System Security et.al.

Part 10

c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\2\sdfmodifier.xml
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\2\t2_bg.res
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\2\theweb.mnu
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\2\top7.cdf
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\2\Top7_theweb.mnu
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\2\tsd_bg.res
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\2\zango_btn.res
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\2\zango_ie_menu.res
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\avatar.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans.idx
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\BtnTrans1.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\buttondir.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\cursors.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_1000.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_2000.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_3000.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bar.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_bbar1.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_logos.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_buttons_other.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\d_icons_weather.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\default.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\editblbuttons.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\email-t1-bg.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\icons2.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_games_icon.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\ie_video.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords1.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\layout.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\linkpathlegal.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\s_icons_buttons.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\sales_buttons.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\samplegroups2.txt
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\samplegroups2.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\sdfmodifier.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\t2_bg.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\top7.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\tsd_bg.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_btn.xip
c:\documents and settings\Nanu\Application Data\Zango\v3.0\Zango\static\DownLoad\zango_ie_menu.xip
c:\documents and settings\Nanu\nah_log.dat
c:\documents and settings\Nanu\nah_temp1.exe
c:\program files\INSTALL.LOG
c:\windows\system32\TDSSmtve.dat

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\winlogon.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
.

2009-01-06 13:19 . 2009-01-06 13:19 53,248 --a------ c:\temp\catchme.dll
2009-01-04 22:49 . 2009-01-04 22:49 d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-01-04 19:38 . 2009-01-04 19:38 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
2009-01-04 19:09 . 2009-01-04 19:09 d-------- c:\documents and settings\Nanu\Application Data\Malwarebytes
2009-01-04 18:32 . 2009-01-04 19:38 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-04 18:32 . 2009-01-04 18:32 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-04 18:32 . 2009-01-04 18:38 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-04 18:32 . 2009-01-04 18:38 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-04 00:06 . 2009-01-04 00:06 d--h----- c:\windows\PIF
2009-01-03 23:54 . 2009-01-04 17:41 d--h----- C:\$AVG8.VAULT$
2009-01-03 22:02 . 2009-01-06 07:18 d-------- c:\windows\SYSTEM32\DRIVERS\Avg
2009-01-03 22:02 . 2009-01-03 22:02 d-------- c:\program files\AVG
2009-01-03 22:02 . 2009-01-06 12:29 d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-03 22:02 . 2009-01-04 19:38 98,440 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys
2009-01-03 22:02 . 2009-01-04 19:38 90,632 --a------ c:\windows\SYSTEM32\DRIVERS\avgtdix.sys
2009-01-03 22:02 . 2009-01-04 19:38 12,936 --a------ c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys
2009-01-03 21:07 . 2009-01-03 22:03 d-------- c:\documents and settings\Administrator
2009-01-03 19:56 . 2009-01-03 19:56 870,128 --a------ c:\windows\SYSTEM32\mcs.rma
2009-01-03 19:56 . 2009-01-03 19:56 4 --a------ c:\windows\SYSTEM32\0624EB
2009-01-02 13:01 . 2009-01-04 17:45 d-------- c:\program files\Windows Live Safety Center
2009-01-02 11:05 . 2009-01-02 11:05 d-------- c:\documents and settings\All Users\Application Data\suspicious_1564938143
2008-12-29 23:06 . 2008-12-29 23:06 d-------- c:\program files\Bonjour
2008-12-23 10:08 . 2008-12-23 10:09 d-------- c:\documents and settings\Nanu\Application Data\Move Networks
2008-12-21 11:09 . 2008-12-21 11:09 45,056 --a------ c:\documents and settings\Nanu\wincgf64.exe
2008-12-12 11:18 . 2008-12-12 11:18 87,336 --a------ c:\windows\SYSTEM32\dns-sd.exe
2008-12-12 11:11 . 2008-12-12 11:11 61,440 --a------ c:\windows\SYSTEM32\dnssd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 03:27 --------- d-----w c:\program files\Java
2009-01-06 03:22 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-04 02:29 --------- d-----w c:\program files\Google
2009-01-04 02:13 --------- d-----w c:\documents and settings\Nanu\Application Data\Apple Computer
2009-01-04 02:05 --------- d-----w c:\program files\NStorm
2009-01-04 02:03 --------- d-----w c:\program files\IncrediMail
2009-01-01 00:43 --------- d-----w c:\documents and settings\Nanu\Application Data\WeatherBug
2008-12-27 00:19 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-12-05 16:50 --------- d-----w c:\program files\Coupons
2008-11-25 15:47 --------- d-----w c:\program files\iTunes
2008-11-25 15:47 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-25 15:38 --------- d-----w c:\program files\iPod
2008-11-25 15:37 --------- d-----w c:\program files\Common Files\Apple
2008-11-25 14:27 --------- d-----w c:\program files\QuickTime
2008-04-11 04:17 32 ----a-r c:\documents and settings\All Users\hash.dat
2007-11-26 00:25 62,024 -c--a-w c:\documents and settings\Nanu\Application Data\GDIPFONTCACHEV1.DAT
2005-07-16 10:41 41,573 -c--a-w c:\program files\mozilla firefox\components\jar50.dll
2005-07-16 10:41 48,223 -c--a-w c:\program files\mozilla firefox\components\jsd3250.dll
2005-07-16 10:41 160,871 -c--a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-08-20 09:06 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008082020080821\index.dat
.



More to follow

Part 11


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2004-07-30 1593344]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Schedule"="c:\program files\WinTVR3\Schedule.exe" [2005-09-27 98304]
"Remote"="c:\program files\WinTVR3\Remote.exe" [2005-09-27 241664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"OneTouch Monitor"="c:\progra~1\VISION~1\ONETOU~2.EXE" [2002-04-16 86016]
"NeroCheck"="c:\windows\System32\NeroCheck.exe" [2001-07-09 155648]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 11776]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-04 1261336]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-02-20 315392]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\SYSTEM32\Ati2mdxx.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"VIDC.JPEG"= jpegCode.dll
"VIDC.MJPG"= jpegCode.dll
"VIDC.VDOM"= vdowave.drv
"VIDC.TR20"= tr2032.dll
"vidc.vivo"= ivvideo.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\WINDOWS\\SYSTEM32\\dxdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [2009-01-03 12936]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2009-01-03 98440]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [2009-01-03 90632]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-04 874776]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-03 231704]
R4 ppsio2;PPDevice;c:\windows\SYSTEM32\DRIVERS\ppsio2.sys [2003-07-29 23200]
S0 bvme;bvme;c:\windows\system32\drivers\Igoxhxj.sys --> c:\windows\system32\drivers\Igoxhxj.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-06 c:\windows\Tasks\bk2.job
- c:\backups\bk2.bat [2008-03-24 22:16]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DW4 - c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: ehg-churchilldownsinc.hitbox.com
Trusted Zone: online.musicmatch.com

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Nanu\Application Data\Mozilla\Firefox\Profiles\qiquwtgl.default\
FF - prefs.js: browser.search.selectedEngine - MyStart Search
FF - prefs.js: browser.startup.homepage - hxxp://www.netscape.com
FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=ff_address_bar&search=
FF - prefs.js: network.proxy.type - 4

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.IDN_show_punycode", true);
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("app.version",
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");
.

**************************************************************************

More to follow

Part 12


catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 13:19:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\CTsvcCDA.EXE
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\windows\SYSTEM32\fxssvc.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\progra~1\MUSICM~1\MUSICM~1\MMDiag.exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-06 13:26:02 - machine was rebooted [Nanu]
ComboFix-quarantined-files.txt 2009-01-06 19:25:31

Pre-Run: 13,629,341,696 bytes free
Post-Run: 13,895,462,912 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

1368 --- E O F --- 2008-12-19 09:02:39


Finally the end.

BTW, what is the message line limit?

Thanks!

I dunno the message line limit.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::
Driver::
bvme

File::
c:\windows\system32\drivers\Igoxhxj.sys
c:\documents and settings\Nanu\wincgf64.exe

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.

Here are the results of the second combofix run:

Part 1

ComboFix 09-01-05.05 - Nanu 2009-01-06 20:53:23.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.395 [GMT -6:00]
Running from: c:\documents and settings\Nanu\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nanu\Desktop\CFscript.txt
AV: AVG Anti-Virus *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\documents and settings\Nanu\wincgf64.exe
c:\windows\system32\drivers\Igoxhxj.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Nanu\wincgf64.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_bvme


((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.

2009-01-06 21:08 . 2009-01-06 21:08 53,248 --a------ c:\temp\catchme.dll
2009-01-04 22:49 . 2009-01-04 22:49 d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-01-04 19:38 . 2009-01-04 19:38 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
2009-01-04 19:09 . 2009-01-04 19:09 d-------- c:\documents and settings\Nanu\Application Data\Malwarebytes
2009-01-04 18:32 . 2009-01-04 19:38 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-04 18:32 . 2009-01-04 18:32 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-04 18:32 . 2009-01-04 18:38 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-04 18:32 . 2009-01-04 18:38 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-04 00:06 . 2009-01-04 00:06 d--h----- c:\windows\PIF
2009-01-03 23:54 . 2009-01-04 17:41 d--h----- C:\$AVG8.VAULT$
2009-01-03 22:02 . 2009-01-06 15:18 d-------- c:\windows\SYSTEM32\DRIVERS\Avg
2009-01-03 22:02 . 2009-01-03 22:02 d-------- c:\program files\AVG
2009-01-03 22:02 . 2009-01-06 12:29 d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-03 22:02 . 2009-01-04 19:38 98,440 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys
2009-01-03 22:02 . 2009-01-04 19:38 90,632 --a------ c:\windows\SYSTEM32\DRIVERS\avgtdix.sys
2009-01-03 22:02 . 2009-01-04 19:38 12,936 --a------ c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys
2009-01-03 21:07 . 2009-01-03 22:03 d-------- c:\documents and settings\Administrator
2009-01-03 19:56 . 2009-01-03 19:56 870,128 --a------ c:\windows\SYSTEM32\mcs.rma
2009-01-03 19:56 . 2009-01-03 19:56 4 --a------ c:\windows\SYSTEM32\0624EB
2009-01-02 13:01 . 2009-01-04 17:45 d-------- c:\program files\Windows Live Safety Center
2009-01-02 11:05 . 2009-01-02 11:05 d-------- c:\documents and settings\All Users\Application Data\suspicious_1564938143
2008-12-29 23:06 . 2008-12-29 23:06 d-------- c:\program files\Bonjour
2008-12-23 10:08 . 2008-12-23 10:09 d-------- c:\documents and settings\Nanu\Application Data\Move Networks
2008-12-12 11:18 . 2008-12-12 11:18 87,336 --a------ c:\windows\SYSTEM32\dns-sd.exe
2008-12-12 11:11 . 2008-12-12 11:11 61,440 --a------ c:\windows\SYSTEM32\dnssd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 03:27 --------- d-----w c:\program files\Java
2009-01-06 03:22 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-04 02:29 --------- d-----w c:\program files\Google
2009-01-04 02:13 --------- d-----w c:\documents and settings\Nanu\Application Data\Apple Computer
2009-01-04 02:05 --------- d-----w c:\program files\NStorm
2009-01-04 02:03 --------- d-----w c:\program files\IncrediMail
2009-01-01 00:43 --------- d-----w c:\documents and settings\Nanu\Application Data\WeatherBug
2008-12-27 00:19 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-12-05 16:50 --------- d-----w c:\program files\Coupons
2008-11-25 15:47 --------- d-----w c:\program files\iTunes
2008-11-25 15:47 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-25 15:38 --------- d-----w c:\program files\iPod
2008-11-25 15:37 --------- d-----w c:\program files\Common Files\Apple
2008-11-25 14:27 --------- d-----w c:\program files\QuickTime
2008-04-11 04:17 32 ----a-r c:\documents and settings\All Users\hash.dat
2007-11-26 00:25 62,024 -c--a-w c:\documents and settings\Nanu\Application Data\GDIPFONTCACHEV1.DAT
2005-07-16 10:41 41,573 -c--a-w c:\program files\mozilla firefox\components\jar50.dll
2005-07-16 10:41 48,223 -c--a-w c:\program files\mozilla firefox\components\jsd3250.dll
2005-07-16 10:41 160,871 -c--a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-08-20 09:06 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008082020080821\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2004-07-30 1593344]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Schedule"="c:\program files\WinTVR3\Schedule.exe" [2005-09-27 98304]
"Remote"="c:\program files\WinTVR3\Remote.exe" [2005-09-27 241664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"OneTouch Monitor"="c:\progra~1\VISION~1\ONETOU~2.EXE" [2002-04-16 86016]
"NeroCheck"="c:\windows\System32\NeroCheck.exe" [2001-07-09 155648]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 11776]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-04 1261336]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-02-20 315392]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\SYSTEM32\Ati2mdxx.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"VIDC.JPEG"= jpegCode.dll
"VIDC.MJPG"= jpegCode.dll
"VIDC.VDOM"= vdowave.drv
"VIDC.TR20"= tr2032.dll
"vidc.vivo"= ivvideo.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\WINDOWS\\SYSTEM32\\dxdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [2009-01-03 12936]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2009-01-03 98440]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [2009-01-03 90632]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-04 874776]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-03 231704]
R4 ppsio2;PPDevice;c:\windows\SYSTEM32\DRIVERS\ppsio2.sys [2003-07-29 23200]

Part 2

.
Contents of the 'Scheduled Tasks' folder

2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-06 c:\windows\Tasks\bk2.job
- c:\backups\bk2.bat [2008-03-24 22:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: ehg-churchilldownsinc.hitbox.com
Trusted Zone: online.musicmatch.com

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Nanu\Application Data\Mozilla\Firefox\Profiles\qiquwtgl.default\
FF - prefs.js: browser.search.selectedEngine - MyStart Search
FF - prefs.js: browser.startup.homepage - hxxp://www.netscape.com
FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=ff_address_bar&search=
FF - prefs.js: network.proxy.type - 4

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.IDN_show_punycode", true);
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("app.version",
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 21:08:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\CTsvcCDA.EXE
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\windows\SYSTEM32\fxssvc.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\progra~1\MUSICM~1\MUSICM~1\MMDiag.exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-06 21:14:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-07 03:14:28
ComboFix2.txt 2009-01-06 19:26:05

Pre-Run: 13,895,446,528 bytes free
Post-Run: 13,882,540,032 bytes free

244 --- E O F --- 2008-12-19 09:02:39

Looks better now, what problems remain?

As best I can tell, all is well.

I'm curious what threats were present. Can you please comment on them?

Also, was any secure information compromised?

I looked at via notepad, c:\Documents and Settings\Nanu\nah_log.dat in notepad. I think it had the pop server's passwords in it. This was done prior to your involvement and mentioned in my original post.

Belahzur, thanks for all your help! Your time and talent are greatly appreciated.

Hello.
No, nothing was compromised, no backdoor functionality stuff here.

I could see from your DDS log that file this file was present in the find3m report, find3m means files modified, and I checked the file size and compared it to mine, there were different, so I had my suspicion that the file was patched by malware to load the malware.
c:\windows\system32\winlogon.exe

Then I had CFScript remove this driver and file:
c:\windows\system32\drivers\Igoxhxj.sys

I couldn't find anything on it, so chances are it was randomly named and I went with my gut and had CF delete it.

No backdoor functionality is a big relief!

Shall we mark this one solved or is there more to do?

Just Java needs updating, then I'll post some security tips and let you on your way.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

• Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  
• Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 11".
  
• Click the "Download" button to the right.
  
• In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  
• Click on the link to download Windows Offline Installation and save to your desktop.
  
• Close any programs you may have running - especially your web browser.
  
• Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  - Examples of older versions in Add or Remove Programs:
  - Java 2 Runtime Environment, SE v1.4.2
  - J2SE Runtime Environment 5.0
  - J2SE Runtime Environment 5.0 Update 2
  
• Click the Remove or Change/Remove button.
  
• Repeat as many times as necessary to remove each Java versions.
  
• Reboot your computer once all Java components are removed.
  
• Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.
  

Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from here

• First, unzip it.
  
• Then run JavaRa.
  
• Select English from the drop down menu and press Select.
  
• This will open JavaRa.
  
• Press Remove older versions
  
• Press yes to the prompt.
  
• It will make a log file of what it's removed.
  
• Copy and paste the log back here.
  

Hi there. Here is the JavaRa log:

JavaRa 1.12 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Wed Jan 07 20:28:23 2009

Found and removed: C:\Program Files\Java\jre1.6.0_07

Found and removed: C:\Program Files\Java Web Start

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\javaw.Exe

Found and removed: SOFTWARE\Classes\JavaPlugin.140_03

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\JavaSoft\Java2D\1.5.0_04

Found and removed: Software\JavaSoft\Java2D\1.5.0_06

Found and removed: Software\JavaSoft\Java2D\1.5.0_09

Found and removed: Software\JavaSoft\Java2D\1.5.0_10

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\JavaPlugin.150_04

Found and removed: SOFTWARE\Classes\JavaPlugin.150_06

Found and removed: SOFTWARE\Classes\JavaPlugin.150_09

Found and removed: SOFTWARE\Classes\JavaPlugin.150_10

Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0

Found and removed: SOFTWARE\Classes\JavaPlugin.141_02

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

------------------------------------

Finished reporting.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck.

Belahzur,

Thank you for all your help.

It's a big relief having the system back in working order. We will certainly be vigilant about keeping virus/spyware tools up to date.

Thanks again for all that you do for both me and others.

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.