SystemSecurity and others, HJT log included
-
Re: SystemSecurity and others, HJT log included
I installed Avira AntiVir on it and was able to scan it in safe mode, and it found 20 more infections. It seems like every time I run Spybot, Ad-Aware, Malwarebytes, or Avira (and I also tried an online one, ESET), they all find different infections that the others don't; however, I still can't completely clean it.
One issue I'm having now is that when I try to run Avira in normal mode, I get a blue screen of death. The first time I forgot what the error was, but the second time it was MEMORY_MANAGEMENT and this time it was INTERNAL_POWER_ERROR. I also notice that my physical memory usage is almost peaked at all times; not sure if that is common or not. Could it be that the infection has done damage to the laptop itself?
-
It sounds like something pretty serious is going on.
Give me a new combofix log please.
-
Here's the new combofix log.
ComboFix 09-06-29.07 - Bridget 06/30/2009 19:40.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1013.324 [GMT -4:00]
Running from: c:\users\Bridget\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.
2009-06-30 23:48 . 2009-06-30 23:48 -------- d-----w- c:\users\Bridget\AppData\Local\temp
2009-06-30 02:47 . 2007-09-26 10:47 172032 ----a-w- c:\windows\system32\igfxres.dll
2009-06-29 04:56 . 2006-10-12 16:29 83504 ----a-w- c:\programdata\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\TEMP\ProgUpd.dll
2009-06-29 04:42 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-29 04:42 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-29 04:42 . 2009-06-29 04:42 -------- d-----w- c:\programdata\Avira
2009-06-29 04:42 . 2009-06-29 04:42 -------- d-----w- c:\program files\Avira
2009-06-29 00:03 . 2009-06-29 00:03 746744 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-06-28 23:55 . 2009-06-28 23:55 -------- d-----w- c:\program files\ESET
2009-06-23 04:30 . 2009-06-23 03:40 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-23 03:39 . 2009-03-12 08:17 2902048 -c--a-w- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-23 03:39 . 2009-06-23 03:40 -------- d-----w- c:\programdata\Lavasoft
2009-06-23 03:39 . 2009-06-23 03:39 -------- d-----w- c:\program files\Lavasoft
2009-06-22 20:50 . 2009-06-22 20:50 -------- d-----w- c:\users\Bridget\AppData\Roaming\Malwarebytes
2009-06-22 20:50 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-22 20:50 . 2009-06-22 20:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-22 20:50 . 2009-06-22 20:50 -------- d-----w- c:\programdata\Malwarebytes
2009-06-22 20:50 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-22 20:33 . 2009-06-22 20:33 -------- d-----w- c:\users\Bridget\AppData\Roaming\AVG8
2009-06-22 20:08 . 2009-06-23 03:39 -------- dc-h--w- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-21 23:00 . 2009-06-21 23:00 -------- d-----w- c:\program files\CCleaner
2009-06-21 22:38 . 2009-06-21 22:38 -------- d-----w- c:\users\Bridget\AppData\Local\Symantec
2009-06-21 15:14 . 2009-06-21 15:14 -------- d-----w- c:\users\Bridget\AppData\Local\Downloaded Installations
2009-06-21 15:14 . 2009-06-22 20:39 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-21 15:14 . 2009-06-22 20:32 -------- d-----w- c:\programdata\Symantec
2009-06-21 15:14 . 2009-06-22 20:32 -------- d-----w- c:\programdata\Norton
2009-06-21 15:09 . 2009-06-21 15:14 -------- d-----w- c:\programdata\NortonInstaller
2009-06-21 15:08 . 2009-06-21 15:11 -------- d-----w- c:\users\Bridget\AppData\Roaming\GetRightToGo
2009-06-20 02:06 . 2009-06-29 03:59 -------- d-----w- c:\programdata\14104854
2009-06-20 02:06 . 2009-06-22 21:43 -------- d-----w- c:\programdata\94114846
2009-06-13 15:06 . 2009-04-30 12:42 428032 ----a-w- c:\windows\system32\EncDec.dll
2009-06-13 15:06 . 2009-04-30 12:06 292352 ----a-w- c:\windows\system32\psisdecd.dll
2009-06-13 15:06 . 2009-04-30 12:02 1244672 ----a-w- c:\windows\system32\mcmde.dll
2009-06-09 01:25 . 1998-10-02 23:00 327168 ----a-w- c:\windows\IsUninst.exe
2009-06-09 01:03 . 2009-06-09 01:05 -------- d-----w- c:\users\Bridget\.gimp-2.6
2009-06-09 01:02 . 2009-06-09 01:03 -------- d-----w- c:\users\Bridget\.gegl-0.0
2009-06-09 01:00 . 2009-06-22 22:01 -------- d-----w- c:\users\Bridget\AppData\Local\WeatherBug
2009-06-09 01:00 . 2009-06-09 01:00 -------- d-----w- c:\users\Bridget\AppData\Roaming\WeatherBug
2009-06-09 00:58 . 2009-06-09 00:58 -------- d-----w- c:\program files\Gimp-2.0
2009-06-09 00:57 . 2006-10-09 17:06 495616 ----a-w- c:\windows\system32\WINUTIL5.DLL
2009-06-09 00:57 . 2006-05-17 12:40 393216 ----a-w- c:\windows\system32\WINLCTL5.DLL
2009-06-09 00:57 . 2009-06-09 01:01 -------- d-----w- c:\programdata\Yahoo! Companion
2009-06-05 19:23 . 2009-06-05 19:23 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2009-06-02 01:00 . 2009-06-02 01:00 -------- d-----w- c:\program files\Bonjour
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-29 04:57 . 2007-12-25 15:59 -------- d-----w- c:\program files\AIM6
2009-06-29 04:57 . 2009-06-29 04:57 -------- d-----w- c:\programdata\AOL Downloads
2009-06-29 04:48 . 2007-12-17 01:53 12 ----a-w- c:\windows\bthservsdp.dat
2009-06-29 04:37 . 2009-03-05 23:35 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-06-22 20:41 . 2008-12-28 00:36 -------- d-----w- c:\program files\QuickTime
2009-06-22 02:29 . 2007-12-17 01:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-21 15:20 . 2007-12-17 02:05 -------- d-----w- c:\programdata\McAfee
2009-06-20 02:18 . 2007-12-17 02:09 -------- d-----w- c:\program files\Google
2009-06-09 00:59 . 2008-01-08 03:01 -------- d-----w- c:\program files\Yahoo!
2009-06-08 11:23 . 2008-02-03 22:59 680 ----a-w- c:\users\Bridget\AppData\Local\d3d9caps.dat
2009-06-06 14:06 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-19 05:35 . 2009-06-29 04:57 11568 ----a-w- c:\programdata\AOL Downloads\SUD4426\tbinst.dll
2009-04-24 16:22 . 2009-06-10 08:53 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:14 . 2009-06-10 08:53 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-04-24 16:14 . 2009-06-10 08:53 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 16:11 . 2009-06-10 08:53 72704 ----a-w- c:\windows\system32\admparse.dll
2009-04-24 13:53 . 2009-06-10 08:53 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-04-24 12:25 . 2009-06-10 08:53 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-04-23 13:01 . 2009-06-10 08:53 788992 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-23 12:56 . 2009-06-10 08:53 696832 ----a-w- c:\windows\system32\localspl.dll
2009-04-21 12:04 . 2009-06-10 08:53 2028032 ----a-w- c:\windows\system32\win32k.sys
2009-04-19 16:00 . 2007-12-25 15:56 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-04-19 16:00 . 2007-12-25 15:56 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-04-19 16:00 . 2007-12-25 15:56 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-04-19 16:00 . 2007-12-25 15:56 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-04-19 16:00 . 2007-12-25 15:56 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2007-12-17 09:34 . 2007-12-17 09:19 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((( SnapShot@2009-06-26_00.46.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-17 01:53 . 2009-06-30 03:51 51258 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-06-30 23:35 62242 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-12-25 21:30 . 2009-06-30 23:35 14196 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1144824207-4129929840-64229563-1000_UserData.bin
+ 2009-06-29 04:42 . 2009-05-11 14:12 28520 c:\windows\System32\drivers\ssmdrv.sys
- 2006-11-02 13:02 . 2009-06-26 00:21 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 13:02 . 2009-06-30 23:35 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 13:02 . 2009-06-30 23:35 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-02 13:02 . 2009-06-26 00:21 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 13:02 . 2009-06-30 23:35 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 13:02 . 2009-06-26 00:21 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-12-26 08:25 . 2009-06-29 04:00 2718 c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2007-12-26 08:25 . 2009-06-08 01:43 2718 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-06-30 03:48 . 2009-06-30 23:32 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-06-26 00:36 . 2009-06-26 00:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-06-30 03:48 . 2009-06-30 23:32 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-06-26 00:36 . 2009-06-26 00:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2007-12-18 50528]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-17 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2006-11-02 2159104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-28 405504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-26 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-26 129560]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-10 16384]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-23 518488]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-16 50688]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-7-20 1180952]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D630A083-851D-4FDD-A224-876EFDBC9B45}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{C50C4214-EFFB-472F-8D46-A921DBD60710}"= c:\program files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{E292CF8C-EC52-4E2E-B0E9-1C14F7131945}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{C8B72F99-0245-4D72-BD74-C0E834310796}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{4824AEB0-8366-406D-B367-0396EBE6767A}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{CE439947-2A3A-432F-99AE-316596DB9A3C}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{2F22316C-0CEB-4257-9A11-220530D9682A}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{CF09F1AD-757C-4C88-8134-1E1F4D3E655C}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D7C2F5AE-FE64-4272-BCC7-18AB7EF91E19}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{16A58F07-D94F-4876-9178-091511B344A4}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{6A0F73B1-FCDD-484F-836D-FDAA434B4D6F}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{98C80F99-8E94-4975-80F3-5960377A1A00}"= Disabled:UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{5B42B0F5-2343-4B3C-88F1-DAFD1199FE84}"= Disabled:TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{EE88E786-24C9-426F-8874-436FDDEB7DB4}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{ABA8CDEF-7E81-40D8-AE31-7B10AC786324}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [6/22/2009 11:40 PM 64160]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [12/16/2007 9:40 PM 73728]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/29/2009 12:42 AM 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1003344]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [3/5/2009 7:36 PM 1153368]
S2 eac_notifysvc;eAcceleration Notification Service;"c:\program files\eAcceleration\Framework\eac_svc.exe" --> c:\program files\eAcceleration\Framework\eac_svc.exe [?]
S2 eac_productsvc;eAcceleration Product Manager Service;"c:\program files\eAcceleration\Framework\eac_productsvc.exe" --> c:\program files\eAcceleration\Framework\eac_productsvc.exe [?]
S4 StopSign Update Manager;StopSign Update Manager;"c:\program files\Common Files\eAcceleration\eacsvc.exe" --> c:\program files\Common Files\eAcceleration\eacsvc.exe [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
2009-06-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 03:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6071217
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Bridget\AppData\Roaming\Mozilla\Firefox\Profiles\wyamwjcq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFFab&query=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-06-30 19:48
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\TEMP\TMP0000006ADF4EAB686509DFFA 524288 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-06-30 19:51
ComboFix-quarantined-files.txt 2009-06-30 23:51
ComboFix2.txt 2009-06-29 04:28
ComboFix3.txt 2009-06-26 00:51
Pre-Run: 41,473,552,384 bytes free
Post-Run: 41,293,000,704 bytes free
234 --- E O F --- 2009-06-26 00:50
-
Nothing there, unfortunately.
Do an online scan (scan only tool) with Kaspersky WebScanner
[Internet Explorer required]
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
- The program will launch and then begin downloading the latest definition files.
- Once the files have been downloaded, click on NEXT.
- Now click on Scan Settings.
- In the scan settings, make sure that the following are selected:
  - Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
  - Scan Options:
    - Scan Archives
    - Scan Mail Bases
- Click OK.
- Now under Select a target to scan:
- This program will start and scan your system.
- The scan will take a while, so be patient and let it run.
- Once the scan is complete it will display whether your system has been infected.
- Now click on the Save as Text button.
- Save the file to your desktop.
Post the results of the scan back here please and a new hijackthis log.
-
OK, the scan just finished. When I tried to save the log file it only saved it as a website, not a text file, so I tried to copy everything from the site; hopefully this is good enough:
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, July 3, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit (build 6000)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, July 03, 2009 05:57
Records in database: 2417205
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
Scan statistics
Files scanned 124256
Threat name 2
Infected objects 5
Suspicious objects 0
Duration of the scan 02:38:16
File name Threat name Threats count
C:\Qoobox\Quarantine\C\Windows\System32\SKYNETqimeuonh.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\Users\Bridget\Documents\LimeWire\Incomplete\Preview-T-3515162-dance - greatest hits.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Users\Bridget\Documents\LimeWire\Incomplete\Preview-T-3515163-rock da mic dirty - greatest hits.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Users\Bridget\Documents\LimeWire\Saved\dance - greatest hits.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Users\Bridget\Documents\LimeWire\Saved\falling soliders dirty.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
The selected area was scanned.
And also as requested, here is the next HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:34:51 AM, on 7/3/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16851)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: eAcceleration Notification Service (eac_notifysvc) - Unknown owner - C:\Program Files\eAcceleration\Framework\eac_svc.exe (file missing)
O23 - Service: eAcceleration Product Manager Service (eac_productsvc) - Unknown owner - C:\Program Files\eAcceleration\Framework\eac_productsvc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 8612 bytes
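The entries a helper looks at first in the two logs above are the ComboFix service lines that end in [?] (ComboFix could not find the service's image file on disk) and the HijackThis O2/O23 lines marked (no file) or (file missing): autostart entries whose binary is gone are leftovers of something removed or uninstalled, and O23 services with "Unknown owner" deserve a manual look even when, as with Dell's wltrysvc here, they turn out to be legitimate. The following Python is an added example, not code from this thread, from ComboFix or from HijackThis; it assumes the line layouts visible in the logs above (ComboFix `start;name;display;path [timestamp size]` and HJT `O23 - Service: name - owner - path`), and its sample input is constructed from lines copied out of those logs.

```python
import re

# Constructed sample input: service lines copied from the ComboFix log in this thread.
COMBOFIX_SAMPLE = r"""
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/29/2009 12:42 AM 108289]
S2 eac_notifysvc;eAcceleration Notification Service;"c:\program files\eAcceleration\Framework\eac_svc.exe" --> c:\program files\eAcceleration\Framework\eac_svc.exe [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
"""

# Constructed sample input: O2 (BHO) and O23 (service) lines copied from the HijackThis log.
HJT_SAMPLE = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: eAcceleration Notification Service (eac_notifysvc) - Unknown owner - C:\Program Files\eAcceleration\Framework\eac_svc.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
"""

# Assumed layouts, taken from the logs above (not an official grammar of either tool).
COMBOFIX_SERVICE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
HJT_BHO = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
HJT_SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_combofix_services(text):
    """Parse ComboFix R*/S* service lines; '[?]' in place of the timestamp/size
    means the image file was not found on disk."""
    entries = []
    for line in text.splitlines():
        m = COMBOFIX_SERVICE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        missing = rest.endswith("[?]")
        # Unresolvable quoted paths are printed as '"<quoted>" --> <resolved> [?]'.
        if " --> " in rest:
            rest = rest.split(" --> ", 1)[1]
        path = rest.rsplit(" [", 1)[0]
        entries.append({"start": m.group("start"), "name": m.group("name"),
                        "path": path, "missing": missing})
    return entries


def parse_hjt_entries(text):
    """Parse HijackThis O2 and O23 lines; '(no file)' / '(file missing)' mark
    entries whose DLL or service binary is gone."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HJT_BHO.match(line)
        if m:
            entries.append({"section": "O2", "name": m.group("name"), "owner": None,
                            "path": m.group("path"),
                            "missing": m.group("path") == "(no file)"})
            continue
        m = HJT_SERVICE.match(line)
        if m:
            path = m.group("path")
            entries.append({"section": "O23", "name": m.group("name"),
                            "owner": m.group("owner"),
                            "path": path.replace(" (file missing)", ""),
                            "missing": path.endswith("(file missing)")})
    return entries


def triage(combofix_text, hjt_text):
    """Return (source, name, reason) tuples for entries that need attention:
    orphaned autostarts/services, plus services HJT could not attribute to a vendor."""
    findings = []
    for e in parse_combofix_services(combofix_text):
        if e["missing"]:
            findings.append(("combofix", e["name"], "image file missing"))
    for e in parse_hjt_entries(hjt_text):
        if e["missing"]:
            findings.append(("hijackthis", e["name"], "file missing"))
        elif e["owner"] == "Unknown owner":
            findings.append(("hijackthis", e["name"], "unknown owner, verify vendor"))
    return findings


if __name__ == "__main__":
    for source, name, reason in triage(COMBOFIX_SAMPLE, HJT_SAMPLE):
        print(f"{source:10} {reason:30} {name}")
```

Run against the full logs, the script lists the eAcceleration/StopSign/Viewpoint leftovers, the dead WormRadar BHO and the two McAfee services whose binaries are gone; the "unknown owner" hits are a prompt to check the vendor and path by hand, not a verdict.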
-
This is the quarantine folder from ComboFix:
C:\Qoobox\Quarantine\C\Windows\System32\SKYNETqimeuonh.dll.vir Infected: Trojan.Win32.Monder.gen 1
The others need to be deleted by you:
C:\Users\Bridget\Documents\LimeWire\Incomplete\Preview-T-3515162-dance - greatest hits.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Users\Bridget\Documents\LimeWire\Incomplete\Preview-T-3515163-rock da mic dirty - greatest hits.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Users\Bridget\Documents\LimeWire\Saved\dance - greatest hits.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Users\Bridget\Documents\LimeWire\Saved\falling soliders dirty.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
Good ol' file sharing: sooner or later you're going to get infected.
Let me know after getting rid of those things if it is better please.
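The distinction drawn in the reply above, a hit inside ComboFix's Qoobox quarantine is a copy of something already removed while the LimeWire files are live and still need deleting, is easy to get wrong when a report mixes both. The following Python is an added example, not from this thread or from Kaspersky: it parses the report's `path Infected: threat count` lines (layout assumed from the report above), and sorts each hit by whether it sits under the C:\Qoobox\Quarantine root, comparing path components case-insensitively, since Windows paths are, and a naive string prefix check would miss `c:\qoobox\...`. The sample lines are constructed from the report posted earlier.

```python
from pathlib import PureWindowsPath

# Constructed sample: infected-object lines copied from the Kaspersky report above.
KASPERSKY_SAMPLE = r"""
C:\Qoobox\Quarantine\C\Windows\System32\SKYNETqimeuonh.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\Users\Bridget\Documents\LimeWire\Incomplete\Preview-T-3515162-dance - greatest hits.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Users\Bridget\Documents\LimeWire\Saved\falling soliders dirty.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
"""

# Assumed quarantine root, as shown in the report (ComboFix's Qoobox folder).
QUARANTINE_ROOT = PureWindowsPath(r"C:\Qoobox\Quarantine")


def parse_kaspersky_report(text):
    """Split '<path> Infected: <threat> <count>' lines; the split runs from the
    right so paths containing spaces survive intact."""
    rows = []
    for line in text.splitlines():
        if " Infected: " not in line:
            continue
        path, rest = line.rsplit(" Infected: ", 1)
        threat, count = rest.rsplit(" ", 1)
        rows.append({"path": path, "threat": threat, "count": int(count)})
    return rows


def is_under(path, root):
    """Case-insensitive ancestor test on path components (drive, folders)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    root_parts = [p.lower() for p in root.parts]
    return parts[:len(root_parts)] == root_parts


def classify(text):
    """Separate hits already neutralised by quarantine from those the user must remove."""
    quarantined, needs_action = [], []
    for row in parse_kaspersky_report(text):
        target = quarantined if is_under(row["path"], QUARANTINE_ROOT) else needs_action
        target.append(row)
    return {"quarantined": quarantined, "needs_manual_removal": needs_action}


if __name__ == "__main__":
    result = classify(KASPERSKY_SAMPLE)
    for label, rows in result.items():
        print(label)
        for row in rows:
            print("  ", row["threat"], "->", row["path"])
```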