
Windows update redirects to google


  • This topic is locked
9 replies to this topic

#1 zigzag8336


  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:46 AM

Posted 12 January 2009 - 11:35 PM

OK, well I seem to have been infected with something weird that I can't get rid of. I have tried Ad-Aware and removed everything that came up, but I'm still having problems.
When I try to go to http://windowsupdate.microsoft.com/, I am redirected to google.com.
Also, when I use a search engine, sometimes the results redirect to other search engines, but when I type the address in manually it goes directly to the correct site. It only does this with certain search results though, not all, and http://windowsupdate.microsoft.com/ always redirects to google.com no matter if I search for it or if I type it in manually.

The main problem I have though, is that I can't download anything from microsoft.com. I click the link, it opens a new window and tries to connect to download.microsoft.com, then I get a "page cannot be displayed" error. Please help me, it would be greatly appreciated.

BTW, I noticed that in the DDS.txt report, AVG Internet Security shows up as my antivirus and AVG Firewall shows up as my firewall, but this is incorrect because I have uninstalled both of these, so I don't know why it showed up in the DDS report. Maybe it has something to do with my problem?

DDS.txt Report:

DDS (Ver_09-01-07.01) - NTFSx86  
Run by Francis at 23:22:51.42 on Mon 01/12/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.1439 [GMT -5:00]

AV: AVG Internet Security *On-access scanning disabled* (Outdated)
FW: AVG Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\Documents and Settings\Francis\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
mWinlogon: System=kdtbk.exe
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [AudioDeck] c:\program files\via\viaudioi\sbadeck\ADeck.exe 1
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [c:\windows\system32\kdtbk.exe] c:\windows\system32\kdtbk.exe
mRun: [RivaTunerStartupDaemon] "c:\program files\riva tuner\RivaTuner.exe" /S
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\francis\startm~1\programs\startup\shortc~1.lnk - c:\windows\system32\taskmgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
TCP: NameServer = 85.255.113.94;85.255.112.225
TCP: {54D2F437-1B74-492D-B436-6A3BB2455716} = 85.255.113.94;85.255.112.225
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\francis\applic~1\mozilla\firefox\profiles\k3kpjqhu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-12-17 12936]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-17 98440]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-17 26824]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-17 90632]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2008-12-17 29208]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2008-10-31 38560]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-17 231704]
R4 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2008-12-17 1212184]
R4 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-7-14 27992]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2008-12-17 29208]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [2008-11-22 27904]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2008-11-2 7548]

=============== Created Last 30 ================

2009-01-07 03:06	33,846	a-------	c:\windows\system32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.bmp
2009-01-07 03:06	3,400	a-------	c:\windows\system32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.dat
2009-01-07 03:05	33,846	a-------	c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.bmp
2009-01-07 03:05	2,987	a-------	c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2009-01-07 03:02	33,846	a-------	c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.bmp
2009-01-07 03:02	<DIR>	--d-----	c:\docume~1\francis\applic~1\AccurateRip
2009-01-07 03:02	10,886,008	a-------	c:\windows\system32\SpoonUninstall.exe
2009-01-07 03:02	13,785	a-------	c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2009-01-07 03:02	<DIR>	--d-----	c:\program files\Illustrate
2008-12-31 08:59	24,872	a-------	c:\windows\system32\drivers\ElbyCDIO.sys
2008-12-30 18:53	103,360	a-------	c:\windows\system32\drivers\AnyDVD.sys
2008-12-27 02:58	<DIR>	--d-----	c:\program files\SlySoft
2008-12-22 19:30	69	a-------	c:\windows\NeroDigital.ini
2008-12-22 19:27	2,283,027	a-------	c:\windows\system32\x264vfw.dll
2008-12-22 19:27	1,294,336	a-------	c:\windows\system32\vorbis.acm
2008-12-22 19:27	630,784	a-------	c:\windows\system32\vp7vfw.dll
2008-12-22 19:27	391,680	a-------	c:\windows\system32\I263_32.drv
2008-12-22 19:27	287,744	a-------	c:\windows\system32\divxa32.acm
2008-12-22 19:27	232,448	a-------	c:\windows\system32\mp3fhg.acm
2008-12-22 19:27	39,936	a-------	c:\windows\system32\huffyuv.dll
2008-12-22 18:54	221,184	a-------	c:\windows\system32\wmpns.dll
2008-12-22 18:54	23,392	a-------	c:\windows\system32\nscompat.tlb
2008-12-22 18:54	16,832	a-------	c:\windows\system32\amcompat.tlb
2008-12-19 02:15	<DIR>	--d-----	c:\program files\Lavasoft
2008-12-19 02:15	<DIR>	--d-----	c:\program files\common files\Wise Installation Wizard
2008-12-19 02:11	<DIR>	--d-----	c:\program files\Trend Micro
2008-12-18 22:52	<DIR>	--d-----	c:\program files\StarCraft
2008-12-18 16:56	<DIR>	--d-----	c:\program files\AviSynth 2.5
2008-12-18 16:55	<DIR>	--d-----	c:\program files\Avi2Dvd
2008-12-18 16:55	<DIR>	--d-----	c:\program files\AVI 2 DVD
2008-12-18 04:30	<DIR>	--d-----	c:\program files\Nero
2008-12-18 04:10	<DIR>	--d-----	c:\docume~1\francis\applic~1\DVD Flick
2008-12-18 00:24	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\WEBREG
2008-12-17 17:58	<DIR>	--d-----	c:\program files\common files\HP
2008-12-17 17:58	<DIR>	--d-----	c:\program files\common files\Hewlett-Packard
2008-12-17 17:57	16,496	a----r--	c:\windows\system32\drivers\HPZipr12.sys
2008-12-17 17:57	49,920	a----r--	c:\windows\system32\drivers\HPZid412.sys
2008-12-17 17:57	21,568	a----r--	c:\windows\system32\drivers\HPZius12.sys
2008-12-17 17:57	267,864	a----r--	c:\windows\system32\hpzids01.dll
2008-12-17 17:57	118,272	a-------	c:\windows\system32\hpz3l5ha.dll
2008-12-17 17:56	958,464	a----r--	c:\windows\system32\hpotiop4.dll
2008-12-17 17:56	675,840	a----r--	c:\windows\system32\hpowiax4.dll
2008-12-17 17:56	364,544	a----r--	c:\windows\system32\hppldcoi.dll
2008-12-17 17:56	303,104	a----r--	c:\windows\system32\hpovst11.dll
2008-12-17 17:56	15,104	ac------	c:\windows\system32\dllcache\usbscan.sys
2008-12-17 17:56	15,104	a-------	c:\windows\system32\drivers\usbscan.sys
2008-12-17 17:53	139,785	a-------	c:\windows\hpoins15.dat
2008-12-17 17:53	1,039	--------	c:\windows\hpomdl15.dat
2008-12-17 17:50	25,856	ac------	c:\windows\system32\dllcache\usbprint.sys
2008-12-17 17:50	25,856	a-------	c:\windows\system32\drivers\usbprint.sys
2008-12-17 02:01	<DIR>	--d-h---	C:\$AVG8.VAULT$
2008-12-17 01:30	12,936	a-------	c:\windows\system32\drivers\avgrkx86.sys
2008-12-17 01:30	10,520	a-------	c:\windows\system32\avgrsstx.dll
2008-12-17 01:30	<DIR>	--d-----	c:\windows\system32\drivers\Avg
2008-12-17 01:30	98,440	a-------	c:\windows\system32\drivers\avgldx86.sys
2008-12-17 01:30	90,632	a-------	c:\windows\system32\drivers\avgtdix.sys
2008-12-17 01:29	50,968	a-------	c:\windows\system32\avgfwdx.dll
2008-12-17 01:29	29,208	a-------	c:\windows\system32\drivers\avgfwdx.sys
2008-12-17 01:29	<DIR>	--d-----	c:\program files\AVG
2008-12-17 01:29	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\avg8
2008-12-16 04:11	<DIR>	--d-----	c:\documents and settings\francis\.housecall6.6
2008-12-16 03:18	<DIR>	--d-----	c:\program files\common files\Blizzard Entertainment
2008-12-14 23:14	410,984	a-------	c:\windows\system32\deploytk.dll
2008-12-14 23:14	73,728	a-------	c:\windows\system32\javacpl.cpl
2008-12-14 00:56	54,156	a---h---	c:\windows\QTFont.qfn
2008-12-14 00:56	1,409	a-------	c:\windows\QTFont.for

==================== Find3M  ====================

2008-12-13 04:29	0	a---h---	c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-12-13 04:29	0	a---h---	c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-11-24 09:32	57,344	a-------	c:\windows\system32\ff_vfw.dll
2008-11-22 19:41	27,904	a-------	c:\windows\system32\drivers\ndisprot.sys
2008-11-20 02:32	22,328	a-------	c:\windows\system32\drivers\PnkBstrK.sys
2008-11-20 02:32	22,328	a-------	c:\docume~1\francis\applic~1\PnkBstrK.sys
2008-11-20 02:32	103,736	a-------	c:\windows\system32\PnkBstrB.exe
2008-11-20 02:32	669,184	a-------	c:\windows\system32\pbsvc.exe
2008-11-20 02:32	66,872	a-------	c:\windows\system32\PnkBstrA.exe
2008-11-19 12:21	93,128	a-------	c:\windows\system32\ElbyCDIO.dll
2008-11-07 15:41	107,888	a-------	c:\windows\system32\CmdLineExt.dll
2008-11-05 07:25	409,600	a-------	c:\windows\system32\wrap_oal.dll
2008-11-05 07:25	114,688	a-------	c:\windows\system32\OpenAL32.dll
2008-11-03 14:47	86,327	a-------	c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-01 17:09	31,744	a-------	c:\windows\system32\5Jdqq22S.exe
2008-10-31 13:36	315,392	a-------	c:\windows\HideWin.exe
2008-10-28 17:36	823,296	a-------	c:\windows\system32\divx_xx0c.dll
2008-10-28 17:36	823,296	a-------	c:\windows\system32\divx_xx07.dll
2008-10-28 17:35	815,104	a-------	c:\windows\system32\divx_xx0a.dll
2008-10-28 17:35	802,816	a-------	c:\windows\system32\divx_xx11.dll
2008-10-28 17:35	684,032	a-------	c:\windows\system32\DivX.dll
2008-10-27 10:04	514,384	a-------	c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04	235,856	a-------	c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04	23,376	a-------	c:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04	70,992	a-------	c:\windows\system32\XAPOFX1_2.dll

============= FINISH: 23:23:06.85 ===============

Will run HijackThis and post logs upon request. Thanks.



#2 sundavis


  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:46 AM

Posted 13 January 2009 - 02:31 AM

Hi,

Welcome to BleepingComputer HijackThis Logs and Malware Removal, zigzag8336. :thumbsup:
My name is sundavis, and I will be helping you to deal with your malware problems today.


Step 1
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
Step 2

Please close all browsers and other windows while running GooredFix.
  • Please download GooredFix and save it to your Desktop.
  • Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
Note: Do not run Option #2 yet.


Step 3

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:

@Echo off
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32" >> C:\look.txt
START C:\look.txt

Name the file check.bat, making sure "Save as type" is set to "All Files". It should look like Posted Image
Double click on check.bat and allow it to run. Copy and paste the content in your next reply (if the file does not open, please look for the file at C:\look.txt).


In your next reply, please post back:

1. Goored log
2. Look.txt
3. RSIT log.txt and info.txt

Do not post your logs in the code box. Thanks.

Edited by sundavis, 13 January 2009 - 02:32 AM.


#3 zigzag8336

  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:46 AM

Posted 13 January 2009 - 05:18 AM

First off, I would like to say thank you sundavis for taking your time to help me with my problem, I really appreciate it.

Step 1:
I actually wasn't able to run RSIT.exe
After clicking continue at the disclaimer screen I got this error:
Posted Image

Step 2:
I ran Gooredfix.exe as instructed, here is the log:

GooredFix v1.81 by jpshortstuff
Log created at 05:06 on 13/01/2009 running Option #1 (Francis)
Firefox version 3.0.5 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

Step 3:
Created check.bat and ran it, here are the contents of Look.txt:

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32
midimapper REG_SZ midimap.dll
msacm.imaadpcm REG_SZ imaadp32.acm
msacm.msadpcm REG_SZ msadp32.acm
msacm.msg711 REG_SZ msg711.acm
msacm.msgsm610 REG_SZ msgsm32.acm
msacm.trspch REG_SZ tssoft32.acm
vidc.cvid REG_SZ iccvid.dll
vidc.I420 REG_SZ msh263.drv
vidc.iv31 REG_SZ ir32_32.dll
vidc.iv32 REG_SZ ir32_32.dll
vidc.iv41 REG_SZ ir41_32.ax
vidc.iyuv REG_SZ iyuv_32.dll
vidc.mrle REG_SZ msrle32.dll
vidc.msvc REG_SZ msvidc32.dll
vidc.uyvy REG_SZ msyuv.dll
vidc.yuy2 REG_SZ msyuv.dll
vidc.yvu9 REG_SZ tsbyuv.dll
vidc.yvyu REG_SZ msyuv.dll
wavemapper REG_SZ msacm32.drv
msacm.msg723 REG_SZ msg723.acm
vidc.M263 REG_SZ msh263.drv
vidc.M261 REG_SZ msh261.drv
msacm.msaudio1 REG_SZ msaud32.acm
msacm.sl_anet REG_SZ sl_anet.acm
msacm.iac2 REG_SZ C:\WINDOWS\system32\iac25_32.ax
vidc.iv50 REG_SZ ir50_32.dll
msacm.l3acm REG_SZ C:\WINDOWS\system32\l3codeca.acm
VIDC.XVID REG_SZ xvidvfw.dll
VIDC.YV12 REG_SZ yv12vfw.dll
msacm.ac3filter REG_SZ ac3filter.acm
VIDC.FFDS REG_SZ ff_vfw.dll
wave REG_SZ wdmaud.drv
midi REG_SZ wdmaud.drv
mixer REG_SZ wdmaud.drv
wave1 REG_SZ wdmaud.drv
midi1 REG_SZ wdmaud.drv
mixer1 REG_SZ wdmaud.drv
aux REG_SZ wdmaud.drv
wave2 REG_SZ wdmaud.drv
midi2 REG_SZ wdmaud.drv
mixer2 REG_SZ wdmaud.drv
wave3 REG_SZ wdmaud.drv
midi3 REG_SZ wdmaud.drv
mixer3 REG_SZ wdmaud.drv
vidc.DIVX REG_SZ DivX.dll
vidc.VP60 REG_SZ vp6vfw.dll
vidc.VP61 REG_SZ vp6vfw.dll
VIDC.AP41 REG_SZ APmpg4v1.dll
VIDC.MPG4 REG_SZ APmpg4v1.dll
VIDC.MP42 REG_SZ APmpg4v1.dll
VIDC.DIV3 REG_SZ APmpg4v1.dll
VIDC.DIV4 REG_SZ APmpg4v1.dll
VIDC.MP43 REG_SZ APmpg4v1.dll
msacm.ac3acm REG_SZ ac3acm.acm
msacm.lameacm REG_SZ lameACM.acm
VIDC.VP62 REG_SZ vp6vfw.dll
VIDC.VP70 REG_SZ vp7vfw.dll
msacm.l3fhg REG_SZ mp3fhg.acm
msacm.divxa32 REG_SZ divxa32.acm
msacm.vorbis REG_SZ vorbis.acm
VIDC.X264 REG_SZ x264vfw.dll
VIDC.HFYU REG_SZ huffyuv.dll
vidc.i263 REG_SZ i263_32.drv

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32\Terminal Server

#4 sundavis


  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:46 AM

Posted 15 January 2009 - 02:42 PM

Hi zigzag8336,


I notice there is sign of one P2P (Person to Person) File Sharing Program on your computer. Even if you are using a "safe" P2P program, it is only the program that is safe.
You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
You are well advised to remove it via Control Panel > Add/Remove Programs.

uTorrent


As to the AVG Internet Security leftovers, please go here to download the AVG Remover utility, which removes all parts of the AVG Internet Security leftovers on your computer, including registry items, installation and user files on your disk, etc. This clean process may damage the integrity of AVG8. You are well advised to remove all the AVG products with no internet access. After clean reinstalling AVG8, plug the internet back in and update your virus definitions.

After that, please do the following:

Step 1

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. You will see the below prompt when you first run ComboFix:


Posted Image


The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once Recovery Console is installed, you should see a blue screen prompt like the one below:


Posted Image

1. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

2. Click Yes to allow ComboFix to continue scanning for malware.

When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.


In your next reply, please post back:

1. ComboFix log
2. New HJT log

#5 zigzag8336

  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:46 AM

Posted 15 January 2009 - 05:03 PM

OK, I tried to install the AVG Remover utility but when I clicked the link it gave me a page cannot be displayed error, but we'll get back to that later.

Step 1:

Ran Combofix and installed the recovery console. Combofix detected and removed a rootkit, and some other malware, as you will see in the log.

Combofix Log:

ComboFix 09-01-13.04 - Francis 2009-01-15 16:33:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1682 [GMT -5:00]
Running from: c:\documents and settings\Francis\Desktop\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Outdated)
FW: AVG Firewall *enabled*
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Francis\LOCALS~1\Temp\tmp1.tmp
c:\documents and settings\Daniel\Daniel's Documents\Downloaded Files\DAEMON.Tools.Pro.Advanced.v4.10.218.0\BlackFinal\Desktop_.ini
c:\program files\Mozilla Firefox\components\iamfamous.dll
c:\windows\system32\5Jdqq22S.exe.a_a
c:\windows\system32\AutoRun.inf
c:\windows\system32\drivers\msqpdxpcuuktkl.sys
c:\windows\system32\hpowiax4.dll
c:\windows\system32\kdtbk.exe
c:\windows\system32\msqpdxwgqeirxy.dll
c:\windows\system32\MTX0CI.dll
c:\windows\system32\mypath0079.dll
c:\windows\Temp\tmp3.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSQPDXSERV.SYS
-------\Legacy_MSQPDXSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 )))))))))))))))))))))))))))))))
.

2009-01-13 04:49 . 2009-01-13 04:49 <DIR> d-------- C:\rsit
2009-01-07 03:06 . 2009-01-07 03:06 33,846 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.bmp
2009-01-07 03:06 . 2009-01-07 03:06 3,400 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.dat
2009-01-07 03:05 . 2009-01-07 03:05 33,846 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.bmp
2009-01-07 03:05 . 2009-01-07 03:05 2,987 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2009-01-07 03:02 . 2009-01-07 03:02 <DIR> d-------- c:\program files\Illustrate
2009-01-07 03:02 . 2009-01-07 03:02 <DIR> d-------- c:\documents and settings\Francis\Application Data\AccurateRip
2009-01-07 03:02 . 2009-01-07 03:06 10,886,008 --a------ c:\windows\system32\SpoonUninstall.exe
2009-01-07 03:02 . 2009-01-07 03:02 33,846 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.bmp
2009-01-07 03:02 . 2009-01-07 03:02 13,785 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2008-12-31 08:59 . 2008-12-31 08:59 24,872 --a------ c:\windows\system32\drivers\ElbyCDIO.sys
2008-12-30 18:53 . 2008-12-30 18:53 103,360 --a------ c:\windows\system32\drivers\AnyDVD.sys
2008-12-27 03:04 . 2008-12-27 03:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\SlySoft
2008-12-27 02:58 . 2008-12-28 01:28 <DIR> d-------- c:\program files\SlySoft
2008-12-22 19:30 . 2009-01-09 01:34 69 --a------ c:\windows\NeroDigital.ini
2008-12-22 19:27 . 2008-11-25 03:45 2,283,027 --a------ c:\windows\system32\x264vfw.dll
2008-12-22 19:27 . 2002-07-07 17:14 1,294,336 --a------ c:\windows\system32\vorbis.acm
2008-12-22 19:27 . 2006-04-02 07:47 630,784 --a------ c:\windows\system32\vp7vfw.dll
2008-12-22 19:27 . 1997-04-07 12:19 391,680 --a------ c:\windows\system32\I263_32.drv
2008-12-22 19:27 . 2001-02-24 20:19 287,744 --a------ c:\windows\system32\divxa32.acm
2008-12-22 19:27 . 2006-10-18 13:05 232,448 --a------ c:\windows\system32\mp3fhg.acm
2008-12-22 19:27 . 2004-05-18 13:16 39,936 --a------ c:\windows\system32\huffyuv.dll
2008-12-22 18:54 . 2004-08-04 07:00 221,184 --a------ c:\windows\system32\wmpns.dll
2008-12-22 18:54 . 2008-12-22 18:54 23,392 --a------ c:\windows\system32\nscompat.tlb
2008-12-22 18:54 . 2008-12-22 18:54 16,832 --a------ c:\windows\system32\amcompat.tlb
2008-12-19 02:15 . 2008-12-19 02:15 <DIR> d-------- c:\program files\Lavasoft
2008-12-19 02:15 . 2008-12-19 02:15 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-19 02:15 . 2008-12-19 02:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-19 02:11 . 2008-12-19 02:11 <DIR> d-------- c:\program files\Trend Micro
2008-12-18 22:52 . 2008-12-19 00:03 <DIR> d-------- c:\program files\StarCraft
2008-12-18 16:56 . 2008-12-18 16:56 <DIR> d-------- c:\program files\AviSynth 2.5
2008-12-18 16:55 . 2008-12-18 19:33 <DIR> d-------- c:\program files\Avi2Dvd
2008-12-18 16:55 . 2008-12-18 16:55 <DIR> d-------- c:\program files\AVI 2 DVD
2008-12-18 04:32 . 2008-12-18 04:32 <DIR> d-------- c:\program files\Common Files\Ahead
2008-12-18 04:30 . 2008-12-18 04:33 <DIR> d-------- c:\program files\Nero
2008-12-18 04:10 . 2008-12-18 04:10 <DIR> d-------- c:\documents and settings\Francis\Application Data\DVD Flick
2008-12-18 04:10 . 2008-12-23 01:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\DVD Shrink
2008-12-18 01:46 . 2008-12-18 01:46 <DIR> d-------- c:\documents and settings\Francis\Application Data\Apple Computer
2008-12-18 01:32 . 2008-12-18 01:32 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-18 01:32 . 2008-12-18 01:32 <DIR> d-------- c:\program files\Apple Software Update
2008-12-18 01:32 . 2008-12-18 01:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-18 00:24 . 2008-12-18 00:24 <DIR> d-------- c:\documents and settings\Francis\Application Data\HP
2008-12-18 00:24 . 2008-12-18 00:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\WEBREG
2008-12-17 18:00 . 2008-12-17 18:00 <DIR> d-------- c:\documents and settings\Francis\Application Data\HPAppData
2008-12-17 17:59 . 2008-12-17 17:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-12-17 17:59 . 2008-12-17 17:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2008-12-17 17:58 . 2008-12-17 17:58 <DIR> d-------- c:\program files\Hewlett-Packard
2008-12-17 17:58 . 2008-12-17 17:58 <DIR> d-------- c:\program files\Common Files\HP
2008-12-17 17:58 . 2008-12-17 17:58 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2008-12-17 17:57 . 2008-12-17 17:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-12-17 17:57 . 2007-03-30 10:29 267,864 -ra------ c:\windows\system32\hpzids01.dll
2008-12-17 17:57 . 2007-03-28 14:01 118,272 --a------ c:\windows\system32\hpz3l5ha.dll
2008-12-17 17:57 . 2007-03-07 23:20 49,920 -ra------ c:\windows\system32\drivers\HPZid412.sys
2008-12-17 17:57 . 2007-03-07 23:20 21,568 -ra------ c:\windows\system32\drivers\HPZius12.sys
2008-12-17 17:57 . 2007-03-07 23:20 16,496 -ra------ c:\windows\system32\drivers\HPZipr12.sys
2008-12-17 17:56 . 2007-03-17 01:39 958,464 -ra------ c:\windows\system32\hpotiop4.dll
2008-12-17 17:56 . 2007-03-07 23:20 364,544 -ra------ c:\windows\system32\hppldcoi.dll
2008-12-17 17:56 . 2007-03-17 01:39 303,104 -ra------ c:\windows\system32\hpovst11.dll
2008-12-17 17:56 . 2008-04-13 13:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-17 17:56 . 2008-04-13 13:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-12-17 17:53 . 2008-12-17 18:01 139,785 --a------ c:\windows\hpoins15.dat
2008-12-17 17:53 . 2007-06-05 18:04 1,039 --------- c:\windows\hpomdl15.dat
2008-12-17 17:50 . 2008-04-13 13:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-12-17 17:50 . 2008-04-13 13:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-12-17 02:01 . 2008-12-17 12:46 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-17 01:30 . 2008-12-17 01:30 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-17 01:30 . 2008-12-17 01:30 98,440 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-17 01:30 . 2008-12-17 01:30 90,632 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-17 01:30 . 2008-12-17 01:30 12,936 --a------ c:\windows\system32\drivers\avgrkx86.sys
2008-12-17 01:30 . 2008-12-17 01:30 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-17 01:29 . 2008-12-17 01:29 <DIR> d-------- c:\program files\AVG
2008-12-17 01:29 . 2008-12-18 00:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-17 01:29 . 2008-12-17 01:29 50,968 --a------ c:\windows\system32\avgfwdx.dll
2008-12-17 01:29 . 2008-12-17 01:29 29,208 --a------ c:\windows\system32\drivers\avgfwdx.sys
2008-12-16 04:11 . 2008-12-16 05:09 <DIR> d-------- c:\documents and settings\Francis\.housecall6.6
2008-12-16 03:18 . 2008-12-18 23:00 <DIR> d-------- c:\program files\Common Files\Blizzard Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 21:30 --------- d-----w c:\documents and settings\Francis\Application Data\uTorrent
2009-01-15 08:15 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-23 00:27 --------- d-----w c:\program files\K-Lite Codec Pack
2008-12-18 06:33 --------- d-----w c:\program files\QuickTime
2008-12-18 06:32 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-17 23:00 --------- d-----w c:\program files\HP
2008-12-17 07:06 --------- d-----w c:\program files\3GP Video Converter
2008-12-15 04:14 --------- d-----w c:\program files\Java
2008-12-13 09:38 --------- d-----w c:\program files\Xilisoft
2008-12-13 09:30 --------- d-----w c:\program files\Zune
2008-12-13 09:29 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-12-13 09:29 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-12-13 08:11 --------- d-----w c:\program files\Microsoft Silverlight
2008-12-10 05:55 --------- d-----w c:\documents and settings\Francis\Application Data\Media Player Classic
2008-11-23 07:01 --------- d-----w c:\program files\DirectX
2008-11-23 06:52 --------- d-----w c:\documents and settings\Francis\Application Data\DivX
2008-11-23 04:25 --------- d-----w c:\program files\WinRAR 3.80 Professional
2008-11-23 04:24 --------- d-----w c:\program files\EA GAMES
2008-11-23 01:25 --------- d-----w c:\program files\Crysis Benchmark tool
2008-11-23 00:51 --------- d-----w c:\program files\Riva Tuner
2008-11-23 00:41 27,904 ----a-w c:\windows\system32\drivers\ndisprot.sys
2008-11-20 21:23 --------- d-----w c:\program files\Reference Assemblies
2008-11-20 21:23 --------- d-----w c:\program files\MSBuild
2008-11-20 21:08 --------- d-----w c:\program files\PowerStrip
2008-11-20 07:33 --------- d-----w c:\program files\GameSpy
2008-11-20 07:32 22,328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-11-20 07:32 22,328 ----a-w c:\documents and settings\Francis\Application Data\PnkBstrK.sys
2008-11-20 07:21 --------- d-----w c:\program files\Electronic Arts
2008-11-17 07:17 --------- d-----w c:\program files\CPU-Z
2008-10-31 18:36 315,392 ----a-w c:\windows\HideWin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-11-06 270128]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2005-12-16 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDeck"="c:\program files\VIA\VIAudioi\SBADeck\ADeck.exe" [2006-11-02 528384]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-03 13508608]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-03 86016]
"RivaTunerStartupDaemon"="c:\program files\Riva Tuner\RivaTuner.exe" [2008-09-16 2715648]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-04-29 158624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-14 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-17 1235736]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"VTTimer"="VTTimer.exe" [2006-09-21 c:\windows\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2006-12-15 c:\windows\system32\VTTrayp.exe]
"P17Helper"="P17.dll" [2005-05-03 c:\windows\system32\P17.dll]
"nwiz"="nwiz.exe" [2008-01-03 c:\windows\system32\nwiz.exe]

c:\documents and settings\Francis\Start Menu\Programs\Startup\
Shortcut to taskmgr.exe.lnk - c:\windows\system32\taskmgr.exe [2004-08-04 135680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2008-12-17 01:30 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"VIDC.AP41"= APmpg4v1.dll
"VIDC.MPG4"= APmpg4v1.dll
"VIDC.MP42"= APmpg4v1.dll
"VIDC.DIV3"= APmpg4v1.dll
"VIDC.DIV4"= APmpg4v1.dll
"VIDC.MP43"= APmpg4v1.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54156:TCP"= 54156:TCP:54156
"54156:UDP"= 54156:UDP:54156
"6112:TCP"= 6112:TCP:port 6112 TCP
"6112:UDP"= 6112:UDP:port 6112 UDP

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-12-17 12936]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-17 98440]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-17 90632]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2008-12-17 29208]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2008-10-31 38560]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-17 231704]
R4 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2008-12-17 1212184]
R4 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-07-14 27992]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2008-12-17 29208]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [2008-11-22 27904]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2008-11-02 7548]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-c:\windows\system32\kdtbk.exe - c:\windows\system32\kdtbk.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Francis\Application Data\Mozilla\Firefox\Profiles\k3kpjqhu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-15 16:39:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AudioDeck = c:\program files\VIA\VIAudioi\SBADeck\ADeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-1708537768-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:da,f6,5b,8c,8e,ac,08,aa,59,26,91,01,4e,4a,27,2f,ea,96,e9,7e,bc,
e7,ff,e1,ab,93,06,61,ed,4f,45,98,a0,f5,34,0b,40,8e,bc,73,1c,89,e9,d9,06,d9,\
"rkeysecu"=hex:fc,c0,7e,17,05,7d,fc,b5,1a,af,54,29,89,3b,60,32
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\NVIDIA Corporation\System Update\UpdateCenterService.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\AVG\AVG8\avgupd.exe
.
**************************************************************************
.
Completion time: 2009-01-15 16:42:55 - machine was rebooted [Francis]
ComboFix-quarantined-files.txt 2009-01-15 21:42:53

Pre-Run: 55,151,759,360 bytes free
Post-Run: 56,128,413,696 bytes free

277 --- E O F --- 2008-11-12 08:01:20

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:52:25 PM, on 1/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\Riva Tuner\RivaTuner.exe" /S
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Shortcut to taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15106/CTPID.cab
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe

--
End of file - 7189 bytes

OK so here's the interesting part. After running ComboFix, I go back to the AVG site and try to install AVG Remover again, and it works this time. No "Page not found" error.
So then I go to microsoft.com and try to download something, and it works too. It seems that ComboFix has removed the malware that was blocking access to certain sites. It has also fixed my issue with Google search results being redirected. So I believe all my problems have been solved.

Could you give me any information about what I was infected with? Like the name of the malware and what it does?

#6 sundavis

  • Malware Response Team
  • 2,708 posts

Posted 17 January 2009 - 12:23 AM

Hi zigzag8336,


Could you give me any information about what I was infected with?


The main culprit is a rootkit, which consists of a program (or combination of several programs) designed to take fundamental control of a computer system.
If we run the GMER Rootkit Scanner, the GRS log will show this line ---> Service C:\WINDOWS\system32\drivers\msqpdxkkuyuida.sys (*** hidden *** ) [SYSTEM] msqpdxserv.sys <-- ROOTKIT
Since the main offending instance is gone, your search engine is back to normal.

You're doing well. :thumbsup: But we need to check your status once more to ensure you're virus-free. Until then, you are good to go. Please be patient and do the following.


Step1

  • Close any open browsers
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Go here for your reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
Save this as CFScript.txt, change the "Save as type" to "All Files", and place it on your desktop.

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Step2

Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.




Step3

Please do an online scan with Kaspersky Online Scanner.
  • Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  • Click Accept button on the "Requirements and limitations".
  • When the Java warning "The application digital signature has been verified. Do you want to run the application" appears, click on the "Run" button.
  • It will be downloading and installing the program and updating the database.
  • When updating the database has finished, click on Settings.
  • Make sure all boxes are checked, then click on the Save button.
  • Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  • Once the scan is completed, Click on View Scan Report.
  • You may see a list of infected items over there. Click on Save Report As.
  • Click "Desktop", name the file "KAS", change the Files of type to Text file (.txt) and click on the Save button.
  • Please post the contents in your next reply.
You can refer to this animation




Please post back the logs in your next reply.

1. KAS Scan Report
2. ComboFix log
3. New DDS.txt

Tell me how your pc is running now.
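A defender-side triage helper for the two things this post points at: the settings its CFScript restores (Security Center notifications and the Windows Firewall standard profile) and the GMER "*** hidden ***" service marker. This is an added example for the thread, not code from ComboFix, GMER or the poster; the log excerpts inside it are constructed from the values quoted above.

```python
"""Triage helper for a ComboFix 'Reg Loading Points' section and a GMER log.

Added example for this thread, not code from ComboFix, GMER or the poster.
The log excerpts below are constructed from the values quoted in the thread.
"""
import re

# Constructed excerpt modelled on the ComboFix log posted above
# (REGEDIT4-style key/value lines); the uTorrent line is a string value
# the parser must skip.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-11-06 270128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Constructed GMER excerpt: the rootkit line quoted in the post plus one
# constructed benign-looking line without the hidden marker.
SAMPLE_GMER = r"""Service C:\WINDOWS\system32\drivers\msqpdxkkuyuida.sys (*** hidden *** ) [SYSTEM] msqpdxserv.sys <-- ROOTKIT
Service C:\WINDOWS\system32\drivers\nvhda32.sys [SYSTEM] NVHDA
"""

# Values the CFScript in this post restores: notifications enabled (0),
# standard-profile firewall on (1). Keys are matched by path suffix because
# ComboFix abbreviates the services key as "HKLM\~\services".
EXPECTED = {
    (r"software\microsoft\security center", "AntiVirusDisableNotify"): 0,
    (r"software\microsoft\security center", "UpdatesDisableNotify"): 0,
    (r"firewallpolicy\standardprofile", "EnableFirewall"): 1,
}

KEY_RE = re.compile(r"^\[(.+)\]$")
# Accepts ComboFix's dword form ('dword:00000001') and its decimal form with
# a hex echo ('0 (0x0)'); string values such as file paths are skipped.
VALUE_RE = re.compile(
    r'^"([^"]+)"\s*=\s*(?:dword:([0-9a-fA-F]{8})|(\d+)\s*\(0x[0-9a-fA-F]+\))\s*$'
)


def parse_reg_points(text):
    """Return {(key_path, value_name): int} for every numeric value line."""
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            hexval, decval = m.group(2), m.group(3)
            values[(key, m.group(1))] = int(hexval, 16) if hexval else int(decval)
    return values


def find_weakened_settings(text):
    """List (key_path, value_name, found, expected) for every monitored
    setting whose value differs from EXPECTED, in log order."""
    findings = []
    for (key, name), found in parse_reg_points(text).items():
        for (suffix, exp_name), expected in EXPECTED.items():
            if name == exp_name and key.lower().endswith(suffix) and found != expected:
                findings.append((key, name, found, expected))
    return findings


def cfscript_fix(text):
    """Build the 'Registry::' block, in the form the post uses, that restores
    every weakened setting found in text."""
    lines = ["Registry::"]
    last_key = None
    for key, name, _found, expected in find_weakened_settings(text):
        if key != last_key:
            lines.append(f"[{key}]")
            last_key = key
        lines.append(f'"{name}"=dword:{expected:08x}')
    return "\n".join(lines)


def hidden_service_lines(gmer_text):
    """Return GMER/catchme lines carrying the '*** hidden ***' service marker."""
    return [ln.strip() for ln in gmer_text.splitlines() if "*** hidden ***" in ln]


if __name__ == "__main__":
    for key, name, found, expected in find_weakened_settings(SAMPLE_LOG):
        print(f"{name}: found {found}, expected {expected}  [{key}]")
    print(cfscript_fix(SAMPLE_LOG))
    print(hidden_service_lines(SAMPLE_GMER))
```

Running the generated block back through the checker is a quick way to confirm it covers every weakened setting before handing it to ComboFix.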

#7 sundavis

  • Malware Response Team
  • 2,708 posts

Posted 20 January 2009 - 12:20 AM

Hi zigzag8336,

How are things going on? Are you still with us? :thumbsup:

#8 zigzag8336

  • Topic Starter
  • Members
  • 4 posts

Posted 20 January 2009 - 06:53 AM

Yeah, sorry I haven't responded; I haven't had the time. I've been very busy with my job. I completed everything the other night; I was just too tired to type a response. Well anyway...

Step 1:

Did everything as requested, here is the Combofix log file:

ComboFix 09-01-16.03 - Francis 2009-01-17 4:36:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1675 [GMT -5:00]
Running from: c:\documents and settings\Francis\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Francis\Desktop\Bleeping Computer\CFScript.txt
AV: AVG Internet Security *On-access scanning disabled* (Updated)
FW: AVG Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-17 to 2009-01-17 )))))))))))))))))))))))))))))))
.

2009-01-16 01:13 . 2009-01-16 01:13 <DIR> d-------- C:\0dc92a47c9f6e6dad7a52af17f05
2009-01-16 01:12 . 2009-01-16 01:13 <DIR> d-------- C:\73140eb9a71a9e076dc05d11
2009-01-16 01:05 . 2009-01-16 01:05 <DIR> d-------- c:\documents and settings\Francis\Application Data\dBpoweramp
2009-01-15 19:38 . 2009-01-15 19:38 <DIR> d-------- c:\program files\MSXML 4.0
2009-01-15 17:34 . 2009-01-15 17:34 0 --ah----- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-01-15 17:34 . 2009-01-15 17:34 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-01-15 17:33 . 2009-01-15 17:33 0 --ah----- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-01-15 17:26 . 2008-05-02 08:25 465,920 --------- c:\windows\system32\imapi2fs.dll
2009-01-15 17:26 . 2008-05-02 08:25 465,920 -----c--- c:\windows\system32\dllcache\imapi2fs.dll
2009-01-15 17:26 . 2008-05-02 08:25 317,952 --------- c:\windows\system32\imapi2.dll
2009-01-15 17:26 . 2008-05-02 08:25 317,952 -----c--- c:\windows\system32\dllcache\imapi2.dll
2009-01-15 17:26 . 2008-05-02 05:49 62,976 -----c--- c:\windows\system32\dllcache\cdrom.sys
2009-01-13 04:49 . 2009-01-13 04:49 <DIR> d-------- C:\rsit
2009-01-07 03:06 . 2009-01-07 03:06 33,846 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.bmp
2009-01-07 03:06 . 2009-01-07 03:06 3,400 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.dat
2009-01-07 03:05 . 2009-01-07 03:05 33,846 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.bmp
2009-01-07 03:05 . 2009-01-07 03:05 2,987 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2009-01-07 03:02 . 2009-01-07 03:02 <DIR> d-------- c:\program files\Illustrate
2009-01-07 03:02 . 2009-01-07 03:02 <DIR> d-------- c:\documents and settings\Francis\Application Data\AccurateRip
2009-01-07 03:02 . 2009-01-07 03:06 10,886,008 --a------ c:\windows\system32\SpoonUninstall.exe
2009-01-07 03:02 . 2009-01-07 03:02 33,846 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.bmp
2009-01-07 03:02 . 2009-01-07 03:02 13,785 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2008-12-31 08:59 . 2008-12-31 08:59 24,872 --a------ c:\windows\system32\drivers\ElbyCDIO.sys
2008-12-30 18:53 . 2008-12-30 18:53 103,360 --a------ c:\windows\system32\drivers\AnyDVD.sys
2008-12-27 03:04 . 2008-12-27 03:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\SlySoft
2008-12-27 02:58 . 2008-12-28 01:28 <DIR> d-------- c:\program files\SlySoft
2008-12-22 19:30 . 2009-01-16 05:15 69 --a------ c:\windows\NeroDigital.ini
2008-12-22 19:27 . 2008-11-25 03:45 2,283,027 --a------ c:\windows\system32\x264vfw.dll
2008-12-22 19:27 . 2002-07-07 17:14 1,294,336 --a------ c:\windows\system32\vorbis.acm
2008-12-22 19:27 . 2006-04-02 07:47 630,784 --a------ c:\windows\system32\vp7vfw.dll
2008-12-22 19:27 . 1997-04-07 12:19 391,680 --a------ c:\windows\system32\I263_32.drv
2008-12-22 19:27 . 2001-02-24 20:19 287,744 --a------ c:\windows\system32\divxa32.acm
2008-12-22 19:27 . 2006-10-18 13:05 232,448 --a------ c:\windows\system32\mp3fhg.acm
2008-12-22 19:27 . 2004-05-18 13:16 39,936 --a------ c:\windows\system32\huffyuv.dll
2008-12-22 18:54 . 2004-08-04 07:00 221,184 --a------ c:\windows\system32\wmpns.dll
2008-12-22 18:54 . 2009-01-16 01:20 23,392 --a------ c:\windows\system32\nscompat.tlb
2008-12-22 18:54 . 2009-01-16 01:20 16,832 --a------ c:\windows\system32\amcompat.tlb
2008-12-19 02:15 . 2008-12-19 02:15 <DIR> d-------- c:\program files\Lavasoft
2008-12-19 02:15 . 2008-12-19 02:15 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-19 02:15 . 2008-12-19 02:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-19 02:11 . 2008-12-19 02:11 <DIR> d-------- c:\program files\Trend Micro
2008-12-18 22:52 . 2008-12-19 00:03 <DIR> d-------- c:\program files\StarCraft
2008-12-18 16:56 . 2008-12-18 16:56 <DIR> d-------- c:\program files\AviSynth 2.5
2008-12-18 16:55 . 2008-12-18 19:33 <DIR> d-------- c:\program files\Avi2Dvd
2008-12-18 16:55 . 2008-12-18 16:55 <DIR> d-------- c:\program files\AVI 2 DVD
2008-12-18 04:32 . 2008-12-18 04:32 <DIR> d-------- c:\program files\Common Files\Ahead
2008-12-18 04:30 . 2008-12-18 04:33 <DIR> d-------- c:\program files\Nero
2008-12-18 04:10 . 2008-12-18 04:10 <DIR> d-------- c:\documents and settings\Francis\Application Data\DVD Flick
2008-12-18 04:10 . 2008-12-23 01:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\DVD Shrink
2008-12-18 01:46 . 2008-12-18 01:46 <DIR> d-------- c:\documents and settings\Francis\Application Data\Apple Computer
2008-12-18 01:32 . 2008-12-18 01:32 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-18 01:32 . 2008-12-18 01:32 <DIR> d-------- c:\program files\Apple Software Update
2008-12-18 01:32 . 2008-12-18 01:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-18 00:24 . 2008-12-18 00:24 <DIR> d-------- c:\documents and settings\Francis\Application Data\HP
2008-12-18 00:24 . 2008-12-18 00:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\WEBREG
2008-12-17 18:00 . 2008-12-17 18:00 <DIR> d-------- c:\documents and settings\Francis\Application Data\HPAppData
2008-12-17 17:59 . 2008-12-17 17:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-12-17 17:59 . 2008-12-17 17:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2008-12-17 17:58 . 2008-12-17 17:58 <DIR> d-------- c:\program files\Hewlett-Packard
2008-12-17 17:58 . 2008-12-17 17:58 <DIR> d-------- c:\program files\Common Files\HP
2008-12-17 17:58 . 2008-12-17 17:58 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2008-12-17 17:57 . 2008-12-17 17:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-12-17 17:57 . 2007-03-30 10:29 267,864 -ra------ c:\windows\system32\hpzids01.dll
2008-12-17 17:57 . 2007-03-28 14:01 118,272 --a------ c:\windows\system32\hpz3l5ha.dll
2008-12-17 17:57 . 2007-03-07 23:20 49,920 -ra------ c:\windows\system32\drivers\HPZid412.sys
2008-12-17 17:57 . 2007-03-07 23:20 21,568 -ra------ c:\windows\system32\drivers\HPZius12.sys
2008-12-17 17:57 . 2007-03-07 23:20 16,496 -ra------ c:\windows\system32\drivers\HPZipr12.sys
2008-12-17 17:56 . 2007-03-17 01:39 958,464 -ra------ c:\windows\system32\hpotiop4.dll
2008-12-17 17:56 . 2007-03-07 23:20 364,544 -ra------ c:\windows\system32\hppldcoi.dll
2008-12-17 17:56 . 2007-03-17 01:39 303,104 -ra------ c:\windows\system32\hpovst11.dll
2008-12-17 17:56 . 2008-04-13 13:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-17 17:56 . 2008-04-13 13:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-12-17 17:53 . 2008-12-17 18:01 139,785 --a------ c:\windows\hpoins15.dat
2008-12-17 17:53 . 2007-06-05 18:04 1,039 --------- c:\windows\hpomdl15.dat
2008-12-17 17:50 . 2008-04-13 13:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-12-17 17:50 . 2008-04-13 13:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-12-17 02:01 . 2008-12-17 12:46 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-17 01:29 . 2008-12-17 01:29 <DIR> d-------- c:\program files\AVG
2008-12-17 01:29 . 2009-01-15 17:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-17 09:36 --------- d-----w c:\documents and settings\Francis\Application Data\uTorrent
2009-01-16 06:13 --------- d-----w c:\program files\Windows Media Connect 2
2009-01-15 22:29 --------- d-----w c:\program files\Zune
2009-01-15 08:15 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-23 00:27 --------- d-----w c:\program files\K-Lite Codec Pack
2008-12-19 04:00 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-12-18 06:33 --------- d-----w c:\program files\QuickTime
2008-12-18 06:32 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-17 23:00 --------- d-----w c:\program files\HP
2008-12-17 07:06 --------- d-----w c:\program files\3GP Video Converter
2008-12-15 04:14 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-15 04:14 --------- d-----w c:\program files\Java
2008-12-13 09:38 --------- d-----w c:\program files\Xilisoft
2008-12-13 09:29 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-12-13 09:29 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-12-13 08:11 --------- d-----w c:\program files\Microsoft Silverlight
2008-12-12 17:41 60,032 ----a-w c:\windows\system32\ZuneBusEnum.exe
2008-12-12 17:41 243,840 ----a-w c:\windows\system32\ZuneWlanCfgSvc.exe
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-10 05:55 --------- d-----w c:\documents and settings\Francis\Application Data\Media Player Classic
2008-11-24 14:32 57,344 ----a-w c:\windows\system32\ff_vfw.dll
2008-11-23 07:01 --------- d-----w c:\program files\DirectX
2008-11-23 06:52 --------- d-----w c:\documents and settings\Francis\Application Data\DivX
2008-11-23 04:25 --------- d-----w c:\program files\WinRAR 3.80 Professional
2008-11-23 04:24 --------- d-----w c:\program files\EA GAMES
2008-11-23 01:25 --------- d-----w c:\program files\Crysis Benchmark tool
2008-11-23 00:51 --------- d-----w c:\program files\Riva Tuner
2008-11-23 00:41 27,904 ----a-w c:\windows\system32\drivers\ndisprot.sys
2008-11-20 21:23 --------- d-----w c:\program files\Reference Assemblies
2008-11-20 21:23 --------- d-----w c:\program files\MSBuild
2008-11-20 21:08 --------- d-----w c:\program files\PowerStrip
2008-11-20 07:33 --------- d-----w c:\program files\GameSpy
2008-11-20 07:32 669,184 ----a-w c:\windows\system32\pbsvc.exe
2008-11-20 07:32 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2008-11-20 07:32 22,328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-11-20 07:32 22,328 ----a-w c:\documents and settings\Francis\Application Data\PnkBstrK.sys
2008-11-20 07:32 103,736 ----a-w c:\windows\system32\PnkBstrB.exe
2008-11-20 07:21 --------- d-----w c:\program files\Electronic Arts
2008-11-19 17:21 93,128 ----a-w c:\windows\system32\ElbyCDIO.dll
2008-11-17 07:17 --------- d-----w c:\program files\CPU-Z
2008-11-10 17:09 73,728 ----a-w c:\windows\system32\ZuneUsbTransport.dll
2008-11-10 17:09 57,344 ----a-w c:\windows\system32\ZuneRegUtil.dll
2008-11-10 17:09 310,272 ----a-w c:\windows\system32\ZuneNetProxy.dll
2008-11-10 17:09 18,944 ----a-w c:\windows\system32\ZuneTcp2Udp.dll
2008-11-10 17:09 145,920 ----a-w c:\windows\system32\ZuneMTPZ.dll
2008-11-10 17:09 12,800 ----a-w c:\windows\system32\ZunePTDNS.dll
2008-11-07 20:41 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-11-05 12:25 409,600 ----a-w c:\windows\system32\wrap_oal.dll
2008-11-05 12:25 114,688 ----a-w c:\windows\system32\OpenAL32.dll
2008-11-01 22:09 31,744 ----a-w c:\windows\system32\5Jdqq22S.exe
2008-10-31 18:36 315,392 ----a-w c:\windows\HideWin.exe
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-10-27 15:04 70,992 ----a-w c:\windows\system32\XAPOFX1_2.dll
2008-10-27 15:04 514,384 ----a-w c:\windows\system32\XAudio2_3.dll
2008-10-27 15:04 235,856 ----a-w c:\windows\system32\xactengine3_3.dll
2008-10-27 15:04 23,376 ----a-w c:\windows\system32\X3DAudio1_5.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-15_16.42.28.67 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-15 22:27:59 2,256,896 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\UIX.RenderApi\bf58a773d5b2be78ee9bcf0f074cb3c4\UIX.RenderApi.ni.dll
+ 2009-01-15 22:27:56 5,517,312 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\UIX\227b07fa6a18db4f5ad969a4cf3c05b4\UIX.ni.dll
+ 2009-01-15 22:28:06 86,016 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\UIXControls\e7693274cd2110389984d1c0dbd66f53\UIXControls.ni.dll
+ 2009-01-15 22:27:48 1,523,712 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\ZuneDBApi\cd77013762a324689a8f72ed576158d3\ZuneDBApi.ni.dll
+ 2009-01-15 22:28:05 2,932,736 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\ZuneShell\7e79209f28169c1d4503e79e6b1c1cd8\ZuneShell.ni.dll
+ 2008-05-02 10:49:39 62,976 ------w c:\windows\Driver Cache\i386\cdrom.sys
- 2004-08-04 12:00:00 208,896 ----a-w c:\windows\inf\unregmp2.exe
+ 2007-06-27 03:10:26 317,440 ----a-w c:\windows\inf\unregmp2.exe
+ 2009-01-16 00:38:28 32,768 ----a-r c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
- 2004-08-04 12:00:00 8,192 ----a-w c:\windows\system32\asferror.dll
+ 2006-10-19 02:47:08 7,168 ----a-w c:\windows\system32\asferror.dll
- 2004-08-04 12:00:00 8,192 ----a-w c:\windows\system32\dllcache\asferror.dll
+ 2006-10-19 02:47:08 7,168 -c--a-w c:\windows\system32\dllcache\asferror.dll
+ 2008-06-20 17:46:57 147,968 -c----w c:\windows\system32\dllcache\dnsapi.dll
+ 2008-10-23 12:36:14 286,720 -c----w c:\windows\system32\dllcache\gdi32.dll
- 2006-10-19 01:03:58 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe
+ 2008-06-18 06:09:22 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe
- 2004-08-04 12:00:00 368,640 ----a-w c:\windows\system32\dllcache\mpvis.dll
+ 2006-10-19 02:47:14 243,712 -c--a-w c:\windows\system32\dllcache\mpvis.dll
- 2008-08-20 05:30:53 3,067,904 -c----w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-12 17:01:00 3,067,904 -c----w c:\windows\system32\dllcache\mshtml.dll
+ 2008-06-20 17:46:57 245,248 -c----w c:\windows\system32\dllcache\mswsock.dll
- 2004-08-04 12:00:00 774,144 ----a-w c:\windows\system32\dllcache\setup_wm.exe
+ 2006-11-01 23:31:38 1,669,120 -c--a-w c:\windows\system32\dllcache\setup_wm.exe
- 2008-08-20 05:30:51 1,499,136 -c----w c:\windows\system32\dllcache\shdocvw.dll
+ 2008-10-16 01:00:10 1,499,136 -c----w c:\windows\system32\dllcache\shdocvw.dll
- 2008-09-08 10:41:42 333,824 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 -c----w c:\windows\system32\dllcache\srv.sys
- 2008-04-14 00:12:07 246,814 -c--a-w c:\windows\system32\dllcache\strmdll.dll
+ 2008-10-03 10:02:42 247,326 -c--a-w c:\windows\system32\dllcache\strmdll.dll
+ 2008-06-20 11:51:12 361,600 -c----w c:\windows\system32\dllcache\tcpip.sys
+ 2008-06-20 11:08:27 225,856 -c----w c:\windows\system32\dllcache\tcpip6.sys
- 2004-08-04 12:00:00 208,896 ----a-w c:\windows\system32\dllcache\unregmp2.exe
+ 2007-06-27 03:10:26 317,440 -c--a-w c:\windows\system32\dllcache\unregmp2.exe
- 2008-08-20 05:30:52 619,520 -c----w c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-16 01:00:11 619,520 -c----w c:\windows\system32\dllcache\urlmon.dll
- 2008-08-20 05:30:51 666,112 -c----w c:\windows\system32\dllcache\wininet.dll
+ 2008-10-16 01:00:11 666,112 -c----w c:\windows\system32\dllcache\wininet.dll
- 2004-08-04 12:00:00 168,448 ----a-w c:\windows\system32\dllcache\wmerror.dll
+ 2006-10-19 02:47:20 227,328 -c--a-w c:\windows\system32\dllcache\wmerror.dll
- 2006-10-19 02:47:20 937,984 -c--a-w c:\windows\system32\dllcache\WMNetMgr.dll
+ 2008-06-18 10:03:08 938,496 -c--a-w c:\windows\system32\dllcache\WMNetmgr.dll
- 2004-08-04 12:00:00 4,874,240 ----a-w c:\windows\system32\dllcache\wmp.dll
+ 2007-06-12 04:51:12 10,834,944 -c--a-w c:\windows\system32\dllcache\wmp.dll
- 2004-08-04 12:00:00 114,688 ----a-w c:\windows\system32\dllcache\wmpasf.dll
+ 2006-10-19 02:47:20 242,688 -c--a-w c:\windows\system32\dllcache\wmpasf.dll
- 2004-08-04 12:00:00 98,304 ----a-w c:\windows\system32\dllcache\wmpband.dll
+ 2006-10-19 02:47:20 96,256 -c--a-w c:\windows\system32\dllcache\wmpband.dll
- 2004-08-04 12:00:00 233,472 ----a-w c:\windows\system32\dllcache\wmpdxm.dll
+ 2006-10-19 02:47:20 314,880 -c--a-w c:\windows\system32\dllcache\wmpdxm.dll
- 2004-08-04 12:00:00 73,728 ----a-w c:\windows\system32\dllcache\wmplayer.exe
+ 2006-10-19 02:46:20 64,000 -c--a-w c:\windows\system32\dllcache\wmplayer.exe
- 2004-08-04 12:00:00 2,940,928 ----a-w c:\windows\system32\dllcache\wmploc.dll
+ 2006-10-19 02:47:20 8,231,936 -c--a-w c:\windows\system32\dllcache\wmploc.dll
- 2004-08-04 12:00:00 102,400 ----a-w c:\windows\system32\dllcache\wmpshell.dll
+ 2006-10-19 02:47:20 99,840 -c--a-w c:\windows\system32\dllcache\wmpshell.dll
- 2006-10-19 02:47:22 2,450,944 -c--a-w c:\windows\system32\dllcache\wmvcore.dll
+ 2008-06-18 10:03:14 2,458,112 -c--a-w c:\windows\system32\dllcache\wmvcore.dll
- 2008-04-14 00:11:52 147,968 ----a-w c:\windows\system32\dnsapi.dll
+ 2008-06-20 17:46:57 147,968 ----a-w c:\windows\system32\dnsapi.dll
- 2008-04-13 18:40:46 62,976 ----a-w c:\windows\system32\drivers\cdrom.sys
+ 2008-05-02 10:49:39 62,976 ----a-w c:\windows\system32\drivers\cdrom.sys
- 2008-04-13 19:20:16 361,344 ----a-w c:\windows\system32\drivers\tcpip.sys
+ 2008-06-20 11:51:12 361,600 ----a-w c:\windows\system32\drivers\tcpip.sys
- 2008-04-13 19:00:02 225,664 ----a-w c:\windows\system32\drivers\tcpip6.sys
+ 2008-06-20 11:08:27 225,856 ----a-w c:\windows\system32\drivers\tcpip6.sys
- 2008-04-30 00:39:06 672,768 ----a-w c:\windows\system32\drivers\UMDF\ZuneDriver.dll
+ 2008-11-10 17:09:32 706,048 ----a-w c:\windows\system32\drivers\UMDF\ZuneDriver.dll
+ 2006-11-02 12:00:08 39,368 ------w c:\windows\system32\drivers\winusb.sys
- 2006-09-28 23:55:50 77,568 ------w c:\windows\system32\drivers\WudfPf.sys
+ 2008-01-19 03:52:52 77,696 ------w c:\windows\system32\drivers\WudfPf.sys
- 2006-09-29 00:00:34 82,944 ------w c:\windows\system32\drivers\WudfRd.sys
+ 2008-01-19 03:53:06 83,328 ------w c:\windows\system32\drivers\WudfRd.sys
- 2008-04-30 00:39:04 40,704 ----a-w c:\windows\system32\drivers\zumbus.sys
+ 2008-11-10 17:09:32 40,832 ----a-w c:\windows\system32\drivers\zumbus.sys
- 2006-10-19 01:03:58 100,864 ----a-w c:\windows\system32\logagent.exe
+ 2008-06-18 06:09:22 100,864 ----a-w c:\windows\system32\logagent.exe
- 2008-11-04 00:10:25 17,318,336 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-09 22:35:30 20,853,704 ----a-w c:\windows\system32\MRT.exe
- 2008-08-20 05:30:53 3,067,904 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-12 17:01:00 3,067,904 ----a-w c:\windows\system32\mshtml.dll
- 2008-04-14 00:12:01 245,248 ----a-w c:\windows\system32\mswsock.dll
+ 2008-06-20 17:46:57 245,248 ----a-w c:\windows\system32\mswsock.dll
- 2007-03-09 01:38:58 1,230,336 ----a-w c:\windows\system32\msxml4.dll
+ 2008-09-30 21:43:34 1,286,152 ----a-w c:\windows\system32\msxml4.dll
- 2009-01-15 21:36:52 71,308 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-17 09:09:31 71,308 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-15 21:36:52 441,624 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-17 09:09:31 441,624 ----a-w c:\windows\system32\perfh009.dat
+ 2008-04-18 00:11:06 1,112,288 ----a-w c:\windows\system32\ReinstallBackups\0012\DriverFiles\WdfCoInstaller01007.dll
+ 2008-04-30 00:39:04 40,704 ----a-w c:\windows\system32\ReinstallBackups\0012\DriverFiles\zumbus.sys
- 2008-08-20 05:30:51 1,499,136 ----a-w c:\windows\system32\shdocvw.dll
+ 2008-10-16 01:00:10 1,499,136 ----a-w c:\windows\system32\shdocvw.dll
- 2008-07-08 13:02:01 17,272 ------w c:\windows\system32\spmsg.dll
+ 2007-07-27 15:41:40 16,760 ------w c:\windows\system32\spmsg.dll
- 2008-04-14 00:12:07 246,814 ----a-w c:\windows\system32\strmdll.dll
+ 2008-10-03 10:02:42 247,326 ----a-w c:\windows\system32\strmdll.dll
- 2008-04-14 00:12:38 60,416 ------w c:\windows\system32\tzchange.exe
+ 2008-10-23 10:06:59 62,976 ------w c:\windows\system32\tzchange.exe
- 2008-08-20 05:30:52 619,520 ----a-w c:\windows\system32\urlmon.dll
+ 2008-10-16 01:00:11 619,520 ----a-w c:\windows\system32\urlmon.dll
- 2008-08-20 05:30:51 666,112 ----a-w c:\windows\system32\wininet.dll
+ 2008-10-16 01:00:11 666,112 ----a-w c:\windows\system32\wininet.dll
+ 2006-11-02 12:00:10 24,136 ------w c:\windows\system32\winusb.dll
+ 2008-09-12 19:39:20 581,192 ----a-w c:\windows\system32\WinUSBCoInstaller.dll
- 2004-08-04 12:00:00 168,448 ----a-w c:\windows\system32\wmerror.dll
+ 2006-10-19 02:47:20 227,328 ----a-w c:\windows\system32\wmerror.dll
- 2006-10-19 02:47:20 937,984 ----a-w c:\windows\system32\WMNetMgr.dll
+ 2008-06-18 10:03:08 938,496 ----a-w c:\windows\system32\WMNetmgr.dll
- 2004-08-04 12:00:00 4,874,240 ----a-w c:\windows\system32\wmp.dll
+ 2007-06-12 04:51:12 10,834,944 ----a-w c:\windows\system32\wmp.dll
- 2004-08-04 12:00:00 114,688 ----a-w c:\windows\system32\wmpasf.dll
+ 2006-10-19 02:47:20 242,688 ----a-w c:\windows\system32\wmpasf.dll
- 2004-08-04 12:00:00 233,472 ----a-w c:\windows\system32\wmpdxm.dll
+ 2006-10-19 02:47:20 314,880 ----a-w c:\windows\system32\wmpdxm.dll
+ 2008-06-24 23:12:58 295,936 ------w c:\windows\system32\wmpeffects.dll
+ 2006-10-19 02:47:20 1,661,440 ------w c:\windows\system32\wmpencen.dll
- 2004-08-04 12:00:00 2,940,928 ----a-w c:\windows\system32\wmploc.dll
+ 2006-10-19 02:47:20 8,231,936 ----a-w c:\windows\system32\wmploc.dll
+ 2006-10-19 02:47:20 613,376 ------w c:\windows\system32\wmpmde.dll
+ 2006-10-19 02:47:20 130,048 ------w c:\windows\system32\wmpps.dll
- 2004-08-04 12:00:00 102,400 ----a-w c:\windows\system32\wmpshell.dll
+ 2006-10-19 02:47:20 99,840 ----a-w c:\windows\system32\wmpshell.dll
+ 2006-10-19 02:47:20 204,288 ------w c:\windows\system32\wmpsrcwp.dll
- 2006-10-19 02:47:22 2,450,944 ----a-w c:\windows\system32\wmvcore.dll
+ 2008-06-18 10:03:14 2,458,112 ----a-w c:\windows\system32\wmvcore.dll
- 2006-09-29 01:13:26 95,344 ------w c:\windows\system32\WUDFCoinstaller.dll
+ 2008-01-19 05:37:14 87,552 ------w c:\windows\system32\WUDFCoinstaller.dll
- 2006-09-28 23:56:38 146,432 ------w c:\windows\system32\WudfHost.exe
+ 2008-01-19 05:33:42 142,336 ------w c:\windows\system32\WudfHost.exe
- 2006-09-28 23:56:16 165,376 ------w c:\windows\system32\WudfPlatform.dll
+ 2008-01-19 03:52:54 163,840 ------w c:\windows\system32\WudfPlatform.dll
- 2006-09-28 23:56:14 55,808 ------w c:\windows\system32\WudfSvc.dll
+ 2008-01-19 05:37:14 55,296 ------w c:\windows\system32\WudfSvc.dll
+ 2008-09-12 19:39:20 1,302,600 ----a-w c:\windows\system32\WUDFUpdate_01007.dll
- 2006-09-28 23:56:38 316,416 ------w c:\windows\system32\WUDFx.dll
+ 2008-01-19 05:37:14 305,152 ------w c:\windows\system32\WUDFx.dll
+ 2009-01-17 09:05:21 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_748.dat
+ 2008-09-30 21:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-09-30 21:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
+ 2005-09-23 03:48:08 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll
+ 2005-09-23 03:48:08 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll
+ 2005-09-23 03:48:06 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-11-06 270128]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2005-12-16 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDeck"="c:\program files\VIA\VIAudioi\SBADeck\ADeck.exe" [2006-11-02 528384]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-03 13508608]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-03 86016]
"RivaTunerStartupDaemon"="c:\program files\Riva Tuner\RivaTuner.exe" [2008-09-16 2715648]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-14 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"VTTimer"="VTTimer.exe" [2006-09-21 c:\windows\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2006-12-15 c:\windows\system32\VTTrayp.exe]
"P17Helper"="P17.dll" [2005-05-03 c:\windows\system32\P17.dll]
"nwiz"="nwiz.exe" [2008-01-03 c:\windows\system32\nwiz.exe]

c:\documents and settings\Francis\Start Menu\Programs\Startup\
Shortcut to taskmgr.exe.lnk - c:\windows\system32\taskmgr.exe [2004-08-04 135680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"VIDC.AP41"= APmpg4v1.dll
"VIDC.MPG4"= APmpg4v1.dll
"VIDC.MP42"= APmpg4v1.dll
"VIDC.DIV3"= APmpg4v1.dll
"VIDC.DIV4"= APmpg4v1.dll
"VIDC.MP43"= APmpg4v1.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54156:TCP"= 54156:TCP:54156
"54156:UDP"= 54156:UDP:54156
"6112:TCP"= 6112:TCP:port 6112 TCP
"6112:UDP"= 6112:UDP:port 6112 UDP

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2008-10-31 38560]
R4 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-07-14 27992]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [2008-11-22 27904]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2008-11-02 7548]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

Notify-avgrsstarter - avgrsstx.dll


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Francis\Application Data\Mozilla\Firefox\Profiles\k3kpjqhu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 04:39:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AudioDeck = c:\program files\VIA\VIAudioi\SBADeck\ADeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-1708537768-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:da,f6,5b,8c,8e,ac,08,aa,59,26,91,01,4e,4a,27,2f,ea,96,e9,7e,bc,
e7,ff,e1,ab,93,06,61,ed,4f,45,98,a0,f5,34,0b,40,8e,bc,73,1c,89,e9,d9,06,d9,\
"rkeysecu"=hex:fc,c0,7e,17,05,7d,fc,b5,1a,af,54,29,89,3b,60,32
.
Completion time: 2009-01-17 4:39:56
ComboFix-quarantined-files.txt 2009-01-17 09:39:54
ComboFix2.txt 2009-01-15 21:42:56

Pre-Run: 53,850,873,856 bytes free
Post-Run: 53,848,952,832 bytes free

408 --- E O F --- 2009-01-16 07:04:11


Step 2:


Downloaded and ran ATFCleaner.exe; it cleared everything, but I did save my passwords and form info.

Step 3:

Ran Kaspersky Antivirus (Online Edition); here are the results:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, January 17, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, January 17, 2009 09:16:18
Records in database: 1635492
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 71738
Threat name: 6
Infected objects: 24
Suspicious objects: 0
Duration of the scan: 01:40:23


File name / Threat name / Threats count
C:\Documents and Settings\Francis\.housecall6.6\Quarantine\A0008121.exe.bac_a03668 Infected: Trojan-Downloader.Win32.Agent.amqp 1
C:\Documents and Settings\Francis\.housecall6.6\Quarantine\A0021029.inf.bac_a03668 Infected: Worm.Win32.AutoRun.nuu 1
C:\Documents and Settings\Francis\.housecall6.6\Quarantine\A0021083.inf.bac_a03668 Infected: Worm.Win32.AutoRun.nuu 1
C:\Documents and Settings\Francis\.housecall6.6\Quarantine\A0021124.inf.bac_a03668 Infected: Worm.Win32.AutoRun.nuu 1
C:\Documents and Settings\Francis\.housecall6.6\Quarantine\A0021230.inf.bac_a03668 Infected: Worm.Win32.AutoRun.nuu 1
C:\Documents and Settings\Francis\.housecall6.6\Quarantine\A0021270.inf.bac_a03668 Infected: Worm.Win32.AutoRun.nuu 1
C:\Documents and Settings\Francis\.housecall6.6\Quarantine\A0021376.inf.bac_a03668 Infected: Worm.Win32.AutoRun.nuu 1
C:\Documents and Settings\Francis\.housecall6.6\Quarantine\A0021387.inf.bac_a03668 Infected: Worm.Win32.AutoRun.nuu 1
C:\Documents and Settings\Francis\.housecall6.6\Quarantine\A0021401.inf.bac_a03668 Infected: Worm.Win32.AutoRun.nuu 1
C:\Documents and Settings\Francis\.housecall6.6\Quarantine\A0021417.inf.bac_a03668 Infected: Worm.Win32.AutoRun.nuu 1
C:\Documents and Settings\Francis\.housecall6.6\Quarantine\tmp2.tmp.bac_a03668 Infected: Trojan.Win32.Patched.dw 1
C:\Documents and Settings\Francis\.housecall6.6\Quarantine\tmp4.tmp.bac_a03668 Infected: Trojan.Win32.Patched.dw 1
C:\Documents and Settings\Francis\.housecall6.6\Quarantine\tmp43.tmp.bac_a03668 Infected: Trojan.Win32.Patched.dw 1
C:\Documents and Settings\Francis\.housecall6.6\Quarantine\tmp47.tmp.bac_a03668 Infected: Trojan.Win32.Patched.dw 1
C:\Documents and Settings\Francis\.housecall6.6\Quarantine\tmp5.tmp.bac_a03668 Infected: Trojan.Win32.Patched.dw 1
C:\Documents and Settings\Francis\.housecall6.6\Quarantine\tmp6.tmp.bac_a03668 Infected: Trojan.Win32.Patched.dw 1
C:\Documents and Settings\Francis\.housecall6.6\Quarantine\tmp8.tmp.bac_a03668 Infected: Trojan.Win32.Patched.dw 1
C:\Documents and Settings\Francis\.housecall6.6\Quarantine\tmpB.tmp.bac_a03668 Infected: Trojan.Win32.Patched.dw 1
C:\Documents and Settings\Francis\.housecall6.6\Quarantine\tmpD3.tmp.bac_a03668 Infected: Trojan.Win32.Patched.dw 1
C:\Documents and Settings\Francis\.housecall6.6\Quarantine\tmpD6.tmp.bac_a03668 Infected: Trojan.Win32.Patched.dw 1
C:\Qoobox\Quarantine\C\DOCUME~1\Francis\LOCALS~1\Temp\tmp1.tmp.vir Infected: Trojan.Win32.Small.yon 1
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\components\iamfamous.dll.vir Infected: Packed.Win32.Krap.d 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\msqpdxwgqeirxy.dll.vir Infected: Packed.Win32.Krap.d 1
C:\WINDOWS\system32\5Jdqq22S.exe Infected: Trojan-Downloader.Win32.Firu.bhf 1

The selected area was scanned.

Step 4:

DDS.scr results:

DDS (Ver_09-01-07.01) - NTFSx86
Run by Francis at 6:43:11.57 on Tue 01/20/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1662 [GMT -5:00]

AV: AVG Internet Security *On-access scanning disabled* (Updated)
FW: AVG Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Francis\Desktop\Bleeping Computer\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [AudioDeck] c:\program files\via\viaudioi\sbadeck\ADeck.exe 1
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RivaTunerStartupDaemon] "c:\program files\riva tuner\RivaTuner.exe" /S
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\docume~1\francis\startm~1\programs\startup\shortc~1.lnk - c:\windows\system32\taskmgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\francis\applic~1\mozilla\firefox\profiles\k3kpjqhu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll

============= SERVICES / DRIVERS ===============

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2008-10-31 38560]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-7-14 27992]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys --> c:\windows\system32\drivers\avgfwdx.sys [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys --> c:\windows\system32\drivers\avgfwdx.sys [?]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [2008-11-22 27904]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2008-11-2 7548]

=============== Created Last 30 ================

2009-01-20 06:36 389,120 a------- c:\windows\system32\CF3716.exe
2009-01-20 06:36 <DIR> --d----- C:\ComboFix
2009-01-16 01:13 <DIR> --d----- C:\0dc92a47c9f6e6dad7a52af17f05
2009-01-16 01:12 <DIR> --d----- C:\73140eb9a71a9e076dc05d11
2009-01-16 01:05 <DIR> --d----- c:\docume~1\francis\applic~1\dBpoweramp
2009-01-15 19:38 <DIR> --d----- c:\program files\MSXML 4.0
2009-01-15 17:34 0 a---h--- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-01-15 17:34 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-01-15 17:33 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-01-15 17:26 62,976 -c------ c:\windows\system32\dllcache\cdrom.sys
2009-01-15 17:26 465,920 -c------ c:\windows\system32\dllcache\imapi2fs.dll
2009-01-15 17:26 317,952 -c------ c:\windows\system32\dllcache\imapi2.dll
2009-01-15 17:26 465,920 -------- c:\windows\system32\imapi2fs.dll
2009-01-15 17:26 317,952 -------- c:\windows\system32\imapi2.dll
2009-01-15 16:27 <DIR> --d----- C:\cmdcons
2009-01-15 16:25 161,792 a------- c:\windows\SWREG.exe
2009-01-15 16:25 98,816 a------- c:\windows\sed.exe
2009-01-07 03:06 33,846 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.bmp
2009-01-07 03:06 3,400 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.dat
2009-01-07 03:05 33,846 a------- c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.bmp
2009-01-07 03:05 2,987 a------- c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2009-01-07 03:02 33,846 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.bmp
2009-01-07 03:02 <DIR> --d----- c:\docume~1\francis\applic~1\AccurateRip
2009-01-07 03:02 10,886,008 a------- c:\windows\system32\SpoonUninstall.exe
2009-01-07 03:02 13,785 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2009-01-07 03:02 <DIR> --d----- c:\program files\Illustrate
2008-12-31 08:59 24,872 a------- c:\windows\system32\drivers\ElbyCDIO.sys
2008-12-30 18:53 103,360 a------- c:\windows\system32\drivers\AnyDVD.sys
2008-12-27 02:58 <DIR> --d----- c:\program files\SlySoft
2008-12-22 19:30 69 a------- c:\windows\NeroDigital.ini
2008-12-22 19:27 2,283,027 a------- c:\windows\system32\x264vfw.dll
2008-12-22 19:27 1,294,336 a------- c:\windows\system32\vorbis.acm
2008-12-22 19:27 630,784 a------- c:\windows\system32\vp7vfw.dll
2008-12-22 19:27 391,680 a------- c:\windows\system32\I263_32.drv
2008-12-22 19:27 287,744 a------- c:\windows\system32\divxa32.acm
2008-12-22 19:27 232,448 a------- c:\windows\system32\mp3fhg.acm
2008-12-22 19:27 39,936 a------- c:\windows\system32\huffyuv.dll
2008-12-22 18:54 221,184 a------- c:\windows\system32\wmpns.dll
2008-12-22 18:54 23,392 a------- c:\windows\system32\nscompat.tlb
2008-12-22 18:54 16,832 a------- c:\windows\system32\amcompat.tlb

==================== Find3M ====================

2008-12-17 18:01 139,785 a------- c:\windows\hpoins15.dat
2008-12-14 23:14 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-13 04:29 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-12-13 04:29 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-12-12 12:41 243,840 a------- c:\windows\system32\ZuneWlanCfgSvc.exe
2008-12-12 12:41 60,032 a------- c:\windows\system32\ZuneBusEnum.exe
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-24 09:32 57,344 a------- c:\windows\system32\ff_vfw.dll
2008-11-22 19:41 27,904 a------- c:\windows\system32\drivers\ndisprot.sys
2008-11-20 02:32 22,328 a------- c:\docume~1\francis\applic~1\PnkBstrK.sys
2008-11-20 02:32 103,736 a------- c:\windows\system32\PnkBstrB.exe
2008-11-20 02:32 669,184 a------- c:\windows\system32\pbsvc.exe
2008-11-20 02:32 66,872 a------- c:\windows\system32\PnkBstrA.exe
2008-11-19 12:21 93,128 a------- c:\windows\system32\ElbyCDIO.dll
2008-11-10 12:09 73,728 a------- c:\windows\system32\ZuneUsbTransport.dll
2008-11-10 12:09 18,944 a------- c:\windows\system32\ZuneTcp2Udp.dll
2008-11-10 12:09 57,344 a------- c:\windows\system32\ZuneRegUtil.dll
2008-11-10 12:09 12,800 a------- c:\windows\system32\ZunePTDNS.dll
2008-11-10 12:09 310,272 a------- c:\windows\system32\ZuneNetProxy.dll
2008-11-10 12:09 145,920 a------- c:\windows\system32\ZuneMTPZ.dll
2008-11-07 15:41 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-11-05 07:25 409,600 a------- c:\windows\system32\wrap_oal.dll
2008-11-05 07:25 114,688 a------- c:\windows\system32\OpenAL32.dll
2008-11-03 14:47 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-01 17:09 31,744 a------- c:\windows\system32\5Jdqq22S.exe
2008-10-31 13:36 315,392 a------- c:\windows\HideWin.exe
2008-10-28 17:36 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-10-28 17:36 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-10-28 17:35 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-10-28 17:35 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-10-28 17:35 684,032 a------- c:\windows\system32\DivX.dll
2008-10-27 10:04 514,384 a------- c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 a------- c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll

============= FINISH: 6:43:27.95 ===============

It seems like my computer is running exactly as it should now. Again, I would like to thank you for all your help.
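As an added example (written for this page; it is not part of the thread and not code from the DDS tool), here is a small Python triage script for the kind of listing shown above. It parses lines in the DDS "Find3M" format into records and flags executables under the Windows tree whose base name looks machine-generated, the way 5Jdqq22S.exe does next to gdi32.dll and OpenAL32.dll. The sample lines are constructed from entries in the log above, and the randomness heuristic (alphanumeric only, eight or more characters, digits plus either many case/digit switches or no vowels) is my own assumption: it is a prompt for a second look, not a verdict.

```python
import re
from datetime import datetime

# Constructed sample in the DDS listing format used above. The 5Jdqq22S.exe
# entry is the file the helper later asks the poster to delete.
SAMPLE_LISTING = """\
2008-12-11 05:57 333,952 a------- c:\\windows\\system32\\drivers\\srv.sys
2008-11-05 07:25 114,688 a------- c:\\windows\\system32\\OpenAL32.dll
2008-11-01 17:09 31,744 a------- c:\\windows\\system32\\5Jdqq22S.exe
2008-10-31 13:36 315,392 a------- c:\\windows\\HideWin.exe
2008-10-23 07:36 286,720 a------- c:\\windows\\system32\\gdi32.dll
2009-01-16 01:13 <DIR> --d----- C:\\0dc92a47c9f6e6dad7a52af17f05
"""

# date time size|<DIR> 8-char attribute string path
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[a-z-]{8}) (?P<path>.+)$",
    re.IGNORECASE,
)

VOWELS = set("aeiouAEIOU")
BINARY_EXT = (".exe", ".dll", ".sys", ".scr")


def parse_listing(text):
    """Turn DDS listing lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        is_dir = m["size"] == "<DIR>"
        records.append({
            "when": datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M"),
            "size": None if is_dir else int(m["size"].replace(",", "")),
            "is_dir": is_dir,
            "attrs": m["attrs"].lower(),
            "path": m["path"],
        })
    return records


def _run_count(s):
    """Count runs of one character class (upper, lower, digit) in s."""
    runs, prev = 0, None
    for ch in s:
        cls = "d" if ch.isdigit() else ("u" if ch.isupper() else "l")
        if cls != prev:
            runs += 1
            prev = cls
    return runs


def looks_random(stem):
    """Heuristic (my assumption) for machine-generated names such as 5Jdqq22S:
    alphanumeric only, at least 8 characters, contains digits, and either
    switches character class five or more times or has no vowels at all."""
    if not stem.isalnum() or len(stem) < 8:
        return False
    has_digit = any(ch.isdigit() for ch in stem)
    no_vowels = not (set(stem) & VOWELS)
    return has_digit and (_run_count(stem) >= 5 or no_vowels)


def suspicious_entries(records):
    """Return paths of executables under the Windows tree whose name looks random."""
    hits = []
    for r in records:
        if r["is_dir"]:
            continue
        low = r["path"].lower()
        if not low.endswith(BINARY_EXT) or "\\windows\\" not in low:
            continue
        stem = r["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(stem):
            hits.append(r["path"])
    return hits


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    print(f"{len(recs)} entries parsed")
    for path in suspicious_entries(recs):
        print("second look:", path)
```

On the constructed sample the only hit is c:\windows\system32\5Jdqq22S.exe, which is the file the helper singles out in the next post. The point of the heuristic is to shorten a long listing to a handful of candidates; a hit still needs confirming by hash, signer, or an online scanner before anything is deleted.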

#9 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:46 AM

Posted 20 January 2009 - 12:45 PM

Hi zigzag8336,


It seems like my computer is running exactly as it should now


That sounds good. :) The Kas online scan displayed some infected files in housecall Quarantine and Qoobox folder. Please do the following:

Please show all files and navigate to the following filepath to empty the contents in housecall Quarantine folder.

C:\Documents and Settings\Francis\.housecall6.6\Quarantine

After that, please use Windows Explorer to find and delete the following infected file:

C:\WINDOWS\system32\5Jdqq22S.exe

Other than that, you are all clean now. :thumbsup: Let's do some tidy-up.


Click START then RUN
Now copy/paste Combofix /u in the runbox and click OK.
Note the space between the X and the U; it needs to be there.


This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
Remember to delete bat.file, DDS, and RSIT including the folder in C:\rsit and all the logs we have used.

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  • Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  • Keep your system updated

    Visit Microsoft's Windows Update Site Frequently.

  • Make your Internet Explorer more secure


    For Internet Explorer 6
    • Open Internet Explorer. Click on Tools > Options.
    • Click on the Security tab.
    • Click on the Internet icon.
    • Click on the Custom Level button.
    • Under Download signed ActiveX controls, select Prompt.
    • Under Download unsigned ActiveX controls, select Disable.
    • Under Initialize and script ActiveX controls not marked as safe, select Disable.
    • Under Installation of desktop items, select Prompt.
    • Under Launching programs and files in an IFRAME, select Prompt.
    • Under Navigate sub-frames across different domains, select Prompt.
    • Under Allow paste operations via script, select Disable.
    • Click OK to apply these settings.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Press OK to exit the Internet Properties page.
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Install a-squared Free - a-squared Free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer, which provides some real time protection against premium rate dialers.

    A tutorial on installing & using this product can be found here:

    Clean your PC with a-squared Free

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here how to prevent Malware.


Glad to be of help. Safe surfing!!
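The Internet Explorer hardening steps in the post above map onto DWORD values under the Internet zone (zone 3) key in the current user's registry. As an added example (mine, not from the post or from any product), the Python script below audits those values against the baseline the post asks for and reports every deviation, so the result of the clicking can be verified rather than assumed. The value names are taken from Microsoft's documented zone registry layout (KB 182569); the mapping of 0/1/3 to Enable/Prompt/Disable follows the same document. The observed sample is constructed; on a Windows machine, read_zone_settings() pulls the live values instead.

```python
import sys

# HKEY_CURRENT_USER subkey holding the Internet zone (zone 3) settings.
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Registry value names (from KB 182569) for the settings named in the post.
SETTING_NAMES = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1800": "Installation of desktop items",
    "1804": "Launching programs and files in an IFRAME",
    "1607": "Navigate sub-frames across different domains",
    "1407": "Allow paste operations via script",
}

ENABLE, PROMPT, DISABLE = 0, 1, 3
STATE_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# The baseline the post asks for, in the same order as its bullet list.
BASELINE = {
    "1001": PROMPT,
    "1004": DISABLE,
    "1201": DISABLE,
    "1800": PROMPT,
    "1804": PROMPT,
    "1607": PROMPT,
    "1407": DISABLE,
}

# Constructed sample of what a machine might show before hardening:
# signed ActiveX download, sub-frame navigation and script paste still enabled,
# and the IFRAME setting absent altogether.
SAMPLE_OBSERVED = {"1001": 0, "1004": 3, "1201": 3, "1800": 1, "1607": 0, "1407": 0}


def audit(observed):
    """Compare observed {value_name: dword} with BASELINE.

    Returns a list of (value_name, setting, observed_state, wanted_state).
    A missing value is reported as 'not set': IE then falls back to the zone
    template default, so the setting is unverified rather than known-good."""
    findings = []
    for name, wanted in BASELINE.items():
        got = observed.get(name)
        if got is None:
            findings.append((name, SETTING_NAMES[name], "not set", STATE_NAME[wanted]))
        elif got != wanted:
            findings.append((name, SETTING_NAMES[name],
                             STATE_NAME.get(got, str(got)), STATE_NAME[wanted]))
    return findings


def read_zone_settings():
    """Read the live Internet-zone values (Windows only; winreg exists only there)."""
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for name in BASELINE:
            try:
                value, _ = winreg.QueryValueEx(key, name)
                out[name] = value
            except FileNotFoundError:
                pass  # value absent: audit() reports it as 'not set'
    return out


if __name__ == "__main__":
    observed = read_zone_settings() if sys.platform == "win32" else SAMPLE_OBSERVED
    for name, setting, got, wanted in audit(observed):
        print(f"{name} {setting}: is {got}, should be {wanted}")
```

Run on the constructed sample it reports four deviations (1001, 1804, 1607, 1407); on a machine where the GUI steps were completed it prints nothing. The script only reads; changing the values is still best done through the Internet Options dialog, which also updates the zone's displayed security level.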

#10 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  • Local time:02:46 AM

Posted 22 January 2009 - 04:30 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Member of ASAP (Alliance of Security Analysis Professionals)



