My other thread got closed, so this is just a continuation. Here is my HijackThis logfile. Echoreply helped me already, and I hope that person or anyone can help once again. Thanks.

Echoreply, I just ran HJT and this is the logfile that came up. I just copied and pasted it here...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:18:02 PM, on 4/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.metacrawl.ws
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alsfastball.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.metacrawl.ws
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8b9684d9-7885-4b81-9aae-0b73d41a49da} - C:\WINDOWS\system32\clcsftpq.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: gooochi browser optimizer - {c772b7a4-5ba5-7690-5799-ee305aa66a54} - C:\WINDOWS\system32\{732e4169-817f-c089-7414-a77b7aa5bcde}.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{D7-70-09-90-DW}] C:\windows\system32\jqwnw64k.exe DWram
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [70bd703f] rundll32.exe "C:\WINDOWS\system32\jietdbkv.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (file missing) (HKCU)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab53083.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://zeker11.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab53083.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab50727.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.pure-energy.ca/tsweb/msrdp.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab42858.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab53852.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: ssqNDsro - ssqNDsro.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11130 bytes
ok, we will continue in this thread: first we will use HJT, then get another download to run.

First, HJT: start HJT, click the "Scan" button. Check the items below, close any open windows, then click "Fix checked":

O2 - BHO: gooochi browser optimizer - {c772b7a4-5ba5-7690-5799-ee305aa66a54} - C:\WINDOWS\system32\{732e4169-817f-c089-7414-a77b7aa5bcde}.dll
O4 - HKLM\..\Run: [{D7-70-09-90-DW}] C:\windows\system32\jqwnw64k.exe DWram
O4 - HKLM\..\Run: [70bd703f] rundll32.exe "C:\WINDOWS\system32\jietdbkv.dll",b

---------------------

Next, let's see what ComboFix can dig up. Download ComboFix from one of these links and save it to Desktop:
http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

As a precaution, before using ComboFix:

1. * Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
   * Click on this link below to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   * Remember to re-enable the protection again afterwards before connecting to the net.
   Link on how to disable different AV and antimalware apps: http://www.bleepingcomputer.com/forums/topic114351.html

2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
   * IF you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
   * If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

3. Now double click on combofix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt".

Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall or freeze.

------------------

Post the ComboFix log please.

echoreply
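As an added example (not code from this thread, from HijackThis or from ComboFix), here is a small Python triage script for HJT log lines. It parses the O2 (BHO) and O4 (Run key) entries and flags the traits that made the three entries in the post above stand out: a registered DLL that is missing from disk, a DLL whose file name is a bare GUID, a Run value whose name is a hex or GUID-style token, and rundll32 loading a DLL through a single-letter export. The heuristics are this example's own assumptions, not HJT's rules, and the sample entries are constructed in the shape of the log posted above.

```python
"""Triage helper for HijackThis (HJT) log entries.

Added example for this thread; it is not HijackThis code, and the heuristics
below are this example's own assumptions. A hit is a reason to look closer
(check the file, its signer, a hash lookup), not a verdict on its own.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the log posted above: legitimate entries
# mixed with the ones the helper asked to fix.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8b9684d9-7885-4b81-9aae-0b73d41a49da} - C:\WINDOWS\system32\clcsftpq.dll (file missing)
O2 - BHO: gooochi browser optimizer - {c772b7a4-5ba5-7690-5799-ee305aa66a54} - C:\WINDOWS\system32\{732e4169-817f-c089-7414-a77b7aa5bcde}.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [{D7-70-09-90-DW}] C:\windows\system32\jqwnw64k.exe DWram
O4 - HKLM\..\Run: [70bd703f] rundll32.exe "C:\WINDOWS\system32\jietdbkv.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"""

# O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
GUID_DLL_RE = re.compile(r"\\\{[0-9A-Fa-f-]{36}\}\.dll$", re.I)
HEX_VALUE_RE = re.compile(r"^[0-9a-f]{6,}$", re.I)
RUNDLL_LETTER_EXPORT_RE = re.compile(r'^rundll32(?:\.exe)? ".*\.dll",[a-z]$', re.I)


@dataclass
class Finding:
    entry: str
    reasons: list = field(default_factory=list)


def triage_line(line: str):
    """Return a Finding for one HJT entry, or None when nothing stands out."""
    reasons = []
    m = O2_RE.match(line)
    if m:
        path = m.group("path")
        if path.endswith("(file missing)"):
            reasons.append("BHO is registered but its DLL is missing from disk")
        if GUID_DLL_RE.search(path):
            reasons.append("BHO DLL file name is a bare GUID")
    m = O4_RE.match(line)
    if m:
        value, cmd = m.group("value"), m.group("cmd")
        if HEX_VALUE_RE.match(value) or value.startswith("{"):
            reasons.append("Run value name is a hex/GUID-style token")
        if RUNDLL_LETTER_EXPORT_RE.match(cmd):
            reasons.append("rundll32 loads a DLL through a single-letter export")
    return Finding(line, reasons) if reasons else None


def triage(log_text: str):
    """Run triage_line over a whole log and keep only the flagged entries."""
    findings = []
    for raw in log_text.splitlines():
        f = triage_line(raw.strip())
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.entry)
        for r in f.reasons:
            print("   ->", r)
```

Run against the sample it reports exactly the three entries the helper listed plus the missing clcsftpq.dll BHO, and nothing for the Intel, Adobe or AVG lines.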
Here is my ComboFix log file.

ComboFix 08-04-24.1 - Blair's settings 2008-04-25 19:47:58.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.138 [GMT -2.5:30]
Running from: C:\Documents and Settings\Blair's settings\Desktop\ComboFix.exe
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\'
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cpmrotate.dll
C:\WINDOWS\system32\gkdyvfvj.dll
C:\WINDOWS\system32\jQBLUvut.ini
C:\WINDOWS\system32\jQBLUvut.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\wetplnyw.dll
.
((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.
2008-04-24 23:10 . 2008-04-24 23:10 <DIR> d-------- C:\Documents and Settings\Blair's settings\Application Data\Malwarebytes
2008-04-24 23:08 . 2008-04-24 23:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-24 23:07 . 2008-04-24 23:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-23 18:23 . 2008-04-23 18:23 <DIR> d-------- C:\Documents and Settings\Blair's settings\Application Data\Comodo
2008-04-23 18:22 . 2008-04-23 18:22 <DIR> d-------- C:\Program Files\COMODO
2008-04-23 18:22 . 2008-04-23 22:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-04-23 18:22 . 2008-04-23 18:22 139,008 --a------ C:\WINDOWS\system32\guard32.dll
2008-04-23 18:22 . 2008-04-23 18:22 87,312 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-04-23 18:22 . 2008-04-23 18:22 23,824 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-04-23 18:14 . 2008-04-23 18:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-23 18:09 . 2008-04-23 18:09 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-23 18:09 . 2008-04-23 18:11 <DIR> d-------- C:\Program Files\CCleaner
2008-04-23 18:07 . 2008-04-23 18:07 2,751,368 --a------ C:\Program Files\ccsetup206.exe
2008-04-23 15:32 . 2008-04-23 15:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-22 23:35 . 2008-04-25 17:18 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-22 23:23 . 2008-04-25 08:00 <DIR> d-------- C:\Documents and Settings\Blair's settings\Application Data\AVG7
2008-04-22 23:22 . 2008-04-22 23:22 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-22 23:22 . 2008-04-22 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-22 23:22 . 2008-04-22 23:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-22 23:15 . 2008-04-22 23:15 38,337,440 --a------ C:\Program Files\avg75free_524a1289.exe
2008-04-22 15:43 . 2008-04-22 22:59 1,541,613 --ahs---- C:\WINDOWS\system32\vkbdteij.ini
2008-04-21 11:22 . 2008-04-21 11:22 399,410 --a------ C:\WINDOWS\system32\g59.exe
2008-04-21 09:10 . 2008-04-22 15:42 1,541,201 --ahs---- C:\WINDOWS\system32\abcihrtu.ini
2008-04-21 09:04 . 2008-04-24 15:43 109,738 --a------ C:\WINDOWS\BM738e43a3.xml
2008-04-20 21:48 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-20 20:55 . 2008-04-20 20:55 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-04-20 20:52 . 2008-04-20 20:52 860 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-04-20 20:51 . 2008-04-23 03:21 <DIR> d-------- C:\WINDOWS\system32\xcsDd18
2008-04-20 20:51 . 2008-04-23 03:21 <DIR> d-------- C:\WINDOWS\system32\migNT
2008-04-20 20:51 . 2008-04-20 20:52 <DIR> d-------- C:\WINDOWS\system32\inf1
2008-04-20 20:51 . 2008-04-20 20:51 <DIR> d-------- C:\Temp\berDrv11
2008-04-20 20:51 . 2008-04-25 19:49 <DIR> d-------- C:\Temp
2008-04-20 20:51 . 2008-04-20 20:51 298,306 --a------ C:\WINDOWS\system32\gside.exe
2008-04-17 15:20 . 2008-04-17 15:20 <DIR> d-------- C:\Program Files\iTunes
2008-04-17 15:20 . 2008-04-17 15:20 <DIR> d-------- C:\Program Files\iPod
2008-04-17 15:15 . 2008-04-17 15:17 <DIR> d-------- C:\Program Files\QuickTime
2008-04-11 13:16 . 2008-04-25 08:30 334,848 --a------ C:\WINDOWS\system32\myss_sb.dll
2008-03-31 18:55 . 2008-03-31 18:55 831,488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 18:55 . 2008-03-31 18:55 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 18:55 . 2008-03-31 18:55 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 18:55 . 2008-03-31 18:55 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 18:55 . 2008-03-31 18:55 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2008-03-31 18:55 . 2008-03-31 18:55 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 00:59 --------- d-----w C:\Documents and Settings\Blair's settings\Application Data\BitTorrent
2008-04-23 00:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-04-23 00:50 --------- d-----w C:\Documents and Settings\Blair's settings\Application Data\LimeWire
2008-04-21 00:20 --------- d-----w C:\Program Files\Java
2008-04-18 00:13 --------- d-----w C:\Program Files\DivX
2008-04-17 17:54 --------- d-----w C:\Program Files\Apple Software Update
2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-21 02:05 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2008-02-21 02:05 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2008-02-21 02:05 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2008-02-07 20:39 2,400,784 ----a-w C:\Program Files\WLinstaller.exe
2008-01-29 14:32 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2007-02-23 23:30 18,432 ----a-w C:\Documents and Settings\Blair's settings\Application Data\internaldb41.dat
2007-02-22 23:58 374 ----a-w C:\Documents and Settings\Blair's settings\Application Data\internaldb6334.dat
2007-02-22 22:54 538 ----a-w C:\Documents and Settings\Blair's settings\Application Data\internaldb8467.dat
2006-12-01 13:14 36,464 ----a-w C:\Documents and Settings\Blair's settings\Application Data\GDIPFONTCACHEV1.DAT
2006-07-13 16:46 15,032,616 ----a-w C:\Program Files\DivXInstaller.exe
2006-07-13 15:30 24,070,456 ----a-w C:\Program Files\wmp11-windowsxp-x86-enu.exe
2006-07-12 12:33 2,855,080 ----a-w C:\Program Files\aawsepersonal.exe
2007-12-10 01:54 56 --sh--r C:\WINDOWS\system32\6928444DAA.sys
2007-02-06 13:49 88 --sh--r C:\WINDOWS\system32\AA4D442869.sys
2007-12-10 01:54 5,538 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8b9684d9-7885-4b81-9aae-0b73d41a49da}]
C:\WINDOWS\system32\clcsftpq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 13:54 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 17:37 68856]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 23:19 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 23:16 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 23:20 114688]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 21:18 761947]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 17:38 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 02:00 282624 C:\WINDOWS\stsystra.exe]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 18:49 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 03:35 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 13:14 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 13:14 81920]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-06-24 17:09 169472]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16 1121792]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-22 23:22 579584]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-04-23 18:22 1572608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-22 23:22 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-24 16:52:39 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqNDsro]
ssqNDsro.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-04-23 18:22]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-04-23 18:22]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-17 17:31:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-29 17:56:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#deskjet3600#CN39F3F3SY6B.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe+/#Hewlett-Packard#deskjet3600#CN39F3F3SY6B
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 20:03:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 56
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-25 20:09:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-25 22:39:06

Pre-Run: 20,791,513,088 bytes free
Post-Run: 21,635,604,480 bytes free

206 --- E O F --- 2008-04-09 01:54:41
Need to get some files checked out. To help show all files, do this:

For XP: on the desktop double click My Computer, go to Tools > Folder Options > View, then select "show hidden files and folders", then UNcheck "hide protected operating system files", also UNcheck "hide extensions for known file types". Click "apply to all folders", Apply, then OK.

See if you can locate these two in the system32 dir: C:\WINDOWS\system32
6928444DAA.sys
AA4D442869.sys

If so, go to the website below, click the browse button to search for the files, then click the send button to upload them. You can copy/paste the results in your reply.
Website: http://www.virustotal.com/

------------------------------
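Added example (not code from this thread, from ComboFix or from VirusTotal): a Python script that parses the file listings in a ComboFix log, picks out files under system32 that carry both the hidden and system attributes, the way the two .sys files named above do in the Find3M section, and computes the SHA-256 a VirusTotal hash lookup needs, returning None when the file is not on disk. The hidden+system heuristic and the sample listing are this example's own constructions.

```python
"""Parse ComboFix file listings and hash the files worth submitting for a scan.

Added example for this thread; it is not ComboFix or VirusTotal code, and the
hidden+system heuristic is this example's own assumption. ComboFix prints
  <created> . <modified> <size> <attrs> <path>   in "Files Created", and
  <modified> <size> <attrs> <path>               in the Find3M report.
The attribute column uses d (directory), a (archive), h (hidden), s (system),
r (read-only) and w (writable); dashes are unset flags.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the ComboFix log posted above.
SAMPLE_LISTING = r"""
2008-04-22 15:43 . 2008-04-22 22:59 1,541,613 --ahs---- C:\WINDOWS\system32\vkbdteij.ini
2008-04-21 11:22 . 2008-04-21 11:22 399,410 --a------ C:\WINDOWS\system32\g59.exe
2008-04-23 18:22 . 2008-04-23 18:22 139,008 --a------ C:\WINDOWS\system32\guard32.dll
2008-04-23 18:22 . 2008-04-23 18:22 <DIR> d-------- C:\Program Files\COMODO
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2007-12-10 01:54 56 --sh--r C:\WINDOWS\system32\6928444DAA.sys
2007-02-06 13:49 88 --sh--r C:\WINDOWS\system32\AA4D442869.sys
2007-12-10 01:54 5,538 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
"""

ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"   # absent in Find3M
    r" (?P<size><DIR>|[\d,]+|-+)"                              # <DIR>, bytes, or dashes
    r" (?P<attrs>[-a-z]{7,9})"                                 # 7-char Find3M, 9-char created
    r" (?P<path>.+)$"
)


@dataclass
class Entry:
    path: str
    attrs: str
    size: Optional[int]   # None for directories and for Find3M dash placeholders


def parse_listing(text: str):
    """Turn ComboFix listing lines into Entry objects; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        size = m.group("size")
        entries.append(Entry(
            path=m.group("path"),
            attrs=m.group("attrs"),
            size=int(size.replace(",", "")) if size[0].isdigit() else None,
        ))
    return entries


def hidden_system_in_system32(entries):
    """Files (not directories) under system32 carrying both the h and s flags."""
    return [e for e in entries
            if "h" in e.attrs and "s" in e.attrs and "d" not in e.attrs
            and "\\system32\\" in e.path.lower()]


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> Optional[str]:
    """SHA-256 of a file for a VirusTotal hash lookup; None if it is not readable."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
    except (FileNotFoundError, PermissionError):
        return None
    return h.hexdigest()


if __name__ == "__main__":
    for e in hidden_system_in_system32(parse_listing(SAMPLE_LISTING)):
        print(f"{e.attrs} {str(e.size):>8} {e.path}  sha256={sha256_file(e.path)}")
```

Hashing first and looking the hash up is cheaper than uploading, and the attribute flags are only a way to prioritise: a hidden+system file is not malicious by itself (several vendors' licence files look exactly like this), which is why the thread sends them to a multi-engine scan instead of deleting them outright.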
ok, one more download to get. Download Gmer to desktop: http://www.gmer.net/index.php
Unzip it to a folder and click the icon to run the application. Select the Rootkit/Malware tab and click the scan button near the bottom. After the scan, select the copy button, open Notepad and paste (Edit > Paste) the log in. Name and save the txt file somewhere and post it in your next reply.
I tried posting the Gmer log file a few times the last few days, but the page would never load up. What should I do?
hi, did you try saving it first to your hard drive as a txt file in Notepad, then copying/pasting the saved .txt file?

Back to ComboFix: click Start, then Run, type Notepad and click OK. Copy/paste the text in the code box below into Notepad:

Code:
FILE::
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\clcsftpq.dll
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\vkbdteij.ini
C:\Temp\berDrv11
C:\WINDOWS\system32\6928444DAA.sys
C:\WINDOWS\system32\AA4D442869.sys

Name the Notepad file CFScript.txt and save it to your desktop. Now locate the file you just saved and the ComboFix icon, both on the desktop. Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log. Please post the new ComboFix log and a new HJT log.
Here is my HJT logfile. I can't seem to find my ComboFix logfile. I don't think it popped up when ComboFix was done scanning.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:24, on 2008-04-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\internet explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alsfastball.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.metacrawl.ws
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8b9684d9-7885-4b81-9aae-0b73d41a49da} - C:\WINDOWS\system32\clcsftpq.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run:
[DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (file missing) (HKCU) O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab53083.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://zeker11.spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} 
(ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab53083.cab O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab50727.cab O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.pure-energy.ca/tsweb/msrdp.cab O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab42858.cab O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab53852.cab O20 - Winlogon Notify: ssqNDsro - ssqNDsro.dll (file missing) O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. 
- C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE -- End of file - 10712 bytes
Here is my ComboFix log... I had to do the scan again for the logfile to come up.

ComboFix 08-04-24.1 - Blair's settings 2008-04-29 21:29:59.3 - NTFSx86
Running from: C:\Documents and Settings\Blair's settings\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Blair's settings\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Temp\berDrv11
C:\WINDOWS\system32\6928444DAA.sys
C:\WINDOWS\system32\AA4D442869.sys
C:\WINDOWS\system32\clcsftpq.dll
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\vkbdteij.ini
C:\WINDOWS\system32\winpfz33.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\6928444DAA.sys
C:\WINDOWS\system32\AA4D442869.sys
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\vkbdteij.ini
C:\WINDOWS\system32\winpfz33.sys
.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.
2008-04-26 12:06 . 2008-04-26 12:06 250 --a------ C:\WINDOWS\gmer.ini
2008-04-24 23:10 . 2008-04-24 23:10 <DIR> d-------- C:\Documents and Settings\Blair's settings\Application Data\Malwarebytes
2008-04-24 23:08 . 2008-04-24 23:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-24 23:07 . 2008-04-24 23:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-23 18:23 . 2008-04-23 18:23 <DIR> d-------- C:\Documents and Settings\Blair's settings\Application Data\Comodo
2008-04-23 18:22 . 2008-04-23 18:22 <DIR> d-------- C:\Program Files\COMODO
2008-04-23 18:22 . 2008-04-23 22:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-04-23 18:22 . 2008-04-23 18:22 139,008 --a------ C:\WINDOWS\system32\guard32.dll
2008-04-23 18:22 . 2008-04-23 18:22 87,312 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-04-23 18:22 . 2008-04-23 18:22 23,824 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-04-23 18:14 . 2008-04-23 18:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-23 18:09 . 2008-04-23 18:09 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-23 18:09 . 2008-04-23 18:11 <DIR> d-------- C:\Program Files\CCleaner
2008-04-23 18:07 . 2008-04-23 18:07 2,751,368 --a------ C:\Program Files\ccsetup206.exe
2008-04-23 15:32 . 2008-04-23 15:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-22 23:35 . 2008-04-25 17:18 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-22 23:23 . 2008-04-29 08:00 <DIR> d-------- C:\Documents and Settings\Blair's settings\Application Data\AVG7
2008-04-22 23:22 . 2008-04-22 23:22 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-22 23:22 . 2008-04-22 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-22 23:22 . 2008-04-22 23:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-22 23:15 . 2008-04-22 23:15 38,337,440 --a------ C:\Program Files\avg75free_524a1289.exe
2008-04-21 11:22 . 2008-04-21 11:22 399,410 --a------ C:\WINDOWS\system32\g59.exe
2008-04-21 09:10 . 2008-04-22 15:42 1,541,201 --ahs---- C:\WINDOWS\system32\abcihrtu.ini
2008-04-21 09:04 . 2008-04-24 15:43 109,738 --a------ C:\WINDOWS\BM738e43a3.xml
2008-04-20 21:48 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-20 20:51 . 2008-04-23 03:21 <DIR> d-------- C:\WINDOWS\system32\xcsDd18
2008-04-20 20:51 . 2008-04-23 03:21 <DIR> d-------- C:\WINDOWS\system32\migNT
2008-04-20 20:51 . 2008-04-20 20:52 <DIR> d-------- C:\WINDOWS\system32\inf1
2008-04-20 20:51 . 2008-04-20 20:51 <DIR> d-------- C:\Temp\berDrv11
2008-04-20 20:51 . 2008-04-25 19:49 <DIR> d-------- C:\Temp
2008-04-20 20:51 . 2008-04-20 20:51 298,306 --a------ C:\WINDOWS\system32\gside.exe
2008-04-17 15:20 . 2008-04-17 15:20 <DIR> d-------- C:\Program Files\iTunes
2008-04-17 15:20 . 2008-04-17 15:20 <DIR> d-------- C:\Program Files\iPod
2008-04-17 15:15 . 2008-04-17 15:17 <DIR> d-------- C:\Program Files\QuickTime
2008-04-11 13:16 . 2008-04-25 08:30 334,848 --a------ C:\WINDOWS\system32\myss_sb.dll
2008-03-31 18:55 . 2008-03-31 18:55 831,488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 18:55 . 2008-03-31 18:55 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 18:55 . 2008-03-31 18:55 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 18:55 . 2008-03-31 18:55 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 18:55 . 2008-03-31 18:55 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2008-03-31 18:55 . 2008-03-31 18:55 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 00:59 --------- d-----w C:\Documents and Settings\Blair's settings\Application Data\BitTorrent
2008-04-23 00:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-04-23 00:50 --------- d-----w C:\Documents and Settings\Blair's settings\Application Data\LimeWire
2008-04-21 00:20 --------- d-----w C:\Program Files\Java
2008-04-18 00:13 --------- d-----w C:\Program Files\DivX
2008-04-17 17:54 --------- d-----w C:\Program Files\Apple Software Update
2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-21 02:05 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2008-02-21 02:05 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2008-02-21 02:05 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2008-02-07 20:39 2,400,784 ----a-w C:\Program Files\WLinstaller.exe
2008-01-29 14:32 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2007-02-23 23:30 18,432 ----a-w C:\Documents and Settings\Blair's settings\Application Data\internaldb41.dat
2007-02-22 23:58 374 ----a-w C:\Documents and Settings\Blair's settings\Application Data\internaldb6334.dat
2007-02-22 22:54 538 ----a-w C:\Documents and Settings\Blair's settings\Application Data\internaldb8467.dat
2006-12-01 13:14 36,464 ----a-w C:\Documents and Settings\Blair's settings\Application Data\GDIPFONTCACHEV1.DAT
2006-07-13 16:46 15,032,616 ----a-w C:\Program Files\DivXInstaller.exe
2006-07-13 15:30 24,070,456 ----a-w C:\Program Files\wmp11-windowsxp-x86-enu.exe
2006-07-12 12:33 2,855,080 ----a-w C:\Program Files\aawsepersonal.exe
2007-12-10 01:54 5,538 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot@2008-04-25_20.07.52.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-25 22:30:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-26 11:42:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-26 14:35:13 819,200 ----a-w C:\WINDOWS\gmer.dll
+ 2008-03-03 22:59:06 761,856 ----a-r C:\WINDOWS\gmer.exe
+ 2008-04-26 14:35:17 86,097 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8b9684d9-7885-4b81-9aae-0b73d41a49da}]
C:\WINDOWS\system32\clcsftpq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 13:54 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 17:37 68856]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 23:19 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 23:16 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 23:20 114688]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 21:18 761947]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 17:38 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 02:00 282624 C:\WINDOWS\stsystra.exe]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 18:49 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 03:35 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 13:14 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 13:14 81920]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-06-24 17:09 169472]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16 1121792]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-22 23:22 579584]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-04-23 18:22 1572608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-22 23:22 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-24 16:52:39 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqNDsro]
ssqNDsro.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-04-23 18:22]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-04-23 18:22]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []

*Newly Created Service* - CATCHME
*Newly Created Service* - GMER
.
Contents of the 'Scheduled Tasks' folder
"2008-04-29 21:51:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-29 17:56:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#deskjet3600#CN39F3F3SY6B.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe+/#Hewlett-Packard#deskjet3600#CN39F3F3SY6B
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 21:34:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-04-29 21:37:19
ComboFix-quarantined-files.txt 2008-04-30 00:06:25
ComboFix2.txt 2008-04-25 22:39:40

Pre-Run: 21,537,886,208 bytes free
Post-Run: 21,525,790,720 bytes free

201 --- E O F --- 2008-04-09 01:54:41
OK, good. Thanks for the info.

Start HJT and click the "Scan" button. Check the items below, close any open windows, then click "Fix checked":

O2 - BHO: (no name) - {8b9684d9-7885-4b81-9aae-0b73d41a49da} - C:\WINDOWS\system32\clcsftpq.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (file missing) (HKCU)
O20 - Winlogon Notify: ssqNDsro - ssqNDsro.dll (file missing)

---------------

We will use ComboFix again, so like last time: click Start, then Run, type Notepad and click OK. Copy/paste the text in the code box below into Notepad:

Code:
FILE::
C:\WINDOWS\system32\g59.exe
C:\WINDOWS\system32\abcihrtu.ini
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\myss_sb.dll

FOLDER::
C:\WINDOWS\system32\xcsDd18
C:\WINDOWS\system32\migNT
C:\WINDOWS\system32\inf1

Name the Notepad file CFScript.txt and save it to your desktop. Now locate the file you just saved and the ComboFix icon, both on the desktop. Using your mouse, drag the CFScript right on top of the ComboFix icon and release. ComboFix will run and produce a new log; please post the new ComboFix log.

How's it looking on your end now?
Here is the logfile... It's looking real good on my end. I appreciate everything.

ComboFix 08-04-24.1 - Blair's settings 2008-04-30 1:26:43.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.140 [GMT -2.5:30]
Running from: C:\Documents and Settings\Blair's settings\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Blair's settings\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\abcihrtu.ini
C:\WINDOWS\system32\g59.exe
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\myss_sb.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\abcihrtu.ini
C:\WINDOWS\system32\g59.exe
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\inf1
C:\WINDOWS\system32\migNT
C:\WINDOWS\system32\myss_sb.dll
C:\WINDOWS\system32\xcsDd18
.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.
2008-04-26 12:06 . 2008-04-26 12:06 250 --a------ C:\WINDOWS\gmer.ini
2008-04-24 23:10 . 2008-04-24 23:10 <DIR> d-------- C:\Documents and Settings\Blair's settings\Application Data\Malwarebytes
2008-04-24 23:08 . 2008-04-24 23:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-24 23:07 . 2008-04-24 23:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-23 18:23 . 2008-04-23 18:23 <DIR> d-------- C:\Documents and Settings\Blair's settings\Application Data\Comodo
2008-04-23 18:22 . 2008-04-23 18:22 <DIR> d-------- C:\Program Files\COMODO
2008-04-23 18:22 . 2008-04-23 22:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-04-23 18:22 . 2008-04-23 18:22 139,008 --a------ C:\WINDOWS\system32\guard32.dll
2008-04-23 18:22 . 2008-04-23 18:22 87,312 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-04-23 18:22 . 2008-04-23 18:22 23,824 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-04-23 18:09 . 2008-04-29 22:44 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-23 18:09 . 2008-04-23 18:11 <DIR> d-------- C:\Program Files\CCleaner
2008-04-23 18:07 . 2008-04-23 18:07 2,751,368 --a------ C:\Program Files\ccsetup206.exe
2008-04-23 15:32 . 2008-04-23 15:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-22 23:35 . 2008-04-25 17:18 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-22 23:23 . 2008-04-29 08:00 <DIR> d-------- C:\Documents and Settings\Blair's settings\Application Data\AVG7
2008-04-22 23:22 . 2008-04-22 23:22 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-22 23:22 . 2008-04-22 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-22 23:22 . 2008-04-22 23:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-22 23:15 . 2008-04-22 23:15 38,337,440 --a------ C:\Program Files\avg75free_524a1289.exe
2008-04-21 09:04 . 2008-04-24 15:43 109,738 --a------ C:\WINDOWS\BM738e43a3.xml
2008-04-20 21:48 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-20 20:51 . 2008-04-20 20:51 <DIR> d-------- C:\Temp\berDrv11
2008-04-20 20:51 . 2008-04-25 19:49 <DIR> d-------- C:\Temp
2008-04-17 15:20 . 2008-04-17 15:20 <DIR> d-------- C:\Program Files\iTunes
2008-04-17 15:20 . 2008-04-17 15:20 <DIR> d-------- C:\Program Files\iPod
2008-04-17 15:15 . 2008-04-17 15:17 <DIR> d-------- C:\Program Files\QuickTime
2008-03-31 18:55 . 2008-03-31 18:55 831,488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 18:55 . 2008-03-31 18:55 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 18:55 . 2008-03-31 18:55 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 18:55 . 2008-03-31 18:55 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 18:55 . 2008-03-31 18:55 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2008-03-31 18:55 . 2008-03-31 18:55 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-24 17:15 . 2008-03-24 17:15 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-03-21 18:00 . 2008-03-21 18:00 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 18:00 . 2008-03-21 18:00 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-03-21 18:00 . 2008-03-21 18:00 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-03-21 18:00 . 2008-03-21 18:00 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-03-21 18:00 . 2008-03-21 18:00 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 00:59 --------- d-----w C:\Documents and Settings\Blair's settings\Application Data\BitTorrent
2008-04-23 00:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-04-23 00:50 --------- d-----w C:\Documents and Settings\Blair's settings\Application Data\LimeWire
2008-04-21 00:20 --------- d-----w C:\Program Files\Java
2008-04-18 00:13 --------- d-----w C:\Program Files\DivX
2008-04-17 17:54 --------- d-----w C:\Program Files\Apple Software Update
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-21 02:05 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2008-02-21 02:05 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2008-02-21 02:05 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2008-02-07 20:39 2,400,784 ----a-w C:\Program Files\WLinstaller.exe
2008-01-29 14:32 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2007-02-23 23:30 18,432 ----a-w C:\Documents and Settings\Blair's settings\Application Data\internaldb41.dat
2007-02-22 23:58 374 ----a-w C:\Documents and Settings\Blair's settings\Application Data\internaldb6334.dat
2007-02-22 22:54 538 ----a-w C:\Documents and Settings\Blair's settings\Application Data\internaldb8467.dat
2006-12-01 13:14 36,464 ----a-w C:\Documents and Settings\Blair's settings\Application Data\GDIPFONTCACHEV1.DAT
2006-07-13 16:46 15,032,616 ----a-w C:\Program Files\DivXInstaller.exe
2006-07-13 15:30 24,070,456 ----a-w C:\Program Files\wmp11-windowsxp-x86-enu.exe
2006-07-12 12:33 2,855,080 ----a-w C:\Program Files\aawsepersonal.exe
2007-12-10 01:54 5,538 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot@2008-04-25_20.07.52.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-25 22:30:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-30 01:39:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-26 14:35:13 819,200 ----a-w C:\WINDOWS\gmer.dll
+ 2008-03-03 22:59:06 761,856 ----a-r C:\WINDOWS\gmer.exe
+ 2008-04-26 14:35:17 86,097 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 13:54 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 17:37 68856]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 23:19 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 23:16 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 23:20 114688]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 21:18 761947]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 17:38 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 02:00 282624 C:\WINDOWS\stsystra.exe]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 18:49 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 03:35 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 13:14 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 13:14 81920]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-06-24 17:09 169472]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16 1121792]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-22 23:22 579584]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-04-23 18:22 1572608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-22 23:22 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-24 16:52:39 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-04-23 18:22]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-04-23 18:22]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []
.
Contents of the 'Scheduled Tasks' folder
"2008-04-29 21:51:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-29 17:56:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#deskjet3600#CN39F3F3SY6B.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe+/#Hewlett-Packard#deskjet3600#CN39F3F3SY6B
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 01:32:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Documents and Settings\Blair's settings\Local Settings\Application Data\Microsoft\Messenger\blairezekiel@hotmail.com\SharingMetadata\Working\database_8070_BD73_70BD_7090\$db_clean$ 0 bytes

scan completed successfully
hidden files: 57

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-04-30 1:36:45
ComboFix-quarantined-files.txt 2008-04-30 04:06:35
ComboFix2.txt 2008-04-30 00:07:20
ComboFix3.txt 2008-04-25 22:39:40

Pre-Run: 21,498,322,944 bytes free
Post-Run: 21,498,986,496 bytes free

193 --- E O F --- 2008-04-09 01:54:41
OK, good. Please run Malwarebytes once more after checking for any updates, and post the log like last time.
Malwarebytes' Anti-Malware 1.11 Database version: 679 Scan type: Full Scan (C:\|D:\|) Objects scanned: 77736 Time elapsed: 1 hour(s), 42 minute(s), 1 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP549\A0076310.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
OK, good, thanks for the info. You can delete ComboFix like this: Start > Run and type in combofix /u (click OK). There is a space after the x and before the /. You can delete the GMER .exe.

Check your Java version: how and why:
Vulnerabilities/exploits in versions of Sun Java may be responsible for some malware installs via your browser. It is important to keep Sun Java up to date and also to remove older versions which may have vulnerabilities/exploits that can be taken advantage of to possibly introduce malware via your browser.
1. Uninstall old versions of Sun Java via Add/Remove Programs.
2. Click the Remove or Change/Remove button.
3. Reboot your PC if prompted.
To check if you have the latest version of Java and to download the latest version: http://www.java.com/en/download/installed.jsp

System Restore: the how and why:
One of the features of Windows ME, XP and Vista is the System Restore option; however, if malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed. To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account. (WinXP)
1. Turn off System Restore (deletes old, possibly infected restore points). On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Check Turn off System Restore. Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore (new restore points on a clean system). On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. UN-check *Turn off System Restore*. Click Apply, and then click OK, then reboot.
Always check for updates before you use Malwarebytes to do a scan.
ATF Cleaner: good for keeping temps, cookies etc. cleaned out: http://www.majorgeeks.com/ATF_Cleaner_d4949.html Happy surfing.
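The "check your Java version" step above can be done from the Add/Remove Programs data directly. This is an added example, not from anyone in this thread: it reads the Uninstall registry keys, lists every Java entry, and flags any version older than the one you just installed. The $Latest value is a placeholder you supply after visiting the java.com check page.

```powershell
# Added example (not from the thread): list installed Sun Java entries from the
# Add/Remove Programs registry data and flag versions older than $Latest.
param([string]$Latest = "0.0.0.0")   # placeholder: set to the version java.com reports

$uninstallKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Same list Add/Remove Programs shows, filtered to Java / J2SE products.
$java = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -match '^(Java|J2SE)' -and $_.DisplayVersion } |
  Select-Object DisplayName, DisplayVersion, UninstallString

foreach ($j in $java) {
  # Normalise strings such as "1.6.0_05" or "1.6.0.50" into a comparable [version].
  $clean = ($j.DisplayVersion -replace '_', '.') -replace '[^0-9.]', ''
  try   { $ver = [version]$clean } catch { $ver = [version]'0.0' }
  $stale = $ver -lt [version]$Latest

  [pscustomobject]@{
    Name      = $j.DisplayName
    Version   = $j.DisplayVersion
    Status    = if ($stale) { 'OLD - remove via Add/Remove Programs' } else { 'current' }
    Uninstall = $j.UninstallString   # the same command Add/Remove Programs runs
  }
}
```

Anything marked OLD is what steps 1 to 3 in the post above tell you to uninstall; reboot if prompted and run the script again to confirm only the current version remains.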
Hi, does anybody know where I can get a free antivirus program? I have trojans and others, and my computer is going so slow. Can someone help quick?