WiredWX Christian Hobby Weather Tools
Virus Packed.Protector.C Windows\system32\dllcache\cdrom.sys

I have viruses:
Packed.Protector.C
Windows\system32\dllcache\cdrom.sys
System Volume Information\_restore{C43C72E6-B5D5-4A2B-822E-A58C130FF25A}\RP473\A0065681.sys

Trojan horse injector.EZ
Windows\system32\imPlayok.exe

Trojan horse BackDoor.Generic12.GOG.dropper
Windows\system32\264577.exe
\474222.exe
\523963.exe
\602369.exe
\88793.exe

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:18 PM, on 1/22/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\ofps.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Rick Toby\Desktop\winlogon.scr

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Rick Toby\budmcut.exe \s
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.62 antispy.microsoft.com
O1 - Hosts: 209.44.111.62 antiaware-pro.com
O1 - Hosts: 209.44.111.62 www.antiaware-pro.com
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [cjhd] C:\WINDOWS\system32\cjhd.exe \u
O4 - HKLM\..\Run: [imPlayok] C:\WINDOWS\system32\imPlayok.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [tovedadok] Rundll32.exe "c:\windows\system32\mikusedi.dll",a
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [imPlayok] C:\Documents and Settings\Rick Toby\imPlayok.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169430814609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169430878437
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://129.57.20.46:1497/activex/AxisCamControl.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {F89EF74A-956B-4BD3-A066-4F23DF891982} (Drag and Drop Uploader Control) - http://www.betterphoto.com/_shared/uploadImageDragDrop/DragAndDropUploader2.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0BEB0F8-FBA3-4394-A65F-9C4F453152D4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\0023.DLL c:\windows\system32\mikusedi.dll,yerodovo.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: johayuket - {8e676256-6709-4cc7-a694-15d64ce2b01e} - c:\windows\system32\mikusedi.dll
O22 - SharedTaskScheduler: jugezatag - {8e676256-6709-4cc7-a694-15d64ce2b01e} - c:\windows\system32\mikusedi.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Update Service (gupdate1ca11eb9c8a20f) (gupdate1ca11eb9c8a20f) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak AiO Network Discovery Service - Unknown owner - C:\Program Files\Kodak\Printer\Center\EKDiscovery.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: OmniForm Printer - Unknown owner - C:\WINDOWS\system32\ofps.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--
End of file - 9831 bytes
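The HijackThis log above can be triaged mechanically rather than read line by line. The script below is an added example, not part of the original post and not a HijackThis or AVG tool: it parses HJT-format lines and flags the entry types that matter most in this log (a browser proxy on 127.0.0.1, a hosts-file redirect of antispy.microsoft.com, an extra program in UserInit, Run values that load a DLL through Rundll32, a populated AppInit_DLLs list, and SSODL/SharedTaskScheduler DLLs). Which entries count as "review this" is the example's own judgement; the sample lines are copied from the log above.

```python
"""Triage of HijackThis v2 log lines for traffic-hijack and persistence indicators."""
import re
from dataclasses import dataclass

# Loopback / unspecified addresses: a hosts entry pointing here is harmless.
LOOPBACK = re.compile(r"^(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|::1|0\.0\.0\.0)$")


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O20"
    reason: str   # why the entry deserves a look
    line: str     # the log line, verbatim


def split_section(line):
    """Return (tag, remainder) for an 'Rn - ...', 'Fn - ...' or 'On - ...' line."""
    m = re.match(r"^([RFO]\d+) - (.*)$", line)
    return (m.group(1), m.group(2)) if m else (None, None)

def check_hosts(rest):
    # O1 - Hosts: <ip> <name>; any non-loopback target is a redirect.
    m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", rest)
    if m and not LOOPBACK.match(m.group(1)):
        return f"hosts file sends {m.group(2)} to {m.group(1)}"
    return None

def check_proxy(rest):
    # R1 ... Internet Settings,ProxyServer = http=127.0.0.1:5555
    m = re.search(r"ProxyServer = (.*)$", rest)
    if m and re.search(r"(127\.0\.0\.1|localhost):\d+", m.group(1)):
        return f"browser traffic proxied through a local port ({m.group(1)})"
    return None

def check_userinit(rest):
    # F2 - REG:system.ini: UserInit=<userinit.exe>,<anything else is extra>
    m = re.search(r"UserInit=(.*)$", rest, re.IGNORECASE)
    if not m:
        return None
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    extra = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
    return "UserInit runs extra program(s) at logon: " + "; ".join(extra) if extra else None

def check_run(rest):
    # O4 - HK..\..\Run: [name] command; Rundll32 loading a DLL is a common loader.
    m = re.match(r".*\\Run:\s+\[(.*?)\]\s+(.*)$", rest)
    if m and re.match(r"rundll32(\.exe)?\b", m.group(2), re.IGNORECASE):
        return f"Run value '{m.group(1)}' loads a DLL via Rundll32: {m.group(2)}"
    return None

def check_appinit(rest):
    # O20 - AppInit_DLLs: <list>; anything listed is injected into every GUI process.
    m = re.match(r"AppInit_DLLs:\s*(.+)$", rest)
    return f"AppInit_DLLs injection list is populated: {m.group(1)}" if m else None

def check_shell_load(rest):
    # O21 SSODL and O22 SharedTaskScheduler both load a DLL into Explorer at logon.
    return "DLL loaded into Explorer at logon: " + rest

CHECKS = {
    "R1": check_proxy, "F2": check_userinit, "O1": check_hosts, "O4": check_run,
    "O20": check_appinit, "O21": check_shell_load, "O22": check_shell_load,
}


def triage(log_text):
    """Run the section-specific check on every line and return findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        tag, rest = split_section(line)
        check = CHECKS.get(tag)
        if check is None:
            continue
        reason = check(rest)
        if reason:
            findings.append(Finding(tag, reason, line))
    return findings


# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Rick Toby\budmcut.exe \s
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.62 antispy.microsoft.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [tovedadok] Rundll32.exe "c:\windows\system32\mikusedi.dll",a
O20 - AppInit_DLLs: C:\WINDOWS\system32\0023.DLL c:\windows\system32\mikusedi.dll,yerodovo.dll
O21 - SSODL: johayuket - {8e676256-6709-4cc7-a694-15d64ce2b01e} - c:\windows\system32\mikusedi.dll
O22 - SharedTaskScheduler: jugezatag - {8e676256-6709-4cc7-a694-15d64ce2b01e} - c:\windows\system32\mikusedi.dll
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}")
```

Run against the sample it reports seven entries and leaves the Yahoo start page, the `::1 localhost` hosts line, the QuickTime Run value and the TomTom service alone. The same DLL (mikusedi.dll) showing up in a Run value, in AppInit_DLLs and in both Explorer load points is exactly the kind of overlap that is easy to miss by eye and obvious once the findings are listed side by side.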

Re: Virus Packed.Protector.C Windows\system32\dllcache\cdrom.sys

Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    [screenshot: CF_download_FF]

    [screenshot: CF_download_rename]

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [screenshot: Cf410]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    [screenshot: Cf510]

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Virus Packed.Protector.C Windows\system32\dllcache\cdrom.sys

ComboFix 10-01-21.08 - Rick Toby 01/22/2010 20:31:25.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.607 [GMT -6:00]
Running from: c:\documents and settings\Rick Toby\Desktop\Combo-Fix.exe
FW: ActiveArmor Firewall *enabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\ozewaxu.inf
c:\documents and settings\All Users\Documents\kyhit.vbs
c:\documents and settings\All Users\Documents\owab.reg
c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\Rick Toby\Local Settings\Application Data\ulydoto.bat
c:\documents and settings\Rick Toby\My Documents\ZbThumbnail.info
c:\documents and settings\Rick Toby\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\program files\Common Files\zyqimi.bat
c:\program files\driver
c:\windows\010112010146118114.dat
c:\windows\system32\797114.exe
c:\windows\system32\fidebipi.dll
c:\windows\system32\isocolygu.vbs
c:\windows\system32\mikusedi.dll
c:\windows\system32\muzapp.exe
c:\windows\system32\nevikegu.dll
c:\windows\system32\ntnet.drv
c:\windows\system32\orybabujy.vbs
c:\windows\system32\setihuni.dll
c:\windows\system32\terrapof32
c:\windows\system32\terrapof32\efwef23.gds
c:\windows\system32\terrapof32\g45hged.gdp
c:\windows\system32\yerodovo.dll
c:\windows\Tasks.\AntiSpywareBot Scheduled Scan.job
c:\windows\Tasks\smumiqbz.job
c:\windows\Tasks.\AntispywareBot Scheduled Scan.job . . . . failed to delete

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ONESTEP_SEARCH_SERVICE


((((((((((((((((((((((((( Files Created from 2009-12-23 to 2010-01-23 )))))))))))))))))))))))))))))))
.

2010-01-23 02:36 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-01-23 02:36 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-01-22 18:03 . 2010-01-22 18:03 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\Simple Star
2010-01-22 17:48 . 2004-05-14 15:12 1916928 ------w- c:\windows\UNNVEContent.exe
2010-01-22 17:48 . 2004-05-14 15:12 1916928 ------w- c:\windows\UNAheadManual.exe
2010-01-22 17:47 . 2004-11-11 11:50 2433024 ------w- c:\windows\UNNMP.exe
2010-01-22 15:27 . 2010-01-22 15:30 -------- d-----w- C:\$AVG
2010-01-22 15:25 . 2010-01-22 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-22 05:23 . 2010-01-22 05:23 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2010-01-21 20:10 . 2010-01-21 20:11 -------- d-----w- c:\program files\MeadCo Neptune
2010-01-21 15:17 . 2010-01-21 15:17 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2010-01-21 00:30 . 2010-01-21 00:30 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\Canneverbe_Limited
2010-01-21 00:30 . 2010-01-21 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2010-01-20 02:59 . 2010-01-21 15:46 -------- d-----w- c:\documents and settings\Rick Toby\Local Settings\Application Data\mpuoul
2010-01-15 14:09 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-23 00:10 . 2007-01-22 03:23 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-22 18:16 . 2007-04-13 21:49 -------- d-----w- c:\program files\Ahead
2010-01-22 18:03 . 2007-04-13 21:51 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\Ahead
2010-01-22 17:55 . 2010-01-22 17:55 61 ----a-w- c:\windows\system32\drivers\OLD135.tmp
2010-01-22 15:26 . 2007-01-22 01:52 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-22 15:26 . 2008-05-14 16:47 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-22 15:26 . 2008-05-14 16:47 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-22 15:26 . 2008-05-14 16:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-22 15:25 . 2008-05-14 16:47 -------- d-----w- c:\program files\AVG
2010-01-22 01:51 . 2004-08-04 02:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-21 19:49 . 2009-06-29 16:24 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\SlimBrowser
2010-01-14 17:12 . 2009-10-05 04:24 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-11 17:15 . 2007-04-10 16:40 234112 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-01-11 15:49 . 2007-01-27 17:09 -------- d-----w- c:\program files\DivX
2010-01-11 15:27 . 2007-01-22 02:41 -------- d-----w- c:\program files\SlimBrowser
2009-12-22 05:21 . 2004-08-04 04:56 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2009-06-26 18:48 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-11 22:33 . 2009-12-11 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\TomTom
2009-12-11 22:32 . 2009-12-11 22:32 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\TomTom
2009-12-11 22:32 . 2009-12-11 22:32 -------- d-----w- c:\program files\TomTom International B.V
2009-12-11 22:32 . 2009-12-11 22:31 -------- d-----w- c:\program files\TomTom HOME 2
2009-12-11 22:31 . 2009-12-11 22:31 -------- d-----w- c:\program files\TomTom DesktopSuite
2009-12-02 02:45 . 2009-12-02 02:45 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\magellangps.com
2009-12-02 02:45 . 2009-12-02 02:45 -------- d-----w- c:\program files\Magellan
2009-11-21 15:51 . 2004-08-04 04:56 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-08-27 21:35 . 2009-08-27 21:35 11673 ----a-w- c:\program files\Common Files\wajonuse.pif
2009-08-27 15:33 . 2009-08-27 15:33 16136 ----a-w- c:\program files\Common Files\kodykyrige.sys
2009-08-27 14:13 . 2009-08-27 14:13 13798 ----a-w- c:\program files\Common Files\iluqu.dat
2009-08-27 14:13 . 2009-08-27 14:13 13509 ----a-w- c:\program files\Common Files\ucydady.pif
2009-08-27 14:13 . 2009-08-27 14:13 10924 ----a-w- c:\program files\Common Files\yjukum.bin
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- c:\windows\system32\gedofano.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 51712 --sha-w- c:\windows\system32\gibuzufo.dll
1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- c:\windows\system32\jelukahu.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 51712 --sha-w- c:\windows\system32\kupuweyo.dll
1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- c:\windows\system32\suhireje.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 61952 --sha-w- c:\windows\system32\tidowove.dll
1601-01-01 00:03 . 1601-01-01 00:03 96256 --sha-w- c:\windows\system32\vupivino.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bee58bc8-335e-4df7-88e5-bf0f41fd44a3}]
1601-01-01 00:03 51712 --sha-w- c:\windows\system32\kupuweyo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cjhd"="c:\windows\system32\cjhd.exe \u" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"SoundMan"="SOUNDMAN.EXE" [2006-03-02 577536]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-22 2033432]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-22 15:26 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=sysaudio.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rick Toby^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2006-10-17 01:40 1197648 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
2008-10-22 13:54 1310720 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-11-26 12:42 1349120 ------w- c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
2007-12-14 22:19 132624 ------w- c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-03-02 12:22 577536 ----a-w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Camera Detector"=c:\progra~1\ACDSYS~1\ACDSee\CAMDET~1.EXE
"InstantAccess"=c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
"RegisterDropHandler"=c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SlimBrowser\\sbrowser.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/14/2008 10:47 AM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/14/2008 10:47 AM 360584]
R1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2cIo.sys [1/21/2007 9:17 PM 8192]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/22/2010 9:25 AM 285392]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [9/10/2008 1:44 PM 28672]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 5:31 AM 92008]
S2 gupdate1ca11eb9c8a20f;Google Update Service (gupdate1ca11eb9c8a20f);c:\program files\Google\Update\GoogleUpdate.exe [7/31/2009 8:27 AM 133104]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\Printer\Center\EKDiscovery.exe --> c:\program files\Kodak\Printer\Center\EKDiscovery.exe [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 pmxscan;USB ScanModule V5.1 Driver;c:\windows\system32\drivers\usbscan.sys [4/7/2007 2:47 PM 15104]
S3 tgiul50;tgiul50;c:\windows\system32\drivers\tgiulnt5.sys [1/22/2007 3:14 AM 138528]
.
Contents of the 'Scheduled Tasks' folder

2009-09-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 14:26]

2010-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 14:26]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
TCP: {C0BEB0F8-FBA3-4394-A65F-9C4F453152D4} = 208.67.220.220,208.67.222.222
DPF: {F89EF74A-956B-4BD3-A066-4F23DF891982} - hxxp://www.betterphoto.com/_shared/uploadImageDragDrop/DragAndDropUploader2.cab
FF - ProfilePath - c:\documents and settings\Rick Toby\Application Data\Mozilla\Firefox\Profiles\6r4i4ned.default\
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\progra~1\MEADCO~1\npmeadax.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-imPlayok - c:\documents and settings\Rick Toby\imPlayok.exe
HKCU-Run-PhotoShow Deluxe Media Manager - c:\progra~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
HKLM-Run-imPlayok - c:\windows\system32\imPlayok.exe
HKLM-Run-NWEReboot - (no file)
HKLM-Run-tovedadok - c:\windows\system32\mikusedi.dll
HKLM-Run-wehidanayo - setihuni.dll
SharedTaskScheduler-{8e676256-6709-4cc7-a694-15d64ce2b01e} - c:\windows\system32\mikusedi.dll
SSODL-johayuket-{8e676256-6709-4cc7-a694-15d64ce2b01e} - c:\windows\system32\mikusedi.dll
AddRemove-HijackThis - c:\documents and settings\Rick Toby\Desktop\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-22 20:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3244)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Executive Software\Diskeeper\DkService.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-22 20:48:53 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-23 02:48

Pre-Run: 53,689,765,888 bytes free
Post-Run: 53,753,991,168 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 59843159AFE3C79104A17C6AC9330045

Re: Virus Packed.Protector.C Windows\system32\dllcashe\cdrom.sys

Hello.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\system32\drivers\OLD135.tmp
    c:\program files\Common Files\wajonuse.pif
    c:\program files\Common Files\kodykyrige.sys
    c:\program files\Common Files\iluqu.dat
    c:\program files\Common Files\ucydady.pif
    c:\program files\Common Files\yjukum.bin
    c:\windows\system32\gedofano.dll.tmp
    c:\windows\system32\gibuzufo.dll
    c:\windows\system32\jelukahu.dll.tmp
    c:\windows\system32\kupuweyo.dll
    c:\windows\system32\suhireje.dll.tmp
    c:\windows\system32\tidowove.dll
    c:\windows\system32\vupivino.dll

    Folder::
    c:\documents and settings\Rick Toby\Local Settings\Application Data\mpuoul

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bee58bc8-335e-4df7-88e5-bf0f41fd44a3}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cjhd"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride =

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: CFScript.txt being dragged onto ComboFix.exe]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Virus Packed.Protector.C Windows\system32\dllcashe\cdrom.sys

Thanks for all the Help so far!!!!

ComboFix 10-01-21.08 - Rick Toby 01/23/2010 21:56:12.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.443 [GMT -6:00]
Running from: c:\documents and settings\Rick Toby\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Rick Toby\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ActiveArmor Firewall *enabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}

FILE ::
"c:\program files\Common Files\iluqu.dat"
"c:\program files\Common Files\kodykyrige.sys"
"c:\program files\Common Files\ucydady.pif"
"c:\program files\Common Files\wajonuse.pif"
"c:\program files\Common Files\yjukum.bin"
"c:\windows\system32\drivers\OLD135.tmp"
"c:\windows\system32\gedofano.dll.tmp"
"c:\windows\system32\gibuzufo.dll"
"c:\windows\system32\jelukahu.dll.tmp"
"c:\windows\system32\kupuweyo.dll"
"c:\windows\system32\suhireje.dll.tmp"
"c:\windows\system32\tidowove.dll"
"c:\windows\system32\vupivino.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Rick Toby\Local Settings\Application Data\mpuoul
c:\program files\Common Files\iluqu.dat
c:\program files\Common Files\kodykyrige.sys
c:\program files\Common Files\ucydady.pif
c:\program files\Common Files\wajonuse.pif
c:\program files\Common Files\yjukum.bin
c:\windows\system32\drivers\OLD135.tmp
c:\windows\system32\gedofano.dll.tmp
c:\windows\system32\gibuzufo.dll
c:\windows\system32\jelukahu.dll.tmp
c:\windows\system32\kupuweyo.dll
c:\windows\system32\suhireje.dll.tmp
c:\windows\system32\tidowove.dll
c:\windows\system32\vupivino.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-24 to 2010-01-24 )))))))))))))))))))))))))))))))
.

2010-01-23 02:36 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-01-23 02:36 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-01-22 18:03 . 2010-01-22 18:03 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\Simple Star
2010-01-22 17:48 . 2004-05-14 15:12 1916928 ------w- c:\windows\UNNVEContent.exe
2010-01-22 17:48 . 2004-05-14 15:12 1916928 ------w- c:\windows\UNAheadManual.exe
2010-01-22 17:47 . 2004-11-11 11:50 2433024 ------w- c:\windows\UNNMP.exe
2010-01-22 15:27 . 2010-01-22 15:30 -------- d-----w- C:\$AVG
2010-01-22 15:25 . 2010-01-22 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-22 05:23 . 2010-01-22 05:23 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2010-01-21 20:10 . 2010-01-21 20:11 -------- d-----w- c:\program files\MeadCo Neptune
2010-01-21 15:17 . 2010-01-21 15:17 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2010-01-21 00:30 . 2010-01-21 00:30 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\Canneverbe_Limited
2010-01-21 00:30 . 2010-01-21 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2010-01-15 14:09 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-23 00:10 . 2007-01-22 03:23 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-22 18:16 . 2007-04-13 21:49 -------- d-----w- c:\program files\Ahead
2010-01-22 18:03 . 2007-04-13 21:51 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\Ahead
2010-01-22 15:26 . 2007-01-22 01:52 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-22 15:26 . 2008-05-14 16:47 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-22 15:26 . 2008-05-14 16:47 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-22 15:26 . 2008-05-14 16:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-22 15:25 . 2008-05-14 16:47 -------- d-----w- c:\program files\AVG
2010-01-22 01:51 . 2004-08-04 02:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-21 19:49 . 2009-06-29 16:24 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\SlimBrowser
2010-01-14 17:12 . 2009-10-05 04:24 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-11 17:15 . 2007-04-10 16:40 234112 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-01-11 15:49 . 2007-01-27 17:09 -------- d-----w- c:\program files\DivX
2010-01-11 15:27 . 2007-01-22 02:41 -------- d-----w- c:\program files\SlimBrowser
2009-12-22 05:21 . 2004-08-04 04:56 667136 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2009-06-26 18:48 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-11 22:33 . 2009-12-11 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\TomTom
2009-12-11 22:32 . 2009-12-11 22:32 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\TomTom
2009-12-11 22:32 . 2009-12-11 22:32 -------- d-----w- c:\program files\TomTom International B.V
2009-12-11 22:32 . 2009-12-11 22:31 -------- d-----w- c:\program files\TomTom HOME 2
2009-12-11 22:31 . 2009-12-11 22:31 -------- d-----w- c:\program files\TomTom DesktopSuite
2009-12-02 02:45 . 2009-12-02 02:45 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\magellangps.com
2009-12-02 02:45 . 2009-12-02 02:45 -------- d-----w- c:\program files\Magellan
2009-11-21 15:51 . 2004-08-04 04:56 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-01-23_02.39.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-23 15:41 . 2010-01-23 15:41 16384 c:\windows\Temp\Perflib_Perfdata_7bc.dat
+ 2010-01-24 04:03 . 2010-01-24 04:03 16384 c:\windows\Temp\Perflib_Perfdata_778.dat
+ 2001-08-22 20:00 . 2010-01-23 02:43 71904 c:\windows\system32\perfc009.dat
- 2001-08-22 20:00 . 2009-12-10 17:01 71904 c:\windows\system32\perfc009.dat
+ 2001-08-22 20:00 . 2010-01-23 02:43 444028 c:\windows\system32\perfh009.dat
- 2001-08-22 20:00 . 2009-12-10 17:01 444028 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"SoundMan"="SOUNDMAN.EXE" [2006-03-02 577536]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-22 2033432]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"wehidanayo"="setihuni.dll" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-22 15:26 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=sysaudio.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rick Toby^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2006-10-17 01:40 1197648 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
2008-10-22 13:54 1310720 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-11-26 12:42 1349120 ------w- c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
2007-12-14 22:19 132624 ------w- c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-03-02 12:22 577536 ----a-w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Camera Detector"=c:\progra~1\ACDSYS~1\ACDSee\CAMDET~1.EXE
"InstantAccess"=c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
"RegisterDropHandler"=c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SlimBrowser\\sbrowser.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgtray.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/14/2008 10:47 AM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/14/2008 10:47 AM 360584]
R1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2cIo.sys [1/21/2007 9:17 PM 8192]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/22/2010 9:25 AM 285392]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [9/10/2008 1:44 PM 28672]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 5:31 AM 92008]
S2 gupdate1ca11eb9c8a20f;Google Update Service (gupdate1ca11eb9c8a20f);c:\program files\Google\Update\GoogleUpdate.exe [7/31/2009 8:27 AM 133104]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\Printer\Center\EKDiscovery.exe --> c:\program files\Kodak\Printer\Center\EKDiscovery.exe [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 pmxscan;USB ScanModule V5.1 Driver;c:\windows\system32\drivers\usbscan.sys [4/7/2007 2:47 PM 15104]
S3 tgiul50;tgiul50;c:\windows\system32\drivers\tgiulnt5.sys [1/22/2007 3:14 AM 138528]
.
Contents of the 'Scheduled Tasks' folder

2009-09-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 14:26]

2010-01-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 14:26]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
TCP: {C0BEB0F8-FBA3-4394-A65F-9C4F453152D4} = 208.67.220.220,208.67.222.222
DPF: {F89EF74A-956B-4BD3-A066-4F23DF891982} - hxxp://www.betterphoto.com/_shared/uploadImageDragDrop/DragAndDropUploader2.cab
FF - ProfilePath - c:\documents and settings\Rick Toby\Application Data\Mozilla\Firefox\Profiles\6r4i4ned.default\
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\progra~1\MEADCO~1\npmeadax.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-23 22:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(488)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3804)
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Executive Software\Diskeeper\DkService.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\windows\system32\HPZipm12.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-23 22:07:35 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-24 04:07
ComboFix2.txt 2010-01-23 02:48

Pre-Run: 52,093,620,224 bytes free
Post-Run: 52,046,442,496 bytes free

- - End Of File - - E52D19131B3BEC7304027CD4B2B5EBE4

Re: Virus Packed.Protector.C Windows\system32\dllcashe\cdrom.sys

Hmm.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "wehidanayo"=-

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=-

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: CFScript.txt being dragged onto ComboFix.exe]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
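The two CFScript posts above single out the same kind of entries for removal: a Run value whose target the log could not pin down ("wehidanayo"="setihuni.dll" [BU]) and a drivers32 "aux" value that no longer points at the default wdmaud.drv (the value the first script restores). The following triage script is an added example, not part of this thread, of ComboFix, or of the helper's procedure. It parses a constructed fragment shaped like the "Reg Loading Points" section of the logs above and lists the entries a reviewer would look at first. Two assumptions are labelled in the code: that ComboFix's trailing "[date size]" tag marks a file it located on disk, and that a tag such as "[BU]" means no such file was found.

```python
import re
from dataclasses import dataclass

# Constructed sample: a fragment shaped like the "Reg Loading Points" section of
# the ComboFix logs in this thread (not the full log, and not ComboFix's own code).
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"SoundMan"="SOUNDMAN.EXE" [2006-03-02 577536]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-22 2033432]
"wehidanayo"="setihuni.dll" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=sysaudio.sys
"""

# A "[key]" header line and a "name"=value [tag] line, as ComboFix prints them.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*"?(?P<value>[^"]*?)"?\s*(?:\[(?P<tag>[^\]]*)\])?\s*$')

# Assumption: ComboFix appends "[YYYY-MM-DD size]" only when it located the
# referenced file; any other tag (such as "[BU]") or no tag means it did not.
STAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d+$")

# The value the helper's first CFScript restores for drivers32 "aux".
DEFAULT_AUX = "wdmaud.drv"


@dataclass
class Finding:
    key: str
    name: str
    value: str
    reason: str


def parse_loading_points(text):
    """Yield (key, name, value, tag) for every value line under a [key] header."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("value"), m.group("tag")


def triage(text):
    """Return the autostart entries worth a closer look, in log order."""
    findings = []
    for key, name, value, tag in parse_loading_points(text):
        k = key.lower()
        if k.endswith(r"\currentversion\run"):
            # Run value whose file the log did not locate (see STAMP_RE assumption).
            if tag is None or not STAMP_RE.match(tag):
                findings.append(Finding(key, name, value,
                                        f"Run entry without a located-file stamp (tag: {tag})"))
        elif k.endswith(r"\currentversion\drivers32") and name.lower() == "aux":
            # The "aux" wave driver alias should point at the stock wdmaud.drv.
            if value.lower() != DEFAULT_AUX:
                findings.append(Finding(key, name, value,
                                        f"drivers32 'aux' overridden (default is {DEFAULT_AUX})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f'{f.name}={f.value}  <- {f.reason}')
```

Run against the constructed sample, `triage()` reports exactly the two entries the helper's scripts target, "wehidanayo" and "aux", while the Run values that carry a date/size stamp (Windows Defender, SoundMan, AVG9_TRAY) pass. Paste a real "Reg Loading Points" section in place of `SAMPLE_LOG` to triage a log of your own; the output is a review list, not a removal list.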

Re: Virus Packed.Protector.C Windows\system32\dllcashe\cdrom.sys

Here is the combofix log.

ComboFix 10-01-21.08 - Rick Toby 01/24/2010 18:23:38.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.556 [GMT -6:00]
Running from: c:\documents and settings\Rick Toby\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Rick Toby\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ActiveArmor Firewall *enabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.

((((((((((((((((((((((((( Files Created from 2009-12-25 to 2010-01-25 )))))))))))))))))))))))))))))))
.

2010-01-23 02:36 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-01-23 02:36 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-01-22 18:03 . 2010-01-22 18:03 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\Simple Star
2010-01-22 17:48 . 2004-05-14 15:12 1916928 ------w- c:\windows\UNNVEContent.exe
2010-01-22 17:48 . 2004-05-14 15:12 1916928 ------w- c:\windows\UNAheadManual.exe
2010-01-22 17:47 . 2004-11-11 11:50 2433024 ------w- c:\windows\UNNMP.exe
2010-01-22 15:27 . 2010-01-22 15:30 -------- d-----w- C:\$AVG
2010-01-22 15:25 . 2010-01-22 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-22 05:23 . 2010-01-22 05:23 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2010-01-21 20:10 . 2010-01-21 20:11 -------- d-----w- c:\program files\MeadCo Neptune
2010-01-21 15:17 . 2010-01-21 15:17 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2010-01-21 00:30 . 2010-01-21 00:30 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\Canneverbe_Limited
2010-01-21 00:30 . 2010-01-21 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2010-01-15 14:09 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-23 00:10 . 2007-01-22 03:23 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-22 18:16 . 2007-04-13 21:49 -------- d-----w- c:\program files\Ahead
2010-01-22 18:03 . 2007-04-13 21:51 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\Ahead
2010-01-22 15:26 . 2007-01-22 01:52 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-22 15:26 . 2008-05-14 16:47 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-22 15:26 . 2008-05-14 16:47 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-22 15:26 . 2008-05-14 16:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-22 15:25 . 2008-05-14 16:47 -------- d-----w- c:\program files\AVG
2010-01-22 01:51 . 2004-08-04 02:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-21 19:49 . 2009-06-29 16:24 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\SlimBrowser
2010-01-14 17:12 . 2009-10-05 04:24 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-11 17:15 . 2007-04-10 16:40 234112 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-01-11 15:49 . 2007-01-27 17:09 -------- d-----w- c:\program files\DivX
2010-01-11 15:27 . 2007-01-22 02:41 -------- d-----w- c:\program files\SlimBrowser
2009-12-22 05:21 . 2004-08-04 04:56 667136 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2009-06-26 18:48 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-11 22:33 . 2009-12-11 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\TomTom
2009-12-11 22:32 . 2009-12-11 22:32 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\TomTom
2009-12-11 22:32 . 2009-12-11 22:32 -------- d-----w- c:\program files\TomTom International B.V
2009-12-11 22:32 . 2009-12-11 22:31 -------- d-----w- c:\program files\TomTom HOME 2
2009-12-11 22:31 . 2009-12-11 22:31 -------- d-----w- c:\program files\TomTom DesktopSuite
2009-12-02 02:45 . 2009-12-02 02:45 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\magellangps.com
2009-12-02 02:45 . 2009-12-02 02:45 -------- d-----w- c:\program files\Magellan
2009-11-21 15:51 . 2004-08-04 04:56 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-01-23_02.39.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-24 23:53 . 2010-01-24 23:53 16384 c:\windows\Temp\Perflib_Perfdata_7d0.dat
+ 2001-08-22 20:00 . 2010-01-23 02:43 71904 c:\windows\system32\perfc009.dat
- 2001-08-22 20:00 . 2009-12-10 17:01 71904 c:\windows\system32\perfc009.dat
+ 2001-08-22 20:00 . 2010-01-23 02:43 444028 c:\windows\system32\perfh009.dat
- 2001-08-22 20:00 . 2009-12-10 17:01 444028 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"SoundMan"="SOUNDMAN.EXE" [2006-03-02 577536]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-22 2033432]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-22 15:26 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rick Toby^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2006-10-17 01:40 1197648 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
2008-10-22 13:54 1310720 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-11-26 12:42 1349120 ------w- c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
2007-12-14 22:19 132624 ------w- c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-03-02 12:22 577536 ----a-w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Camera Detector"=c:\progra~1\ACDSYS~1\ACDSee\CAMDET~1.EXE
"InstantAccess"=c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
"RegisterDropHandler"=c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SlimBrowser\\sbrowser.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgtray.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/14/2008 10:47 AM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/14/2008 10:47 AM 360584]
R1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2cIo.sys [1/21/2007 9:17 PM 8192]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/22/2010 9:25 AM 285392]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [9/10/2008 1:44 PM 28672]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 5:31 AM 92008]
S2 gupdate1ca11eb9c8a20f;Google Update Service (gupdate1ca11eb9c8a20f);c:\program files\Google\Update\GoogleUpdate.exe [7/31/2009 8:27 AM 133104]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\Printer\Center\EKDiscovery.exe --> c:\program files\Kodak\Printer\Center\EKDiscovery.exe [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 pmxscan;USB ScanModule V5.1 Driver;c:\windows\system32\drivers\usbscan.sys [4/7/2007 2:47 PM 15104]
S3 tgiul50;tgiul50;c:\windows\system32\drivers\tgiulnt5.sys [1/22/2007 3:14 AM 138528]
.
Contents of the 'Scheduled Tasks' folder

2009-09-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 14:26]

2010-01-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 14:26]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
TCP: {C0BEB0F8-FBA3-4394-A65F-9C4F453152D4} = 208.67.220.220,208.67.222.222
DPF: {F89EF74A-956B-4BD3-A066-4F23DF891982} - hxxp://www.betterphoto.com/_shared/uploadImageDragDrop/DragAndDropUploader2.cab
FF - ProfilePath - c:\documents and settings\Rick Toby\Application Data\Mozilla\Firefox\Profiles\6r4i4ned.default\
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\progra~1\MEADCO~1\npmeadax.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-24 18:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2728)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-24 18:31:03
ComboFix-quarantined-files.txt 2010-01-25 00:31
ComboFix2.txt 2010-01-24 04:07
ComboFix3.txt 2010-01-23 02:48

Pre-Run: 52,134,498,304 bytes free
Post-Run: 52,087,984,128 bytes free

- - End Of File - - EEDCA53095123D0E41522E9A79328B8F

Re: Virus Packed.Protector.C Windows\system32\dllcashe\cdrom.sys
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Virus Packed.Protector.C Windows\system32\dllcashe\cdrom.sys
Everything seems to be running just fine. I will do a complete virus scan of the computer. If there are any problems I will post them in a reply in this post. If everything is OK, I would like to thank you for all your help. I could not have fixed this on my own. Where did you receive the training for this? You guys are great. Thanks Belahzur!!!

Re: Virus Packed.Protector.C Windows\system32\dllcashe\cdrom.sys
I was trained at an online forum, but we also now have our own online school; we are offering anyone a chance to learn this too.


Re: Virus Packed.Protector.C Windows\system32\dllcashe\cdrom.sys
Thanks Belahzur problem solved. I will check on that training.
