WiredWX Christian Hobby Weather Tools
Would you like to react to this message? Create an account in a few clicks or log in to continue.

WiredWX Christian Hobby Weather ToolsLog in

 


Security Tool

2 posters

descriptionSecurity Tool EmptySecurity Tool12th October 2009, 3:18 am

more_horiz
so i was trying to remove the security virus because it wont let me use anything of my programs(task manager & user accounts..etc.) or anti virus even MBAM. So, i went to safe mode and deleted the security tool. then i went back to normal mode and it seems it doesnt pop out anymore. everyting is back to normal except the MBAM wont work. does that mean its fix already?

descriptionSecurity Tool EmptyRe: Security Tool12th October 2009, 6:00 am

more_horiz
Welcome to GeekPolice. We are here to save you money. Our expertise here can help you get rid of threats.

From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a Tech Staff member, administrator, or moderator. Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.

As this topic is for you only, I just need to issue a warning to outside readers:
Roger that Warning: Instructions issued in this topic are for this user only. We are not responsible for damages, so if you need help; please register for this site, and start a new topic requesting help.



Please download ComboFixSecurity Tool Combofix by sUBs
From BleepingComputer.com

Please save the file to your Desktop, but rename it first:

Security Tool Cf110
Security Tool Cf210

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.

After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.

Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:

Security Tool Cf410
Security Tool Cf510

  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.


Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

descriptionSecurity Tool EmptyRe: Security Tool12th October 2009, 8:35 pm

more_horiz
ComboFix 09-10-11.03 - nikki 10/12/2009 15:12.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1400 [GMT -5:00]
Running from: c:\documents and settings\nikki\My Documents\Downloads\svchost.exe.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Guest\Start Menu\Programs\Security Tool.lnk
c:\documents and settings\nikki\Start Menu\Programs\Security Tool.lnk
c:\windows\system32\gifepujo.dll
c:\windows\system32\luwelinu.dll
c:\windows\system32\pehirema.dll
c:\windows\system32\zagodowi.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-12 to 2009-10-12 )))))))))))))))))))))))))))))))
.

2009-10-12 00:30 . 2009-10-12 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\27922022
2009-10-10 23:16 . 2009-10-10 23:16 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-10 23:16 . 2009-10-10 23:16 -------- d-----w- c:\documents and settings\nikki\Application Data\skypePM
2009-10-10 23:15 . 2009-10-11 15:18 -------- d-----w- c:\documents and settings\nikki\Application Data\Skype
2009-10-10 23:14 . 2009-10-10 23:14 -------- d-----w- c:\program files\Common Files\Skype
2009-10-10 23:14 . 2009-10-10 23:14 -------- d-----r- c:\program files\Skype
2009-10-10 23:14 . 2009-10-10 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-03 16:38 . 2009-10-03 16:38 -------- d-----w- c:\program files\iPod
2009-10-03 16:38 . 2009-10-03 16:39 -------- d-----w- c:\program files\iTunes
2009-09-26 00:10 . 2009-09-26 00:10 -------- d-----w- c:\documents and settings\nikki\Application Data\ViiKiiDesktopPlugin.5E22EA0FF243470AB5EDDF282C0A5B52E9909C36.1
2009-09-26 00:10 . 2009-09-26 00:10 -------- d-----w- c:\program files\ViiKiiDesktopPlugin
2009-09-26 00:10 . 2009-09-26 00:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-09-19 23:03 . 2009-10-12 04:19 14012 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-19 20:39 . 2009-09-19 20:39 -------- d-----w- c:\program files\Safari
2009-09-19 20:36 . 2009-09-19 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-19 20:33 . 2009-09-19 20:34 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-12 04:19 . 2008-07-12 23:57 13664 ----a-w- c:\documents and settings\nikki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-12 02:28 . 2009-04-25 01:08 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-12 02:27 . 2009-08-22 02:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-10 23:14 . 2008-08-30 16:46 -------- d-----w- c:\program files\Google
2009-10-04 00:34 . 2008-07-10 19:41 -------- d-----w- c:\documents and settings\nikki\Application Data\gtk-2.0
2009-10-03 16:38 . 2008-07-12 23:48 -------- d-----w- c:\program files\Common Files\Apple
2009-09-19 23:03 . 2008-07-12 23:52 -------- d-----w- c:\documents and settings\nikki\Application Data\Apple Computer
2009-09-07 22:56 . 2009-09-05 20:31 -------- d-----w- c:\documents and settings\nikki\Application Data\AVS4YOU
2009-09-07 22:56 . 2009-09-05 20:29 -------- d-----w- c:\program files\AVS4YOU
2009-09-05 20:31 . 2009-09-05 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-09-05 20:31 . 2009-09-05 20:30 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-08-31 01:01 . 2009-08-31 01:00 -------- d-----w- c:\documents and settings\nikki\Application Data\ICAClient
2009-08-29 00:42 . 2008-07-12 23:49 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-29 00:42 . 2008-07-12 23:49 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 22:52 . 2009-08-28 22:52 -------- d-----w- c:\program files\THQICE
2009-08-23 23:58 . 2008-07-11 04:29 -------- d-----w- c:\documents and settings\Guest\Application Data\gtk-2.0
2009-08-22 03:59 . 2009-08-22 01:24 -------- d-----w- c:\program files\hdxoju
2009-08-22 02:22 . 2009-08-22 02:22 -------- d-----w- c:\documents and settings\nikki\Application Data\Malwarebytes
2009-08-22 02:22 . 2009-08-22 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-21 21:54 . 2009-08-06 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-20 23:16 . 2009-08-20 23:16 -------- d-----w- c:\program files\GIMP-2.0
2009-08-18 22:46 . 2009-08-18 22:44 -------- d-----w- c:\documents and settings\nikki\Application Data\AdobeUM
2009-08-16 23:13 . 2009-07-24 18:36 -------- d-----w- c:\program files\Tales of Pirates Online
2009-08-14 18:52 . 2009-08-09 00:18 -------- d-----w- c:\documents and settings\admin\Application Data\DivX
2009-08-14 16:51 . 2009-08-14 16:51 12328 ----a-w- c:\documents and settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-14 16:49 . 2009-08-14 16:49 -------- d-----w- c:\documents and settings\admin\Application Data\Apple Computer
2009-08-06 03:11 . 2009-08-06 03:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-06 03:11 . 2009-08-06 03:11 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-06 03:11 . 2009-08-06 03:11 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-06 03:11 . 2009-08-06 03:11 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-06 02:52 . 2009-08-06 02:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-06 02:50 . 2009-08-06 02:50 128 ----a-w- c:\documents and settings\nikki\Local Settings\Application Data\fusioncache.dat
2009-08-05 09:11 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 18:36 . 2009-08-22 02:22 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2009-08-22 02:22 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-18 05:58 . 2009-07-18 05:58 4096 ----a-w- c:\windows\d3dx.dat
2009-07-17 18:55 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 00:29 . 2009-07-12 00:29 172544 --sha-w- c:\windows\system32\demibigi.dll
2009-07-12 00:29 . 2009-07-12 00:29 69120 --sha-w- c:\windows\system32\fawenuto.dll
2009-07-12 00:29 . 2009-07-12 00:29 1011646 --sha-w- c:\windows\system32\firugoti.exe
2009-07-12 15:40 . 2009-07-12 15:40 38400 --sha-w- c:\windows\system32\pedabara.dll
2009-07-12 15:40 . 2009-07-12 15:40 50688 --sha-w- c:\windows\system32\sifajade.dll
2009-07-12 15:40 . 2009-07-12 15:40 50688 --sha-w- c:\windows\system32\wakozawa.dll
2009-07-12 00:29 . 2009-07-12 00:29 88576 --sha-w- c:\windows\system32\zadimeve.dll
2009-07-12 00:29 . 2009-07-12 00:29 51200 --sha-w- c:\windows\system32\zovujiwu.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f12aa5b4-c491-4b07-8a1d-5c47472ed327}]
2009-07-12 15:40 50688 --sha-w- c:\windows\system32\wakozawa.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-30 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-30 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-30 141848]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-06 149280]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-06 2023704]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-14 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"winuwided"="c:\windows\system32\demibigi.dll" [2009-07-12 172544]

c:\documents and settings\nikki\Start Menu\Programs\Startup\
ViiKiiDesktopPlugin.lnk - c:\program files\ViiKiiDesktopPlugin\ViiKiiDesktopPlugin.exe [2009-9-25 95232]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{057b1d8b-3cf4-47d0-b86a-a33fb843bb81}"= "c:\windows\system32\demibigi.dll" [2009-07-12 172544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"fuhehonad"= {057b1d8b-3cf4-47d0-b86a-a33fb843bb81} - c:\windows\system32\demibigi.dll [2009-07-12 172544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-06 03:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\demibigi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Linksys Wireless-G PCI Wireless Network Monitor\\WMP54Gv4.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Microsoft\\Search Enhancement Pack\\SeaPort\\SeaPort.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:blizzard

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/5/2009 10:11 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/5/2009 10:11 PM 108552]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [3/17/2006 5:25 PM 65536]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/5/2009 10:10 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/5/2009 10:10 PM 297752]
S2 gupdate1c90abffa25f956;Google Update Service (gupdate1c90abffa25f956);c:\program files\Google\Update\GoogleUpdate.exe [8/30/2008 11:46 AM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-08-30 16:46]

2009-10-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-08-30 16:46]

2009-10-12 c:\windows\Tasks\User_Feed_Synchronization-{9387AF0C-9827-4C56-8418-C356C23D5B76}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
FF - ProfilePath - c:\documents and settings\nikki\Application Data\Mozilla\Firefox\Profiles\es52l3bd.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-tidabizoze - pehirema.dll
SharedTaskScheduler-{388cad73-cc8d-4319-9077-0bc489f53ac0} - c:\windows\system32\zagodowi.dll
SSODL-hijowojub-{388cad73-cc8d-4319-9077-0bc489f53ac0} - c:\windows\system32\zagodowi.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-12 15:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2388)
c:\windows\system32\WININET.dll
c:\windows\system32\demibigi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-10-12 15:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-12 20:29

Pre-Run: 15,998,070,784 bytes free
Post-Run: 23,410,044,928 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

243 --- E O F --- 2009-09-20 17:07

descriptionSecurity Tool EmptyRe: Security Tool13th October 2009, 1:34 am

more_horiz

Repeat log removed.
~ DragonMaster Jay

descriptionSecurity Tool EmptyRe: Security Tool13th October 2009, 3:45 am

more_horiz
Hi

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Folder::
    c:\program files\hdxoju

    File::
    c:\windows\system32\demibigi.dll
    c:\windows\system32\fawenuto.dll
    c:\windows\system32\firugoti.exe
    c:\windows\system32\pedabara.dll
    c:\windows\system32\sifajade.dll
    c:\windows\system32\wakozawa.dll
    c:\windows\system32\zadimeve.dll
    c:\windows\system32\zovujiwu.dll

    DirLook::
    c:\documents and settings\All Users\Application Data\27922022

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f12aa5b4-c491-4b07-8a1d-5c47472ed327}]
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    Security Tool Cfscriptb4

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

descriptionSecurity Tool EmptyRe: Security Tool13th October 2009, 9:22 pm

more_horiz
here's the log :
ComboFix 09-10-11.03 - nikki 10/13/2009 16:09.2.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1776 [GMT -5:00]
Running from: c:\documents and settings\nikki\My Documents\Downloads\svchost.exe.exe
Command switches used :: c:\documents and settings\nikki\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\demibigi.dll"
"c:\windows\system32\fawenuto.dll"
"c:\windows\system32\firugoti.exe"
"c:\windows\system32\pedabara.dll"
"c:\windows\system32\sifajade.dll"
"c:\windows\system32\wakozawa.dll"
"c:\windows\system32\zadimeve.dll"
"c:\windows\system32\zovujiwu.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\alluse~1\applic~1\ziperame\ziperame.dll
c:\documents and settings\All Users\Application Data\15465122
c:\documents and settings\All Users\Application Data\15465122\15465122.bat
c:\documents and settings\All Users\Application Data\15465122\15465122.exe
c:\documents and settings\nikki\Start Menu\Programs\Security Tool.lnk
c:\program files\hdxoju
c:\windows\system32\demibigi.dll
c:\windows\system32\fawenuto.dll
c:\windows\system32\firugoti.exe
c:\windows\system32\pedabara.dll
c:\windows\system32\sifajade.dll
c:\windows\system32\wakozawa.dll
c:\windows\system32\zadimeve.dll
c:\windows\system32\zovujiwu.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))
.

2009-10-13 12:41 . 2009-10-13 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\ziperame
2009-10-13 12:41 . 2009-10-13 12:41 -------- d-----w- c:\documents and settings\All Users\Application Data\voladeti
2009-10-13 12:41 . 2009-10-13 12:41 -------- d-----w- c:\documents and settings\All Users\Application Data\sufokiyu
2009-10-13 12:41 . 2009-10-13 12:41 -------- d-----w- c:\documents and settings\All Users\Application Data\seniyuro
2009-10-12 00:30 . 2009-10-12 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\27922022
2009-10-10 23:16 . 2009-10-10 23:16 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-10 23:16 . 2009-10-12 22:39 -------- d-----w- c:\documents and settings\nikki\Application Data\skypePM
2009-10-10 23:15 . 2009-10-13 02:19 -------- d-----w- c:\documents and settings\nikki\Application Data\Skype
2009-10-10 23:14 . 2009-10-10 23:14 -------- d-----w- c:\program files\Common Files\Skype
2009-10-10 23:14 . 2009-10-10 23:14 -------- d-----r- c:\program files\Skype
2009-10-10 23:14 . 2009-10-10 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-03 16:38 . 2009-10-03 16:38 -------- d-----w- c:\program files\iPod
2009-10-03 16:38 . 2009-10-03 16:39 -------- d-----w- c:\program files\iTunes
2009-09-26 00:10 . 2009-09-26 00:10 -------- d-----w- c:\documents and settings\nikki\Application Data\ViiKiiDesktopPlugin.5E22EA0FF243470AB5EDDF282C0A5B52E9909C36.1
2009-09-26 00:10 . 2009-09-26 00:10 -------- d-----w- c:\program files\ViiKiiDesktopPlugin
2009-09-26 00:10 . 2009-09-26 00:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-09-19 23:03 . 2009-10-12 04:19 14012 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-19 20:39 . 2009-09-19 20:39 -------- d-----w- c:\program files\Safari
2009-09-19 20:36 . 2009-09-19 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-19 20:33 . 2009-09-19 20:34 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-12 04:19 . 2008-07-12 23:57 13664 ----a-w- c:\documents and settings\nikki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-12 02:28 . 2009-04-25 01:08 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-12 02:27 . 2009-08-22 02:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-10 23:14 . 2008-08-30 16:46 -------- d-----w- c:\program files\Google
2009-10-04 00:34 . 2008-07-10 19:41 -------- d-----w- c:\documents and settings\nikki\Application Data\gtk-2.0
2009-10-03 16:38 . 2008-07-12 23:48 -------- d-----w- c:\program files\Common Files\Apple
2009-09-19 23:03 . 2008-07-12 23:52 -------- d-----w- c:\documents and settings\nikki\Application Data\Apple Computer
2009-09-07 22:56 . 2009-09-05 20:31 -------- d-----w- c:\documents and settings\nikki\Application Data\AVS4YOU
2009-09-07 22:56 . 2009-09-05 20:29 -------- d-----w- c:\program files\AVS4YOU
2009-09-05 20:31 . 2009-09-05 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-09-05 20:31 . 2009-09-05 20:30 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-08-31 01:01 . 2009-08-31 01:00 -------- d-----w- c:\documents and settings\nikki\Application Data\ICAClient
2009-08-29 00:42 . 2008-07-12 23:49 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-29 00:42 . 2008-07-12 23:49 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 22:52 . 2009-08-28 22:52 -------- d-----w- c:\program files\THQICE
2009-08-23 23:58 . 2008-07-11 04:29 -------- d-----w- c:\documents and settings\Guest\Application Data\gtk-2.0
2009-08-22 02:22 . 2009-08-22 02:22 -------- d-----w- c:\documents and settings\nikki\Application Data\Malwarebytes
2009-08-22 02:22 . 2009-08-22 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-21 21:54 . 2009-08-06 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-20 23:16 . 2009-08-20 23:16 -------- d-----w- c:\program files\GIMP-2.0
2009-08-18 22:46 . 2009-08-18 22:44 -------- d-----w- c:\documents and settings\nikki\Application Data\AdobeUM
2009-08-16 23:13 . 2009-07-24 18:36 -------- d-----w- c:\program files\Tales of Pirates Online
2009-08-14 16:51 . 2009-08-14 16:51 12328 ----a-w- c:\documents and settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 03:11 . 2009-08-06 03:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-06 03:11 . 2009-08-06 03:11 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-06 03:11 . 2009-08-06 03:11 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-06 03:11 . 2009-08-06 03:11 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-06 02:52 . 2009-08-06 02:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-06 02:50 . 2009-08-06 02:50 128 ----a-w- c:\documents and settings\nikki\Local Settings\Application Data\fusioncache.dat
2009-08-05 09:11 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 18:36 . 2009-08-22 02:22 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2009-08-22 02:22 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-18 05:58 . 2009-07-18 05:58 4096 ----a-w- c:\windows\d3dx.dat
2009-07-17 18:55 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\27922022 ----



((((((((((((((((((((((((((((( SnapShot@2009-10-12_20.26.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-13 21:15 . 2009-10-13 21:15 16384 c:\windows\temp\Perflib_Perfdata_738.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-30 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-30 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-30 141848]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-06 149280]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-06 2023704]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-14 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

c:\documents and settings\nikki\Start Menu\Programs\Startup\
ViiKiiDesktopPlugin.lnk - c:\program files\ViiKiiDesktopPlugin\ViiKiiDesktopPlugin.exe [2009-9-25 95232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-06 03:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Linksys Wireless-G PCI Wireless Network Monitor\\WMP54Gv4.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Microsoft\\Search Enhancement Pack\\SeaPort\\SeaPort.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:blizzard

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/5/2009 10:11 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/5/2009 10:11 PM 108552]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [3/17/2006 5:25 PM 65536]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/5/2009 10:10 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/5/2009 10:10 PM 297752]
S2 gupdate1c90abffa25f956;Google Update Service (gupdate1c90abffa25f956);c:\program files\Google\Update\GoogleUpdate.exe [8/30/2008 11:46 AM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-08-30 16:46]

2009-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-08-30 16:46]

2009-10-13 c:\windows\Tasks\User_Feed_Synchronization-{9387AF0C-9827-4C56-8418-C356C23D5B76}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
FF - ProfilePath - c:\documents and settings\nikki\Application Data\Mozilla\Firefox\Profiles\es52l3bd.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-15465122 - c:\documents and settings\All Users\Application Data\15465122\15465122.exe
HKLM-Run-winuwided - c:\docume~1\alluse~1\applic~1\ziperame\ziperame.dll
SharedTaskScheduler-{057b1d8b-3cf4-47d0-b86a-a33fb843bb81} - (no file)
SharedTaskScheduler-{537dac85-c9b9-4ea5-bdb4-f4e21b9ffb58} - c:\docume~1\alluse~1\applic~1\ziperame\ziperame.dll
SSODL-fuhehonad-{057b1d8b-3cf4-47d0-b86a-a33fb843bb81} - (no file)
SSODL-kusakekus-{537dac85-c9b9-4ea5-bdb4-f4e21b9ffb58} - c:\docume~1\alluse~1\applic~1\ziperame\ziperame.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-13 16:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2468)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-10-13 16:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-13 21:19
ComboFix2.txt 2009-10-12 20:29

Pre-Run: 23,423,721,472 bytes free
Post-Run: 23,344,427,008 bytes free

247 --- E O F --- 2009-09-20 17:07

descriptionSecurity Tool EmptyRe: Security Tool14th October 2009, 12:42 am

more_horiz
Hi

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Folder::
    c:\documents and settings\All Users\Application Data\ziperame
    c:\documents and settings\All Users\Application Data\voladeti
    c:\documents and settings\All Users\Application Data\sufokiyu
    c:\documents and settings\All Users\Application Data\seniyuro
    c:\documents and settings\All Users\Application Data\27922022
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    Security Tool Cfscriptb4

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


==

Security Tool Mbamicontw5 Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


==

In no order, please post the ComboFix and Malwarebytes logs in your next reply. Also, please tell me how your computer is running.

descriptionSecurity Tool EmptyRe: Security Tool14th October 2009, 2:37 am

more_horiz
here's the combix log:
ComboFix 09-10-11.03 - nikki 10/13/2009 20:04.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1511 [GMT -5]
Running from: c:\documents and settings\nikki\My Documents\Downloads\svchost.exe.exe
Command switches used :: c:\documents and settings\nikki\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\27922022
c:\documents and settings\All Users\Application Data\seniyuro
c:\documents and settings\All Users\Application Data\seniyuro\seniyuro.exe
c:\documents and settings\All Users\Application Data\sufokiyu
c:\documents and settings\All Users\Application Data\sufokiyu\sufokiyu.dll
c:\documents and settings\All Users\Application Data\voladeti
c:\documents and settings\All Users\Application Data\voladeti\voladeti.exe
c:\documents and settings\All Users\Application Data\ziperame

.
((((((((((((((((((((((((( Files Created from 2009-09-14 to 2009-10-14 )))))))))))))))))))))))))))))))
.

2009-10-13 21:18 . 2009-10-13 21:18 -------- d-----w- c:\windows\LastGood
2009-10-10 23:16 . 2009-10-10 23:16 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-10 23:16 . 2009-10-12 22:39 -------- d-----w- c:\documents and settings\nikki\Application Data\skypePM
2009-10-10 23:15 . 2009-10-13 02:19 -------- d-----w- c:\documents and settings\nikki\Application Data\Skype
2009-10-10 23:14 . 2009-10-10 23:14 -------- d-----w- c:\program files\Common Files\Skype
2009-10-10 23:14 . 2009-10-10 23:14 -------- d-----r- c:\program files\Skype
2009-10-10 23:14 . 2009-10-10 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-03 16:38 . 2009-10-03 16:38 -------- d-----w- c:\program files\iPod
2009-10-03 16:38 . 2009-10-03 16:39 -------- d-----w- c:\program files\iTunes
2009-09-26 00:10 . 2009-09-26 00:10 -------- d-----w- c:\documents and settings\nikki\Application Data\ViiKiiDesktopPlugin.5E22EA0FF243470AB5EDDF282C0A5B52E9909C36.1
2009-09-26 00:10 . 2009-09-26 00:10 -------- d-----w- c:\program files\ViiKiiDesktopPlugin
2009-09-26 00:10 . 2009-09-26 00:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-09-19 23:03 . 2009-10-12 04:19 14012 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-19 20:39 . 2009-09-19 20:39 -------- d-----w- c:\program files\Safari
2009-09-19 20:36 . 2009-09-19 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-19 20:33 . 2009-09-19 20:34 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-12 04:19 . 2008-07-12 23:57 13664 ----a-w- c:\documents and settings\nikki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-12 02:28 . 2009-04-25 01:08 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-12 02:27 . 2009-08-22 02:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-10 23:14 . 2008-08-30 16:46 -------- d-----w- c:\program files\Google
2009-10-04 00:34 . 2008-07-10 19:41 -------- d-----w- c:\documents and settings\nikki\Application Data\gtk-2.0
2009-10-03 16:38 . 2008-07-12 23:48 -------- d-----w- c:\program files\Common Files\Apple
2009-09-19 23:03 . 2008-07-12 23:52 -------- d-----w- c:\documents and settings\nikki\Application Data\Apple Computer
2009-09-07 22:56 . 2009-09-05 20:31 -------- d-----w- c:\documents and settings\nikki\Application Data\AVS4YOU
2009-09-07 22:56 . 2009-09-05 20:29 -------- d-----w- c:\program files\AVS4YOU
2009-09-05 20:31 . 2009-09-05 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-09-05 20:31 . 2009-09-05 20:30 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-08-31 01:01 . 2009-08-31 01:00 -------- d-----w- c:\documents and settings\nikki\Application Data\ICAClient
2009-08-29 00:42 . 2008-07-12 23:49 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-29 00:42 . 2008-07-12 23:49 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 22:52 . 2009-08-28 22:52 -------- d-----w- c:\program files\THQICE
2009-08-23 23:58 . 2008-07-11 04:29 -------- d-----w- c:\documents and settings\Guest\Application Data\gtk-2.0
2009-08-22 02:22 . 2009-08-22 02:22 -------- d-----w- c:\documents and settings\nikki\Application Data\Malwarebytes
2009-08-22 02:22 . 2009-08-22 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-21 21:54 . 2009-08-06 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-20 23:16 . 2009-08-20 23:16 -------- d-----w- c:\program files\GIMP-2.0
2009-08-18 22:46 . 2009-08-18 22:44 -------- d-----w- c:\documents and settings\nikki\Application Data\AdobeUM
2009-08-16 23:13 . 2009-07-24 18:36 -------- d-----w- c:\program files\Tales of Pirates Online
2009-08-14 16:51 . 2009-08-14 16:51 12328 ----a-w- c:\documents and settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 03:11 . 2009-08-06 03:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-06 03:11 . 2009-08-06 03:11 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-06 03:11 . 2009-08-06 03:11 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-06 03:11 . 2009-08-06 03:11 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-06 02:52 . 2009-08-06 02:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-06 02:50 . 2009-08-06 02:50 128 ----a-w- c:\documents and settings\nikki\Local Settings\Application Data\fusioncache.dat
2009-08-05 09:11 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 18:36 . 2009-08-22 02:22 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2009-08-22 02:22 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-18 05:58 . 2009-07-18 05:58 4096 ----a-w- c:\windows\d3dx.dat
2009-07-17 18:55 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-12_20.26.27 )))))))))))))))))))))))))))))))))))))))))
.
2009-06-25 00:56 . 2009-06-25 00:56 73728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
2008-05-28 05:49 . 2008-05-28 05:49 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2007-04-14 01:58 . 2007-04-14 01:58 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
2008-05-28 05:49 . 2008-05-28 05:49 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
2008-05-28 05:49 . 2008-05-28 05:49 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2007-04-14 02:30 . 2007-04-14 02:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
2008-05-28 06:30 . 2008-05-28 06:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
2009-10-14 01:01 . 2009-10-14 01:01 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_ce8c42a5\System.Drawing.Design.dll
2009-10-14 01:01 . 2009-10-14 01:01 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_5252f6e3\CustomMarshalers.dll
- 2007-04-14 01:58 . 2007-04-14 01:58 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
2008-05-28 05:49 . 2008-05-28 05:49 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
2008-05-28 05:48 . 2008-05-28 05:48 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2007-04-14 01:56 . 2007-04-14 01:56 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2007-04-14 02:30 . 2007-04-14 02:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
2008-05-28 06:30 . 2008-05-28 06:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
2009-10-14 01:01 . 2009-10-14 01:01 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_b5b4e99d\System.Drawing.dll
2008-05-28 06:35 . 2008-05-28 06:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2007-04-14 02:35 . 2007-04-14 02:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
2008-05-28 06:35 . 2008-05-28 06:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2007-04-14 02:35 . 2007-04-14 02:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
2008-05-28 05:48 . 2008-05-28 05:48 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
2008-05-28 05:48 . 2008-05-28 05:48 2523136 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 2523136 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2007-04-14 01:50 . 2007-04-14 01:50 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
2008-05-28 05:43 . 2008-05-28 05:43 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
2009-10-14 01:00 . 2009-10-14 01:00 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_58fc7abe\System.dll
2009-10-14 01:01 . 2009-10-14 01:01 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_110447d4\System.Xml.dll
2009-10-14 01:01 . 2009-10-14 01:01 3018752 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_a72602ed\System.Windows.Forms.dll
2009-10-14 01:01 . 2009-10-14 01:01 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_443cbdf9\System.Design.dll
2009-10-14 01:01 . 2009-10-14 01:01 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_20ed9b4c\mscorlib.dll
- 2009-09-19 00:57 . 2009-09-19 00:57 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
2009-10-14 01:00 . 2009-10-14 01:00 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
2009-10-14 01:00 . 2009-10-14 01:00 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
- 2009-09-19 00:57 . 2009-09-19 00:57 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
2009-10-14 01:01 . 2009-10-02 16:01 25198016 c:\windows\system32\MRT.exe
2009-08-11 02:08 . 2009-08-11 02:08 11315712 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp
2009-08-10 19:09 . 2009-08-10 19:09 17254912 c:\windows\Installer\ce56a7.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-30 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-30 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-30 141848]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-06 149280]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-06 2023704]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-14 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

c:\documents and settings\nikki\Start Menu\Programs\Startup\
ViiKiiDesktopPlugin.lnk - c:\program files\ViiKiiDesktopPlugin\ViiKiiDesktopPlugin.exe [2009-9-25 95232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-06 03:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Linksys Wireless-G PCI Wireless Network Monitor\\WMP54Gv4.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Microsoft\\Search Enhancement Pack\\SeaPort\\SeaPort.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:blizzard

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/5/2009 10:11 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/5/2009 10:11 PM 108552]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [3/17/2006 5:25 PM 65536]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/5/2009 10:10 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/5/2009 10:10 PM 297752]
S2 gupdate1c90abffa25f956;Google Update Service (gupdate1c90abffa25f956);c:\program files\Google\Update\GoogleUpdate.exe [8/30/2008 11:46 AM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-08-30 16:46]

2009-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-08-30 16:46]

2009-10-13 c:\windows\Tasks\User_Feed_Synchronization-{9387AF0C-9827-4C56-8418-C356C23D5B76}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
FF - ProfilePath - c:\documents and settings\nikki\Application Data\Mozilla\Firefox\Profiles\es52l3bd.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-13 20:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-10-14 20:12
ComboFix-quarantined-files.txt 2009-10-14 01:12
ComboFix2.txt 2009-10-13 21:19
ComboFix3.txt 2009-10-12 20:29

Pre-Run: 23,177,990,144 bytes free
Post-Run: 23,146,643,456 bytes free

235 --- E O F --- 2009-10-14 01:02

------------------------------------------------------------------------------------------------
THE MBAM LOG
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\15465122\15465122.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\seniyuro\seniyuro.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\voladeti\voladeti.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\firugoti.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4A0D1951-71BC-4D67-9DE1-F4CF525A2DED}\RP132\A0087317.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4A0D1951-71BC-4D67-9DE1-F4CF525A2DED}\RP132\A0087321.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4A0D1951-71BC-4D67-9DE1-F4CF525A2DED}\RP134\A0087545.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4A0D1951-71BC-4D67-9DE1-F4CF525A2DED}\RP134\A0087547.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.

=======
Hello
well my computer is running pretty smooth now, no more pop ups, my display setting does not change anymore, the icons on the desktop are there and the security tool does not pop out anymore. is everything okay now? and can i enable my AVG Anti-virus? Security Tool 643420
Security Tool 517289

descriptionSecurity Tool EmptyRe: Security Tool14th October 2009, 3:14 am

more_horiz
Hi

Go ahead and enable AVG.

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE

You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and the display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button click this
  • Accept the Warning and select OK again, the program will close and you are done


==

Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start
    button to begin the process. Depending on how often you clean temp
    files, execution time should be anywhere from a few seconds to a minute
    or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


==

To uninstall ComboFix

  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /u

Security Tool Cf310

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.


==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

descriptionSecurity Tool EmptyRe: Security Tool14th October 2009, 3:54 am

more_horiz
Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
AVG Free 8.5
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
Java(TM) 6 Update 15
Adobe Flash Player 10
Adobe Reader 6.0.1
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
AVG avgemc.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

descriptionSecurity Tool EmptyRe: Security Tool14th October 2009, 4:08 am

more_horiz
Hi

Please upgrade to Windows XP SP3, because it includes all previously released updates. It also includes a small number of new functionalities. Some of the updates that Service Pack 3 provides, you may not have. It is now available via Windows Update.

==

Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

==

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Firewall

  • Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
  • Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  • PC Tools Firewall Plus: free and excellent firewall.


AntiSpyware

  • SpywareBlaster
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  • Spybot - Search & Destroy.
    Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).


NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:


Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

descriptionSecurity Tool EmptyRe: Security Tool15th October 2009, 12:04 am

more_horiz
hello,
thank you very much for helping fix my computer Big Grin
and i have a question do i have to download the firewall even though i already have one? Let me think

descriptionSecurity Tool EmptyRe: Security Tool15th October 2009, 1:06 am

more_horiz
Nope. One firewall will do. Smile...

descriptionSecurity Tool EmptyRe: Security Tool15th October 2009, 9:03 pm

more_horiz
okay =)
thank you very much for your help Big Grin

descriptionSecurity Tool EmptyRe: Security Tool

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum