[Resolved] Malware all over my computer. HJT logs Pls help.

  1. #1
    FreakY (Valued Member)

    Hey guys. First of all, thanks for taking the time to read this.

    Problem is, my (my dad's) computer got infected by several pieces of malware.
    -The computer's been running slow and takes a long time to boot (getting rid of the malware is my priority; we could work this out in depth later).
    -When I started Firefox it opened the homepage as well as another website classified as "unsafe". I had the Avast antivirus but it wasn't updated because my license ran out.
    -So I downloaded AVG Free Edition and did a full scan in Safe Mode; it found some viruses.
    -After that, I restarted and did a Spybot S&D scan and "I fixed all the problems found".
    -Later, I left Safe Mode and started my Windows XP in <normal mode>.
    -I realized that I couldn't get my wireless to work (I didn't try Ethernet because I didn't have a cable at that time). I restarted in Safe Mode with Networking and I couldn't get the wireless to work.

    -Then I had to use System Restore to get it working again. I'm afraid the viruses/spyware (malware) are still here...


    I hope this HijackThis scan log will help. I also added the "uninstall list" log from HijackThis.

    Thanks in advance.
    -FreakY

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:01:57 AM, on 10/3/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    c:\WINDOWS\system32\ZuneBusEnum.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\DOCUME~1\Menendez\LOCALS~1\Temp\RtkBtMnt.EXE
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\keyhook.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\sistray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Menendez\qmtwvh.exe \s
    O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (file missing)
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (file missing)
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE " /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE " /IMEName
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [Microsoft Driver Setup] C:\WINDOWS\iexplorer72.exe
    O4 - HKLM\..\Run: [Window Proxy Service] C:\WINDOWS\System32\winpsvc.exe
    O4 - HKLM\..\Run: [restorer32_a] C:\WINDOWS\system32\restorer32_a.exe
    O4 - HKLM\..\Run: [Windows Network Firewall] C:\WINDOWS\system32\firewall.exe
    O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
    O4 - HKLM\..\Run: [Microsoft(R) System Manager] C:\WINDOWS\system32\sysmgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [13CFG914-K641-26SF-N31P] C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0950\vsse33.exe
    O4 - HKCU\..\Run: [restorer32_a] C:\Documents and Settings\Menendez\restorer32_a.exe
    O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\iexplorer72.exe
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - spyware blocker all for auto at browsergate.com (file missing)
    O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - spyware blocker all for auto at browsergate.com (file missing)
    O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: auras - {f0d4f88e-e1f8-460f-a41c-6cfb7f73af79} - C:\WINDOWS\system32\xskmoqx.dll (file missing)
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Windows Server IP Verification Service (LSIVS) - Unknown owner - C:\WINDOWS\system32\lsivs.exe (file missing)
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --
    End of file - 6663 bytes

    =====================
    =====================
    =====================

    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe Reader 8.1.2
    Apple Software Update
    Ask Toolbar
    Bonjour
    Broadcom 802.11 Network Adapter
    Combined Community Codec Pack 2008-01-24
    Critical Update for Windows Media Player 11 (KB959772)
    Flickr Uploadr 3.1.3
    Google Talk (remove only)
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB932716-v2)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Internet Service
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.7
    Microsoft Visual C++ 2005 Redistributable
    Microsoft WinUsb 1.0
    Mozilla Firefox (3.0.14)
    MSXML 6 Service Pack 2 (KB954459)
    Nero Suite
    PowerDVD
    QuickTime
    Realtek AC'97 Audio
    RemoveIT Pro v4 - SE
    Secure Browsing
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901190)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB942615)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944533)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    SiS VGA Utilities
    SiSAGP driver
    Skype™ 3.8
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB932823-v3)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB942840)
    Update for Windows XP (KB946627)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB973815)
    VideoLAN VLC media player 0.8.6e
    Web Application
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 11
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    WinRAR archiver
    Zune
    Zune
    Zune Language Pack (ES)
    Zune Language Pack (FR)


  2. #2
    broni (Senior Member)
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please never rename ComboFix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      NOTE. If Combofix asks you to install Recovery Console, please allow it.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with ComboFix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

  3. #3
    FreakY (Valued Member)
    Hello Broni, thanks for replying and sorry for the delayed response.

    I followed the steps, but the internet didn't work, so I did a System Restore. Still, here are the HJT and ComboFix logs from before the System Restore. At the end of this post I added an HJT log from after the System Restore (just in case it's useful).

    COMBOFIX

    ComboFix 09-10-04.01 - Menendez 10/05/2009 17:31.1.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.190.81 [GMT -8:00]
    Running from: c:\documents and settings\Menendez\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Menendez\Application Data\Microsoft\Clip Organizer\mstore10.mgc
    c:\documents and settings\Menendez\Application Data\Microsoft\Clip Organizer\Offic10.MGC
    c:\documents and settings\Menendez\oashdihasidhasuidhiasdhiashdiuasdhasd
    c:\documents and settings\Menendez\Start Menu\Programs\AntiSpywareShield
    c:\documents and settings\Menendez\Start Menu\Programs\AntiSpywareShield\AntiSpywareShield.lnk
    c:\documents and settings\Menendez\Start Menu\Programs\AntiSpywareShield\Uninstall.lnk
    c:\program files\AntiSpywareShield
    c:\program files\AntiSpywareShield\AntiSpywareShield.lic
    c:\program files\AntiSpywareShield\AntiSpywareShield1.ad
    c:\program files\AntiSpywareShield\Uninstall.exe
    c:\program files\VirusHeat 4.3
    c:\program files\VirusHeat 4.3\vpp.ini
    c:\recycler\S-1-5-21-0243336031-4052116379-881863308-0851
    c:\recycler\S-1-5-21-0243336031-4052116379-881863308-0950
    c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
    c:\recycler\S-1-5-21-3924760050-5479214402-049354625-1441
    c:\recycler\S-1-5-21-5335840985-9248784781-353337287-2592
    c:\recycler\S-1-5-21-5412976693-2312741135-626942539-3767
    c:\recycler\S-1-5-21-5850021785-8784855588-571017503-6119
    c:\recycler\S-1-5-21-6054712288-9262315425-357839721-3232
    c:\recycler\S-1-5-21-6054712288-9262315425-357839721-3232\Desktop.ini
    c:\recycler\S-1-5-21-6054712288-9262315425-357839721-3232\mwau.exe
    c:\recycler\S-1-5-21-7244758626-3278823189-634519906-3965
    c:\recycler\S-1-5-21-790525478-1897051121-682003330-1001
    c:\recycler\S-1-5-21-8738800444-6979139400-148606359-3769
    c:\recycler\S-1-5-21-9177887857-7661164564-498233425-5652
    c:\windows\hosts
    c:\windows\iexplorer7.exe
    c:\windows\Installer\206071c.msi
    c:\windows\Installer\2060720.msi
    c:\windows\Installer\b33eb.msi
    c:\windows\system32\msvcrt2.dll
    c:\windows\system32\secupdat.dat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_BNDMSS
    -------\Legacy_LSIVS
    -------\Service_LSIVS
    -------\Service_Passthru


    ((((((((((((((((((((((((( Files Created from 2009-09-06 to 2009-10-06 )))))))))))))))))))))))))))))))
    .

    2009-10-02 05:40 . 2009-10-02 05:40 -------- d-----w- c:\windows\system32\wbem\Repository
    2009-10-02 05:37 . 2009-10-02 05:37 -------- d-----w- c:\documents and settings\Menendez\Application Data\AVG7
    2009-10-02 05:37 . 2009-10-02 05:37 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\AVG7
    2009-10-02 05:37 . 2009-10-02 05:37 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg7
    2009-10-02 05:36 . 2009-10-02 05:36 -------- d-----w- c:\program files\AskSBar
    2009-10-01 03:34 . 2009-10-01 04:05 -------- d-----w- C:\$AVG8.VAULT$
    2009-10-01 02:34 . 2009-10-01 02:34 -------- d-----w- c:\windows\system32\drivers\Avg(2)
    2009-10-01 02:34 . 2009-10-02 05:37 -------- d-----w- c:\program files\AVG(2)
    2009-10-01 02:34 . 2009-10-02 05:37 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8(2)
    2009-10-01 02:17 . 2009-10-01 02:17 -------- d-----w- C:\AVGTemp
    2009-10-01 00:58 . 2009-10-01 00:58 -------- d-----w- c:\documents and settings\Menendez\Application Data\AVG8
    2009-10-01 00:32 . 2009-10-01 00:32 67072 ----a-w- c:\windows\system32\mbciae.exe
    2009-10-01 00:16 . 2009-10-01 00:16 -------- d-----w- c:\documents and settings\Menendez\Application Data\Panda Security
    2009-10-01 00:09 . 2009-10-01 00:09 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Panda Security
    2009-09-30 23:46 . 2009-09-30 23:46 67072 ----a-w- c:\windows\system32\dsof.exe
    2009-09-30 06:13 . 2009-09-30 06:13 67072 ----a-w- c:\windows\system32\mdgvrr.exe
    2009-09-30 05:40 . 2009-09-30 05:40 67072 ----a-w- c:\windows\system32\dsibm.exe
    2009-09-29 22:53 . 2009-09-29 22:53 67072 ----a-w- c:\windows\system32\jwxrmta.exe
    2009-09-27 17:03 . 2009-09-27 17:03 -------- d-----w- c:\documents and settings\Menendez\Local Settings\Application Data\PCHealth
    2009-09-26 18:33 . 2009-09-26 21:07 140288 ----a-w- C:\up2.exe
    2009-09-26 03:29 . 2009-09-26 03:29 -------- d-----w- C:\834633b4e8885c17f623e4b8
    2009-09-26 03:28 . 2009-09-26 03:29 -------- d-----w- C:\d4ed617d8788bf68ce70a613ea
    2009-09-21 22:33 . 2009-09-21 22:33 33440 ----a-w- c:\windows\system32\drivers\dobelbez.sys
    2009-09-21 22:20 . 2009-09-21 22:20 33440 ----a-w- c:\windows\system32\drivers\hwvkknrf.sys
    2009-09-21 22:16 . 2009-09-21 22:17 -------- d-----w- C:\68e627b4e9040d007e
    2009-09-21 22:15 . 2009-09-21 22:16 -------- d-----w- C:\4cfd8036aa8d22e57950ff43bd
    2009-09-21 22:13 . 2009-09-21 22:13 12288 ---ha-w- c:\documents and settings\Menendez\qmtwvh.exe
    2009-09-21 22:13 . 2009-09-21 22:13 50944 ----a-w- c:\windows\system32\drivers\ndisvvan.sys
    2009-09-19 17:23 . 2009-09-19 17:24 -------- d-----w- C:\c24c7f79fbe67519e653d0
    2009-09-19 17:23 . 2009-09-19 17:23 -------- d-----w- C:\0da9e216b2d6b7837f15cc0c9c7c

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-10-02 05:36 . 2008-03-03 08:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-10-02 05:36 . 2008-03-03 08:17 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
    2009-09-01 03:42 . 2008-02-03 20:30 85496 ----a-w- c:\documents and settings\Menendez\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-08-23 09:55 . 2008-08-17 01:10 -------- d-----w- c:\documents and settings\Menendez\Application Data\Skype
    2009-08-23 09:44 . 2008-08-17 01:13 -------- d-----w- c:\documents and settings\Menendez\Application Data\skypePM
    2009-08-15 04:07 . 2009-08-15 04:07 -------- d-----w- c:\program files\MSBuild
    2009-08-15 04:07 . 2009-08-15 04:07 -------- d-----w- c:\program files\Reference Assemblies
    2009-08-15 03:57 . 2009-08-15 03:57 -------- d-----w- c:\program files\MSXML 6.0
    2009-08-05 09:11 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-07-17 18:55 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-14 07:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-03-04 66912]

    [HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
    2008-03-04 06:25 66912 ----a-w- c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
    "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]
    "SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2005-03-04 32768]
    "SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-03-01 577536]
    "SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2005-02-25 49152]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Utility Tray.lnk - c:\windows\system32\sistray.exe [2009-2-1 331776]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dobelbez.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
    @=""

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\InCode Solutions\\RemoveIT Pro v4 - SE\\removeit.exe"=
    "poxy4.exe"= poxy4.exe:LSIVS
    "skp66.exe"= skp66.exe:BNDMSS
    "ud32.exe"= ud32.exe:BNDMSS
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\WINDOWS\\system32\\jwxrmta.exe"=
    "c:\\WINDOWS\\system32\\dsibm.exe"=
    "c:\\WINDOWS\\system32\\mdgvrr.exe"=
    "c:\\WINDOWS\\system32\\dsof.exe"=

    R0 dobelbez;dobelbez;c:\windows\system32\drivers\dobelbez.sys [9/21/2009 2:33 PM 33440]
    S3 hwvkknrf;hwvkknrf;c:\windows\system32\drivers\hwvkknrf.sys [9/21/2009 2:20 PM 33440]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-09-09 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 00:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xportar a Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Menendez\Application Data\Mozilla\Firefox\Profiles\94wlakj8.default\
    FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
    FF - plugin: c:\documents and settings\All Users.WINDOWS\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-restorer32_a - c:\documents and settings\Menendez\restorer32_a.exe
    HKLM-Run-Microsoft Driver Setup - c:\windows\iexplorer72.exe
    HKLM-Run-Window Proxy Service - c:\windows\System32\winpsvc.exe
    HKLM-Run-restorer32_a - c:\windows\system32\restorer32_a.exe
    HKLM-Run-Windows Network Firewall - c:\windows\system32\firewall.exe
    HKLM-Run-Microsoft(R) System Manager - c:\windows\system32\sysmgr.exe
    AddRemove-Secure Browsing - c:\program files\NetProject\sbun.exe
    AddRemove-Web Application - c:\program files\NetProject\waun.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2009-10-05 17:45
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
    @Denied: (Full) (Everyone)
    "scansk"=hex(0):79,2d,fb,6b,6a,0e,84,28,12,31,aa,58,77,57,e3,fc,64,07,dd,fd,e7,
    cb,f7,38,f0,ab,59,b1,90,f4,1b,61,a9,4f,bc,c7,25,2b,9c,29,00,00,00,00,00,00,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f9259ea1-4baa-40fe-a6be-5331616f9785}]
    @Denied: (Full) (Everyone)
    "Model"=dword:00000070
    "Therad"=dword:0000002a
    "MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
    38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(332)
    c:\windows\System32\BCMLogon.dll

    - - - - - - - > 'explorer.exe'(2736)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\BCMWLTRY.EXE
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\ZuneBusEnum.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\WLTRAY.EXE
    c:\windows\system32\rundll32.exe
    c:\docume~1\Menendez\LOCALS~1\temp\RtkBtMnt.EXE
    .
    **************************************************************************
    .
    Completion time: 2009-10-06 17:53 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-10-06 01:52

    Pre-Run: 7,742,382,080 bytes free
    Post-Run: 8,917,037,056 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    227 --- E O F --- 2009-10-05 20:36


    HJT (AFTER COMBOFIX, BEFORE SYSTEM RESTORE)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:54:46 PM, on 10/5/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    c:\WINDOWS\system32\ZuneBusEnum.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\keyhook.exe
    C:\DOCUME~1\Menendez\LOCALS~1\Temp\RtkBtMnt.EXE
    C:\WINDOWS\system32\sistray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (file missing)
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (file missing)
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE " /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE " /IMEName
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --
    End of file - 5042 bytes


    HJT (AFTER COMBOFIX, AFTER SYSTEM RESTORE)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:07:36 PM, on 10/5/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    c:\WINDOWS\system32\ZuneBusEnum.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\keyhook.exe
    C:\DOCUME~1\Menendez\LOCALS~1\Temp\RtkBtMnt.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\sistray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Menendez\qmtwvh.exe \s
    O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (file missing)
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (file missing)
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE " /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE " /IMEName
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [Microsoft Driver Setup] C:\WINDOWS\iexplorer72.exe
    O4 - HKLM\..\Run: [Window Proxy Service] C:\WINDOWS\System32\winpsvc.exe
    O4 - HKLM\..\Run: [restorer32_a] C:\WINDOWS\system32\restorer32_a.exe
    O4 - HKLM\..\Run: [Windows Network Firewall] C:\WINDOWS\system32\firewall.exe
    O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
    O4 - HKLM\..\Run: [Microsoft(R) System Manager] C:\WINDOWS\system32\sysmgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [13CFG914-K641-26SF-N31P] C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0950\vsse33.exe
    O4 - HKCU\..\Run: [restorer32_a] C:\Documents and Settings\Menendez\restorer32_a.exe
    O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\iexplorer72.exe
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - spyware blocker pussy all for at browsergate.com (file missing)
    O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - spyware blocker pussy all for at browsergate.com (file missing)
    O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: auras - {f0d4f88e-e1f8-460f-a41c-6cfb7f73af79} - C:\WINDOWS\system32\xskmoqx.dll (file missing)
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Windows Server IP Verification Service (LSIVS) - Unknown owner - C:\WINDOWS\system32\lsivs.exe (file missing)
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --
    End of file - 6702 bytes

  4. #4
    broni is offline Senior Member
    Though, here are the HJT and Combofix logs before the system restore
    This won't do.
    I need you to re-run Combofix and HJT.
    DO NOT make any other changes.
    By using system restore, we'll be going back and forth.
    Whatever Combofix removes, it'll be back by using system restore.

  5. #5
    FreakY is offline Valued Member
    Quote Originally Posted by broni:
        then restart your computer to restore back your connection.
    I'm so sorry, I got your message wrong. I thought that you meant: if there's no internet connection, restore (system restore). I'll run Combofix right away.

  6. #6
    FreakY is offline Valued Member
    I scanned with Combofix again and restarted a couple of times, but I couldn't connect to the internet, though my wireless adapter was working fine.

    Tomorrow I'll have access to another computer with internet, so I'll send the logs through that computer and see what we can do. Thx.

  7. #7
    broni is offline Senior Member
    That's a good idea, so I can see what was removed.
    I'd also like you to see if you can connect when hard-wired.

  8. #8
    FreakY is offline Valued Member
    Here they are.

    ComboFix 09-10-05.01 - Menendez 10/06/2009 13:43.1.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.190.11 [GMT -8:00]
    Running from: c:\documents and settings\Menendez\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Menendez\Start Menu\Programs\AntiSpywareShield
    c:\documents and settings\Menendez\Start Menu\Programs\AntiSpywareShield\AntiSpywareShield.lnk
    c:\documents and settings\Menendez\Start Menu\Programs\AntiSpywareShield\Uninstall.lnk
    c:\program files\AntiSpywareShield
    c:\program files\AntiSpywareShield\AntiSpywareShield.lic
    c:\program files\AntiSpywareShield\Uninstall.exe
    c:\program files\VirusHeat 4.3
    c:\program files\VirusHeat 4.3\vpp.ini
    c:\recycler\S-1-5-21-0243336031-4052116379-881863308-0851
    c:\recycler\S-1-5-21-0243336031-4052116379-881863308-0950
    c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
    c:\recycler\S-1-5-21-3924760050-5479214402-049354625-1441
    c:\recycler\S-1-5-21-5335840985-9248784781-353337287-2592
    c:\recycler\S-1-5-21-5412976693-2312741135-626942539-3767
    c:\recycler\S-1-5-21-5850021785-8784855588-571017503-6119
    c:\recycler\S-1-5-21-6054712288-9262315425-357839721-3232
    c:\recycler\S-1-5-21-6054712288-9262315425-357839721-3232\Desktop.ini
    c:\recycler\S-1-5-21-6054712288-9262315425-357839721-3232\mwau.exe
    c:\recycler\S-1-5-21-7244758626-3278823189-634519906-3965
    c:\recycler\S-1-5-21-790525478-1897051121-682003330-1001
    c:\recycler\S-1-5-21-8738800444-6979139400-148606359-3769
    c:\recycler\S-1-5-21-9177887857-7661164564-498233425-5652
    c:\windows\iexplorer7.exe
    c:\windows\Installer\206071c.msi
    c:\windows\Installer\2060720.msi
    c:\windows\Installer\b33eb.msi
    c:\windows\system32\msvcrt2.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_BNDMSS
    -------\Legacy_LSIVS
    -------\Service_LSIVS
    -------\Service_Passthru


    ((((((((((((((((((((((((( Files Created from 2009-09-06 to 2009-10-06 )))))))))))))))))))))))))))))))
    .

    2009-10-06 04:47 . 2009-10-06 04:47 -------- d-----w- c:\windows\system32\wbem\Repository
    2009-10-06 04:01 . 2009-10-06 04:46 -------- d-----w- C:\cmdcons(2)
    2009-10-02 05:37 . 2009-10-02 05:37 -------- d-----w- c:\documents and settings\Menendez\Application Data\AVG7
    2009-10-02 05:37 . 2009-10-02 05:37 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\AVG7
    2009-10-02 05:37 . 2009-10-02 05:37 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg7
    2009-10-02 05:36 . 2009-10-02 05:36 -------- d-----w- c:\program files\AskSBar
    2009-10-01 03:34 . 2009-10-01 04:05 -------- d-----w- C:\$AVG8.VAULT$
    2009-10-01 02:34 . 2009-10-01 02:34 -------- d-----w- c:\windows\system32\drivers\Avg(2)
    2009-10-01 02:34 . 2009-10-02 05:37 -------- d-----w- c:\program files\AVG(2)
    2009-10-01 02:34 . 2009-10-02 05:37 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8(2)
    2009-10-01 02:17 . 2009-10-01 02:17 -------- d-----w- C:\AVGTemp
    2009-10-01 00:58 . 2009-10-01 00:58 -------- d-----w- c:\documents and settings\Menendez\Application Data\AVG8
    2009-10-01 00:32 . 2009-10-01 00:32 67072 ----a-w- c:\windows\system32\mbciae.exe
    2009-10-01 00:16 . 2009-10-01 00:16 -------- d-----w- c:\documents and settings\Menendez\Application Data\Panda Security
    2009-10-01 00:09 . 2009-10-01 00:09 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Panda Security
    2009-09-30 23:46 . 2009-09-30 23:46 67072 ----a-w- c:\windows\system32\dsof.exe
    2009-09-30 06:13 . 2009-09-30 06:13 67072 ----a-w- c:\windows\system32\mdgvrr.exe
    2009-09-30 05:40 . 2009-09-30 05:40 67072 ----a-w- c:\windows\system32\dsibm.exe
    2009-09-29 22:53 . 2009-09-29 22:53 67072 ----a-w- c:\windows\system32\jwxrmta.exe
    2009-09-27 17:03 . 2009-09-27 17:03 -------- d-----w- c:\documents and settings\Menendez\Local Settings\Application Data\PCHealth
    2009-09-26 18:33 . 2009-09-26 21:07 140288 ----a-w- C:\up2.exe
    2009-09-26 03:29 . 2009-09-26 03:29 -------- d-----w- C:\834633b4e8885c17f623e4b8
    2009-09-26 03:28 . 2009-09-26 03:29 -------- d-----w- C:\d4ed617d8788bf68ce70a613ea
    2009-09-21 22:33 . 2009-09-21 22:33 33440 ----a-w- c:\windows\system32\drivers\dobelbez.sys
    2009-09-21 22:20 . 2009-09-21 22:20 33440 ----a-w- c:\windows\system32\drivers\hwvkknrf.sys
    2009-09-21 22:16 . 2009-09-21 22:17 -------- d-----w- C:\68e627b4e9040d007e
    2009-09-21 22:15 . 2009-09-21 22:16 -------- d-----w- C:\4cfd8036aa8d22e57950ff43bd
    2009-09-21 22:13 . 2009-09-21 22:13 12288 ---ha-w- c:\documents and settings\Menendez\qmtwvh.exe
    2009-09-21 22:13 . 2009-09-21 22:13 50944 ----a-w- c:\windows\system32\drivers\ndisvvan.sys
    2009-09-19 17:23 . 2009-09-19 17:24 -------- d-----w- C:\c24c7f79fbe67519e653d0
    2009-09-19 17:23 . 2009-09-19 17:23 -------- d-----w- C:\0da9e216b2d6b7837f15cc0c9c7c

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-10-02 05:36 . 2008-03-03 08:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-10-02 05:36 . 2008-03-03 08:17 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
    2009-09-01 03:42 . 2008-02-03 20:30 85496 ----a-w- c:\documents and settings\Menendez\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-08-23 09:55 . 2008-08-17 01:10 -------- d-----w- c:\documents and settings\Menendez\Application Data\Skype
    2009-08-23 09:44 . 2008-08-17 01:13 -------- d-----w- c:\documents and settings\Menendez\Application Data\skypePM
    2009-08-15 04:07 . 2009-08-15 04:07 -------- d-----w- c:\program files\MSBuild
    2009-08-15 04:07 . 2009-08-15 04:07 -------- d-----w- c:\program files\Reference Assemblies
    2009-08-15 03:57 . 2009-08-15 03:57 -------- d-----w- c:\program files\MSXML 6.0
    2009-08-05 09:11 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-07-17 18:55 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-14 07:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-03-04 66912]

    [HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
    2008-03-04 06:25 66912 ----a-w- c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "restorer32_a"="c:\documents and settings\Menendez\restorer32_a.exe" [BU]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
    "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]
    "SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2005-03-04 32768]
    "Microsoft Driver Setup"="c:\windows\iexplorer72.exe" [BU]
    "Window Proxy Service"="c:\windows\System32\winpsvc.exe" [BU]
    "restorer32_a"="c:\windows\system32\restorer32_a.exe" [BU]
    "Windows Network Firewall"="c:\windows\system32\firewall.exe" [BU]
    "Microsoft(R) System Manager"="c:\windows\system32\sysmgr.exe" [BU]
    "SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-03-01 577536]
    "SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2005-02-25 49152]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Utility Tray.lnk - c:\windows\system32\sistray.exe [2009-2-1 331776]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dobelbez.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
    @=""

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\InCode Solutions\\RemoveIT Pro v4 - SE\\removeit.exe"=
    "poxy4.exe"= poxy4.exe:LSIVS
    "skp66.exe"= skp66.exe:BNDMSS
    "ud32.exe"= ud32.exe:BNDMSS
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\WINDOWS\\system32\\jwxrmta.exe"=
    "c:\\WINDOWS\\system32\\dsibm.exe"=
    "c:\\WINDOWS\\system32\\mdgvrr.exe"=
    "c:\\WINDOWS\\system32\\dsof.exe"=

    R0 dobelbez;dobelbez;c:\windows\system32\drivers\dobelbez.sys [9/21/2009 2:33 PM 33440]
    S3 hwvkknrf;hwvkknrf;c:\windows\system32\drivers\hwvkknrf.sys [9/21/2009 2:20 PM 33440]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-09-09 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 00:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xportar a Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Menendez\Application Data\Mozilla\Firefox\Profiles\94wlakj8.default\
    FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
    FF - plugin: c:\documents and settings\All Users.WINDOWS\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2009-10-06 13:57
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
    @Denied: (Full) (Everyone)
    "scansk"=hex(0):79,2d,fb,6b,6a,0e,84,28,12,31,aa,58,77,57,e3,fc,64,07,dd,fd,e7,
    cb,f7,38,f0,ab,59,b1,90,f4,1b,61,a9,4f,bc,c7,25,2b,9c,29,00,00,00,00,00,00,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f9259ea1-4baa-40fe-a6be-5331616f9785}]
    @Denied: (Full) (Everyone)
    "Model"=dword:00000070
    "Therad"=dword:0000002a
    "MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
    38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(328)
    c:\windows\System32\BCMLogon.dll

    - - - - - - - > 'explorer.exe'(3044)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\BCMWLTRY.EXE
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\ZuneBusEnum.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\WLTRAY.EXE
    c:\windows\system32\rundll32.exe
    c:\docume~1\Menendez\LOCALS~1\temp\RtkBtMnt.EXE
    .
    **************************************************************************
    .
    Completion time: 2009-10-06 14:04 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-10-06 22:04
    ComboFix2.txt 2009-10-06 01:53

    Pre-Run: 8,572,358,656 bytes free
    Post-Run: 8,503,181,312 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    220 --- E O F --- 2009-10-03 08:15

    =======================================
    =======================================

    HJT

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:05:19 PM, on 10/6/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    c:\WINDOWS\system32\ZuneBusEnum.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\keyhook.exe
    C:\DOCUME~1\Menendez\LOCALS~1\Temp\RtkBtMnt.EXE
    C:\WINDOWS\system32\sistray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (file missing)
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (file missing)
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [Microsoft Driver Setup] C:\WINDOWS\iexplorer72.exe
    O4 - HKLM\..\Run: [Window Proxy Service] C:\WINDOWS\System32\winpsvc.exe
    O4 - HKLM\..\Run: [restorer32_a] C:\WINDOWS\system32\restorer32_a.exe
    O4 - HKLM\..\Run: [Windows Network Firewall] C:\WINDOWS\system32\firewall.exe
    O4 - HKLM\..\Run: [Microsoft(R) System Manager] C:\WINDOWS\system32\sysmgr.exe
    O4 - HKCU\..\Run: [restorer32_a] C:\Documents and Settings\Menendez\restorer32_a.exe
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --
    End of file - 5470 bytes

  9. #9
    broni is offline Senior Member
    Before we do anything...is the wireless gone again after running Combofix?
    How about wired connection?

  10. #10
    FreakY is offline Valued Member
    Sorry I didn't report that.

    Negative, neither wireless nor wired connections will connect to the internet.
