
can't get rid of Security Master AV on my computer

Postby nina » Thu Jul 29, 2010 9:06 pm

Hello, I am posting a HJT log that I just did. Realized today that my computer is infected with Security Master AV. It is only on my husband's desktop, strangely, not mine. I have followed a lot of your advice already, ran Malwarebytes, TDSSKiller, have Cyber Defender also running. Just installed and ran the HJT scan. Every time I run a scan, remove a bunch of crap and restart, the SMAV reinstalls itself on my husband's desktop and in his list of programs in his start menu. Not on mine though. I have also gone into the: start-run-wbemtest-root\security center-SELECT * FROM AntiVirus Product- and deleted the SMAV from the log there, where it had been listed. Hope all that makes sense, I am very confused! Here is my log from HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:50:33 PM, on 29/07/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberDefender\AntiSpyware\CDLauncherWS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberDefender\AntiSpyware\cdas2.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe
C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\igfxsrvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by103fd.bay103.hotmail.msn.com/c ... 33&fti=yes
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: CyberDefender Link Patrol - {DD662A0C-12FE-4b38-BA53-247F7EC82F46} - C:\Documents and Settings\Nina\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: CyberDefender Link Patrol - {DD662A0C-12FE-4b38-BA53-247F7EC82F46} - C:\Documents and Settings\Nina\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [byyxussys] rundll32.exe "efddaw.dll",s
O4 - HKLM\..\Run: [ssturraudio] rundll32.exe "khghhg.dll",s
O4 - HKLM\..\Run: [tusttraudio] rundll32.exe "khghhg.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\_cdas2.exe" /minimize
O4 - HKCU\..\Run: [mlifcyaudio] rundll32.exe "khghhg.dll",s
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [mlmmlmsys] rundll32.exe "efddaw.dll",s (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ddayaaaudio] rundll32.exe "khghhg.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll (file missing)
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll (file missing)
O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.hotmail.com
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.passport.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail ... nPUpld.cab
O16 - DPF: {5A9D4578-6649-4692-921B-ACA9ADAB007C} - http://evideo.ufc.com/ufc/cabfiles/UFC_3_6_0_6.cab
O16 - DPF: {76716694-EADA-4810-8C3B-4826328A317F} (SmartCouponPrinter Control) - http://content.dll1.com/Connectus/Smart ... 080612.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b55579.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://evideo.ufc.com/ufc/cabfiles/Entr ... Silent.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/ph ... NPUpld.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\516\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (file missing)
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe (file missing)
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CyberDefender Launcher (CDLauncher) - CyberDefender Corp. - C:\Program Files\CyberDefender\AntiSpyware\CDLauncherWS.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe (file missing)
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - Unknown owner - C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe (file missing)
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - Unknown owner - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe (file missing)
O23 - Service: FSMA - Unknown owner - C:\Program Files\Shaw Secure\Common\FSMA32.EXE (file missing)
O23 - Service: F-Secure ORSP Client (FSORSPClient) - Unknown owner - C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exe (file missing)
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\516\g2aservice.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: vseamps - Authentium, Inc - C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe
O23 - Service: vsedsps - Authentium, Inc - C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe
O23 - Service: vseqrts - Authentium, Inc - C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe

--
End of file - 13198 bytes
Nina
nina
 
Posts: 12
Joined: Thu Jul 29, 2010 8:20 pm
Location: Ontario

Re: can't get rid of Security Master AV on my computer

Postby 12056 » Thu Jul 29, 2010 9:36 pm

Please re-run HijackThis and check the boxes next to:

O4 - HKLM\..\Run: [byyxussys] rundll32.exe "efddaw.dll",s
O4 - HKLM\..\Run: [ssturraudio] rundll32.exe "khghhg.dll",s
O4 - HKLM\..\Run: [tusttraudio] rundll32.exe "khghhg.dll",s
O4 - HKCU\..\Run: [mlifcyaudio] rundll32.exe "khghhg.dll",s
O4 - HKUS\S-1-5-18\..\Run: [mlmmlmsys] rundll32.exe "efddaw.dll",s (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ddayaaaudio] rundll32.exe "khghhg.dll",s (User 'SYSTEM')

Then Click "Fix Checked Items", once HijackThis is finished removing them, restart your computer.

CyberDefender = ROGUE, you should remove it! If you have purchased it, please notify your bank to credit back your account, or place a stop payment.

I noticed that you had more than one "on-access" scanner running at the same time, this is NOT Recommended and does NOT give you more protection.
Please select one of the following to be your "on-access" scanner, and 1-2 to be "on-demand" scanners.

Ad-Aware (Recommended for your "on-demand" scanner)
Authentium (Recommended for your "on-access" scanner)
F-Secure (Suggest you remove and use the above scanners)

Next,

If you have previously downloaded ComboFix, please delete that version now.

Download Combofix from here. Close any open browsers. Double click on combofix.exe and follow the prompts.
When the tool is finished, it will produce a log for you. If the log does not automatically open, then it can be found at %systemdrive%\combofix.txt (typically C:\combofix.txt).

If ComboFix will not run, please rename it to myapp.exe and try again!

Post back with a combofix log.
MyAntispyware.com Forum Security Team
--------------------------------------------------------------
Instructions posted are for the topic starter ONLY!
If you didn't create this topic, don't use the advice!
12056
 
Posts: 270
Joined: Sun Apr 25, 2010 9:57 pm
Location: Los Lunas, NM (USA)
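The six O4 entries the helper picks out above share one pattern: `rundll32.exe` loading a DLL given only as a bare filename (resolved through the DLL search path) under several hives at once, including the SYSTEM account's hive. The script below is an added example, not code from the forum or from HijackThis; it parses O4 Run lines in the HijackThis format and flags that pattern automatically, using a heuristic of my own (bare DLL via rundll32 = high, any other executable given without a directory = review). The sample lines are constructed from the log posted earlier in the thread.

```python
"""Flag suspicious HijackThis O4 (autostart) entries.

Added example, not part of the thread. Heuristic (an assumption, not a
HijackThis rule): a Run value that launches rundll32.exe with a DLL named
without a directory is rated "high"; any other Run value whose executable
has no directory component is rated "review" (ambiguous, resolved via PATH).
"""
import re
from collections import Counter

# Constructed sample: a subset of the O4 lines from the log above, plus one
# Global Startup line to show that non-Run lines are skipped.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [byyxussys] rundll32.exe "efddaw.dll",s
O4 - HKLM\..\Run: [ssturraudio] rundll32.exe "khghhg.dll",s
O4 - HKLM\..\Run: [tusttraudio] rundll32.exe "khghhg.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mlifcyaudio] rundll32.exe "khghhg.dll",s
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [mlmmlmsys] rundll32.exe "efddaw.dll",s (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ddayaaaudio] rundll32.exe "khghhg.dll",s (User 'SYSTEM')
O4 - Global Startup: Digital Line Detect.lnk = ?
"""

# O4 - <hive>\..\Run: [<value name>] <command> [(User '<account>')]
O4_RUN = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)


def parse_o4_run(line):
    """Return a dict for an O4 Run line, or None for any other line."""
    m = O4_RUN.match(line.strip())
    return m.groupdict() if m else None


def split_command(cmd):
    """Return (executable, remaining arguments), honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end < 0:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def rundll32_target(args):
    """DLL named in rundll32 arguments, e.g. '"x.dll",s' -> 'x.dll'."""
    args = args.strip()
    if args.startswith('"'):
        end = args.find('"', 1)
        return args[1:end] if end > 0 else args[1:]
    return args.split(",", 1)[0].split(" ", 1)[0]


def classify(cmd):
    """Return (severity, reason, dll) for one Run command string."""
    exe, args = split_command(cmd)
    base = exe.rsplit("\\", 1)[-1].lower()
    if base == "rundll32.exe":
        dll = rundll32_target(args)
        if "\\" not in dll:
            return "high", "rundll32 loads bare DLL name via search path", dll
    if "\\" not in exe:
        return "review", "executable given without a directory", None
    return None, "", None


def suspicious_entries(log_text):
    """All flagged O4 Run entries in a HijackThis log, with hive and account."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4_run(line)
        if entry is None:
            continue
        severity, reason, dll = classify(entry["cmd"])
        if severity:
            entry.update(severity=severity, reason=reason, dll=dll)
            findings.append(entry)
    return findings


def dll_summary(findings):
    """Count how many hives load each bare DLL; repeats across hives matter."""
    return dict(Counter(f["dll"] for f in findings if f["severity"] == "high"))


if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_LOG):
        who = f["user"] or "current user"
        print(f'{f["severity"]:6} {f["hive"]:15} [{f["name"]}] {f["reason"]} ({who})')
    print(dll_summary(suspicious_entries(SAMPLE_LOG)))
```

The DLL summary is the part worth looking at when triaging: the same two DLLs appear under HKLM, HKCU and the SYSTEM hive, which is why fixing one entry and rebooting, as the original poster described, keeps bringing the program back.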

Re: can't get rid of Security Master AV on my computer

Postby nina » Thu Jul 29, 2010 9:53 pm

Thank you so much. I will try that stuff right now. Also, I have no idea what Authentium is. I am trying to find it now so that I can get rid of it. We had been using F-Secure on our computer last year, before we moved, but I had believed it was uninstalled. I will get rid of that one now as well. Thanks again for your help. As you can probably tell, I am not as well versed as I should be on this computer. I will also dump the Cyber Defender and post again when I have a combofix log.
Nina
Nina
nina
 
Posts: 12
Joined: Thu Jul 29, 2010 8:20 pm
Location: Ontario

Re: can't get rid of Security Master AV on my computer

Postby 12056 » Thu Jul 29, 2010 10:18 pm

nina wrote:Thank you so much. I will try that stuff right now. Also, I have no idea what Authentium is. I am trying to find it now so that I can get rid of it. We had been using F-Secure on our computer last year, before we moved, but I had believed it was uninstalled. I will get rid of that one now as well. Thanks again for your help. As you can probably tell, I am not as well versed as I should be on this computer. I will also dump the Cyber Defender and post again when I have a combofix log.
Nina


Authentium is legit, you can keep it if you'd like... If you plan on going with another company you can go ahead and uninstall it. You need to have 1 "on-access" scanner though.
Yes, dump CyberDefender, and F-Secure (if in fact you keep Authentium or if you're going to get something else).

Your choice! :D
MyAntispyware.com Forum Security Team
--------------------------------------------------------------
Instructions posted are for the topic starter ONLY!
If you didn't create this topic, don't use the advice!
12056
 
Posts: 270
Joined: Sun Apr 25, 2010 9:57 pm
Location: Los Lunas, NM (USA)

Re: can't get rid of Security Master AV on my computer

Postby nina » Thu Jul 29, 2010 11:56 pm

Hi again,
Ok, so I got rid of F-Secure and Cyber Defender. I couldn't get rid of the Authentium, but after reading your last reply, I won't go overboard trying to figure that out right now and will continue with the problem at hand. :)
The following is the log from Combofix. I noticed that it says something about Shaw Secure at the beginning, which is troubling because I got rid of all the F-Secure remnants and believed it to be all gone.
Anyways, here's the log. Thank you again for your help with this. :D
Nina

ComboFix 10-07-29.01 - Nina 29/07/2010 19:19:47.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.614 [GMT -4:00]
Running from: c:\documents and settings\Nina\Desktop\myapp.exe
FW: Shaw Secure 8.00 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\77b219c
c:\documents and settings\All Users\Application Data\77b219c\SM77b2_231.exe
c:\documents and settings\Nina\GoToAssistDownloadHelper.exe
c:\documents and settings\Peter\Application Data\Microsoft\Internet Explorer\Quick Launch\Security Master AV.lnk
c:\documents and settings\Peter\Application Data\Security Master AV
c:\documents and settings\Peter\Application Data\Security Master AV\Instructions.ini
c:\documents and settings\Peter\Start Menu\Security Master AV.lnk
c:\windows\system32\efddaw.dll
c:\windows\system32\khghhg.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-29 )))))))))))))))))))))))))))))))
.

2010-08-16 16:24 . 2010-08-16 16:24 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-16 16:23 . 2010-08-16 16:23 -------- d-----w- C:\4d58c86a75ccb2b5058378eb63f7
2010-07-29 20:32 . 2010-07-29 20:32 -------- d-----w- c:\program files\Trend Micro
2010-07-29 18:24 . 2010-07-29 18:24 -------- d-----w- c:\documents and settings\Peter\Application Data\Malwarebytes
2010-07-29 16:22 . 2010-07-29 18:16 -------- d-----w- C:\vseqrntn.bin
2010-07-29 16:19 . 2010-07-29 16:19 -------- d-----w- c:\documents and settings\Nina\Application Data\Malwarebytes
2010-07-29 16:13 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-29 16:13 . 2010-07-29 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-29 16:13 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-29 15:12 . 2010-07-29 18:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-29 02:55 . 2010-07-29 02:54 96200 ----a-w- c:\windows\system32\drivers\CDAVFS.sys
2010-07-29 02:55 . 2010-07-29 02:55 -------- d-----w- c:\program files\Common Files\Authentium
2010-07-27 01:15 . 2010-07-27 01:15 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SMRHNCFAV
2010-07-20 14:59 . 2010-07-25 23:18 -------- d-----w- c:\documents and settings\Nina\Application Data\DVD Flick
2010-07-20 14:59 . 2010-07-20 14:59 -------- d-----w- c:\program files\DVD Flick
2010-07-20 14:59 . 2003-01-26 17:41 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2010-07-14 05:47 . 2010-06-14 14:31 744448 ----a-w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-16 16:34 . 2010-08-16 16:34 5488 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-08-16 16:23 . 2006-06-18 05:11 -------- d-----w- c:\documents and settings\Peter\Application Data\Azureus
2010-07-29 22:16 . 2006-09-16 04:26 -------- d-----w- c:\documents and settings\Nina\Application Data\F-Secure
2010-07-28 23:53 . 2006-06-27 04:43 -------- d-----w- c:\program files\Google
2010-07-26 03:14 . 2006-06-19 06:40 -------- d-----w- c:\documents and settings\Nina\Application Data\Azureus
2010-07-20 15:30 . 2006-06-16 06:04 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-20 15:00 . 2008-01-16 00:33 -------- d-----w- c:\program files\Chabner
2010-06-10 07:37 . 2008-07-27 08:56 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-06 10:41 . 2005-08-16 09:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2005-08-16 09:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2006-06-18 04:11 . 2006-06-18 04:11 251 -c--a-w- c:\program files\wt3d.ini
2006-10-19 06:36 . 2006-07-04 17:36 56 -csh--r- c:\windows\system32\473C570D4A.sys
2006-07-30 17:58 . 2006-06-15 05:49 88 -csh--r- c:\windows\system32\4A0D573C47.sys
2006-10-19 06:36 . 2006-06-15 05:49 4184 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-28 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-15 524632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-08-13 122368]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-8 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-16 21:00 10536 ----a-w- c:\program files\Citrix\GoToAssist\516\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"64642:TCP"= 64642:TCP:Azureus

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [21/05/2009 2:11 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 3:06 PM 1029456]
R2 vseamps;vseamps;c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe [08/04/2010 4:46 PM 117288]
R2 vsedsps;vsedsps;c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe [08/04/2010 4:46 PM 117288]
R2 vseqrts;vseqrts;c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe [08/04/2010 4:46 PM 154152]
S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe --> c:\program files\AskBarDis\bar\bin\AskService.exe [?]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe --> c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [28/07/2010 7:53 PM 136176]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [15/06/2006 1:23 AM 20160]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [22/01/2010 3:10 AM 14424]
.
Contents of the 'Scheduled Tasks' folder

2010-07-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:11]

2010-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

2010-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-28 23:53]

2010-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-28 23:53]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell.ca/myway
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: hotmail.com
Trusted Zone: live.com
Trusted Zone: msn.com
Trusted Zone: passport.com
DPF: {5A9D4578-6649-4692-921B-ACA9ADAB007C} - hxxp://evideo.ufc.com/ufc/cabfiles/UFC_3_6_0_6.cab
DPF: {76716694-EADA-4810-8C3B-4826328A317F} - hxxp://content.dll1.com/Connectus/Smart ... 080612.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\AskBarDis\bar\bin\askBar.dll
Toolbar-Locked - (no file)
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll
WebBrowser-{DD662A0C-12FE-4B38-BA53-247F7EC82F46} - (no file)
HKCU-Run-ssqnooaudio - khghhg.dll
HKLM-Run-wvwtqqaudio - khghhg.dll
HKLM-Run-vttrstsys - efddaw.dll
HKU-Default-Run-tuttroaudio - khghhg.dll
HKU-Default-Run-ljkljgsys - efddaw.dll
SafeBoot-klmdb.sys
AddRemove-12133444-BF36-4d4e-B7FB-A3424C645DE4 - c:\program files\GemMaster\uninstallgemmaster.exe
AddRemove-Ask Toolbar_is1 - c:\program files\AskBarDis\unins000.exe
AddRemove-F-Secure Internet Shield - c:\program files\Shaw Secure\Uninstall\fsuninst.exe
AddRemove-F-Secure Spam Control - c:\program files\Shaw Secure\Uninstall\fsuninst.exe
AddRemove-F-Secure Spam Scanner - c:\program files\Shaw Secure\Uninstall\fsuninst.exe
AddRemove-F-Secure Web Filter - c:\program files\Shaw Secure\Uninstall\fsuninst.exe
AddRemove-News Service - c:\program files\Shaw Secure\fsuninst.exe
AddRemove-StreetPlugin - c:\program files\Learn2.com\StRunner\stuninst.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-29 19:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-218764237-3462503935-3443511502-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\program files\Citrix\GoToAssist\516\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(504)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\program files\Google\Quick Search Box\bin\1.2.1151.245\qsb.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP Client 2.0\smarthook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brss01a.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\eHome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
Nina
nina
 
Posts: 12
Joined: Thu Jul 29, 2010 8:20 pm
Location: Ontario

Re: can't get rid of Security Master AV on my computer

Postby 12056 » Fri Jul 30, 2010 2:24 am

Please open Notepad and copy/paste this code into notepad:

http://myantispyware.com/forum/post22209.html

Collect::
c:\windows\system32\473C570D4A.sys
c:\windows\system32\4A0D573C47.sys

KillAll::

Driver::
c:\windows\system32\drivers\CDAVFS.sys
c:\windows\system32\473C570D4A.sys
c:\windows\system32\4A0D573C47.sys


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop. Make sure your AV is disabled while we do this.

[screenshot: dragging CFScript.txt onto ComboFix.exe]

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will send some info on infected files to the ComboFix server, and then repair your infections. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
MyAntispyware.com Forum Security Team
--------------------------------------------------------------
Instructions posted are for the topic starter ONLY!
If you didn't create this topic, don't use the advice!
12056
 
Posts: 270
Joined: Sun Apr 25, 2010 9:57 pm
Location: Los Lunas, NM (USA)

Re: can't get rid of Security Master AV on my computer

Postby nina » Fri Jul 30, 2010 4:40 pm

OK, I disabled the antivirus programs, except for Authentium. Very confusing: I found the source file, but there is no .exe file in there. There is no way that I can find to start or stop the program, it's not listed when I go into "Add/Remove Programs", and when I try to delete it, I can't. Also, it was created yesterday, so it came in with something else, and that worries me.
Anyway, I disabled Ad-Aware, copied the CFScript.txt, put it on the desktop and into ComboFix, and this is the log:

ComboFix 10-07-29.04 - Nina 30/07/2010 11:26:27.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.601 [GMT -4:00]
Running from: c:\documents and settings\Nina\Desktop\myapp.exe
Command switches used :: c:\documents and settings\Nina\Desktop\CFScript.txt
FW: Shaw Secure 8.00 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}

file zipped: c:\windows\system32\473C570D4A.sys
file zipped: c:\windows\system32\4A0D573C47.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\473C570D4A.sys
c:\windows\system32\4A0D573C47.sys

.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-30 )))))))))))))))))))))))))))))))
.

2010-08-16 16:24 . 2010-08-16 16:24 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-16 16:23 . 2010-08-16 16:23 -------- d-----w- C:\4d58c86a75ccb2b5058378eb63f7
2010-07-29 20:32 . 2010-07-29 20:32 -------- d-----w- c:\program files\Trend Micro
2010-07-29 18:24 . 2010-07-29 18:24 -------- d-----w- c:\documents and settings\Peter\Application Data\Malwarebytes
2010-07-29 16:22 . 2010-07-29 18:16 -------- d-----w- C:\vseqrntn.bin
2010-07-29 16:19 . 2010-07-29 16:19 -------- d-----w- c:\documents and settings\Nina\Application Data\Malwarebytes
2010-07-29 16:13 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-29 16:13 . 2010-07-29 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-29 16:13 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-29 15:12 . 2010-07-29 18:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-29 02:55 . 2010-07-29 02:54 96200 ----a-w- c:\windows\system32\drivers\CDAVFS.sys
2010-07-29 02:55 . 2010-07-29 02:55 -------- d-----w- c:\program files\Common Files\Authentium
2010-07-27 01:15 . 2010-07-27 01:15 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SMRHNCFAV
2010-07-20 14:59 . 2010-07-25 23:18 -------- d-----w- c:\documents and settings\Nina\Application Data\DVD Flick
2010-07-20 14:59 . 2010-07-20 14:59 -------- d-----w- c:\program files\DVD Flick
2010-07-20 14:59 . 2003-01-26 17:41 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2010-07-14 05:47 . 2010-06-14 14:31 744448 ----a-w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-16 16:34 . 2010-08-16 16:34 5488 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-08-16 16:23 . 2006-06-18 05:11 -------- d-----w- c:\documents and settings\Peter\Application Data\Azureus
2010-07-29 22:16 . 2006-09-16 04:26 -------- d-----w- c:\documents and settings\Nina\Application Data\F-Secure
2010-07-28 23:53 . 2006-06-27 04:43 -------- d-----w- c:\program files\Google
2010-07-26 03:14 . 2006-06-19 06:40 -------- d-----w- c:\documents and settings\Nina\Application Data\Azureus
2010-07-20 15:30 . 2006-06-16 06:04 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-20 15:00 . 2008-01-16 00:33 -------- d-----w- c:\program files\Chabner
2010-06-10 07:37 . 2008-07-27 08:56 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-27 15:46 . 2010-05-27 15:46 503808 ----a-w- c:\documents and settings\Nina\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-262fa917-n\msvcp71.dll
2010-05-27 15:46 . 2010-05-27 15:46 499712 ----a-w- c:\documents and settings\Nina\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-262fa917-n\jmc.dll
2010-05-27 15:46 . 2010-05-27 15:46 348160 ----a-w- c:\documents and settings\Nina\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-262fa917-n\msvcr71.dll
2010-05-23 21:03 . 2010-05-23 21:03 503808 ----a-w- c:\documents and settings\Peter\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6d954a52-n\msvcp71.dll
2010-05-23 21:03 . 2010-05-23 21:03 499712 ----a-w- c:\documents and settings\Peter\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6d954a52-n\jmc.dll
2010-05-23 21:03 . 2010-05-23 21:03 348160 ----a-w- c:\documents and settings\Peter\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6d954a52-n\msvcr71.dll
2010-05-06 10:41 . 2005-08-16 09:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2005-08-16 09:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2006-06-18 04:11 . 2006-06-18 04:11 251 -c--a-w- c:\program files\wt3d.ini
2006-10-19 06:36 . 2006-06-15 05:49 4184 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-28 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-15 524632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-08-13 122368]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-8 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-16 21:00 10536 ----a-w- c:\program files\Citrix\GoToAssist\516\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"64642:TCP"= 64642:TCP:Azureus

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [21/05/2009 2:11 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 3:06 PM 1029456]
R2 vseamps;vseamps;c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe [08/04/2010 4:46 PM 117288]
R2 vsedsps;vsedsps;c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe [08/04/2010 4:46 PM 117288]
R2 vseqrts;vseqrts;c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe [08/04/2010 4:46 PM 154152]
S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe --> c:\program files\AskBarDis\bar\bin\AskService.exe [?]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe --> c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [28/07/2010 7:53 PM 136176]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [15/06/2006 1:23 AM 20160]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [22/01/2010 3:10 AM 14424]
.
Contents of the 'Scheduled Tasks' folder

2010-07-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:11]

2010-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

2010-07-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-28 23:53]

2010-07-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-28 23:53]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell.ca/myway
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: hotmail.com
Trusted Zone: live.com
Trusted Zone: msn.com
Trusted Zone: passport.com
DPF: {5A9D4578-6649-4692-921B-ACA9ADAB007C} - hxxp://evideo.ufc.com/ufc/cabfiles/UFC_3_6_0_6.cab
DPF: {76716694-EADA-4810-8C3B-4826328A317F} - hxxp://content.dll1.com/Connectus/Smart ... 080612.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-30 11:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-218764237-3462503935-3443511502-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\program files\Citrix\GoToAssist\516\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(3844)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\program files\Google\Quick Search Box\bin\1.2.1151.245\qsb.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP Client 2.0\smarthook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brss01a.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\eHome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-30 12:00:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-30 16:00
ComboFix2.txt 2010-07-29 23:43

Pre-Run: 71,113,596,928 bytes free
Post-Run: 71,598,977,024 bytes free

- - End Of File - - 916EFC3BD2C004C589C2F4B3107A60B2
Nina
nina
 
Posts: 12
Joined: Thu Jul 29, 2010 8:20 pm
Location: Ontario

Re: can't get rid of Security Master AV on my computer

Postby nina » Fri Jul 30, 2010 7:05 pm

Other Information:

I just logged onto my husband's desktop and the message "RUNDLL Error loading khghhg.dll The specified module could not be found" came up immediately.
Then the screen went blue and told me that a problem has been detected and Windows has been shut down to prevent damage. It suggested that I restart or, had I seen this message before, disable or uninstall any antivirus utilities, check the hard drive configuration and check for any updated drivers, and then run CHKDSK /F to check for hard drive corruption, then restart.
When I restarted, I got a Microsoft error message that told me that I had received this message because a device driver installed on my computer caused Windows to stop unexpectedly. This type of error is referred to as a "stop error" and requires me to restart my computer.
It suggests that I download the Dell Driver Reset Tool to fix problems caused by corrupt or updated device drivers in Microsoft Windows XP. Says that it can only reload or refresh device drivers already installed on my computer but that it does not download or update device drivers.

Question: should I download the Dell Driver Reset Tool and run it?
Nina
nina
 
Posts: 12
Joined: Thu Jul 29, 2010 8:20 pm
Location: Ontario

Re: can't get rid of Security Master AV on my computer

Postby 12056 » Fri Jul 30, 2010 10:18 pm

Yes, I'm not sure what has happened.
12056
 
Posts: 270
Joined: Sun Apr 25, 2010 9:57 pm
Location: Los Lunas, NM (USA)

Re: can't get rid of Security Master AV on my computer

Postby nina » Sat Jul 31, 2010 12:39 am

Hi. So I reinstalled the Dell Driver Reset Tool.
Restarted after the install.
Opened the infected profile (my husband's) and immediately the "RUNDLL error loading khghhg.dll" message came up again.
Then the blue screen came up again telling me that a problem was detected and Windows had to shut down to prevent damage.
Upon restart, the RUNDLL error came up again.
Ran CHKDSK /F; verification completed.
Searched for khghhg.dll in all files and folders. Found that this file was quarantined by ComboFix.
Went into safe mode, deleted Authentium successfully, ran ComboFix again (log below), and ran another Malwarebytes' scan, which came up with 3 files that I removed.
ComboFix 10-07-29.04 - Nina 30/07/2010 19:42:10.3.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.432 [GMT -4:00]
Running from: c:\documents and settings\Nina\Desktop\myapp.exe
FW: Shaw Secure 8.00 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
.

((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-30 )))))))))))))))))))))))))))))))
.

2010-08-16 16:24 . 2010-08-16 16:24 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-16 16:23 . 2010-08-16 16:23 -------- d-----w- C:\4d58c86a75ccb2b5058378eb63f7
2010-07-30 17:57 . 2010-07-30 22:53 69456 ----a-w- c:\windows\system32\drivers\klmd.sys
2010-07-29 20:32 . 2010-07-29 20:32 -------- d-----w- c:\program files\Trend Micro
2010-07-29 18:24 . 2010-07-29 18:24 -------- d-----w- c:\documents and settings\Peter\Application Data\Malwarebytes
2010-07-29 16:22 . 2010-07-29 18:16 -------- d-----w- C:\vseqrntn.bin
2010-07-29 16:19 . 2010-07-29 16:19 -------- d-----w- c:\documents and settings\Nina\Application Data\Malwarebytes
2010-07-29 16:13 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-29 16:13 . 2010-07-29 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-29 16:13 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-29 15:12 . 2010-07-29 18:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-29 02:55 . 2010-07-29 02:54 96200 ----a-w- c:\windows\system32\drivers\CDAVFS.sys
2010-07-27 01:15 . 2010-07-27 01:15 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SMRHNCFAV
2010-07-20 14:59 . 2010-07-25 23:18 -------- d-----w- c:\documents and settings\Nina\Application Data\DVD Flick
2010-07-20 14:59 . 2010-07-20 14:59 -------- d-----w- c:\program files\DVD Flick
2010-07-20 14:59 . 2003-01-26 17:41 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2010-07-14 05:47 . 2010-06-14 14:31 744448 ----a-w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-16 16:34 . 2010-08-16 16:34 5488 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-08-16 16:23 . 2006-06-18 05:11 -------- d-----w- c:\documents and settings\Peter\Application Data\Azureus
2010-07-29 22:16 . 2006-09-16 04:26 -------- d-----w- c:\documents and settings\Nina\Application Data\F-Secure
2010-07-28 23:53 . 2006-06-27 04:43 -------- d-----w- c:\program files\Google
2010-07-26 03:14 . 2006-06-19 06:40 -------- d-----w- c:\documents and settings\Nina\Application Data\Azureus
2010-07-20 15:30 . 2006-06-16 06:04 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-20 15:00 . 2008-01-16 00:33 -------- d-----w- c:\program files\Chabner
2010-06-14 14:31 . 2005-08-16 09:40 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-10 07:37 . 2008-07-27 08:56 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-27 15:46 . 2010-05-27 15:46 503808 ----a-w- c:\documents and settings\Nina\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-262fa917-n\msvcp71.dll
2010-05-27 15:46 . 2010-05-27 15:46 499712 ----a-w- c:\documents and settings\Nina\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-262fa917-n\jmc.dll
2010-05-27 15:46 . 2010-05-27 15:46 348160 ----a-w- c:\documents and settings\Nina\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-262fa917-n\msvcr71.dll
2010-05-23 21:03 . 2010-05-23 21:03 503808 ----a-w- c:\documents and settings\Peter\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6d954a52-n\msvcp71.dll
2010-05-23 21:03 . 2010-05-23 21:03 499712 ----a-w- c:\documents and settings\Peter\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6d954a52-n\jmc.dll
2010-05-23 21:03 . 2010-05-23 21:03 348160 ----a-w- c:\documents and settings\Peter\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6d954a52-n\msvcr71.dll
2010-05-06 10:41 . 2005-08-16 09:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2005-08-16 09:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2006-06-18 04:11 . 2006-06-18 04:11 251 -c--a-w- c:\program files\wt3d.ini
2006-10-19 06:36 . 2006-06-15 05:49 4184 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-28 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-15 524632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-08-13 122368]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-8 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-16 21:00 10536 ----a-w- c:\program files\Citrix\GoToAssist\516\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"64642:TCP"= 64642:TCP:Azureus

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [21/05/2009 2:11 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 3:06 PM 1029456]
S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe --> c:\program files\AskBarDis\bar\bin\AskService.exe [?]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe --> c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [28/07/2010 7:53 PM 136176]
S2 vseamps;vseamps;"c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe" --> c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe [?]
S2 vsedsps;vsedsps;"c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe" --> c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe [?]
S2 vseqrts;vseqrts;"c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe" --> c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe [?]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [15/06/2006 1:23 AM 20160]
S3 klmd24;klmd24;c:\windows\system32\drivers\klmd.sys [30/07/2010 1:57 PM 69456]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [22/01/2010 3:10 AM 14424]
.
Contents of the 'Scheduled Tasks' folder

2010-07-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:11]

2010-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

2010-07-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-28 23:53]

2010-07-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-28 23:53]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell.ca/myway
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: hotmail.com
Trusted Zone: live.com
Trusted Zone: msn.com
Trusted Zone: passport.com
DPF: {5A9D4578-6649-4692-921B-ACA9ADAB007C} - hxxp://evideo.ufc.com/ufc/cabfiles/UFC_3_6_0_6.cab
DPF: {76716694-EADA-4810-8C3B-4826328A317F} - hxxp://content.dll1.com/Connectus/Smart ... 080612.cab
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmd24.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-30 19:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-218764237-3462503935-3443511502-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(236)
c:\program files\Citrix\GoToAssist\516\G2AWinLogon.dll
c:\windows\system32\l3codecp.acm
c:\windows\system32\DivXa32.acm
c:\windows\system32\lameACM.acm
c:\windows\system32\IEFRAME.dll
c:\windows\system32\aviwrap.dll
c:\windows\system32\IMC32.ACM
c:\windows\system32\vorbis.acm
c:\windows\system32\qmpeg.acm
c:\windows\system32\ac3acm.acm

- - - - - - - > 'explorer.exe'(1644)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-07-30 19:59:07
ComboFix-quarantined-files.txt 2010-07-30 23:59
ComboFix2.txt 2010-07-30 16:00
ComboFix3.txt 2010-07-29 23:43

Pre-Run: 71,581,691,904 bytes free
Post-Run: 71,640,907,776 bytes free

- - End Of File - - 83BC7037A0F0BC6DD923B3097304E3A7
Nina
nina
 
Posts: 12
Joined: Thu Jul 29, 2010 8:20 pm
Location: Ontario

Re: can't get rid of Security Master AV on my computer

Postby 12056 » Sat Jul 31, 2010 1:21 am

Okay, I think I found what was causing the error, and an infection I missed!

Please open Notepad and copy/paste this code into notepad:

http://myantispyware.com/forum/post22209.html

Collect::
c:\windows\system32\drivers\klmd.sys
C:\vseqrntn.bin

KillAll::

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\klmdb.sys]

Driver::
klmd24



Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop. Make sure your AV is disabled while we do this.

[screenshot: dragging CFScript.txt onto ComboFix.exe]

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will send some info on infected files to the ComboFix server, and then repair your infections. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

------------

Did you try to remove these entries that I asked you to remove in an earlier post? They are what is causing the RUNDLL error:

O4 - HKLM\..\Run: [byyxussys] rundll32.exe "efddaw.dll",s
O4 - HKLM\..\Run: [ssturraudio] rundll32.exe "khghhg.dll",s
O4 - HKLM\..\Run: [tusttraudio] rundll32.exe "khghhg.dll",s
O4 - HKCU\..\Run: [mlifcyaudio] rundll32.exe "khghhg.dll",s
O4 - HKUS\S-1-5-18\..\Run: [mlmmlmsys] rundll32.exe "efddaw.dll",s (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ddayaaaudio] rundll32.exe "khghhg.dll",s (User 'SYSTEM')
MyAntispyware.com Forum Security Team
--------------------------------------------------------------
Instructions posted are for the topic starter ONLY!
If you didn't create this topic, don't use the advice!
12056
 
Posts: 270
Joined: Sun Apr 25, 2010 9:57 pm
Location: Los Lunas, NM (USA)
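As an added example (not code from this thread or from the forum team), here is a small triage script for HijackThis O4 lines like the ones above: it parses the line format, pulls out the DLL that rundll32.exe is told to load, and flags entries whose DLL is referenced by bare name or is no longer on disk, which is exactly the leftover that produces a "RUNDLL Error loading ..." message at every logon once the malware's DLLs have been quarantined. The on-disk file list and the NvCpl line are constructed sample data, not taken from the log.

```python
"""Triage HijackThis O4 autorun lines for rundll32 loaders whose DLL is gone.

Added example, not code from the forum thread. After a cleanup tool removes
a malicious DLL, the Run value that loads it through rundll32.exe often stays
behind; Windows then reports "RUNDLL Error loading <dll>" at logon until that
value is deleted as well. The file list below is constructed, not read from a PC.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# HijackThis O4 format, e.g.
#   O4 - HKUS\S-1-5-18\..\Run: [mlmmlmsys] rundll32.exe "efddaw.dll",s (User 'SYSTEM')
O4_RE = re.compile(
    r"^O4 - (?P<hive>[^\s\\]+(?:\\S-[\d-]+)?)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']+)'\))?$"
)
# rundll32.exe <dll>,<entrypoint>; the DLL argument may be quoted
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<entry>\S+)', re.I
)


@dataclass
class Finding:
    hive: str
    name: str
    dll: str
    entry: str
    reason: str


def parse_o4(line: str) -> Optional[dict]:
    """Split one O4 line into hive, key, value name, command and user (if any)."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def triage_o4(lines: Iterable[str], present_files: set) -> list:
    """Return one Finding per rundll32 autorun that will fail or is suspicious.

    present_files: lower-cased basenames of DLLs still present on disk
    (constructed here; a real check would stat the DLL search path).
    """
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if not entry:
            continue
        m = RUNDLL_RE.match(entry["cmd"])
        if not m:
            continue  # not a rundll32 loader, out of scope for this check
        dll = m.group("dll")
        base = dll.replace("/", "\\").split("\\")[-1].lower()
        reasons = []
        if "\\" not in dll:
            reasons.append("bare DLL name, resolved through the DLL search order")
        if base not in present_files:
            reasons.append("DLL missing on disk, will raise a RUNDLL error at logon")
        if reasons:
            findings.append(Finding(entry["hive"], entry["name"], dll,
                                    m.group("entry"), "; ".join(reasons)))
    return findings


# Constructed sample: the six O4 lines from the thread plus two benign entries
# (Adobe ARM from the log; NvCpl is a made-up but typical full-path loader).
SAMPLE_O4 = [
    r'O4 - HKLM\..\Run: [byyxussys] rundll32.exe "efddaw.dll",s',
    r'O4 - HKLM\..\Run: [ssturraudio] rundll32.exe "khghhg.dll",s',
    r'O4 - HKLM\..\Run: [tusttraudio] rundll32.exe "khghhg.dll",s',
    r'O4 - HKCU\..\Run: [mlifcyaudio] rundll32.exe "khghhg.dll",s',
    r'''O4 - HKUS\S-1-5-18\..\Run: [mlmmlmsys] rundll32.exe "efddaw.dll",s (User 'SYSTEM')''',
    r'''O4 - HKUS\S-1-5-18\..\Run: [ddayaaaudio] rundll32.exe "khghhg.dll",s (User 'SYSTEM')''',
    r'O4 - HKLM\..\Run: [Adobe ARM] "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"',
    r"O4 - HKLM\..\Run: [NvCpl] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
]
# Constructed: what is left on disk after the malware DLLs were quarantined.
PRESENT_AFTER_QUARANTINE = {"nvcpl.dll", "user32.dll", "shell32.dll"}

if __name__ == "__main__":
    for f in triage_o4(SAMPLE_O4, PRESENT_AFTER_QUARANTINE):
        print(f"{f.hive}\\Run [{f.name}] -> {f.dll},{f.entry}: {f.reason}")
```

Every entry it reports should be deleted from the Run key (or disabled in msconfig) rather than recreated, since the DLL it points at was malware.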

Re: can't get rid of Security Master AV on my computer

Postby nina » Sat Jul 31, 2010 10:38 pm

Hello,
First off, yes, I did remove those entries that you wanted me to remove in an earlier post. I am posting the ComboFix log that I produced earlier after dragging the CFScript.txt into ComboFix.exe.
ComboFix 10-07-29.04 - Nina 31/07/2010 10:57:31.4.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.807 [GMT -4:00]
Running from: c:\documents and settings\Nina\Desktop\myapp.exe
Command switches used :: c:\documents and settings\Nina\Desktop\CFScript.txt
FW: Shaw Secure 8.00 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}

file zipped: c:\windows\system32\drivers\klmd.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\klmd.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KLMD24
-------\Service_klmd24


((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))
.

2010-08-16 16:24 . 2010-08-16 16:24 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-16 16:23 . 2010-08-16 16:23 -------- d-----w- C:\4d58c86a75ccb2b5058378eb63f7
2010-07-31 01:17 . 2010-07-31 01:18 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-31 01:17 . 2010-07-31 01:17 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-31 01:17 . 2010-07-31 01:17 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-31 01:17 . 2010-07-31 01:17 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-07-31 01:17 . 2010-07-31 12:54 -------- d-----w- c:\windows\system32\drivers\Avg
2010-07-31 01:13 . 2010-07-31 01:13 -------- d-----w- c:\program files\AVG
2010-07-31 01:13 . 2010-07-31 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-07-31 00:51 . 2010-07-31 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-07-31 00:50 . 2010-07-31 00:51 -------- d-----w- c:\program files\Security Task Manager
2010-07-31 00:49 . 2010-07-31 00:49 -------- d-----w- c:\program files\WinDirStat
2010-07-31 00:42 . 2010-07-31 00:42 -------- d-----w- c:\documents and settings\Nina\Local Settings\Application Data\Mozilla
2010-07-29 20:32 . 2010-07-29 20:32 -------- d-----w- c:\program files\Trend Micro
2010-07-29 18:24 . 2010-07-29 18:24 -------- d-----w- c:\documents and settings\Peter\Application Data\Malwarebytes
2010-07-29 16:22 . 2010-07-29 18:16 -------- d-----w- C:\vseqrntn.bin
2010-07-29 16:19 . 2010-07-29 16:19 -------- d-----w- c:\documents and settings\Nina\Application Data\Malwarebytes
2010-07-29 16:13 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-29 16:13 . 2010-07-29 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-29 16:13 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-29 15:12 . 2010-07-29 18:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-29 02:55 . 2010-07-29 02:54 96200 ----a-w- c:\windows\system32\drivers\CDAVFS.sys
2010-07-27 01:15 . 2010-07-27 01:15 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SMRHNCFAV
2010-07-20 14:59 . 2010-07-25 23:18 -------- d-----w- c:\documents and settings\Nina\Application Data\DVD Flick
2010-07-20 14:59 . 2010-07-20 14:59 -------- d-----w- c:\program files\DVD Flick
2010-07-20 14:59 . 2003-01-26 17:41 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2010-07-14 05:47 . 2010-06-14 14:31 744448 ----a-w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-16 16:34 . 2010-08-16 16:34 5488 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-08-16 16:23 . 2006-06-18 05:11 -------- d-----w- c:\documents and settings\Peter\Application Data\Azureus
2010-07-31 12:53 . 2010-07-31 12:53 1615200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-07-31 12:53 . 2010-07-31 12:53 1373536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-07-31 12:53 . 2010-07-31 12:53 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
2010-07-31 12:53 . 2010-07-31 12:53 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-07-31 00:51 . 2010-07-31 00:51 151 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_AA0F1499309B4FA40A55389A18C50C11.dll
2010-07-31 00:51 . 2010-07-31 00:51 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_2894BB3325CD68840AB34F5C8CB0EE98.dll
2010-07-31 00:51 . 2010-07-31 00:51 3568 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_26DDC2EC4210AC63483DF9D4FCC5B59D.dll
2010-07-31 00:51 . 2010-07-31 00:51 75 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_1F9ACB2AC6655084791DF7CD39837632.dll
2010-07-31 00:51 . 2010-07-31 00:51 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_1FFEDB53016A65940AD05154C3113659.dll
2010-07-31 00:51 . 2010-07-31 00:51 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_18555481990E8AB4CBB63FB4F26006C0.dll
2010-07-31 00:51 . 2010-07-31 00:51 29 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_184994D06C2252B4A82CD6F3C688F59B.dll
2010-07-31 00:51 . 2010-07-31 00:51 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0DC1503A46F231838AD88BCDDC8E8F7C.dll
2010-07-31 00:51 . 2010-07-31 00:51 108 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0B79C053C7D38EE4AB9A00CB3B5D2472.dll
2010-07-29 22:16 . 2006-09-16 04:26 -------- d-----w- c:\documents and settings\Nina\Application Data\F-Secure
2010-07-28 23:53 . 2006-06-27 04:43 -------- d-----w- c:\program files\Google
2010-07-26 03:14 . 2006-06-19 06:40 -------- d-----w- c:\documents and settings\Nina\Application Data\Azureus
2010-07-20 15:30 . 2006-06-16 06:04 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-20 15:00 . 2008-01-16 00:33 -------- d-----w- c:\program files\Chabner
2010-06-14 14:31 . 2005-08-16 09:40 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-10 07:37 . 2008-07-27 08:56 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-27 15:46 . 2010-05-27 15:46 503808 ----a-w- c:\documents and settings\Nina\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-262fa917-n\msvcp71.dll
2010-05-27 15:46 . 2010-05-27 15:46 499712 ----a-w- c:\documents and settings\Nina\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-262fa917-n\jmc.dll
2010-05-27 15:46 . 2010-05-27 15:46 348160 ----a-w- c:\documents and settings\Nina\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-262fa917-n\msvcr71.dll
2010-05-23 21:03 . 2010-05-23 21:03 503808 ----a-w- c:\documents and settings\Peter\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6d954a52-n\msvcp71.dll
2010-05-23 21:03 . 2010-05-23 21:03 499712 ----a-w- c:\documents and settings\Peter\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6d954a52-n\jmc.dll
2010-05-23 21:03 . 2010-05-23 21:03 348160 ----a-w- c:\documents and settings\Peter\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6d954a52-n\msvcr71.dll
2010-05-06 10:41 . 2005-08-16 09:18 916480 ----a-w- c:\windows\system32\wininet.dll
2006-06-18 04:11 . 2006-06-18 04:11 251 -c--a-w- c:\program files\wt3d.ini
2006-10-19 06:36 . 2006-06-15 05:49 4184 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-28 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-15 524632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-08-13 122368]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-8 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-31 01:18 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-16 21:00 10536 ----a-w- c:\program files\Citrix\GoToAssist\516\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2010-07-31 01:16 2065760 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Lavasoft Ad-Aware Service"=2 (0x2)
"avg9wd"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"64642:TCP"= 64642:TCP:Azureus

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [21/05/2009 2:11 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [30/07/2010 9:17 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [30/07/2010 9:17 PM 243024]
S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe --> c:\program files\AskBarDis\bar\bin\AskService.exe [?]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe --> c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [28/07/2010 7:53 PM 136176]
S2 vseamps;vseamps;"c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe" --> c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe [?]
S2 vsedsps;vsedsps;"c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe" --> c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe [?]
S2 vseqrts;vseqrts;"c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe" --> c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe [?]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [15/06/2006 1:23 AM 20160]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [22/01/2010 3:10 AM 14424]
S4 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [30/07/2010 9:15 PM 308136]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 3:06 PM 1029456]
.
Contents of the 'Scheduled Tasks' folder

2010-07-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:11]

2010-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

2010-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-28 23:53]

2010-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-28 23:53]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell.ca/myway
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: hotmail.com
Trusted Zone: live.com
Trusted Zone: msn.com
Trusted Zone: passport.com
DPF: {5A9D4578-6649-4692-921B-ACA9ADAB007C} - hxxp://evideo.ufc.com/ufc/cabfiles/UFC_3_6_0_6.cab
DPF: {76716694-EADA-4810-8C3B-4826328A317F} - hxxp://content.dll1.com/Connectus/Smart ... 080612.cab
FF - ProfilePath - c:\documents and settings\Nina\Application Data\Mozilla\Firefox\Profiles\jh8vjceg.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-31 11:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-218764237-3462503935-3443511502-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\Citrix\GoToAssist\516\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(2168)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\program files\Google\Quick Search Box\bin\1.2.1151.245\qsb.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP Client 2.0\smarthook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brss01a.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\eHome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-31 11:18:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-31 15:18
ComboFix2.txt 2010-07-30 23:59
ComboFix3.txt 2010-07-30 16:00
ComboFix4.txt 2010-07-29 23:43

Pre-Run: 71,139,999,744 bytes free
Post-Run: 71,230,377,984 bytes free

- - End Of File - - 9C3F611F7A20EA80E9CBD127D741D3CB
Nina
nina
 
Posts: 12
Joined: Thu Jul 29, 2010 8:20 pm
Location: Ontario

Re: can't get rid of Security Master AV on my computer

Postby nina » Sat Jul 31, 2010 10:42 pm

Also, I forgot to mention that ComboFix has quarantined all Security Master AV files.
Nina
nina
 
Posts: 12
Joined: Thu Jul 29, 2010 8:20 pm
Location: Ontario

Re: can't get rid of Security Master AV on my computer

Postby 12056 » Sat Jul 31, 2010 11:44 pm

Good, glad to hear that! :D

Please uninstall ComboFix:

1. Click START, then RUN, then TYPE: combofix /uninstall
2. Click "OK" and wait for a dialog box that says Combofix has been removed successfully.
MyAntispyware.com Forum Security Team
--------------------------------------------------------------
Instructions posted are for the topic starter ONLY!
If you didn't create this topic, don't use the advice!
12056
 
Posts: 270
Joined: Sun Apr 25, 2010 9:57 pm
Location: Los Lunas, NM (USA)

Re: can't get rid of Security Master AV on my computer

Postby nina » Sun Aug 01, 2010 4:41 pm

I am still getting the RUNDLL Error loading khghhg.dll message when I open up my husband's desktop. I know that this file is associated with Security Master and has been quarantined by Combofix, but I don't understand why it is still trying to open this file on start up. I am hesitant to remove Combofix until I can figure this out. Any ideas?
Nina
nina
 
Posts: 12
Joined: Thu Jul 29, 2010 8:20 pm
Location: Ontario
