I am stuck. I have been reading the forums and attempting what was recommended. I could not run Task Manager or Malwarebytes' Anti-Malware; I kept getting "the application is infected". I cannot reboot in Safe Mode: for some reason, when I attempt to, my system reboots in the middle of loading the drivers. I finally got ComboFix to run after renaming it to svchost.exe. It ran completely and I got the log file; however, I still have Antivirus Pro on my system. I was able to run ComboFix again, then attempted to run Malwarebytes; it froze at 6 minutes, then the computer gave me the blue screen. I rebooted and ran ComboFix again, then Malwarebytes; this time Malwarebytes froze after 1 minute. I rebooted and ran ComboFix again, and here I am. I am running Windows XP. I hope someone can help me fix this mess!
Here is the latest log file from combofix:
ComboFix 09-09-25.01 - Name 09/27/2009 12:53.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.535 [GMT -5:00]
Running from: c:\documents and settings\Name\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\13222504
c:\documents and settings\All Users\Application Data\13222504\13222504
c:\documents and settings\All Users\Application Data\13222504\13222504.exe
c:\documents and settings\All Users\Application Data\13222504\pc13222504ins
c:\documents and settings\All Users\Application Data\awyzok.bat
c:\documents and settings\All Users\Application Data\tutocu.bat
c:\documents and settings\All Users\Documents\azucesev.com
c:\documents and settings\Name\Application Data\ebudimokab._sy
c:\documents and settings\Name\Application Data\gutafakeha._dl
c:\documents and settings\Name\Application Data\mapijov.bin
c:\documents and settings\Name\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Name\Desktop\AntivirusPro_2010.lnk
c:\documents and settings\Name\Local Settings\Application Data\owakojy.vbs
c:\documents and settings\Name\Local Settings\Application Data\ubawona.reg
c:\documents and settings\Name\Local Settings\Temporary Internet Files\eticojixu.bat
c:\documents and settings\Name\Local Settings\Temporary Internet Files\vyturus.sys
c:\documents and settings\Name\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Name\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Name\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\windows\system32\_scui.cpl
c:\windows\system32\dopyqum.pif
c:\windows\system32\niwezufa.exe
c:\windows\system32\romezeju.dll
c:\windows\system32\yetugayu.dll
c:\windows\system32\yujitana.dll
c:\windows\xiceb.exe
.
((((((((((((((((((((((((( Files Created from 2009-08-27 to 2009-09-27 )))))))))))))))))))))))))))))))
.
2009-09-27 14:25 . 2009-09-27 14:25 18748 ----a-w- c:\windows\rotygikiru.com
2009-09-27 14:25 . 2009-09-27 14:25 16084 ----a-w- c:\windows\system32\evuguduv.dat
2009-09-27 14:25 . 2009-09-27 14:25 11611 ----a-w- c:\windows\ukumo.com
2009-09-27 12:55 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-09-27 12:55 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-23 09:29 . 2009-09-26 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Artist Colony
2009-09-23 09:29 . 2009-09-23 09:29 -------- d-----w- c:\documents and settings\Name\Local Settings\Application Data\Artist Colony
2009-09-21 09:45 . 2009-09-21 09:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Kristanix Games
2009-09-20 18:47 . 2009-09-20 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Becky Brogan
2009-09-15 00:43 . 2009-09-15 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\FarmFrenzy3
2009-09-13 19:02 . 2009-09-13 19:02 -------- d-----w- c:\documents and settings\Name\Local Settings\Application Data\AlwaysNeat
2009-09-13 13:38 . 2009-09-13 13:38 -------- d-----w- c:\windows\She is a Shadow
2009-09-13 13:38 . 2009-09-13 13:38 -------- d-----w- c:\program files\She is a Shadow
2009-09-13 13:32 . 2009-09-13 13:32 -------- d-----w- c:\documents and settings\Name\Application Data\GloomBeacon
2009-09-13 13:30 . 2009-09-13 13:32 -------- d-----w- c:\program files\GloomBeacon
2009-09-13 13:29 . 2009-09-13 13:29 -------- d-----w- c:\program files\Gemini Lost
2009-09-13 13:29 . 2009-09-13 13:29 -------- d-----w- c:\windows\Gemini Lost
2009-09-13 13:19 . 2009-09-13 18:29 -------- d-----w- c:\program files\Crazy Honeymoon Season I
2009-09-13 13:18 . 2009-09-20 11:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AlawarWrapper
2009-09-12 19:46 . 2009-09-12 19:46 -------- d-----w- c:\program files\LeeGTs Games
2009-09-12 01:21 . 2009-09-12 01:21 -------- d-----w- c:\documents and settings\Name\Application Data\DivoGames
2009-09-11 23:28 . 2009-09-11 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\iWin Games
2009-09-11 10:20 . 2009-09-11 11:19 -------- d-----w- c:\documents and settings\Name\uspy
2009-09-10 10:12 . 2009-09-10 10:12 -------- d-----w- c:\documents and settings\Name\Application Data\Little Games Company
2009-09-10 10:12 . 2009-09-10 10:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Little Games Company
2009-09-09 09:39 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 10:30 . 2009-09-08 10:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SuperRanch
2009-09-03 10:14 . 2009-09-03 10:14 -------- d-----w- C:\Patriot Games
2009-08-30 13:31 . 2009-08-18 19:11 -------- d-----w- c:\program files\Cleopatra Queen of The Nile
2009-08-30 12:58 . 2009-08-30 13:07 -------- d-----w- c:\documents and settings\Name\Local Settings\Application Data\Deployment
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-27 17:52 . 2007-02-21 17:32 -------- d-----w- c:\program files\FlashGet
2009-09-27 15:16 . 2009-06-27 15:16 49152 --sha-w- c:\windows\system32\tuvafuye.dll
2009-09-27 15:16 . 2009-06-27 15:16 88576 --sha-w- c:\windows\system32\kafawagi.dll
2009-09-27 14:24 . 2009-09-27 03:14 229488 ----a-w- c:\documents and settings\Name\Application Data\lizkavd.exe
2009-09-27 03:07 . 2009-09-27 03:07 265216 ----a-w- c:\documents and settings\Name\Application Data\svcst.exe
2009-09-27 03:07 . 2009-09-27 03:07 265216 ----a-w- c:\documents and settings\Name\Application Data\seres.exe
2009-09-26 22:42 . 2007-03-19 13:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-13 14:28 . 2009-03-22 12:39 -------- d-----w- c:\program files\Games
2009-09-13 13:17 . 2007-01-24 21:30 -------- d-----w- c:\program files\Alawar
2009-09-12 19:47 . 2008-01-10 22:28 -------- d-----w- c:\documents and settings\Name\Application Data\Valusoft
2009-09-12 19:47 . 2008-01-10 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Valusoft
2009-09-11 23:28 . 2007-01-21 05:55 -------- d-----w- c:\documents and settings\All Users\Application Data\iWin
2009-09-11 23:28 . 2007-01-21 05:55 -------- d-----w- c:\documents and settings\Name\Application Data\iWin
2009-09-09 22:24 . 2009-07-16 14:31 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-05 18:26 . 2008-04-04 21:46 -------- d-----w- c:\documents and settings\Name\Application Data\Meridian93
2009-09-04 11:07 . 2007-04-02 05:48 -------- d-----w- c:\program files\Coupons
2009-09-01 22:39 . 2009-08-09 14:52 45344 ----a-w- c:\windows\system32\drivers\dahf818.sys
2009-08-30 10:29 . 2009-04-05 11:37 -------- d-----w- c:\program files\Big Kahuna Reef 2
2009-08-27 23:42 . 2009-03-07 02:31 -------- d-----w- c:\program files\ATTToolbar
2009-08-27 23:42 . 2006-12-09 05:37 -------- d-----w- c:\program files\Yahoo!
2009-08-23 00:08 . 2008-06-13 03:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-22 01:51 . 2009-08-22 01:48 6853096 ----a-w- C:\SpyHunter-Compact-OS.exe
2009-08-22 01:48 . 2009-08-22 01:48 -------- d-----w- c:\program files\Enigma Software Group
2009-08-17 22:41 . 2008-06-26 14:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-17 22:41 . 2008-06-26 14:52 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-17 22:41 . 2008-06-26 14:52 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-17 10:49 . 2006-12-09 06:00 -------- d-----w- c:\program files\LimeWire
2009-08-15 21:30 . 2006-01-01 13:36 102184 ----a-w- c:\documents and settings\Name\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-15 08:35 . 2009-08-15 08:35 -------- d-----w- c:\program files\MSBuild
2009-08-15 08:35 . 2009-08-15 08:35 -------- d-----w- c:\program files\Reference Assemblies
2009-08-11 10:46 . 2008-06-26 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-05 09:32 . 2006-12-08 04:50 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 01:36 . 2009-08-04 01:36 -------- d-----w- c:\program files\MSECache
2009-08-03 18:36 . 2009-08-11 11:00 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2008-06-13 03:48 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-01 15:56 . 2006-12-09 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-07-25 10:23 . 2009-02-20 11:16 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-04 12:00 915456 ------w- c:\windows\system32\wininet.dll
2008-03-08 04:59 . 2008-03-08 00:30 19340134 ----a-w- c:\program files\WarChessSetup.exe
2008-03-01 21:48 . 2008-03-01 21:48 0 ----a-w- c:\program files\temp01
2006-12-09 06:20 . 2006-12-09 06:20 774144 ----a-w- c:\program files\RngInterstitial.dll
2008-07-20 23:13 . 2007-07-18 14:16 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-07-20 23:13 . 2007-07-18 14:16 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-07-20 23:13 . 2007-07-18 14:16 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-07-20 23:13 . 2007-07-18 14:16 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-07-20 23:13 . 2007-07-18 14:16 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-06-27 15:17 . 2009-06-27 15:17 49152 --sha-w- c:\windows\system32\lugopuko.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-09-27_12.59.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-01-01 12:55 . 2009-09-27 13:51 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-01-01 12:55 . 2009-09-27 13:01 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{baedba90-c61b-47ff-ad2c-c3cae46694fd}]
2009-06-27 15:17 49152 --sha-w- c:\windows\system32\lugopuko.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2006-12-10 160832]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"mserv"="c:\documents and settings\Name\Application Data\svcst.exe" [2009-09-27 265216]
"svchost"="c:\documents and settings\Name\Application Data\svcst.exe" [2009-09-27 265216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"UVS11 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 341488]
"PhilipsDM"="c:\program files\Philips\Philips Device Manager\Bin\DeviceManager.exe" [2006-12-21 663552]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2006-11-10 1051648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2007-07-02 2841824]
"SansaDispatch"="c:\program files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-05-03 55368]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-17 2007832]
"KMCONFIG"="c:\program files\Micro Innovations\Wireless Keyboard & Mouse Driver\StartAutorun.exe" [2007-03-06 212992]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"yenetevoj"="c:\windows\system32\kafawagi.dll" [2009-09-27 88576]
"Antivirus Pro 2010"="c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe" [2009-09-27 229488]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-03-02 577536]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
"fesilusuto"="yujitana.dll" [BU]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{9a22e867-a899-49d3-8b21-f98195c5bf74}"= "c:\windows\system32\kafawagi.dll" [2009-09-27 88576]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"gobepumot"= {9a22e867-a899-49d3-8b21-f98195c5bf74} - c:\windows\system32\kafawagi.dll [2009-09-27 88576]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-17 22:41 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRES.EXE"=
"c:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRESX.EXE"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.EXE"=
"c:\\Program Files\\Atari\\Civilization III\\Civ3PTW\\Civ3XEdit.exe"=
"c:\\Program Files\\Atari\\Civilization III\\Civ3PTW\\Civilization3X.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Micro Innovations\\Wireless Keyboard & Mouse Driver\\KMCONFIG.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [1/1/2006 8:09 AM 11264]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/26/2008 9:52 AM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/26/2008 9:52 AM 108552]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [1/1/2006 8:08 AM 13696]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/2/2008 11:11 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/2/2008 11:11 AM 297752]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMWDSrv.exe [4/5/2007 11:29 AM 208896]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 9:16 PM 24652]
S0 dahf818;dahf818;\SystemRoot\\SystemRoot\System32\drivers\dahf818.sys --> \SystemRoot\\SystemRoot\System32\drivers\dahf818.sys [?]
S1 16ff13ce.sys;16ff13ce.sys;\??\c:\windows\System32\drivers\16ff13ce.sys --> c:\windows\System32\drivers\16ff13ce.sys [?]
S2 ziymhyshv;ziymhyshv;\??\c:\windows\system32\drivers\jbbxngpk.sys --> c:\windows\system32\drivers\jbbxngpk.sys [?]
S3 Amps2prt;Kensington PS/2 Port Mouse Driver;c:\windows\system32\DRIVERS\Amps2prt.sys --> c:\windows\system32\DRIVERS\Amps2prt.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/11/2009 6:00 AM 38160]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-09-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = www.att.net/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Download All with FlashGet - c:\progra~1\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\progra~1\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Name\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: motive.com\patttbc.att
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
FF - ProfilePath - c:\documents and settings\Name\Application Data\Mozilla\Firefox\Profiles\m08bc0kg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.myembarq.com/index.php
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-13222504 - c:\documents and settings\All Users\Application Data\13222504\13222504.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-27 13:05
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\_scui.cpl 167424 bytes executable
c:\documents and settings\Name\Application Data\opopevu.com 13823 bytes
c:\documents and settings\Name\Application Data\iqex.inf 17332 bytes
c:\documents and settings\Name\Application Data\cocaky.ban 18451 bytes
c:\documents and settings\Name\Application Data\epokatasax.bin 10366 bytes
scan completed successfully
hidden files: 5
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3592)
c:\windows\system32\WININET.dll
c:\windows\system32\kafawagi.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMCONFIG.exe
c:\program files\Consumer Input Rewarded with MyPoints, Consumer Input\dca-ua.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMProcess.exe
c:\documents and settings\Name\Application Data\seres.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\rundll32.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-09-27 13:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-27 18:13
ComboFix2.txt 2009-09-27 14:31
ComboFix3.txt 2009-09-27 13:11
Pre-Run: 40,948,469,760 bytes free
Post-Run: 41,000,275,968 bytes free
314 --- E O F --- 2009-09-09 11:16
.
((((((((((((((((((((((((((((( SnapShot@2009-09-27_12.59.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-01-01 12:55 . 2009-09-27 13:51 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-01-01 12:55 . 2009-09-27 13:01 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{baedba90-c61b-47ff-ad2c-c3cae46694fd}]
2009-06-27 15:17 49152 --sha-w- c:\windows\system32\lugopuko.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2006-12-10 160832]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"mserv"="c:\documents and settings\Name\Application Data\svcst.exe" [2009-09-27 265216]
"svchost"="c:\documents and settings\Name\Application Data\svcst.exe" [2009-09-27 265216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"UVS11 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 341488]
"PhilipsDM"="c:\program files\Philips\Philips Device Manager\Bin\DeviceManager.exe" [2006-12-21 663552]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2006-11-10 1051648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2007-07-02 2841824]
"SansaDispatch"="c:\program files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-05-03 55368]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-17 2007832]
"KMCONFIG"="c:\program files\Micro Innovations\Wireless Keyboard & Mouse Driver\StartAutorun.exe" [2007-03-06 212992]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"yenetevoj"="c:\windows\system32\kafawagi.dll" [2009-09-27 88576]
"Antivirus Pro 2010"="c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe" [2009-09-27 229488]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-03-02 577536]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
"fesilusuto"="yujitana.dll" [BU]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{9a22e867-a899-49d3-8b21-f98195c5bf74}"= "c:\windows\system32\kafawagi.dll" [2009-09-27 88576]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"gobepumot"= {9a22e867-a899-49d3-8b21-f98195c5bf74} - c:\windows\system32\kafawagi.dll [2009-09-27 88576]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-17 22:41 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRES.EXE"=
"c:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRESX.EXE"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.EXE"=
"c:\\Program Files\\Atari\\Civilization III\\Civ3PTW\\Civ3XEdit.exe"=
"c:\\Program Files\\Atari\\Civilization III\\Civ3PTW\\Civilization3X.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Micro Innovations\\Wireless Keyboard & Mouse Driver\\KMCONFIG.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [1/1/2006 8:09 AM 11264]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/26/2008 9:52 AM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/26/2008 9:52 AM 108552]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [1/1/2006 8:08 AM 13696]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/2/2008 11:11 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/2/2008 11:11 AM 297752]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMWDSrv.exe [4/5/2007 11:29 AM 208896]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 9:16 PM 24652]
S0 dahf818;dahf818;\SystemRoot\\SystemRoot\System32\drivers\dahf818.sys --> \SystemRoot\\SystemRoot\System32\drivers\dahf818.sys [?]
S1 16ff13ce.sys;16ff13ce.sys;\??\c:\windows\System32\drivers\16ff13ce.sys --> c:\windows\System32\drivers\16ff13ce.sys [?]
S2 ziymhyshv;ziymhyshv;\??\c:\windows\system32\drivers\jbbxngpk.sys --> c:\windows\system32\drivers\jbbxngpk.sys [?]
S3 Amps2prt;Kensington PS/2 Port Mouse Driver;c:\windows\system32\DRIVERS\Amps2prt.sys --> c:\windows\system32\DRIVERS\Amps2prt.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/11/2009 6:00 AM 38160]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-09-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = www.att.net/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Download All with FlashGet - c:\progra~1\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\progra~1\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Name\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: motive.com\patttbc.att
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
FF - ProfilePath - c:\documents and settings\Name\Application Data\Mozilla\Firefox\Profiles\m08bc0kg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.myembarq.com/index.php
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-13222504 - c:\documents and settings\All Users\Application Data\13222504\13222504.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-27 13:05
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\_scui.cpl 167424 bytes executable
c:\documents and settings\Name\Application Data\opopevu.com 13823 bytes
c:\documents and settings\Name\Application Data\iqex.inf 17332 bytes
c:\documents and settings\Name\Application Data\cocaky.ban 18451 bytes
c:\documents and settings\Name\Application Data\epokatasax.bin 10366 bytes
scan completed successfully
hidden files: 5
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3592)
c:\windows\system32\WININET.dll
c:\windows\system32\kafawagi.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMCONFIG.exe
c:\program files\Consumer Input Rewarded with MyPoints, Consumer Input\dca-ua.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMProcess.exe
c:\documents and settings\Name\Application Data\seres.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\rundll32.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-09-27 13:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-27 18:13
ComboFix2.txt 2009-09-27 14:31
ComboFix3.txt 2009-09-27 13:11
Pre-Run: 40,948,469,760 bytes free
Post-Run: 41,000,275,968 bytes free
314 --- E O F --- 2009-09-09 11:16