Help again, this time I have ONE security thing, Avast ONLY!

Posted 4/29/2009 7:45 AM
#73185

Maggie8 Advanced member

Date Joined Nov 2016
Total Posts: 69
ComboFix 09-04-28.02 - Mom 04/29/2009 0:30.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1449 [GMT -7:00]
Running from: c:\documents and settings\Mom\Desktop\FIX\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090428-0] *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-28 14:24 . 2009-04-28 14:24 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-20 11:33 . 2009-04-20 11:33 45920 ---ha-w c:\windows\system32\mlfcache.dat
2009-04-19 00:14 . 2009-04-19 00:14 -------- d-----w c:\program files\KingsIsle Entertainment
2009-04-15 10:39 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 10:39 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 10:39 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 10:39 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 10:39 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 10:39 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 10:39 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 10:39 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 10:39 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 10:39 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 10:36 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 10:36 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-12 03:57 . 2007-04-26 21:55 33664 ----a-w c:\windows\system32\drivers\BCMWLNPF.SYS
2009-04-12 03:57 . 2007-06-14 22:57 86016 ----a-w c:\windows\system32\preflib.dll
2009-04-12 03:57 . 2007-04-26 21:55 184320 ----a-w c:\windows\system32\bcmwlu00.exe
2009-04-12 03:57 . 2007-06-14 22:53 44032 ----a-w c:\windows\system32\wltrynt.dll
2009-04-12 03:57 . 2007-04-26 21:55 69632 ----a-w c:\windows\system32\bcmwlpkt.dll
2009-04-12 03:57 . 2007-06-14 22:52 1134592 ----a-w c:\windows\system32\BCMWLTRY.EXE
2009-04-12 03:57 . 2007-06-14 22:45 20480 ----a-w c:\windows\system32\WLTRYSVC.EXE
2009-04-12 03:57 . 2007-04-26 21:55 2129920 ----a-w c:\windows\system32\WLBCGCBPRO731.DLL
2009-04-12 03:57 . 2007-06-14 22:57 757760 ----a-w c:\windows\system32\bcm1xsup.dll
2009-04-12 03:57 . 2007-10-09 21:33 198144 ----a-w c:\windows\system32\drivers\WUSB54GSCV2.sys
2009-04-12 03:57 . 2009-04-12 03:57 -------- d-----w c:\program files\Linksys
2009-04-12 02:22 . 2007-06-14 22:53 700416 ----a-w c:\windows\system32\BCMLogon.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 13:36 . 2009-01-28 13:36 60416 --sha-w c:\windows\system32\fazugafi.exe
2009-04-27 07:23 . 2009-02-10 22:26 -------- d-----w c:\program files\Paint Shop Pro 5
2009-04-25 08:24 . 2009-03-25 23:31 714 ----a-w c:\documents and settings\Mom\Application Data\wklnhst.dat
2009-04-20 10:38 . 2009-02-22 02:15 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-19 00:14 . 2008-04-24 01:11 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-15 16:56 . 2008-10-26 03:53 70296 ----a-w c:\documents and settings\Mom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-13 22:41 . 2008-10-26 22:57 34 ----a-w c:\documents and settings\Mom\jagex_runescape_preferences.dat
2009-04-06 22:32 . 2009-02-22 02:15 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2009-02-22 02:15 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-04 16:23 . 2008-12-26 01:36 -------- d-----w c:\program files\EA Games
2009-03-26 00:37 . 2009-03-26 00:37 -------- d-----w c:\program files\Serif
2009-03-25 23:23 . 2008-04-24 01:16 -------- d-----w c:\program files\Microsoft Works
2009-03-20 06:26 . 2009-03-20 06:26 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-19 05:29 . 2009-03-19 05:29 -------- d-----w c:\program files\GameSpy Arcade
2009-03-19 05:27 . 2009-03-16 06:42 -------- d-----w c:\program files\Microsoft Games
2009-03-19 05:24 . 2009-03-19 05:24 -------- d-----w c:\program files\DAEMON Tools Lite
2009-03-19 05:21 . 2009-03-19 05:21 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-03-17 07:22 . 2009-02-27 00:33 -------- d-----w c:\program files\McAfee
2009-03-11 12:27 . 2009-02-23 17:58 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-09 20:52 . 2009-03-09 20:49 -------- d-----w c:\program files\Playboy
2009-03-08 14:45 . 2009-03-08 14:45 -------- d-----w c:\program files\MSXML 4.0
2009-03-08 11:36 . 2009-03-08 11:36 -------- d-----w c:\program files\Common Files\Kodak
2009-03-08 11:25 . 2009-03-08 07:13 -------- d-----w c:\program files\Kodak
2009-03-06 14:22 . 2004-08-10 17:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 09:29 . 2009-03-06 09:29 -------- d-----w c:\program files\Microsoft
2009-03-06 09:29 . 2009-03-06 09:28 -------- d-----w c:\program files\Windows Live
2009-03-06 09:29 . 2009-03-06 09:29 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-06 09:24 . 2009-03-06 09:24 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-05 11:46 . 2009-03-05 11:43 -------- d-----w c:\program files\MyDSC2
2009-03-05 10:44 . 2008-04-24 01:15 -------- d-----w c:\program files\Google
2009-03-05 10:21 . 2009-03-05 10:21 -------- d-----w c:\program files\DC505
2009-03-03 00:18 . 2004-08-10 17:51 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-23 22:51 . 2004-08-10 17:50 67 --sha-w c:\windows\Fonts\desktop.ini
2009-02-23 20:02 . 2004-08-10 18:03 77939 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-02-23 17:56 . 2009-02-23 17:56 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-20 18:09 . 2004-08-10 17:51 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-10 17:51 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-10 17:51 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-10 17:51 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-10 17:50 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-10 17:51 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2004-08-04 03:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-07 02:52 . 2009-02-07 02:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 11:11 . 2004-08-10 17:51 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-10 17:51 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-10 17:51 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-10 17:51 56832 ----a-w c:\windows\system32\secur32.dll
2004-04-27 22:19 . 2009-03-17 08:10 3192827 ----a-w c:\program files\haloce.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-04-29_07.10.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-29 07:21 . 2009-04-29 07:21 16384 c:\windows\temp\Perflib_Perfdata_6c4.dat
+ 2009-04-29 07:21 . 2009-04-29 07:21 16384 c:\windows\temp\Perflib_Perfdata_648.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-04-07 8466432]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-23 136600]
"DigiSrv"="c:\windows\Twain_32\DigiCam\DigiSrv.exe" [2003-08-07 180304]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-07-18 1306624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer(tm) Generals\\game.dat"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"=
"c:\\Program Files\\Microsoft Games\\Halo Custom Edition\\haloce.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\EA Games\\Battlefield 1942 Multiplayer Demo\\BF1942Demo.exe"=

R2 gupdate1c99a8d25a3be0;Google Update Service (gupdate1c99a8d25a3be0);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-01 133104]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-16 7408]
R3 SQTECH913C;DigiCam;c:\windows\system32\DRIVERS\Capt913c.sys [2004-03-17 27632]
S1 aswSP;avast! Self Protection; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-01-16 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-01-16 55024]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\printer\center\KodakSvc.exe [2008-07-25 18944]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
S2 WUSB54GSC;WUSB54GSC; [x]
S3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\DRIVERS\WUSB54GSCV2.sys [2007-10-09 198144]


--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2009-04-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-01 18:32]

2009-04-29 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-01 16:44]

2009-04-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DriverUpdaterPro - c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Mom\Application Data\Mozilla\Firefox\Profiles\5wxad41q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 00:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2668)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-29 0:37
ComboFix-quarantined-files.txt 2009-04-29 07:37
ComboFix2.txt 2009-04-29 07:13
ComboFix3.txt 2008-12-26 10:27
ComboFix4.txt 2008-12-26 09:08
ComboFix5.txt 2009-04-29 07:30

Pre-Run: 119,866,691,584 bytes free
Post-Run: 119,861,235,712 bytes free

210 --- E O F --- 2009-04-28 16:03
****************************************
Malwarebytes' Anti-Malware 1.36
Database version: 2053
Windows 5.1.2600 Service Pack 3

4/28/2009 7:19:14 AM
mbam-log-2009-04-28 (07-19-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 5556
Time elapsed: 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 4
Registry Values Infected: 5
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\pitevigu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\batusoka.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fahojiku.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\modeboho.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\halisuse.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a907ea98-3324-47d9-9d4a-cbc1d6109821} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a907ea98-3324-47d9-9d4a-cbc1d6109821} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a907ea98-3324-47d9-9d4a-cbc1d6109821} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\549327dd (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm57a01441 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zuhawasoke (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\pitevigu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\pitevigu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\fahojiku.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\batusoka.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\akosutab.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fahojiku.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\modeboho.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\halisuse.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\pitevigu.dll (Trojan.Vundo.H) -> Delete on reboot.
*****************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:58 AM, on 4/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\Twain_32\DigiCam\DigiSrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Linksys\WUSB54GSCv2\WLService.exe
C:\Program Files\Linksys\WUSB54GSCv2\WUSB54GSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mom\Desktop\FIX\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [DigiSrv] C:\WINDOWS\Twain_32\DigiCam\DigiSrv.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224995547297
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c99a8d25a3be0) (gupdate1c99a8d25a3be0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: WUSB54GSC - GEMTEKS - C:\Program Files\Linksys\WUSB54GSCv2\WLService.exe

--
End of file - 7913 bytes
***************************************
Windows keeps shutting off and giving me a blue screen saying it had to shut off. Ran stuff in Safe Mode. Is it clean? Thanks Touch.
~Margie
Posted 4/29/2009 12:54 PM
#73192

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12976
Delete this file:
c:\windows\system32\fazugafi.exe

Reboot.

Still got blue screens?

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.
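The file Touch names above is the one a log reader picks out of the Find3M report: a random eight-letter name sitting loose in system32 with the system and hidden bits set (`--sha-w`), the same naming pattern as the Vundo DLLs and Run values in the MBAM log earlier in the thread. As an added example (not code from the thread, from ComboFix, or from Malwarebytes), here is a small Python triage script that applies those checks to ComboFix-style log lines: random-looking file names, hidden/system executables in system32, random Run value names, and anything written to AppInit_DLLs or the LSA Notification Packages list. The regexes and thresholds are assumptions; the sample log mixes verbatim file lines and Run values from the log above with constructed entries for the Vundo Run values, AppInit_DLLs and Notification Packages (the rundll32 command lines are assumed, not taken from the logs).

```python
"""Triage helper for ComboFix-style log lines (added example; not part of the
thread, of ComboFix or of Malwarebytes).  Heuristics, all assumptions:
  * file names of 8-10 lowercase letters with strictly alternating consonants
    and vowels (pitevigu, batusoka, fazugafi in the logs above);
  * system/hidden bits on a loose .exe/.dll/.sys/.ini in system32;
  * Run values whose *name* is such a token or digit-heavy (549327dd);
  * any AppInit_DLLs entry, and any LSA Notification Package besides scecli.
"""
import re
from typing import List, Optional

# File line:  "<mtime> . <ctime> <size|--------> <7 attr chars> <path>"
FILE_LINE = re.compile(
    r"^(?P<mod>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<cre>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\d+|-+) (?P<attr>[-a-z]{7}) (?P<path>.+?)\s*$")
# Registry lines: "[KEY]" followed by '"name"=data' lines
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')
VOWELS = set("aeiou")


def alternating_token(s: str) -> bool:
    """8-10 lowercase letters, consonant/vowel strictly alternating."""
    if not (8 <= len(s) <= 10) or not s.isalpha() or not s.islower():
        return False
    return all((a in VOWELS) != (b in VOWELS) for a, b in zip(s, s[1:]))


def digit_heavy_token(s: str) -> bool:
    """Lowercase alphanumerics with at least four digits, e.g. 549327dd."""
    return (len(s) >= 8 and s.isalnum() and s == s.lower()
            and sum(c.isdigit() for c in s) >= 4)


def file_finding(attr: str, path: str) -> Optional[str]:
    """Reason string if a ComboFix file entry looks like a dropper, else None."""
    if attr.startswith("d"):                      # directory entry
        return None
    low = path.lower()
    stem, _, ext = low.rsplit("\\", 1)[-1].rpartition(".")
    if ext not in {"exe", "dll", "sys", "ini"}:
        return None
    reasons = []
    if alternating_token(stem):
        reasons.append(f"random-looking {len(stem)}-letter name")
    loose_in_system32 = "\\system32\\" in low and "\\dllcache\\" not in low
    if loose_in_system32 and ("s" in attr or "h" in attr):
        reasons.append("system/hidden bits set on a loose file in system32")
    return "; ".join(reasons) or None


def triage(log_text: str) -> List[str]:
    """Walk the log once, tracking the current [key], and collect findings."""
    findings: List[str] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = REG_KEY.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = FILE_LINE.match(line)
        if m:
            reason = file_finding(m.group("attr"), m.group("path"))
            if reason:
                findings.append(f"FILE {m.group('path')}: {reason}")
            continue
        m = REG_VALUE.match(line)
        if not (m and key):
            continue
        name, data = m.group("name"), m.group("data")
        if key.endswith("\\run") and (alternating_token(name) or digit_heavy_token(name)):
            findings.append(f"RUN {name}: random value name -> {data}")
        elif name.lower() == "appinit_dlls" and data.strip('" '):
            findings.append(f"APPINIT {data.strip()}: DLL loaded into every user32 process")
        elif name.lower() == "notification packages":
            extra = [p for p in re.split(r'[\s,"]+', data) if p and p.lower() != "scecli"]
            if extra:
                findings.append(f"LSA {' '.join(extra)}: non-default package loaded by lsass.exe")
    return findings


# Constructed sample: file lines and the avast!/EKIJ Run values are verbatim
# from the ComboFix log above; the Vundo Run values, AppInit_DLLs and
# Notification Packages lines are rebuilt from the MBAM findings (assumed
# rundll32 command lines) in ComboFix's format.
SAMPLE_LOG = r"""
2009-04-28 13:36 . 2009-01-28 13:36 60416 --sha-w c:\windows\system32\fazugafi.exe
2009-04-20 11:33 . 2009-04-20 11:33 45920 ---ha-w c:\windows\system32\mlfcache.dat
2009-03-03 00:18 . 2004-08-10 17:51 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-07 02:52 . 2009-02-07 02:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-04-15 10:39 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-07-18 1306624]
"zuhawasoke"="rundll32.exe c:\windows\system32\halisuse.dll,a" [2009-04-28 60416]
"549327dd"="rundll32.exe c:\windows\system32\pitevigu.dll,s" [2009-04-28 60416]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="c:\windows\system32\pitevigu.dll c:\windows\system32\fahojiku.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"="scecli c:\windows\system32\pitevigu.dll"
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports exactly the five items a human reader would circle: fazugafi.exe, the two random Run values, the AppInit_DLLs injection and the extra LSA notification package, while mlfcache.dat (hidden but not an executable), the legitimate Run entries and the dllcache copies stay quiet. The name heuristic is deliberately narrow to this malware family's generator; it is a triage aid for reading logs, not a substitute for a scanner.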


Posted 4/30/2009 5:06 AM
#73197

Maggie8 Advanced member

Date Joined Nov 2016
Total Posts: 69
Cool, so far so good. I got rid of a lot of it on my own, getting lots of practice!
I don't understand why Avast gives me a warning, then says it deleted the virus, but then I run a check and I'll have a lot of "found" items.
Even with just one security thing, I STILL get viruses. GRRR.
Thanks, Touch.
Posted 4/30/2009 11:43 AM
#73200

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12976
Where are the viruses located - filename(s) and path?



Posted 5/3/2009 5:25 PM
#73275

Maggie8 Advanced member

Date Joined Nov 2016
Total Posts: 69
I'm not sure, it keeps (Avast) popping up and saying "Virus Detected" and that it recommends "Move to Chest" which I do. The blue screens have stopped, but everyday I keep getting these "Virus Detected" things.
ComboFix 09-04-28.02 - Mom 05/03/2009 10:05.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1526 [GMT -7:00]
Running from: c:\documents and settings\Mom\Desktop\FIX\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090502-0] *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-5-3 )))))))))))))))))))))))))))))))
.

2009-05-03 10:07 . 2000-07-15 07:00 101888 ----a-w c:\windows\system32\VB6STKIT.DLL
2009-05-03 10:07 . 2009-05-03 10:48 -------- d-----w c:\program files\FriendBlasterPro
2009-05-01 18:05 . 2009-05-02 02:31 -------- d-----w c:\documents and settings\Mom\Application Data\LimeWire
2009-05-01 18:05 . 2009-05-02 02:30 -------- d-----w c:\program files\LimeWire
2009-05-01 16:54 . 2009-05-01 16:57 -------- d-----w C:\markSR
2009-04-30 20:03 . 2009-05-01 14:32 -------- d-----w c:\documents and settings\Mom\Local Settings\Application Data\PMB Files
2009-04-30 20:03 . 2009-04-30 20:03 -------- d-----w c:\documents and settings\All Users\Application Data\PMB Files
2009-04-30 20:02 . 2009-04-30 20:02 -------- d-----w c:\program files\Pando Networks
2009-04-28 14:24 . 2009-04-28 14:24 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-20 11:33 . 2009-04-20 11:33 45920 ---ha-w c:\windows\system32\mlfcache.dat
2009-04-19 00:14 . 2009-04-19 00:14 -------- d-----w c:\program files\KingsIsle Entertainment
2009-04-15 10:39 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 10:39 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 10:39 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 10:39 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 10:39 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 10:39 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 10:39 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 10:39 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 10:39 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 10:39 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 10:36 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 10:36 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-12 03:57 . 2007-04-26 21:55 33664 ----a-w c:\windows\system32\drivers\BCMWLNPF.SYS
2009-04-12 03:57 . 2007-06-14 22:57 86016 ----a-w c:\windows\system32\preflib.dll
2009-04-12 03:57 . 2007-04-26 21:55 184320 ----a-w c:\windows\system32\bcmwlu00.exe
2009-04-12 03:57 . 2007-06-14 22:53 44032 ----a-w c:\windows\system32\wltrynt.dll
2009-04-12 03:57 . 2007-04-26 21:55 69632 ----a-w c:\windows\system32\bcmwlpkt.dll
2009-04-12 03:57 . 2007-06-14 22:52 1134592 ----a-w c:\windows\system32\BCMWLTRY.EXE
2009-04-12 03:57 . 2007-06-14 22:45 20480 ----a-w c:\windows\system32\WLTRYSVC.EXE
2009-04-12 03:57 . 2007-04-26 21:55 2129920 ----a-w c:\windows\system32\WLBCGCBPRO731.DLL
2009-04-12 03:57 . 2007-06-14 22:57 757760 ----a-w c:\windows\system32\bcm1xsup.dll
2009-04-12 03:57 . 2007-10-09 21:33 198144 ----a-w c:\windows\system32\drivers\WUSB54GSCV2.sys
2009-04-12 03:57 . 2009-04-12 03:57 -------- d-----w c:\program files\Linksys
2009-04-12 02:22 . 2007-06-14 22:53 700416 ----a-w c:\windows\system32\BCMLogon.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 11:41 . 2009-03-25 23:31 952 ----a-w c:\documents and settings\Mom\Application Data\wklnhst.dat
2009-04-30 20:09 . 2009-03-16 06:42 -------- d-----w c:\program files\Microsoft Games
2009-04-30 20:08 . 2008-12-26 01:36 -------- d-----w c:\program files\EA Games
2009-04-30 20:08 . 2008-04-24 01:11 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-27 07:23 . 2009-02-10 22:26 -------- d-----w c:\program files\Paint Shop Pro 5
2009-04-20 10:38 . 2009-02-22 02:15 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-15 16:56 . 2008-10-26 03:53 70296 ----a-w c:\documents and settings\Mom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-13 22:41 . 2008-10-26 22:57 34 ----a-w c:\documents and settings\Mom\jagex_runescape_preferences.dat
2009-04-06 22:32 . 2009-02-22 02:15 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2009-02-22 02:15 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-26 00:37 . 2009-03-26 00:37 -------- d-----w c:\program files\Serif
2009-03-25 23:23 . 2008-04-24 01:16 -------- d-----w c:\program files\Microsoft Works
2009-03-20 06:26 . 2009-03-20 06:26 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-19 05:29 . 2009-03-19 05:29 -------- d-----w c:\program files\GameSpy Arcade
2009-03-19 05:24 . 2009-03-19 05:24 -------- d-----w c:\program files\DAEMON Tools Lite
2009-03-19 05:21 . 2009-03-19 05:21 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-03-17 07:22 . 2009-02-27 00:33 -------- d-----w c:\program files\McAfee
2009-03-11 12:27 . 2009-02-23 17:58 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-09 20:52 . 2009-03-09 20:49 -------- d-----w c:\program files\Playboy
2009-03-08 14:45 . 2009-03-08 14:45 -------- d-----w c:\program files\MSXML 4.0
2009-03-08 11:36 . 2009-03-08 11:36 -------- d-----w c:\program files\Common Files\Kodak
2009-03-08 11:25 . 2009-03-08 07:13 -------- d-----w c:\program files\Kodak
2009-03-06 14:22 . 2004-08-10 17:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 09:29 . 2009-03-06 09:29 -------- d-----w c:\program files\Microsoft
2009-03-06 09:29 . 2009-03-06 09:28 -------- d-----w c:\program files\Windows Live
2009-03-06 09:29 . 2009-03-06 09:29 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-06 09:24 . 2009-03-06 09:24 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-05 11:46 . 2009-03-05 11:43 -------- d-----w c:\program files\MyDSC2
2009-03-05 10:44 . 2008-04-24 01:15 -------- d-----w c:\program files\Google
2009-03-05 10:21 . 2009-03-05 10:21 -------- d-----w c:\program files\DC505
2009-03-03 00:18 . 2004-08-10 17:51 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-23 22:51 . 2004-08-10 17:50 67 --sha-w c:\windows\Fonts\desktop.ini
2009-02-23 20:02 . 2004-08-10 18:03 77939 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-02-23 17:56 . 2009-02-23 17:56 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-20 18:09 . 2004-08-10 17:51 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-10 17:51 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-10 17:51 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-10 17:51 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-10 17:50 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-10 17:51 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2004-08-04 03:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-07 02:52 . 2009-02-07 02:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 11:11 . 2004-08-10 17:51 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-10 17:51 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-10 17:51 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-10 17:51 56832 ----a-w c:\windows\system32\secur32.dll
2004-04-27 22:19 . 2009-03-17 08:10 3192827 ----a-w c:\program files\haloce.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-04-29_07.10.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-03 16:23 . 2009-05-03 16:23 16384 c:\windows\temp\Perflib_Perfdata_7f8.dat
+ 2009-05-03 16:23 . 2009-05-03 16:23 16384 c:\windows\temp\Perflib_Perfdata_52c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-04-07 8466432]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-23 136600]
"DigiSrv"="c:\windows\Twain_32\DigiCam\DigiSrv.exe" [2003-08-07 180304]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-07-18 1306624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer(tm) Generals\\game.dat"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57175:TCP"= 57175:TCP:Pando Media Booster
"57175:UDP"= 57175:UDP:Pando Media Booster

R2 gupdate1c99a8d25a3be0;Google Update Service (gupdate1c99a8d25a3be0);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-01 133104]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-16 7408]
R3 SQTECH913C;DigiCam;c:\windows\system32\DRIVERS\Capt913c.sys [2004-03-17 27632]
R3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\DRIVERS\WUSB54GSCV2.sys [2007-10-09 198144]
S1 aswSP;avast! Self Protection; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-01-16 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-01-16 55024]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\printer\center\KodakSvc.exe [2008-07-25 18944]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
S2 WUSB54GSC;WUSB54GSC; [x]


--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2009-05-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-01 18:32]

2009-05-03 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-01 16:44]

2009-05-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Mom\Application Data\Mozilla\Firefox\Profiles\5wxad41q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 10:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2644)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-03 10:11
ComboFix-quarantined-files.txt 2009-05-03 17:11
ComboFix2.txt 2009-04-29 07:37
ComboFix3.txt 2009-04-29 07:13
ComboFix4.txt 2008-12-26 10:27
ComboFix5.txt 2009-05-03 17:05

Pre-Run: 119,549,882,368 bytes free
Post-Run: 119,548,866,560 bytes free

217 --- E O F --- 2009-05-01 06:18
*********************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:30 AM, on 5/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Linksys\WUSB54GSCv2\WLService.exe
C:\Program Files\Linksys\WUSB54GSCv2\WUSB54GSC.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\Twain_32\DigiCam\DigiSrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mom\Desktop\FIX\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [DigiSrv] C:\WINDOWS\Twain_32\DigiCam\DigiSrv.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224995547297
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c99a8d25a3be0) (gupdate1c99a8d25a3be0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: WUSB54GSC - GEMTEKS - C:\Program Files\Linksys\WUSB54GSCv2\WLService.exe

--
End of file - 7763 bytes
Posted 5/3/2009 5:28 PM
#73276
Maggie8 Advanced member

Date Joined Nov 2016
Total Posts: 69
I forgot one thing: I did notice one of them said "Disable Windows Security". Avast suggested "Move to Chest" and I did. I can't find anything about it now.
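Added example for readers of this thread (not code from the poster, from ComboFix or from HijackThis): a small Python triage script that parses the REGEDIT4-style "Reg Loading Points" section of a ComboFix log and flags the settings in this log that a responder would check first. In the log above those are the Security Center "DisableMonitoring"=dword:00000001 keys (the two Symantec sub-keys are there even though no Symantec product appears in the HijackThis O23 service list), "EnableFirewall"= 0 under the standard firewall profile (no third-party firewall shows up in the log either, so worth confirming with the user), and the avast! header line reporting "*On-access scanning disabled*". The sample text is copied from the log in the post; the key-path heuristics and severity wording are this example's own assumptions, not anything ComboFix itself asserts.

```python
"""Triage the security-relevant registry entries in a ComboFix log excerpt.

Added example for this thread; not ComboFix's or the poster's code.
SAMPLE_LOG is copied from the log posted above (the AV header line plus
the relevant 'Reg Loading Points' keys). The heuristics below are this
example's own assumptions about what those entries mean.
"""
import re
from typing import List, Optional, Tuple

SAMPLE_LOG = r"""
AV: avast! antivirus 4.8.1335 [VPS 090428-0] *On-access scanning disabled* (Updated)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57175:TCP"= 57175:TCP:Pando Media Booster
"57175:UDP"= 57175:UDP:Pando Media Booster
"""

KEY_RE = re.compile(r'^\[(.+)\]\s*$')             # [HKLM\...\subkey]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')  # "Name"=value


def parse_reg_points(text: str) -> List[Tuple[str, str, str]]:
    """Return (key_path, value_name, raw_value) triples from the
    REGEDIT4-style section of a ComboFix log. Values before the first
    [key] line are ignored."""
    triples = []
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            triples.append((key, m.group(1), m.group(2)))
    return triples


def reg_int(raw: str) -> Optional[int]:
    """Decode the two integer spellings seen in the log:
    'dword:00000001' (hex) and '0 (0x0)' (leading decimal)."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r'^(\d+)', raw)
    return int(m.group(1)) if m else None


def triage(text: str) -> List[str]:
    """Return human-readable findings for the settings a responder
    should verify: AV on-access scanning, Security Center monitoring,
    the Windows Firewall standard profile and globally open ports."""
    findings = []
    # Header line: ComboFix prints the AV product state in the 'AV:' line.
    for line in text.splitlines():
        if line.startswith("AV:") and "scanning disabled" in line.lower():
            findings.append("on-access AV scanning disabled: " + line.strip())
    for key, name, raw in parse_reg_points(text):
        k = key.lower()
        if (r"security center\monitoring" in k
                and name.lower() == "disablemonitoring"
                and reg_int(raw) == 1):
            # Key ending in ...\Monitoring covers all products; a sub-key
            # names one product (here two Symantec keys with nothing installed).
            scope = key.rsplit("\\", 1)[1]
            scope = "all products" if scope.lower() == "monitoring" else scope
            findings.append(f"Security Center monitoring disabled for {scope}")
        elif (k.endswith(r"firewallpolicy\standardprofile")
                and name.lower() == "enablefirewall"
                and reg_int(raw) == 0):
            findings.append("Windows Firewall disabled (standard profile)")
        elif k.endswith(r"globallyopenports\list"):
            findings.append(f"globally open port {name}: {raw}")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Run as-is it reports seven lines for the sample: the avast! on-access state, three Security Center monitoring entries (all products, SymantecAntiVirus, SymantecFirewall), the disabled standard-profile firewall, and the two Pando Media Booster ports. The same parse_reg_points() output can be fed further checks, for example listing the AuthorizedApplications entries (LimeWire and the game executables in this log) so the user can decide which firewall exceptions are still wanted.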