.dll
2009-02-26 16:00 . 2009-02-26 16:00 637440 ----a-w- c:\program files\NativeControls6.dll
2009-02-26 15:59 . 2009-02-26 15:59 99328 ----a-w- c:\program files\SurroundVSTGui.dll
2009-02-26 15:59 . 2009-02-26 15:59 45056 ----a-w- c:\program files\yeti.mmedia.dll
2009-02-26 15:59 . 2009-02-26 15:59 40960 ----a-w- c:\program files\cdcopier.dll
2009-02-26 15:59 . 2009-02-26 15:59 28672 ----a-w- c:\program files\Ripper.dll
2009-02-26 15:59 . 2009-02-26 15:59 8704 ----a-w- c:\program files\ntrack3rdparty.dll
2009-02-26 15:59 . 2009-02-26 15:59 5120 ----a-w- c:\program files\WindowsFormsBase.dll
2009-02-26 15:59 . 2009-02-26 15:59 36864 ----a-w- c:\program files\nttest.dll
2009-02-26 15:59 . 2009-02-26 15:59 32768 ----a-w- c:\program files\nTrackDotNet.dll
2009-02-26 15:59 . 2009-02-26 15:59 24576 ----a-w- c:\program files\AVFader.dll
2009-02-26 15:59 . 2009-02-26 15:59 6656 ----a-w- c:\program files\nativecontrolsinterop.dll
2009-02-07 22:10 . 2009-02-07 22:10 528726 ----a-w- c:\program files\n-Track.htm
2009-02-06 00:15 . 2009-02-06 00:15 225792 ----a-w- c:\program files\AutoVol.dll
2009-02-06 00:14 . 2009-02-06 00:14 228352 ----a-w- c:\program files\Chorus.dll
2009-02-06 00:14 . 2009-02-06 00:14 228864 ----a-w- c:\program files\Echo.dll
2009-02-06 00:12 . 2009-02-06 00:12 369152 ----a-w- c:\program files\ntrck_PitchShift.dll
2009-02-06 00:11 . 2009-02-06 00:11 176128 ----a-w- c:\program files\Riverbero.dll
2009-02-06 00:09 . 2009-02-06 00:09 434688 ----a-w- c:\program files\facomp10.dll
2009-02-06 00:08 . 2009-02-06 00:08 379904 ----a-w- c:\program files\dxirewire.dll
2009-02-06 00:06 . 2009-02-06 00:06 951808 ----a-w- c:\program files\fa4bdeq.dll
2009-01-13 14:16 . 2009-01-13 14:16 3455 ----a-w- c:\program files\order.html
2008-11-28 00:23 . 2008-11-28 00:23 642840 ----a-w- c:\program files\n-track.cfg
2008-10-25 23:46 . 2008-10-25 23:46 4920 ----a-w- c:\program files\order_upgrade.html
2008-09-02 23:06 . 2008-09-02 23:06 231936 ----a-w- c:\program files\ShellCtl.dll
2008-08-31 13:20 . 2008-08-31 13:20 105056 ----a-w- c:\program files\Setup.bmp
2008-06-20 18:37 . 2008-06-20 18:37 24576 ----a-w- c:\program files\ScrollerAbout.dll
2008-06-20 18:18 . 2008-06-20 18:18 831058 ----a-w- c:\program files\banks_default.txt
2008-06-20 18:18 . 2008-06-20 18:18 709 ----a-w- c:\program files\ntrack.exe.config
2008-06-20 18:18 . 2008-06-20 18:18 22124 ----a-w- c:\program files\us428_faders.dat
2008-06-20 18:18 . 2008-06-20 18:18 22124 ----a-w- c:\program files\us224_faders.dat
2008-06-20 18:17 . 2008-06-20 18:17 4035 ----a-w- c:\program files\n-track_help.cnt
2008-06-20 18:17 . 2008-06-20 18:17 169585 ----a-w- c:\program files\Drum Example.sng
2008-06-20 18:17 . 2008-06-20 18:17 15457 ----a-w- c:\program files\FACOMP10.HLP
2008-06-20 18:17 . 2008-06-20 18:17 25698 ----a-w- c:\program files\FA4BDEQ.HLP
2008-06-20 18:16 . 2008-06-20 18:16 19339 ----a-w- c:\program files\N-TRACK_EFX.HLP
2004-06-11 20:19 . 2004-06-11 20:19 25214 ----a-w- c:\program files\help_icon.ico
2004-06-07 13:23 . 2004-06-07 13:23 25214 ----a-w- c:\program files\link_icon.ico
2000-11-12 03:30 . 2000-11-12 03:30 86 ----a-w- c:\program files\BUYIT!.URL
2000-11-12 03:28 . 2000-11-12 03:28 73 ----a-w- c:\program files\n-Track.url
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2002-06-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-06-19 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-18 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\avgrsstx.dl l

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgrsx.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"53:TCP"= 53:TCP:websrvx

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/23/2008 1:13 AM 96520]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [6/12/2009 2:56 PM 41144]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/23/2008 1:13 AM 902424]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/23/2008 1:13 AM 282904]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/23/2008 1:13 AM 75272]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [6/12/2009 2:56 PM 179640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/5/2009 6:56 PM 24652]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;c:\windows\system32\drivers\Vch.sys [5/1/2006 11:58 PM 20023]
S2 gupdate1c9c119864b630;Google Update Service (gupdate1c9c119864b630);c:\program files\Google\Update\GoogleUpdate.exe [4/19/2009 2:02 PM 133104]
S2 sgejhlqxcrvoui;sgejhlqxcrvoui;\??\c:\windows\syste m32\drivers\ngaysfvqh.sys --> c:\windows\system32\drivers\ngaysfvqh.sys [?]
S2 vnoakhdmmnhfkc;vnoakhdmmnhfkc;\??\c:\windows\syste m32\drivers\ncjdccfwkwt.sys --> c:\windows\system32\drivers\ncjdccfwkwt.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-06-19 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-19 18:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &Search
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\a8c9lkqd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-19 09:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(612)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Panda Security\PavShld\PavPrSrv.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
.
************************************************** ************************
.
Completion time: 2009-06-19 9:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-19 13:20

Pre-Run: 6,120,624,128 bytes free
Post-Run: 6,057,713,664 bytes free

300

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-19 09:55:00
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs ShlDrv51.sys (PandaShield driver/Panda Security, S.L.)
Device \FileSystem\Fastfat \FatCdrom ShlDrv51.sys (PandaShield driver/Panda Security, S.L.)
Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\IPMULTICAST avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \FileSystem\Fastfat \Fat ShlDrv51.sys (PandaShield driver/Panda Security, S.L.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

**sjb007** · #6 19th Jun 2009, 15:36

Howdy there

Good work in getting combofix to complete, combofix certainly took some junk out of your system! Still some work left to do yet though....

1. Close any open browsers.

2.Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
C:\WINDOWS\system32\luruwono.dll
c:\windows\system32\rn.tmp
c:\windows\system32\drivers\ngaysfvqh.sys
c:\windows\system32\drivers\ncjdccfwkwt.sys

Driver::
sgejhlqxcrvoui
vnoakhdmmnhfkc

DDS::
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

**Vista users - right click IE/Firefox icon and run as administrator

Click Accept, when prompted to download and install the program files and database of malware definitions.

Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click View scan report at the bottom.
Click the Save Report As... button.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process:

**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post back with the results from combofix and from the kaspersky scan. Update me on how things are running now

**Mybabbits** · #7 21st Jun 2009, 09:08

Hello again. Sorry it took me so long to get back to this. It seems as though I have been busier than usual this week. I still had some trouble getting CF to run, but it did download the recovery console from microsoft this time, so that is one step closer I am assuming. I could not run the Kaspersky scanner because something is funny with my java. I uninstalled it and downloaded it again, but it still doesn't work (this is probably why my pogo games aren't working too). I saved the java console screen for you so perhaps you know what steps to take next. Thank you! ComboFix 09-06-20.04 - Owner 06/21/2009 11:33.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.123 [GMT -4:00] Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} FW: F-Secure Anti-Virus 2006 6.10 *disabled* {D4747503-0346-49EB-9262-997542F79BF4} FILE :: "c:\windows\system32\drivers\ncjdccfwkwt.sys" "c:\windows\system32\drivers\ngaysfvqh.sys" "c:\windows\system32\luruwono.dll" "c:\windows\system32\rn.tmp" . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\rn.tmp . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_SGEJHLQXCRVOUI -------\Legacy_VNOAKHDMMNHFKC -------\Service_sgejhlqxcrvoui -------\Service_vnoakhdmmnhfkc ((((((((((((((((((((((((( Files Created from 2009-05-21 to 2009-06-21 ))))))))))))))))))))))))))))))) . 2009-06-19 13:09 . 2004-08-04 07:56 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe 2009-06-19 13:09 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe 2009-06-19 13:09 . 2004-08-04 07:56 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe 2009-06-19 13:09 . 2004-08-04 07:56 39424 ----a-w- c:\windows\system32\grpconv.exe 2009-06-18 18:04 . 2009-06-18 18:04 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2009-06-18 15:58 . 2009-06-18 18:01 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\ UIREPAIR.DLL 2009-06-18 15:57 . 2009-06-18 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2009-06-18 15:54 . 2009-06-18 15:57 -------- d-----w- c:\program files\SUPERAntiSpyware 2009-06-18 15:54 . 2009-06-18 15:54 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com 2009-06-18 15:53 . 2009-06-18 15:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard 2009-06-18 15:42 . 2009-06-18 15:42 -------- d-----w- c:\program files\CCleaner 2009-06-18 05:27 . 2009-06-18 05:27 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll 2009-06-18 04:28 . 2009-06-18 04:28 -------- d-----w- c:\program files\Trend Micro 2009-06-13 07:06 . 2002-06-19 23:03 151552 ----a-w- c:\windows\system32\igfxres.dll 2009-06-13 06:38 . 2002-06-21 15:02 266240 ----a-w- c:\windows\system32\shpshftr.dll 2009-06-13 06:00 . 2009-06-13 06:00 444 ----a-w- c:\windows\system32\d3d8caps.dat 2009-06-13 05:01 . 2009-06-13 05:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla 2009-06-13 04:44 . 2009-06-18 04:53 -------- d-----w- c:\program files\Startup Optimizer 2009-06-12 23:31 . 2009-06-12 23:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes 2009-06-12 22:21 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-06-12 22:21 . 2009-06-12 22:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-06-12 22:21 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-06-12 19:18 . 2009-06-12 23:26 45 ----a-w- c:\windows\system32\ca.dat 2009-06-12 18:56 . 2008-03-04 19:59 41144 ----a-w- c:\windows\system32\drivers\ShlDrv51.sys 2009-06-12 18:56 . 2008-02-07 16:03 179640 ----a-w- c:\windows\system32\drivers\PavProc.sys 2009-06-12 18:21 . 2009-06-12 18:56 -------- d-----w- c:\program files\Common Files\Panda Security 2009-06-03 05:12 . 2004-08-04 07:56 221184 ----a-w- c:\windows\system32\wmpns.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )) . 2009-06-19 01:27 . 2008-05-23 05:13 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8 2009-06-18 05:31 . 2009-01-05 00:21 410984 ----a-w- c:\windows\system32\deploytk.dll 2009-06-18 05:31 . 2009-01-12 01:18 -------- d-----w- c:\program files\Java 2009-06-13 04:50 . 2009-01-05 04:50 -------- d-----w- c:\program files\Web Publish 2009-06-13 04:49 . 2008-08-20 22:26 -------- d-----w- c:\program files\Mozilla Thunderbird 2009-06-12 22:57 . 2009-04-16 15:22 -------- d-----w- c:\documents and settings\Owner\Application Data\U3 2009-06-12 18:22 . 2006-05-02 03:43 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-06-12 16:10 . 2009-04-19 18:00 -------- d-----w- c:\program files\Google 2009-06-02 16:49 . 2009-03-29 21:27 -------- d-----w- c:\documents and settings\Owner\Application Data\n-Track Studio6 2009-05-15 13:30 . 2006-07-15 14:36 -------- d-----w- c:\program files\QuickTime 2009-05-15 13:30 . 2006-07-15 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer 2009-05-15 13:29 . 2009-05-15 13:29 -------- d-----w- c:\program files\Apple Software Update 2009-05-15 13:29 . 2009-05-15 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple 2009-05-12 19:53 . 2009-05-12 19:53 16141 ----a-w- c:\documents and settings\Owner\Application Data\Help\lego.exe 2009-05-12 19:53 . 2009-05-12 19:53 11410 ----a-w- c:\documents and settings\Owner\Application Data\Identities\msgdi.dll 2009-05-12 19:53 . 2009-05-12 19:53 10121 ----a-w- c:\documents and settings\Owner\Application Data\Lavasoft\kern.dll 2009-05-12 19:53 . 2009-05-12 19:53 422 ----a-w- c:\documents and settings\Owner\Application Data\Apple Computer\socks1.exe 2009-05-12 19:53 . 2009-05-12 19:53 145131 ----a-w- c:\documents and settings\Owner\Application Data\DivX\nomad.exe 2009-05-12 19:53 . 2009-05-12 19:53 13221 ----a-w- c:\documents and settings\Owner\Application Data\Adobe\rengo.dll 2009-05-12 19:53 . 2009-05-12 19:53 11232 ----a-w- c:\documents and settings\Owner\Application Data\acccore\shalom.exe 2009-05-11 14:21 . 2009-05-11 14:21 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes 2009-05-11 14:20 . 2009-05-11 14:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-04-22 16:14 . 2006-05-03 02:44 -------- d-----w- c:\documents and settings\Owner\Application Data\n-Track Studio 2009-04-21 07:27 . 2006-05-03 02:44 12024 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-04-15 20:25 . 2009-04-19 18:01 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys 2009-04-15 20:25 . 2009-04-19 18:01 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys 2009-04-15 20:25 . 2009-04-19 18:01 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys 2009-04-15 20:25 . 2009-04-19 18:01 120056 ------w- c:\windows\system32\pxcpyi64.exe 2009-04-15 20:25 . 2009-04-19 18:01 118520 ------w- c:\windows\system32\pxinsi64.exe 2009-04-15 20:25 . 2009-04-19 18:01 129784 ------w- c:\windows\system32\pxafs.dll 2009-04-15 20:24 . 2009-04-15 20:24 90112 ----a-w- c:\windows\system32\dpl100.dll 2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx0c.dll 2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx07.dll 2009-04-15 20:24 . 2009-04-15 20:24 815104 ----a-w- c:\windows\system32\divx_xx0a.dll 2009-04-15 20:24 . 2009-04-15 20:24 802816 ----a-w- c:\windows\system32\divx_xx11.dll 2009-04-15 20:24 . 2009-04-15 20:24 684032 ----a-w- c:\windows\system32\DivX.dll 2009-04-01 16:35 . 2009-04-01 16:34 7040776 ----a-w- c:\documents and settings\Owner\Application Data\MySpace\IM\Install\MSIMClientSetup.1.0.789.0-static-A.exe 2009-04-01 16:33 . 2009-04-01 16:33 300800 ----a-w- C:\MySpaceIM_Setup.exe 2009-03-31 23:24 . 2009-03-31 23:23 16494272 ----a-w- C:\nTrackSetup.exe 2009-03-30 22:38 . 2009-03-30 22:38 25214 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{47312E0A-043C-409D-B6D0-1482457F2CDA}\_16496df1.exe 2009-03-30 22:38 . 2009-03-30 22:38 2998 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{47312E0A-043C-409D-B6D0-1482457F2CDA}\_69525f90.exe 2009-03-30 22:38 . 2009-03-30 22:38 2998 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{47312E0A-043C-409D-B6D0-1482457F2CDA}\_294823.exe 2009-03-30 22:38 . 2009-03-30 22:38 2998 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{47312E0A-043C-409D-B6D0-1482457F2CDA}\_18be6784.exe 2009-03-30 22:38 . 2009-03-30 22:38 25214 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{47312E0A-043C-409D-B6D0-1482457F2CDA}\_4ae13d6c.exe 2009-03-30 22:38 . 2009-03-30 22:38 25214 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{47312E0A-043C-409D-B6D0-1482457F2CDA}\_2cd672ae.exe 2009-02-26 16:20 . 2009-02-26 16:20 6309376 ----a-w- c:\program files\ntrack.exe 2009-02-26 16:05 . 2009-02-26 16:05 126976 ----a-w- c:\program files\AMGateway.ax 2009-02-26 16:05 . 2009-02-26 16:05 63168 ----a-w- c:\program files\RegisterComponents.exe 2009-02-26 16:05 . 2009-02-26 16:05 163520 ----a-w- c:\program files\ReportDump.exe 2009-02-26 16:04 . 2009-02-26 16:04 86016 ----a-w- c:\program files\vstscan.exe 2009-02-26 16:04 . 2009-02-26 16:04 45056 ----a-w- c:\program files\ball.ax 2009-02-26 16:01 . 2009-02-26 16:01 78848 ----a-w- c:\program files\EmptyProjectAction.dll 2009-02-26 16:01 . 2009-02-26 16:01 147456 ----a-w- c:\program files\nTrackDotControls.dll 2009-02-26 16:00 . 2009-02-26 16:00 637440 ----a-w- c:\program files\NativeControls6.dll 2009-02-26 15:59 . 2009-02-26 15:59 99328 ----a-w- c:\program files\SurroundVSTGui.dll 2009-02-26 15:59 . 2009-02-26 15:59 45056 ----a-w- c:\program files\yeti.mmedia.dll 2009-02-26 15:59 . 2009-02-26 15:59 40960 ----a-w- c:\program files\cdcopier.dll 2009-02-26 15:59 . 2009-02-26 15:59 28672 ----a-w- c:\program files\Ripper.dll 2009-02-26 15:59 . 2009-02-26 15:59 8704 ----a-w- c:\program files\ntrack3rdparty.dll 2009-02-26 15:59 . 2009-02-26 15:59 5120 ----a-w- c:\program files\WindowsFormsBase.dll 2009-02-26 15:59 . 2009-02-26 15:59 36864 ----a-w- c:\program files\nttest.dll 2009-02-26 15:59 . 2009-02-26 15:59 32768 ----a-w- c:\program files\nTrackDotNet.dll 2009-02-26 15:59 . 2009-02-26 15:59 24576 ----a-w- c:\program files\AVFader.dll 2009-02-26 15:59 . 2009-02-26 15:59 6656 ----a-w- c:\program files\nativecontrolsinterop.dll 2009-02-07 22:10 . 2009-02-07 22:10 528726 ----a-w- c:\program files\n-Track.htm 2009-02-06 00:15 . 2009-02-06 00:15 225792 ----a-w- c:\program files\AutoVol.dll 2009-02-06 00:14 . 2009-02-06 00:14 228352 ----a-w- c:\program files\Chorus.dll 2009-02-06 00:14 . 2009-02-06 00:14 228864 ----a-w- c:\program files\Echo.dll 2009-02-06 00:12 . 2009-02-06 00:12 369152 ----a-w- c:\program files\ntrck_PitchShift.dll 2009-02-06 00:11 . 2009-02-06 00:11 176128 ----a-w- c:\program files\Riverbero.dll 2009-02-06 00:09 . 2009-02-06 00:09 434688 ----a-w- c:\program files\facomp10.dll 2009-02-06 00:08 . 2009-02-06 00:08 379904 ----a-w- c:\program files\dxirewire.dll 2009-02-06 00:06 . 2009-02-06 00:06 951808 ----a-w- c:\program files\fa4bdeq.dll 2009-01-13 14:16 . 2009-01-13 14:16 3455 ----a-w- c:\program files\order.html 2008-11-28 00:23 . 2008-11-28 00:23 642840 ----a-w- c:\program files\n-track.cfg 2008-10-25 23:46 . 2008-10-25 23:46 4920 ----a-w- c:\program files\order_upgrade.html 2008-09-02 23:06 . 2008-09-02 23:06 231936 ----a-w- c:\program files\ShellCtl.dll 2008-08-31 13:20 . 2008-08-31 13:20 105056 ----a-w- c:\program files\Setup.bmp 2008-06-20 18:37 . 2008-06-20 18:37 24576 ----a-w- c:\program files\ScrollerAbout.dll 2008-06-20 18:18 . 2008-06-20 18:18 831058 ----a-w- c:\program files\banks_default.txt 2008-06-20 18:18 . 2008-06-20 18:18 709 ----a-w- c:\program files\ntrack.exe.config 2008-06-20 18:18 . 2008-06-20 18:18 22124 ----a-w- c:\program files\us428_faders.dat 2008-06-20 18:18 . 2008-06-20 18:18 22124 ----a-w- c:\program files\us224_faders.dat 2008-06-20 18:17 . 2008-06-20 18:17 4035 ----a-w- c:\program files\n-track_help.cnt 2008-06-20 18:17 . 2008-06-20 18:17 169585 ----a-w- c:\program files\Drum Example.sng 2008-06-20 18:17 . 2008-06-20 18:17 15457 ----a-w- c:\program files\FACOMP10.HLP 2008-06-20 18:17 . 2008-06-20 18:17 25698 ----a-w- c:\program files\FA4BDEQ.HLP 2008-06-20 18:16 . 2008-06-20 18:16 19339 ----a-w- c:\program files\N-TRACK_EFX.HLP 2004-06-11 20:19 . 2004-06-11 20:19 25214 ----a-w- c:\program files\help_icon.ico 2004-06-07 13:23 . 2004-06-07 13:23 25214 ----a-w- c:\program files\link_icon.ico 2000-11-12 03:30 . 2000-11-12 03:30 86 ----a-w- c:\program files\BUYIT!.URL 2000-11-12 03:28 . 2000-11-12 03:28 73 ----a-w- c:\program files\n-Track.url 2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll 2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll . ((((((((((((((((((((((((((((( SnapShot@2009-06-19_13.16.48 ))))))))))))))))))))))))))))))))))))))))) . + 2009-06-21 15:41 . 2009-06-21 15:41 16384 c:\windows\temp\Perflib_Perfdata_5b4.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2002-06-19 155648] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-06-19 114688] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-18 148888] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run] "MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968] [hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\avgrsstx.dl l [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\ATT-HSI\\McciBrowser.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "c:\\WINDOWS\\system32\\igfxtray.exe"= "c:\\Program Files\\AVG\\AVG8\\avgrsx.exe"= "%windir%\\system32\\drivers\\svchost.exe"= "c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List] "53:TCP"= 53:TCP:websrvx R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/23/2008 1:13 AM 96520] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944] R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [6/12/2009 2:56 PM 41144] R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/23/2008 1:13 AM 902424] R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/23/2008 1:13 AM 282904] R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/23/2008 1:13 AM 75272] R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [6/12/2009 2:56 PM 179640] R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/5/2009 6:56 PM 24652] R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;c:\windows\system32\drivers\Vch.sys [5/1/2006 11:58 PM 20023] S2 gupdate1c9c119864b630;Google Update Service (gupdate1c9c119864b630);c:\program files\Google\Update\GoogleUpdate.exe [4/19/2009 2:02 PM 133104] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408] . Contents of the 'Scheduled Tasks' folder 2009-06-21 c:\windows\Tasks\GoogleUpdateTaskMachine.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-19 18:00] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.att.net/ uInternet Connection Wizard,ShellNext = iexplore uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com IE: &Search FF - ProfilePath - . ************************************************** ************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-06-21 11:42 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************** ************************ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(612) c:\program files\SUPERAntiSpyware\SASWINLO.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Motive\McciCMService.exe c:\program files\Common Files\Panda Security\PavShld\PavPrSrv.exe c:\program files\AVG\AVG8\avgrsx.exe c:\windows\system32\wscntfy.exe . ************************************************** ************************ . Completion time: 2009-06-21 11:47 - machine was rebooted ComboFix-quarantined-files.txt 2009-06-21 15:47 ComboFix2.txt 2009-06-19 13:20 Pre-Run: 4,974,522,368 bytes free Post-Run: 5,621,665,792 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOW S [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Micro soft Windows XP Home Edition" /fastdetect /NoExecute=OptIn 248 Java Plug-in 1.6.0_14 Using JRE version 1.6.0_14-b08 Java HotSpot(TM) Client VM User home directory = C:\Documents and Settings\Owner ---------------------------------------------------- c: clear console window f: finalize objects on finalization queue g: garbage collect h: display this help message l: dump classloader list m: print memory usage o: trigger logging q: hide console r: reload policy configuration s: dump system and deployment properties t: dump thread list v: dump thread stack x: clear classloader cache 0-5: set trace level to ---------------------------------------------------- Exception in thread "AWT-EventQueue-2" java.lang.InternalError: couldn't create component peer at sun.awt.windows.WComponentPeer.checkCreation(Unkno wn Source) at sun.awt.windows.WComponentPeer.(Unknown Source) at sun.awt.windows.WCanvasPeer.(Unknown Source) at sun.awt.windows.WPanelPeer.(Unknown Source) at sun.awt.windows.WWindowPeer.(Unknown Source) at sun.awt.windows.WFramePeer.(Unknown Source) at sun.awt.windows.WEmbeddedFramePeer.(Unknown Source) at sun.awt.windows.WToolkit.createEmbeddedFrame(Unkno wn Source) at sun.awt.windows.WEmbeddedFrame.addNotify(Unknown Source) at sun.plugin2.main.client.PluginEmbeddedFrame.addNot ify(Unknown Source) at sun.awt.windows.WEmbeddedFrame.(Unknown Source) at sun.plugin2.main.client.PluginEmbeddedFrame.(Unkno wn Source) at sun.plugin2.main.client.PluginMain$StartAppletRunn er.run(Unknown Source) at java.awt.event.InvocationEvent.dispatch(Unknown Source) at java.awt.EventQueue.dispatchEvent(Unknown Source) at java.awt.EventDispatchThread.pumpOneEventForFilter s(Unknown Source) at java.awt.EventDispatchThread.pumpEventsForFilter(U nknown Source) at java.awt.EventDispatchThread.pumpEventsForHierarch y(Unknown Source) at java.awt.EventDispatchThread.pumpEvents(Unknown Source) at java.awt.EventDispatchThread.pumpEvents(Unknown Source) at java.awt.EventDispatchThread.run(Unknown Source)

**sjb007** · #8 21st Jun 2009, 14:54

Hi there

The log you posted is unreadable, Can you please repost it using notepad as your editor and ensure that word wrap is turned off.

Lets try a different scanner...

Perform an online scan with Panda ActiveScan

Click on Scan Your PC Now
A "pop up" window will appear, or a new tab will open.
Click on Register
Choose the option you like most, but we recommend the Free Registration.
Click on Register
Enter your e-mail address, and create a password.
Select "I do not want to receive any type of information". (unless you want to receive such information)
Click on Send
Confirm registration, and continue by entering your user name and password, then click on Enter
Select Full Scan, then Click on Scan Now
Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
Please ignore the offer to buy the program. Click on Export To
Export the log and save it to your desktop.
Please post the contents of that log to your reply.

* Turn off the real time scanner of any existing antivirus program while performing the online scan.

Avast users note:

Please do continue with the online scan at Panda if you receive an alert. It is a false positive from Avast because Panda Antivirus does not encrypt its virus database.

**Mybabbits** · #9 22nd Jun 2009, 04:28

Wow. You're absolutely right about that last post- Sorry about that. I have no idea what happened (it looked right when I pasted it anyway), but I will try again. The Active Scan worked, but I don't think it actually disinfected anything, I clicked on the button and it turned gray, but nothing happened. Here's the logs from both:

ComboFix 09-06-20.04 - Owner 06/21/2009 11:33.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.123 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: F-Secure Anti-Virus 2006 6.10 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}

FILE ::
"c:\windows\system32\drivers\ncjdccfwkwt.sys"
"c:\windows\system32\drivers\ngaysfvqh.sys"
"c:\windows\system32\luruwono.dll"
"c:\windows\system32\rn.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\rn.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SGEJHLQXCRVOUI
-------\Legacy_VNOAKHDMMNHFKC
-------\Service_sgejhlqxcrvoui
-------\Service_vnoakhdmmnhfkc

((((((((((((((((((((((((( Files Created from 2009-05-21 to 2009-06-21 )))))))))))))))))))))))))))))))
.

2009-06-19 13:09 . 2004-08-04 07:56 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-06-19 13:09 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-19 13:09 . 2004-08-04 07:56 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2009-06-19 13:09 . 2004-08-04 07:56 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-06-18 18:04 . 2009-06-18 18:04 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-18 15:58 . 2009-06-18 18:01 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\ UIREPAIR.DLL
2009-06-18 15:57 . 2009-06-18 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-18 15:54 . 2009-06-18 15:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-18 15:54 . 2009-06-18 15:54 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-06-18 15:53 . 2009-06-18 15:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-18 15:42 . 2009-06-18 15:42 -------- d-----w- c:\program files\CCleaner
2009-06-18 05:27 . 2009-06-18 05:27 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-18 04:28 . 2009-06-18 04:28 -------- d-----w- c:\program files\Trend Micro
2009-06-13 07:06 . 2002-06-19 23:03 151552 ----a-w- c:\windows\system32\igfxres.dll
2009-06-13 06:38 . 2002-06-21 15:02 266240 ----a-w- c:\windows\system32\shpshftr.dll
2009-06-13 06:00 . 2009-06-13 06:00 444 ----a-w- c:\windows\system32\d3d8caps.dat
2009-06-13 05:01 . 2009-06-13 05:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-06-13 04:44 . 2009-06-18 04:53 -------- d-----w- c:\program files\Startup Optimizer
2009-06-12 23:31 . 2009-06-12 23:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-12 22:21 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-12 22:21 . 2009-06-12 22:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-12 22:21 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 19:18 . 2009-06-12 23:26 45 ----a-w- c:\windows\system32\ca.dat
2009-06-12 18:56 . 2008-03-04 19:59 41144 ----a-w- c:\windows\system32\drivers\ShlDrv51.sys
2009-06-12 18:56 . 2008-02-07 16:03 179640 ----a-w- c:\windows\system32\drivers\PavProc.sys
2009-06-12 18:21 . 2009-06-12 18:56 -------- d-----w- c:\program files\Common Files\Panda Security
2009-06-03 05:12 . 2004-08-04 07:56 221184 ----a-w- c:\windows\system32\wmpns.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-06-19 01:27 . 2008-05-23 05:13 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-18 05:31 . 2009-01-05 00:21 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-18 05:31 . 2009-01-12 01:18 -------- d-----w- c:\program files\Java
2009-06-13 04:50 . 2009-01-05 04:50 -------- d-----w- c:\program files\Web Publish
2009-06-13 04:49 . 2008-08-20 22:26 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-12 22:57 . 2009-04-16 15:22 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-06-12 18:22 . 2006-05-02 03:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-12 16:10 . 2009-04-19 18:00 -------- d-----w- c:\program files\Google
2009-06-02 16:49 . 2009-03-29 21:27 -------- d-----w- c:\documents and settings\Owner\Application Data\n-Track Studio6
2009-05-15 13:30 . 2006-07-15 14:36 -------- d-----w- c:\program files\QuickTime
2009-05-15 13:30 . 2006-07-15 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-05-15 13:29 . 2009-05-15 13:29 -------- d-----w- c:\program files\Apple Software Update
2009-05-15 13:29 . 2009-05-15 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-05-12 19:53 . 2009-05-12 19:53 16141 ----a-w- c:\documents and settings\Owner\Application Data\Help\lego.exe
2009-05-12 19:53 . 2009-05-12 19:53 11410 ----a-w- c:\documents and settings\Owner\Application Data\Identities\msgdi.dll
2009-05-12 19:53 . 2009-05-12 19:53 10121 ----a-w- c:\documents and settings\Owner\Application Data\Lavasoft\kern.dll
2009-05-12 19:53 . 2009-05-12 19:53 422 ----a-w- c:\documents and settings\Owner\Application Data\Apple Computer\socks1.exe
2009-05-12 19:53 . 2009-05-12 19:53 145131 ----a-w- c:\documents and settings\Owner\Application Data\DivX\nomad.exe
2009-05-12 19:53 . 2009-05-12 19:53 13221 ----a-w- c:\documents and settings\Owner\Application Data\Adobe\rengo.dll
2009-05-12 19:53 . 2009-05-12 19:53 11232 ----a-w- c:\documents and settings\Owner\Application Data\acccore\shalom.exe
2009-05-11 14:21 . 2009-05-11 14:21 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-05-11 14:20 . 2009-05-11 14:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-22 16:14 . 2006-05-03 02:44 -------- d-----w- c:\documents and settings\Owner\Application Data\n-Track Studio
2009-04-21 07:27 . 2006-05-03 02:44 12024 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-15 20:25 . 2009-04-19 18:01 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-04-15 20:25 . 2009-04-19 18:01 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-04-15 20:25 . 2009-04-19 18:01 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-04-15 20:25 . 2009-04-19 18:01 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-04-15 20:25 . 2009-04-19 18:01 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-04-15 20:25 . 2009-04-19 18:01 129784 ------w- c:\windows\system32\pxafs.dll
2009-04-15 20:24 . 2009-04-15 20:24 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-04-15 20:24 . 2009-04-15 20:24 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-04-15 20:24 . 2009-04-15 20:24 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-04-15 20:24 . 2009-04-15 20:24 684032 ----a-w- c:\windows\system32\DivX.dll
2009-04-01 16:35 . 2009-04-01 16:34 7040776 ----a-w- c:\documents and settings\Owner\Application Data\MySpace\IM\Install\MSIMClientSetup.1.0.789.0-static-A.exe
2009-04-01 16:33 . 2009-04-01 16:33 300800 ----a-w- C:\MySpaceIM_Setup.exe
2009-03-31 23:24 . 2009-03-31 23:23 16494272 ----a-w- C:\nTrackSetup.exe
2009-03-30 22:38 . 2009-03-30 22:38 25214 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{47312E0A-043C-409D-B6D0-1482457F2CDA}\_16496df1.exe
2009-03-30 22:38 . 2009-03-30 22:38 2998 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{47312E0A-043C-409D-B6D0-1482457F2CDA}\_69525f90.exe
2009-03-30 22:38 . 2009-03-30 22:38 2998 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{47312E0A-043C-409D-B6D0-1482457F2CDA}\_294823.exe
2009-03-30 22:38 . 2009-03-30 22:38 2998 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{47312E0A-043C-409D-B6D0-1482457F2CDA}\_18be6784.exe
2009-03-30 22:38 . 2009-03-30 22:38 25214 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{47312E0A-043C-409D-B6D0-1482457F2CDA}\_4ae13d6c.exe
2009-03-30 22:38 . 2009-03-30 22:38 25214 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{47312E0A-043C-409D-B6D0-1482457F2CDA}\_2cd672ae.exe
2009-02-26 16:20 . 2009-02-26 16:20 6309376 ----a-w- c:\program files\ntrack.exe
2009-02-26 16:05 . 2009-02-26 16:05 126976 ----a-w- c:\program files\AMGateway.ax
2009-02-26 16:05 . 2009-02-26 16:05 63168 ----a-w- c:\program files\RegisterComponents.exe
2009-02-26 16:05 . 2009-02-26 16:05 163520 ----a-w- c:\program files\ReportDump.exe
2009-02-26 16:04 . 2009-02-26 16:04 86016 ----a-w- c:\program files\vstscan.exe
2009-02-26 16:04 . 2009-02-26 16:04 45056 ----a-w- c:\program files\ball.ax
2009-02-26 16:01 . 2009-02-26 16:01 78848 ----a-w- c:\program files\EmptyProjectAction.dll
2009-02-26 16:01 . 2009-02-26 16:01 147456 ----a-w- c:\program files\nTrackDotControls.dll
2009-02-26 16:00 . 2009-02-26 16:00 637440 ----a-w- c:\program files\NativeControls6.dll
2009-02-26 15:59 . 2009-02-26 15:59 99328 ----a-w- c:\program files\SurroundVSTGui.dll
2009-02-26 15:59 . 2009-02-26 15:59 45056 ----a-w- c:\program files\yeti.mmedia.dll
2009-02-26 15:59 . 2009-02-26 15:59 40960 ----a-w- c:\program files\cdcopier.dll
2009-02-26 15:59 . 2009-02-26 15:59 28672 ----a-w- c:\program files\Ripper.dll
2009-02-26 15:59 . 2009-02-26 15:59 8704 ----a-w- c:\program files\ntrack3rdparty.dll
2009-02-26 15:59 . 2009-02-26 15:59 5120 ----a-w- c:\program files\WindowsFormsBase.dll
2009-02-26 15:59 . 2009-02-26 15:59 36864 ----a-w- c:\program files\nttest.dll
2009-02-26 15:59 . 2009-02-26 15:59 32768 ----a-w- c:\program files\nTrackDotNet.dll
2009-02-26 15:59 . 2009-02-26 15:59 24576 ----a-w- c:\program files\AVFader.dll
2009-02-26 15:59 . 2009-02-26 15:59 6656 ----a-w- c:\program files\nativecontrolsinterop.dll
2009-02-07 22:10 . 2009-02-07 22:10 528726 ----a-w- c:\program files\n-Track.htm
2009-02-06 00:15 . 2009-02-06 00:15 225792 ----a-w- c:\program files\AutoVol.dll
2009-02-06 00:14 . 2009-02-06 00:14 228352 ----a-w- c:\program files\Chorus.dll
2009-02-06 00:14 . 2009-02-06 00:14 228864 ----a-w- c:\program files\Echo.dll
2009-02-06 00:12 . 2009-02-06 00:12 369152 ----a-w- c:\program files\ntrck_PitchShift.dll
2009-02-06 00:11 . 2009-02-06 00:11 176128 ----a-w- c:\program files\Riverbero.dll
2009-02-06 00:09 . 2009-02-06 00:09 434688 ----a-w- c:\program files\facomp10.dll
2009-02-06 00:08 . 2009-02-06 00:08 379904 ----a-w- c:\program files\dxirewire.dll
2009-02-06 00:06 . 2009-02-06 00:06 951808 ----a-w- c:\program files\fa4bdeq.dll
2009-01-13 14:16 . 2009-01-13 14:16 3455 ----a-w- c:\program files\order.html
2008-11-28 00:23 . 2008-11-28 00:23 642840 ----a-w- c:\program files\n-track.cfg
2008-10-25 23:46 . 2008-10-25 23:46 4920 ----a-w- c:\program files\order_upgrade.html
2008-09-02 23:06 . 2008-09-02 23:06 231936 ----a-w- c:\program files\ShellCtl.dll
2008-08-31 13:20 . 2008-08-31 13:20 105056 ----a-w- c:\program files\Setup.bmp
2008-06-20 18:37 . 2008-06-20 18:37 24576 ----a-w- c:\program files\ScrollerAbout.dll
2008-06-20 18:18 . 2008-06-20 18:18 831058 ----a-w- c:\program files\banks_default.txt
2008-06-20 18:18 . 2008-06-20 18:18 709 ----a-w- c:\program files\ntrack.exe.config
2008-06-20 18:18 . 2008-06-20 18:18 22124 ----a-w- c:\program files\us428_faders.dat
2008-06-20 18:18 . 2008-06-20 18:18 22124 ----a-w- c:\program files\us224_faders.dat
2008-06-20 18:17 . 2008-06-20 18:17 4035 ----a-w- c:\program files\n-track_help.cnt
2008-06-20 18:17 . 2008-06-20 18:17 169585 ----a-w- c:\program files\Drum Example.sng
2008-06-20 18:17 . 2008-06-20 18:17 15457 ----a-w- c:\program files\FACOMP10.HLP
2008-06-20 18:17 . 2008-06-20 18:17 25698 ----a-w- c:\program files\FA4BDEQ.HLP
2008-06-20 18:16 . 2008-06-20 18:16 19339 ----a-w- c:\program files\N-TRACK_EFX.HLP
2004-06-11 20:19 . 2004-06-11 20:19 25214 ----a-w- c:\program files\help_icon.ico
2004-06-07 13:23 . 2004-06-07 13:23 25214 ----a-w- c:\program files\link_icon.ico
2000-11-12 03:30 . 2000-11-12 03:30 86 ----a-w- c:\program files\BUYIT!.URL
2000-11-12 03:28 . 2000-11-12 03:28 73 ----a-w- c:\program files\n-Track.url
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-19_13.16.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-21 15:41 . 2009-06-21 15:41 16384 c:\windows\temp\Perflib_Perfdata_5b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2002-06-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-06-19 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-18 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\avgrsstx.dl l

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgrsx.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"53:TCP"= 53:TCP:websrvx

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/23/2008 1:13 AM 96520]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [6/12/2009 2:56 PM 41144]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/23/2008 1:13 AM 902424]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/23/2008 1:13 AM 282904]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/23/2008 1:13 AM 75272]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [6/12/2009 2:56 PM 179640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/5/2009 6:56 PM 24652]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;c:\windows\system32\drivers\Vch.sys [5/1/2006 11:58 PM 20023]
S2 gupdate1c9c119864b630;Google Update Service (gupdate1c9c119864b630);c:\program files\Google\Update\GoogleUpdate.exe [4/19/2009 2:02 PM 133104]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-06-21 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-19 18:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &Search
FF - ProfilePath -
.

************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-21 11:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(612)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Panda Security\PavShld\PavPrSrv.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
.
************************************************** ************************
.
Completion time: 2009-06-21 11:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-21 15:47
ComboFix2.txt 2009-06-19 13:20

Pre-Run: 4,974,522,368 bytes free
Post-Run: 5,621,665,792 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOW S
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Micro soft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

248

;************************************************* ************************************************** ************************************************** ******************************
ANALYSIS: 2009-06-22 07:16:51
PROTECTIONS: 1
MALWARE: 10
SUSPECTS: 0
;************************************************* ************************************************** ************************************************** ******************************
PROTECTIONS
Description Version Active Updated
;================================================= ================================================== ================================================== ==============================
AVG Anti-Virus Free 8.0 Yes Yes
;================================================= ================================================== ================================================== ==============================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;================================================= ================================================== ================================================== ==============================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@atwola[2].txt
00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{0BC9C26D-029D-4DC1-B3DC-4990696A2ECD}\RP500\A0228202.sys
00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{0BC9C26D-029D-4DC1-B3DC-4990696A2ECD}\RP501\A0229224.sys
00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{0BC9C26D-029D-4DC1-B3DC-4990696A2ECD}\RP491\A0222017.sys
00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{0BC9C26D-029D-4DC1-B3DC-4990696A2ECD}\RP493\A0223098.sys
00674736 W32/Autorun.AFX Virus/Worm No 1 Yes Yes C:\System Volume Information\_restore{0BC9C26D-029D-4DC1-B3DC-4990696A2ECD}\RP491\A0221911.dll
00674736 W32/Autorun.AFX Virus/Worm No 1 Yes Yes C:\System Volume Information\_restore{0BC9C26D-029D-4DC1-B3DC-4990696A2ECD}\RP490\A0221821.dll
00950476 Bck/Tdss.AZ Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{0BC9C26D-029D-4DC1-B3DC-4990696A2ECD}\RP503\A0233263.dll
00950476 Bck/Tdss.AZ Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\WINDOWS\system32\UACakmovnk vlbejvsw.dll.vir
00950477 Bck/Tdss.AZ Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\WINDOWS\system32\UACllkyxud engakpfn.dll.vir
00950477 Bck/Tdss.AZ Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{0BC9C26D-029D-4DC1-B3DC-4990696A2ECD}\RP503\A0233264.dll
00966996 Bck/Tdss.BC Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\WINDOWS\system32\UACkpxjqwv ugnspokq.dll.vir
00966996 Bck/Tdss.BC Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{0BC9C26D-029D-4DC1-B3DC-4990696A2ECD}\RP503\A0233265.dll
01099605 Trj/Alureon.AL Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{0BC9C26D-029D-4DC1-B3DC-4990696A2ECD}\RP503\A0233262.dll
01099605 Trj/Alureon.AL Virus/Trojan No 0 Yes Yes C:\Qoobox\Quarantine\C\WINDOWS\system32\UACxcvrjkw rnbmiqml.dll.vir
01318562 Trj/Downloader.WAV Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{0BC9C26D-029D-4DC1-B3DC-4990696A2ECD}\RP492\A0223044.dll
01318562 Trj/Downloader.WAV Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{0BC9C26D-029D-4DC1-B3DC-4990696A2ECD}\RP492\A0223065.dll
01318562 Trj/Downloader.WAV Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{0BC9C26D-029D-4DC1-B3DC-4990696A2ECD}\RP492\A0223056.dll
01318562 Trj/Downloader.WAV Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{0BC9C26D-029D-4DC1-B3DC-4990696A2ECD}\RP492\A0223073.dll
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{0BC9C26D-029D-4DC1-B3DC-4990696A2ECD}\RP503\A0234260.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{0BC9C26D-029D-4DC1-B3DC-4990696A2ECD}\RP505\A0235260.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{0BC9C26D-029D-4DC1-B3DC-4990696A2ECD}\RP503\A0233266.sys
;================================================= ================================================== ================================================== ==============================
SUSPECTS
Sent Location f
;================================================= ================================================== ================================================== ==============================
;================================================= ================================================== ================================================== ==============================
VULNERABILITIES
Id Severity Description f
;================================================= ================================================== ================================================== ==============================
208380 HIGH MS09-015 f
208379 HIGH MS09-014 f
208378 HIGH MS09-013 f
208377 HIGH MS09-012 f
206981 HIGH MS09-007 f
206980 HIGH MS09-006 f
204670 HIGH MS09-001 f
203806 HIGH MS08-078 f
203508 HIGH MS08-073 f
203505 HIGH MS08-071 f
202465 HIGH MS08-068 f
201683 HIGH MS08-067 f
201258 HIGH MS08-066 f
201256 HIGH MS08-064 f
201255 HIGH MS08-063 f
201253 HIGH MS08-061 f
201250 HIGH MS08-058 f
209275 HIGH MS08-049 f
209273 HIGH MS08-045 f
196455 MEDIUM MS08-037 f
194861 HIGH MS08-031 f
194860 HIGH MS08-030 f
191618 HIGH MS08-025 f
191617 HIGH MS08-024 f
191614 HIGH MS08-021 f
191613 HIGH MS08-020 f
187735 HIGH MS08-010 f
187733 HIGH MS08-008 f
184380 MEDIUM MS08-002 f
184379 MEDIUM MS08-001 f
182048 HIGH MS07-069 f
182046 HIGH MS07-067 f
179553 HIGH MS07-061 f
176383 HIGH MS07-058 f
176382 HIGH MS07-057 f
170911 HIGH MS07-050 f
170907 HIGH MS07-046 f
170906 HIGH MS07-045 f
170904 HIGH MS07-043 f
114666 HIGH MS06-015 f
93454 MEDIUM MS05-049 f
;================================================= ================================================== ================================================== ==============================

**sjb007** · #10 22nd Jun 2009, 09:30

Howdy there

Please note - During this fix we will be entering into safe mode. Please print out these instructions as your internet connection will not be available to you during this period. You may also copy and paste the fix into a text file and save it in an easy accessable location for reference.

Quote:

Sorry about that. I have no idea what happened

Not to worry, just one of those things!

One thing I did mean to mention earlier was that you appear to have two antiviruses installed, with one disabled. Can I just ask is F-Secure an old AV where the subscription has run out?

Although the Panda scan picked up a few items - the scan results actually look good. Most of what is found is either in quarantine by combofix or is trapped in your system restore which we can flush out at the end of the fix to prevent re-infection.

I notice that you already have SUPERAntiSpyware installed...

I want you to run a scan for me in safe mode.

First lets update SAS and set the options prior to scanning

update the definitions by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
In the Main Menu, click the Preferences... button.
Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Scan for tracking cookies.
- Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program.
Do not run a scan just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:

Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
On the left, make sure you check C:\Fixed Drive.
On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
Make sure everything has a checkmark next to it and click "Next".
A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
If asked if you want to reboot, click "Yes" and reboot normally.
To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Post back with the resulting log, also update me on how things are running now