Computer Forums

Old 11-07-2009, 02:24 AM   #1
Newb Techie
Join Date: Nov 2009
Posts: 14
guyeatsoctopus is on a distinguished road

Combofix, Mal and hijack Logs

So as of three days ago I believe, somewhere sometime I got Antivirus Pro and Fake Windows Defender on my Dell Vista. Annoying as hades. Thanks for any help!!

I was using spydoctor originally and it found some stuff and removed it, but there were some files that if I tried to remove, it would go blue screen and reboot. Even when I didn't run anything, after about 15min the machine would go blue screen and reboot. Since I ran combofix, it seems fine, but Hijack found some more stuff, but I didn't do anything with it. Just got the Log Files to post here.

Old 11-07-2009, 02:25 AM   #2
guyeatsoctopus

Re: Combofix, Mal and hijack Logs

Combofix Part 1:

ComboFix 09-11-06.03 - Sayed 11/06/2009 23:46.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.3316.2480 [GMT -6:00]
Running from: c:\users\Sayed\Desktop\FFDL\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2347180839-3205931739-3509662-500
c:\$recycle.bin\S-1-5-21-271563636-3281760848-3984571709-500

Infected copy of c:\windows\system32\cngaudit.dll was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!Windows!System32!cngaudit.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-11-07 06:01 . 2009-11-07 06:04 -------- d-----w- c:\users\Sayed\AppData\Local\temp
2009-11-07 06:01 . 2009-11-07 06:01 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2009-11-07 06:01 . 2009-11-07 06:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-05 05:49 . 2009-11-05 05:49 -------- d-----w- c:\users\Sayed\AppData\Roaming\PC Tools
2009-11-05 05:49 . 2009-11-05 05:49 -------- d-----w- c:\programdata\PC Tools
2009-11-05 05:25 . 2009-11-05 05:25 10 ----a-w- c:\users\Sayed\AppData\Roaming\Microsoft\Windows\Recent\SM.exe
2009-11-05 05:16 . 2009-11-05 05:16 57 ----a-w- c:\users\Sayed\AppData\Roaming\Microsoft\Windows\Recent\energy.sys
2009-11-05 05:16 . 2009-11-05 05:16 15 ----a-w- c:\users\Sayed\AppData\Roaming\Microsoft\Windows\Recent\kernel32.drv
2009-11-05 05:15 . 2009-11-05 05:15 -------- d-----w- c:\users\Sayed\AppData\Roaming\Malwarebytes
2009-11-05 05:14 . 2009-11-05 05:14 -------- d-----w- c:\programdata\Malwarebytes
2009-11-05 05:14 . 2009-11-07 03:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-05 04:51 . 2009-11-05 04:51 43 ----a-w- c:\users\Sayed\AppData\Roaming\Microsoft\Windows\Recent\std.sys
2009-11-05 04:49 . 2009-11-05 04:49 -------- d-----w- c:\users\Sayed\AppData\Local\jqvmgb
2009-11-05 04:49 . 2009-11-05 04:49 -------- d-----w- c:\windows\Sun
2009-11-05 04:34 . 2009-11-07 05:25 0 ----a-r- c:\windows\win32k.sys
2009-11-05 02:54 . 2009-11-05 06:08 -------- d-sh--w- c:\programdata\8867ed7
2009-11-03 02:31 . 2009-11-04 01:37 -------- d-----w- C:\$AVG
2009-11-03 02:30 . 2009-11-03 02:30 4096 d-----w- c:\programdata\avg9
2009-11-01 16:20 . 2009-11-01 16:20 -------- d-----w- c:\program files\iPod
2009-11-01 16:20 . 2009-11-01 16:21 4096 d-----w- c:\program files\iTunes
2009-11-01 16:17 . 2009-11-01 16:17 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-28 00:41 . 2009-09-10 15:21 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 00:41 . 2009-09-10 15:21 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-26 22:31 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-26 22:31 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-26 22:31 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-26 22:31 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-26 22:30 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-26 22:30 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-26 22:30 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-26 22:30 . 2009-08-07 00:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-26 22:30 . 2009-08-06 23:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-16 23:43 . 2009-09-10 17:30 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-16 23:43 . 2009-06-15 15:24 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-10-16 23:43 . 2009-06-15 15:23 1256448 ----a-w- c:\windows\system32\lsasrv.dll
2009-10-16 23:43 . 2009-06-15 18:20 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-10-16 23:43 . 2009-06-15 15:24 72704 ----a-w- c:\windows\system32\secur32.dll
2009-10-16 23:43 . 2009-06-15 12:57 9728 ----a-w- c:\windows\system32\lsass.exe
2009-10-16 23:38 . 2009-10-16 23:38 -------- d-----w- c:\users\Sayed\AppData\Local\AIM
2009-10-16 23:38 . 2009-09-14 09:44 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-16 23:37 . 2009-09-04 12:24 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-10-16 23:35 . 2009-04-02 12:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-07 06:05 . 2009-03-13 23:55 4096 d-----w- c:\users\Sayed\AppData\Roaming\DNA
2009-11-07 05:23 . 2009-11-05 05:49 40960 d-----w- c:\program files\Spyware Doctor
2009-11-05 05:52 . 2009-11-05 05:49 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-05 05:18 . 2009-05-31 16:24 4096 d-----w- c:\programdata\Yahoo! Companion
2009-11-05 02:56 . 2009-11-05 02:55 -------- d-sh--w- c:\users\Sayed\AppData\Roaming\Windows System Defender
2009-11-04 01:46 . 2008-10-08 13:34 4096 d-----w- c:\program files\Google
2009-11-03 02:31 . 2009-04-01 03:03 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-03 02:31 . 2008-10-10 00:32 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-03 02:31 . 2008-10-10 00:32 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-03 02:30 . 2008-10-10 00:32 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-03 02:30 . 2008-10-10 00:31 -------- d-----w- c:\program files\AVG
2009-11-01 16:20 . 2008-10-13 18:55 -------- d-----w- c:\program files\Common Files\Apple
2009-10-29 01:04 . 2009-11-05 02:55 722424 ----a-w- c:\programdata\8867ed7\mozcrt19.dll
2009-10-29 01:04 . 2009-11-05 02:55 457720 ----a-w- c:\programdata\8867ed7\sqlite3.dll
2009-10-17 02:26 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-10-08 17:31 . 2009-11-05 05:52 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-10-08 17:31 . 2009-11-05 05:52 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-10-08 17:31 . 2009-11-05 05:52 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-10-08 17:31 . 2009-11-05 05:52 767952 ----a-w- c:\windows\BDTSupport.dll
2009-10-06 22:31 . 2009-11-05 05:49 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-02 20:19 . 2009-11-05 05:52 1152470 ----a-w- c:\windows\UDB.zip
2009-10-01 15:29 . 2009-10-04 15:57 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-30 01:25 . 2009-08-28 03:37 177024 ----a-w- c:\users\Sayed\AppData\Roaming\Mozilla\Firefox\Profiles\45ouq7ww.default\FlashGot.exe
2009-09-24 14:55 . 2009-11-05 05:50 97208 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2009-09-24 14:55 . 2009-11-05 05:50 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-23 22:10 . 2009-11-05 05:49 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-16 09:20 . 2009-11-05 05:49 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-09-15 12:20 . 2009-11-05 05:49 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-09-15 08:12 . 2009-11-05 05:49 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-09-15 07:01 . 2009-11-05 05:50 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-09-14 02:25 . 2009-09-14 02:25 -------- d-----w- c:\programdata\McAfee Security Scan
2009-09-12 05:16 . 2009-08-07 23:31 4096 d-----w- c:\program files\Microsoft Silverlight
2009-09-11 03:51 . 2008-10-13 19:00 4096 d-----w- c:\users\Sayed\AppData\Roaming\Apple Computer
2009-09-11 03:38 . 2009-09-11 03:38 8192 d-----w- c:\program files\iPhone Configuration Utility
2009-09-11 03:37 . 2009-09-11 03:37 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-11 03:35 . 2009-09-11 03:34 4096 d-----w- c:\program files\QuickTime
2009-09-09 06:32 . 2009-09-09 06:32 -------- d-----w- c:\users\Sayed\AppData\Roaming\Media Player Classic
2009-09-03 15:45 . 2009-11-05 05:49 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-29 00:42 . 2009-08-29 00:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-29 00:42 . 2009-08-29 00:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 12:39 . 2009-09-02 23:59 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-02 23:59 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 13:32 . 2009-10-16 23:42 833024 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:29 . 2009-10-16 23:42 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 10:58 . 2009-10-16 23:42 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-14 17:07 . 2009-09-11 03:26 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-11 03:26 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-11 03:26 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-11 03:26 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-11 03:26 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-11 03:26 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-11 03:26 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-11 03:26 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-11 03:26 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-11 03:26 10240 ----a-w- c:\windows\system32\finger.exe
2008-10-08 16:10 . 2008-10-08 16:09 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

Old 11-07-2009, 02:26 AM   #3
guyeatsoctopus

Re: Combofix, Mal and hijack Logs

Combofix Part 2:

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{472734EA-242A-422B-ADF8-83D1E48CC825}"= "c:\program files\Spyware Doctor\BDT\PCTBrowserDefender.dll" [2009-10-08 395216]

[HKEY_CLASSES_ROOT\clsid\{472734ea-242a-422b-adf8-83d1e48cc825}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{175B7885-28AB-4D18-8773-7A13A99980A4}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{472734EA-242A-422B-ADF8-83D1E48CC825}"= "c:\program files\Spyware Doctor\BDT\PCTBrowserDefender.dll" [2009-10-08 395216]

[HKEY_CLASSES_ROOT\clsid\{472734ea-242a-422b-adf8-83d1e48cc825}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{175B7885-28AB-4D18-8773-7A13A99980A4}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"BitTorrent DNA"="c:\users\Sayed\Program Files\DNA\btdna.exe" [2009-10-09 323392]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"imxmpxoj"="c:\users\Sayed\AppData\Local\jqvmgb\cguxsysguard.exe" [2009-11-05 258048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-10-08 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-03 2010904]
"combofix"="c:\combofix\CF1544.exe" [2009-11-07 318976]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-05-14 4452352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
SetupExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R2 gupdate1c94f86d167d379;Google Update Service (gupdate1c94f86d167d379);c:\program files\Google\Update\GoogleUpdate.exe [2008-11-26 133104]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-09-23 358600]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-09-23 207280]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-11-03 333192]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-11-03 360584]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2009-11-03 906520]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2009-11-03 285392]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2009-10-08 112592]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2009-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-26 05:21]

2009-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-26 05:21]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*Yahoo!
uStart Page = hxxp://www.yahoo.com/
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=4081008
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*Yahoo! SearchBar Home Page
mStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*Yahoo!
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*Yahoo!
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*Yahoo! SearchBar Home Page
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*Yahoo!
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\users\Sayed\AppData\Roaming\Mozilla\Firefox\Profiles\45ouq7ww.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - component: c:\users\Sayed\AppData\Roaming\Mozilla\Firefox\Profiles\45ouq7ww.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Sayed\AppData\Roaming\Move Networks\plugins\npqmp071504000001.dll
FF - plugin: c:\users\Sayed\Program Files\DNA\plugins\npbtdna.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
.
------- File Associations -------
.
regedit=regedit.exe "%1"
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
URLSearchHooks-EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-Aim6 - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-11-07 00:03
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msiserver]
"ImagePath"="%systemroot%\system32\msiexec /V"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-271563636-3281760848-3984571709-1001\Software\SecuROM\License information*]
"datasecu"=hex:45,b5,1b,07,ec,82,2f,bd,42,67,20,56,d3,d6,19,55,e9,02,46,63,08,
61,1e,db,03,84,9a,2b,e3,65,38,42,26,79,24,a0,fc,c1,9b,08,17,61,2b,13,ab,ca,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49 ,64,ac,f8,d9
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AVG\AVG9\avgtray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-07 0:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-07 06:15

Pre-Run: 18,847,903,744 bytes free
Post-Run: 21,005,979,648 bytes free

- - End Of File - - AD535E9B20BD46ED5BB392616F324A83

Old 11-07-2009, 02:27 AM   #4
guyeatsoctopus

Re: Combofix, Mal and hijack Logs

Then I did Malwarebytes:

Malwarebytes' Anti-Malware 1.41
Database version: 3113
Windows 6.0.6001 Service Pack 1

11/7/2009 12:32:05 AM
mbam-log-2009-11-07 (00-31-55).txt

Scan type: Quick Scan
Objects scanned: 88300
Time elapsed: 7 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\imxmpxoj (Trojan.FakeAlert.N) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.com/?&uid=220&q={searchTerms}) Good: (Google) -> No action taken.

Folders Infected:
C:\ProgramData\WSDDSys (Rogue.WindowsSystemDefender) -> No action taken.
C:\Users\Sayed\AppData\Roaming\Windows System Defender (Rogue.WindowsSystemDefender) -> No action taken.

Files Infected:
C:\ProgramData\WSDDSys\wsd.cfg (Rogue.WindowsSystemDefender) -> No action taken.
C:\Users\Sayed\AppData\Roaming\Windows System Defender\cookies.sqlite (Rogue.WindowsSystemDefender) -> No action taken.
C:\Users\Sayed\AppData\Roaming\Windows System Defender\Instructions.ini (Rogue.WindowsSystemDefender) -> No action taken.
C:\Users\Sayed\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Windows System Defender.lnk (Rogue.WindowsSystemDefender) -> No action taken.
C:\Windows\win32k.sys (Trojan.Dropper) -> No action taken.
C:\Users\Sayed\AppData\Local\jqvmgb\cguxsysguard.exe (Trojan.FakeAlert.N) -> No action taken.

Old 11-07-2009, 02:28 AM   #5
guyeatsoctopus

Re: Combofix, Mal and hijack Logs

Then I did Hijack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:48 AM, on 11/7/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18319)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Users\Sayed\Program Files\DNA\btdna.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Sayed\Desktop\FFDL\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Personalized Start Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Sayed\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [imxmpxoj] C:\Users\Sayed\AppData\Local\jqvmgb\cguxsysguard.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c94f86d167d379) (gupdate1c94f86d167d379) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8559 bytes

Old 11-07-2009, 04:13 AM   #6
guyeatsoctopus

Re: Combofix, Mal and hijack Logs

Were my other posts not approved? I posted four more after this one with my logs.

Old 11-07-2009, 04:17 AM   #7
guyeatsoctopus

Re: Combofix, Mal and hijack Logs

Here we go again. First run was Combofix (2 different posts, too long):

ComboFix 09-11-06.03 - Sayed 11/06/2009 23:46.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.3316.2480 [GMT -6:00]
Running from: c:\users\Sayed\Desktop\FFDL\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2347180839-3205931739-3509662-500
c:\$recycle.bin\S-1-5-21-271563636-3281760848-3984571709-500

Infected copy of c:\windows\system32\cngaudit.dll was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!Windows!System32!cngaudit.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-11-07 06:01 . 2009-11-07 06:04 -------- d-----w- c:\users\Sayed\AppData\Local\temp
2009-11-07 06:01 . 2009-11-07 06:01 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2009-11-07 06:01 . 2009-11-07 06:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-05 05:49 . 2009-11-05 05:49 -------- d-----w- c:\users\Sayed\AppData\Roaming\PC Tools
2009-11-05 05:49 . 2009-11-05 05:49 -------- d-----w- c:\programdata\PC Tools
2009-11-05 05:25 . 2009-11-05 05:25 10 ----a-w- c:\users\Sayed\AppData\Roaming\Microsoft\Windows\Recent\SM.exe
2009-11-05 05:16 . 2009-11-05 05:16 57 ----a-w- c:\users\Sayed\AppData\Roaming\Microsoft\Windows\Recent\energy.sys
2009-11-05 05:16 . 2009-11-05 05:16 15 ----a-w- c:\users\Sayed\AppData\Roaming\Microsoft\Windows\Recent\kernel32.drv
2009-11-05 05:15 . 2009-11-05 05:15 -------- d-----w- c:\users\Sayed\AppData\Roaming\Malwarebytes
2009-11-05 05:14 . 2009-11-05 05:14 -------- d-----w- c:\programdata\Malwarebytes
2009-11-05 05:14 . 2009-11-07 03:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-05 04:51 . 2009-11-05 04:51 43 ----a-w- c:\users\Sayed\AppData\Roaming\Microsoft\Windows\Recent\std.sys
2009-11-05 04:49 . 2009-11-05 04:49 -------- d-----w- c:\users\Sayed\AppData\Local\jqvmgb
2009-11-05 04:49 . 2009-11-05 04:49 -------- d-----w- c:\windows\Sun
2009-11-05 04:34 . 2009-11-07 05:25 0 ----a-r- c:\windows\win32k.sys
2009-11-05 02:54 . 2009-11-05 06:08 -------- d-sh--w- c:\programdata\8867ed7
2009-11-03 02:31 . 2009-11-04 01:37 -------- d-----w- C:\$AVG
2009-11-03 02:30 . 2009-11-03 02:30 4096 d-----w- c:\programdata\avg9
2009-11-01 16:20 . 2009-11-01 16:20 -------- d-----w- c:\program files\iPod
2009-11-01 16:20 . 2009-11-01 16:21 4096 d-----w- c:\program files\iTunes
2009-11-01 16:17 . 2009-11-01 16:17 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-28 00:41 . 2009-09-10 15:21 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 00:41 . 2009-09-10 15:21 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-26 22:31 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-26 22:31 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-26 22:31 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-26 22:31 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-26 22:30 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-26 22:30 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-26 22:30 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-26 22:30 . 2009-08-07 00:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-26 22:30 . 2009-08-06 23:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-16 23:43 . 2009-09-10 17:30 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-16 23:43 . 2009-06-15 15:24 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-10-16 23:43 . 2009-06-15 15:23 1256448 ----a-w- c:\windows\system32\lsasrv.dll
2009-10-16 23:43 . 2009-06-15 18:20 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-10-16 23:43 . 2009-06-15 15:24 72704 ----a-w- c:\windows\system32\secur32.dll
2009-10-16 23:43 . 2009-06-15 12:57 9728 ----a-w- c:\windows\system32\lsass.exe
2009-10-16 23:38 . 2009-10-16 23:38 -------- d-----w- c:\users\Sayed\AppData\Local\AIM
2009-10-16 23:38 . 2009-09-14 09:44 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-16 23:37 . 2009-09-04 12:24 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-10-16 23:35 . 2009-04-02 12:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-07 06:05 . 2009-03-13 23:55 4096 d-----w- c:\users\Sayed\AppData\Roaming\DNA
2009-11-07 05:23 . 2009-11-05 05:49 40960 d-----w- c:\program files\Spyware Doctor
2009-11-05 05:52 . 2009-11-05 05:49 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-05 05:18 . 2009-05-31 16:24 4096 d-----w- c:\programdata\Yahoo! Companion
2009-11-05 02:56 . 2009-11-05 02:55 -------- d-sh--w- c:\users\Sayed\AppData\Roaming\Windows System Defender
2009-11-04 01:46 . 2008-10-08 13:34 4096 d-----w- c:\program files\Google
2009-11-03 02:31 . 2009-04-01 03:03 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-03 02:31 . 2008-10-10 00:32 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-03 02:31 . 2008-10-10 00:32 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-03 02:30 . 2008-10-10 00:32 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-03 02:30 . 2008-10-10 00:31 -------- d-----w- c:\program files\AVG
2009-11-01 16:20 . 2008-10-13 18:55 -------- d-----w- c:\program files\Common Files\Apple
2009-10-29 01:04 . 2009-11-05 02:55 722424 ----a-w- c:\programdata\8867ed7\mozcrt19.dll
2009-10-29 01:04 . 2009-11-05 02:55 457720 ----a-w- c:\programdata\8867ed7\sqlite3.dll
2009-10-17 02:26 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-10-08 17:31 . 2009-11-05 05:52 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-10-08 17:31 . 2009-11-05 05:52 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-10-08 17:31 . 2009-11-05 05:52 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-10-08 17:31 . 2009-11-05 05:52 767952 ----a-w- c:\windows\BDTSupport.dll
2009-10-06 22:31 . 2009-11-05 05:49 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-02 20:19 . 2009-11-05 05:52 1152470 ----a-w- c:\windows\UDB.zip
2009-10-01 15:29 . 2009-10-04 15:57 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-30 01:25 . 2009-08-28 03:37 177024 ----a-w- c:\users\Sayed\AppData\Roaming\Mozilla\Firefox\Profiles\45ouq7ww.default\FlashGot.exe
2009-09-24 14:55 . 2009-11-05 05:50 97208 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2009-09-24 14:55 . 2009-11-05 05:50 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-23 22:10 . 2009-11-05 05:49 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-16 09:20 . 2009-11-05 05:49 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-09-15 12:20 . 2009-11-05 05:49 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-09-15 08:12 . 2009-11-05 05:49 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-09-15 07:01 . 2009-11-05 05:50 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-09-14 02:25 . 2009-09-14 02:25 -------- d-----w- c:\programdata\McAfee Security Scan
2009-09-12 05:16 . 2009-08-07 23:31 4096 d-----w- c:\program files\Microsoft Silverlight
2009-09-11 03:51 . 2008-10-13 19:00 4096 d-----w- c:\users\Sayed\AppData\Roaming\Apple Computer
2009-09-11 03:38 . 2009-09-11 03:38 8192 d-----w- c:\program files\iPhone Configuration Utility
2009-09-11 03:37 . 2009-09-11 03:37 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-11 03:35 . 2009-09-11 03:34 4096 d-----w- c:\program files\QuickTime
2009-09-09 06:32 . 2009-09-09 06:32 -------- d-----w- c:\users\Sayed\AppData\Roaming\Media Player Classic
2009-09-03 15:45 . 2009-11-05 05:49 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-29 00:42 . 2009-08-29 00:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-29 00:42 . 2009-08-29 00:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 12:39 . 2009-09-02 23:59 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-02 23:59 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 13:32 . 2009-10-16 23:42 833024 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:29 . 2009-10-16 23:42 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 10:58 . 2009-10-16 23:42 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-14 17:07 . 2009-09-11 03:26 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-11 03:26 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-11 03:26 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-11 03:26 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-11 03:26 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-11 03:26 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-11 03:26 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-11 03:26 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-11 03:26 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-11 03:26 10240 ----a-w- c:\windows\system32\finger.exe
2008-10-08 16:10 . 2008-10-08 16:09 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
Old 11-07-2009, 04:18 AM   #8 (permalink)
guyeatsoctopus
Default Re: Combofix, Mal and hijack Logs

Combofix part 2:

.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{472734EA-242A-422B-ADF8-83D1E48CC825}"= "c:\program files\Spyware Doctor\BDT\PCTBrowserDefender.dll" [2009-10-08 395216]

[HKEY_CLASSES_ROOT\clsid\{472734ea-242a-422b-adf8-83d1e48cc825}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{175B7885-28AB-4D18-8773-7A13A99980A4}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{472734EA-242A-422B-ADF8-83D1E48CC825}"= "c:\program files\Spyware Doctor\BDT\PCTBrowserDefender.dll" [2009-10-08 395216]

[HKEY_CLASSES_ROOT\clsid\{472734ea-242a-422b-adf8-83d1e48cc825}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{175B7885-28AB-4D18-8773-7A13A99980A4}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"BitTorrent DNA"="c:\users\Sayed\Program Files\DNA\btdna.exe" [2009-10-09 323392]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"imxmpxoj"="c:\users\Sayed\AppData\Local\jqvmgb\cguxsysguard.exe" [2009-11-05 258048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-10-08 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-03 2010904]
"combofix"="c:\combofix\CF1544.exe" [2009-11-07 318976]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-05-14 4452352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
SetupExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R2 gupdate1c94f86d167d379;Google Update Service (gupdate1c94f86d167d379);c:\program files\Google\Update\GoogleUpdate.exe [2008-11-26 133104]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-09-23 358600]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-09-23 207280]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-11-03 333192]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-11-03 360584]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2009-11-03 906520]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2009-11-03 285392]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2009-10-08 112592]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2009-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-26 05:21]

2009-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-26 05:21]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*Yahoo!
uStart Page = hxxp://www.yahoo.com/
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=4081008
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*Yahoo! SearchBar Home Page
mStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*Yahoo!
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*Yahoo!
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*Yahoo! SearchBar Home Page
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*Yahoo!
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\users\Sayed\AppData\Roaming\Mozilla\Firefox\Profiles\45ouq7ww.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - component: c:\users\Sayed\AppData\Roaming\Mozilla\Firefox\Profiles\45ouq7ww.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Sayed\AppData\Roaming\Move Networks\plugins\npqmp071504000001.dll
FF - plugin: c:\users\Sayed\Program Files\DNA\plugins\npbtdna.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
.
------- File Associations -------
.
regedit=regedit.exe "%1"
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
URLSearchHooks-EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-Aim6 - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-11-07 00:03
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msiserver]
"ImagePath"="%systemroot%\system32\msiexec /V"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-271563636-3281760848-3984571709-1001\Software\SecuROM\License information*]
"datasecu"=hex:45,b5,1b,07,ec,82,2f,bd,42,67,20,56,d3,d6,19,55,e9,02,46,63,08,
61,1e,db,03,84,9a,2b,e3,65,38,42,26,79,24,a0,fc,c1,9b,08,17,61,2b,13,ab,ca,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AVG\AVG9\avgtray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-07 0:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-07 06:15

Pre-Run: 18,847,903,744 bytes free
Post-Run: 21,005,979,648 bytes free

- - End Of File - - AD535E9B20BD46ED5BB392616F324A83
Old 11-07-2009, 04:19 AM   #9 (permalink)
guyeatsoctopus
Default Re: Combofix, Mal and hijack Logs

Then Malware:

Malwarebytes' Anti-Malware 1.41
Database version: 3113
Windows 6.0.6001 Service Pack 1

11/7/2009 12:32:05 AM
mbam-log-2009-11-07 (00-31-55).txt

Scan type: Quick Scan
Objects scanned: 88300
Time elapsed: 7 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\imxmpxoj (Trojan.FakeAlert.N) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.com/?&uid=220&q={searchTerms}) Good: (Google) -> No action taken.

Folders Infected:
C:\ProgramData\WSDDSys (Rogue.WindowsSystemDefender) -> No action taken.
C:\Users\Sayed\AppData\Roaming\Windows System Defender (Rogue.WindowsSystemDefender) -> No action taken.

Files Infected:
C:\ProgramData\WSDDSys\wsd.cfg (Rogue.WindowsSystemDefender) -> No action taken.
C:\Users\Sayed\AppData\Roaming\Windows System Defender\cookies.sqlite (Rogue.WindowsSystemDefender) -> No action taken.
C:\Users\Sayed\AppData\Roaming\Windows System Defender\Instructions.ini (Rogue.WindowsSystemDefender) -> No action taken.
C:\Users\Sayed\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Windows System Defender.lnk (Rogue.WindowsSystemDefender) -> No action taken.
C:\Windows\win32k.sys (Trojan.Dropper) -> No action taken.
C:\Users\Sayed\AppData\Local\jqvmgb\cguxsysguard.exe (Trojan.FakeAlert.N) -> No action taken.
Old 11-07-2009, 04:20 AM   #10 (permalink)
guyeatsoctopus
Default Re: Combofix, Mal and hijack Logs

Then hijack:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36:48 AM, on 11/7/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18319)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Users\Sayed\Program Files\DNA\btdna.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Sayed\Desktop\FFDL\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Sayed\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [imxmpxoj] C:\Users\Sayed\AppData\Local\jqvmgb\cguxsysguard.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c94f86d167d379) (gupdate1c94f86d167d379) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8575 bytes




Thanks. Sorry if I posted these logs twice.
Tags
antivirus, blue screen, dell, vista, windows defense
