false Win32.Brontok worm?


This topic is locked. 27 replies to this topic.

#1 lil_adell (Members, 16 posts)

Posted 20 May 2009 - 10:30 PM

Hi. Unbelievably, this is the third time I'll be typing this. It seems as I get to the end the worm gets me and closes the browser, or I do something stupid like click the wrong window....

I have a problem that reads almost identical to a thread posted and closed yesterday (False Win32.Brontok Worm Infection - HELP!). I have been getting a pop-up every 15 min or so that says that the firewall has detected unauthorized activity but cannot help with removal of the threat. It says that the name is Win32.Brontok, threat level: high, and that the description is: "This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim machine." I have a copy of the pop-up window attached.

The other problem I have is that I cannot open Internet Explorer (which I don't really use anyway) or Firefox (which I use more often). The homepage for each is Google, but opening them I get an alert screen that says:
Insecure Internet activity. Threat of virus attack
Due to insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes.
Also insecure Internet activity can result in revealing your personal information.
To get full advanced real-time protection for PC and Internet activity, register your antivirus software.
We recommend you to protect your PC now and continue safe Internet browsing.
Click here to get full advanced real-time protection and continue browsing.
Continue to this website unprotected (not recommended).
This is the same for both browsers, and then within a minute or two they automatically close and then I get a window telling me that the application or browser has been terminated.

So far I have not really noticed any other symptoms. The PC doesn't seem unusually sluggish or anything, but I'm concerned that this problem is only going to get worse. My primary browser, Opera, doesn't seem affected, but I hope you can help me resolve the problem.

I've spent a lot of time looking for and downloading various programs that are supposed to take care of viruses, spyware and malware. So far I have run AVG (version 8.5), a special Brontok tool from BitDefender, Pareto, and several others that I have the file names for but cannot remember the names of the software. I've also seen some manual instructions and although I have a useful store of knowledge, I can't understand what to make of them or where even to start; there's really no step by step.

Thank you for any help you can give me!

DDS (Ver_09-05-14.01) - NTFSx86
Run by Eileen at 22:40:22.80 on Wed 05/20/2009
Internet Explorer: 7.0.6000.16830 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.1.1033.18.1021.173 [GMT -4:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\System32\rundll32.exe
C:\Users\Eileen\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Users\Eileen\AppData\Roaming\Google\vmsclock.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\RegCleaner\RegCleanr.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Opera 9\Opera.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Eileen\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Zango: {e1bacf55-35e1-4e47-9247-2d48660e5545} - c:\program files\zango\bin\10.1.181.0\HostIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
EB: Zango Information Window: {cfc5345b-5d1f-4686-bae0-b3ba4ee3acc7} - c:\program files\zango\bin\10.1.181.0\HostIE.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [googletalk] c:\users\eileen\appdata\roaming\google\google talk\googletalk.exe /autostart
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [realteks] "c:\users\eileen\appdata\roaming\google\vmsclock.exe" 2
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\eileen\appdata\roaming\mozilla\firefox\profiles\m85fo13w.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\users\eileen\appdata\roaming\mozilla\firefox\profiles\m85fo13w.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-5-15 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-15 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-15 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-15 298776]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2006-11-2 167936]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]

=============== Created Last 30 ================

2009-05-20 18:24 <DIR> --d----- c:\program files\RegCleaner
2009-05-20 18:22 <DIR> --d----- C:\SOPHTEMP
2009-05-20 13:38 <DIR> --d----- c:\users\eileen\appdata\roaming\Malwarebytes
2009-05-20 13:38 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-20 13:38 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-20 13:38 <DIR> --d----- c:\programdata\Malwarebytes
2009-05-20 13:38 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-20 13:38 <DIR> --d----- c:\progra~2\Malwarebytes
2009-05-16 06:19 <DIR> --d----- c:\windows\system32\appmgmt
2009-05-15 23:51 13,655,072 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-05-15 23:51 184,592 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-05-15 23:51 3,150 a------- C:\rollback.ini
2009-05-15 23:45 <DIR> --d----- c:\programdata\ParetoLogic Anti-Virus PLUS
2009-05-15 23:45 <DIR> --d----- c:\programdata\ParetoLogic
2009-05-15 23:45 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-05-15 23:45 <DIR> --d----- c:\progra~2\ParetoLogic Anti-Virus PLUS
2009-05-15 23:45 <DIR> --d----- c:\progra~2\ParetoLogic
2009-05-15 17:11 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-05-15 16:37 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-15 16:37 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-05-15 16:37 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-15 16:37 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-15 16:37 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-05-15 16:36 <DIR> --d----- c:\programdata\avg8
2009-05-15 16:36 <DIR> --d----- c:\program files\AVG
2009-05-15 16:36 <DIR> --d----- c:\progra~2\avg8
2009-05-15 16:25 <DIR> --d----- c:\users\eileen\appdata\roaming\eMusic
2009-05-15 16:24 <DIR> --d----- c:\program files\eMusic Download Manager
2009-05-13 01:19 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-05-13 01:19 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-05-13 01:19 <DIR> --d----- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-13 01:19 <DIR> --d----- c:\program files\iTunes
2009-05-13 01:19 <DIR> --d----- c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-13 01:17 <DIR> --d----- c:\program files\Bonjour
2009-04-22 19:15 <DIR> --d----- c:\users\eileen\{4b5fce9e-ce13-46a9-8a9d-057aea066c53}
2009-04-22 19:13 <DIR> --d----- c:\program files\Pantech

==================== Find3M ====================

2009-05-13 01:16 86,016 a------- c:\windows\inf\infstrng.dat
2009-05-13 01:16 86,016 a------- c:\windows\inf\infstor.dat
2009-05-13 01:16 51,200 a------- c:\windows\inf\infpub.dat
2009-03-16 23:16 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-16 23:16 14,848 a------- c:\windows\system32\apilogen.dll
2009-03-16 23:16 25,600 a------- c:\windows\system32\amxread.dll
2009-03-07 04:20 174 a--sh--- c:\program files\desktop.ini
2009-03-03 00:24 3,503,584 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-03 00:24 3,469,280 a------- c:\windows\system32\ntoskrnl.exe
2009-03-03 00:20 826,368 a------- c:\windows\system32\wininet.dll
2009-03-03 00:19 158,720 a------- c:\windows\system32\sdohlp.dll
2009-03-03 00:19 549,888 a------- c:\windows\system32\rpcss.dll
2009-03-03 00:19 24,576 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 00:16 56,320 a------- c:\windows\system32\iesetup.dll
2009-03-03 00:16 97,280 a------- c:\windows\system32\iasrecst.dll
2009-03-03 00:16 78,336 a------- c:\windows\system32\ieencode.dll
2009-03-03 00:16 53,248 a------- c:\windows\system32\iasads.dll
2009-03-03 00:16 52,736 a------- c:\windows\apppatch\iebrshim.dll
2009-03-03 00:16 37,888 a------- c:\windows\system32\iasdatastore.dll
2009-03-03 00:15 72,704 a------- c:\windows\system32\admparse.dll
2009-03-02 22:40 654,336 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-03-02 22:08 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-03-02 20:44 48,128 a------- c:\windows\system32\mshtmler.dll
2008-06-11 03:14 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-03-21 01:15 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008032120080322\index.dat
2008-03-22 01:15 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008032220080323\index.dat
2008-03-22 01:15 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\internet explorer\userdata\index.dat
2009-01-14 21:57 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2009-01-14 21:57 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2009-01-14 21:57 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 22:42:25.38 ===============
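The DDS log above is what a malware responder reads by eye to pick out entries worth handling: a per-user Run key named "realteks" that launches vmsclock.exe out of AppData\Roaming, and the policy line EnableLUA = 0, which means UAC is switched off on this Vista system. As an added example, not part of the original post and not a DDS, ComboFix or BleepingComputer tool, here is a small Python triage script that applies those two checks to the "Pseudo HJT Report" section of a log. The line formats, the list of user-writable path fragments, the scoring threshold and the two policy names other than EnableLUA are assumptions drawn from this thread; the sample lines are constructed in the shape of the log, not a real capture.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example for this thread; it is not part of DDS, ComboFix or any
BleepingComputer tool.  It automates two checks a malware-response helper
applies by eye to a log like the one above:

  * an autorun (uRun/mRun) whose image lives in a user-writable location, or
    whose Run-key name has nothing to do with the binary it launches
    (compare "[realteks]" starting vmsclock.exe from AppData\\Roaming);
  * a security policy the log shows as switched off (EnableLUA = 0 means UAC
    is disabled).

Line formats are assumed from the log in this thread; the sample is constructed.
"""
import re
from pathlib import PureWindowsPath
from typing import Optional

# Constructed sample: lines in the shape DDS prints, modelled on the thread.
SAMPLE_DDS = r"""
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [googletalk] c:\users\eileen\appdata\roaming\google\google talk\googletalk.exe /autostart
uRun: [realteks] "c:\users\eileen\appdata\roaming\google\vmsclock.exe" 2
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mPolicies-system: EnableLUA = 0 (0x0)
"""

RUN_RE = re.compile(r"^([um]Run):\s*\[([^\]]+)\]\s*(.*)$")
POLICY_RE = re.compile(r"^mPolicies-(\w+):\s*(\w+)\s*=\s*(\d+)")
# First token that looks like an executable, with or without surrounding quotes.
IMAGE_RE = re.compile(r'"?([^"]+?\.(?:exe|com|scr|bat|cmd))\b', re.IGNORECASE)

# Path fragments a standard user can write to (assumed list).  Anything
# auto-started from here deserves a look, even when it turns out to be a
# legitimate per-user install such as Google Talk.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\documents and settings\\",
                 "\\temp\\", "\\recycler\\")

# (scope as DDS prints it, value name) -> value meaning the control is OFF.
# EnableLUA appears in the log above; the other two are assumptions about how
# DDS prints policies that tools such as FixPolicies restore.
POLICY_OFF_VALUES = {
    ("system", "EnableLUA"): "0",
    ("system", "DisableRegistryTools"): "1",
    ("system", "DisableTaskMgr"): "1",
}


def image_path(command: str) -> Optional[str]:
    """Return the lower-cased executable path from a Run-key command, if any."""
    m = IMAGE_RE.match(command.strip())
    return m.group(1).lower() if m else None


def triage_autorun(scope: str, name: str, command: str) -> dict:
    """Score one uRun/mRun line; two or more points flags it for review."""
    path = image_path(command)
    score, reasons = 0, []
    if path is None:
        score += 1
        reasons.append("no recognisable image path")
    else:
        if any(fragment in path for fragment in USER_WRITABLE):
            score += 2
            reasons.append("image lives in a user-writable location")
        stem = PureWindowsPath(path).stem
        key = re.sub(r"[^a-z0-9]", "", name.lower())
        # A key name unrelated to the binary is a weak signal on its own
        # (AVG8_TRAY -> avgtray.exe is legitimate), so it only adds one point.
        if key not in stem and stem not in key:
            score += 1
            reasons.append(f"Run-key name {name!r} does not match image {stem!r}")
    return {"kind": scope, "name": name, "image": path,
            "reasons": reasons, "flagged": score >= 2}


def triage_policy(scope: str, name: str, value: str) -> dict:
    """Flag a policy line when its value disables the control."""
    flagged = POLICY_OFF_VALUES.get((scope, name)) == value
    reasons = [f"{name} = {value} turns the protection off"] if flagged else []
    return {"kind": f"mPolicies-{scope}", "name": name, "image": None,
            "reasons": reasons, "flagged": flagged}


def triage(log_text: str) -> list:
    """Walk the DDS report and return one finding per autorun or policy line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            findings.append(triage_autorun(*m.groups()))
        elif m := POLICY_RE.match(line):
            findings.append(triage_policy(*m.groups()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        mark = "REVIEW" if f["flagged"] else "  ok  "
        print(f"{mark} {f['kind']:<17} {f['name']:<20} {'; '.join(f['reasons'])}")
```

Run against the sample, the script flags realteks (user-writable path plus a key name unrelated to vmsclock.exe), EnableLUA = 0, and googletalk; the last is flagged only for its location, which is the point of the heuristic: everything auto-started from a user-writable folder gets a human look, and the analyst clears the legitimate per-user installs by hand.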


#2 lil_adell (Topic Starter, Members, 16 posts)

Posted 22 May 2009 - 02:04 PM

As an update,

Opera shut down on me twice, but seems to be fine right now for the moment. Also Windows Explorer has shut down several times and has rearranged the shortcuts on the desktop.

I guess that means it's getting worse?

#3 Maurice Naggar (Eradicator de malware; Malware Response Team, 1,088 posts; Location: USA)

Posted 22 May 2009 - 03:07 PM

Hello lil adell,

If you still have the same issues, and they are unresolved, and you are not getting help elsewhere, start with the following.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for this member only. If you are a casual observer and NOT this OP, do NOT try this on your system!


If at any point you have a question or problem, STOP & make a post to the forum.
Also, do not run or start any other programs while these utilities and tools are in use!

Please do NOT run any other tools on your own or do any fixes other than what is listed here.

Close all browsers and all other programs that you have started.
=

Given that this is a Vista system, on almost all of the following programs and tools you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

Show all files:
  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.
Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

Download this INF repair file by MS-MVP Miekiemoes: http://users.telenet.be/bluepatchy/miekiem...orepolicies.zip
Unzip the download. Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install.

Delete the download, the unzipped folder and all contents.
=

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from
>>> here <<<
  • RIGHT-click FixPolicies.exe and select Run as Administrator to start it.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

Next, Download and SAVE this file -- to your Desktop -- (Do NOT run the file straight away from download) from any one of these sources:
Link 1
Link 2
Link 3

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines:
KILLALL::

DDS::
BHO: Zango: {e1bacf55-35e1-4e47-9247-2d48660e5545} - c:\program files\zango\bin\10.1.181.0\HostIE.dll
EB: Zango Information Window: {cfc5345b-5d1f-4686-bae0-b3ba4ee3acc7} - c:\program files\zango\bin\10.1.181.0\HostIE.dll
mRun: [Adobe Reader Speed Launcher]

DirLook::
c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
c:\users\eileen\{4b5fce9e-ce13-46a9-8a9d-057aea066c53}

File::
C:\Baca Bro !!!.txt

Folder::
C:\recycler
D:\recycler
e:\recycler
f:\recycler
g:\recycler
h:\recycler

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:
Posted Image
  • :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Do not run ComboFix more than once :!:
=

Start your MBAM MalwareBytes Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.
At this time, the current definitions are # 2159 or later. The latest program version is 1.36 (released April 6)

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

Next, Please download GooredFix and save it to your Desktop. RIGHT-click Goored.exe and select Run as Administrator to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

=

Download and SAVE to your Desktop BRONTGUI
Do a RIGHT-Click on Brontgui.com and select Run as Administrator.
Accept the license agreement (EULA).
Next, press the green GO to start scan.
Close the program when done.
The log file will be at C:\resolve.log
=

Once Complete, reboot! :!:

Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
After following the above, post back with 1. Contents of C:\Combofix.txt;
2. the MBAM log;
3. Goored.txt
4. C:\resolve.log
5. Log.txt
6. Info.txt
7. Tell me, How is your system now ?
Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You'll likely have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

Edited by Maurice Naggar, 22 May 2009 - 03:33 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#4 lil_adell (Topic Starter, Members, 16 posts)

Posted 23 May 2009 - 12:18 AM

Thank you for the in-depth reply. I've never attempted anything like this before and I'll admit I'm a little worried I'll screw something up.

I have one question before I start. As I read through the steps I saw that there are numerous things that I'll need to be downloading. Should I download all these programs first before attempting the fix? Especially since they seem to be links to the pages needed to get the programs...

#5 Maurice Naggar (Eradicator de malware; Malware Response Team, 1,088 posts; Location: USA)

Posted 23 May 2009 - 02:54 PM

Yes, you can download the tools and Save them to your Desktop.
Take your time when doing it, but please do start. You can print out and/or save the page of directions beforehand.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#6 lil_adell (Topic Starter, Members, 16 posts)

Posted 24 May 2009 - 10:20 AM

I just started, and I have what may be a stupid question...

It's about this step:
"Take out the trash (temp files & temp internet files)"

I deleted the temp internet files from the Control Panel and Internet Options, but I'm not sure if that is also deleting the temp files. Does deleting the temp files mean that I go to C: and Windows and delete the Temp folder? I don't really think so, but I'm not sure.

I have not deleted that, but I stopped just to be on the safe side.

#7 Maurice Naggar (Eradicator de malware; Malware Response Team, 1,088 posts; Location: USA)

Posted 24 May 2009 - 10:35 AM

No question is stupid. Look at the line following where it says to download "ATF Cleaner".
That is the link for download of that tool. Download and save it to your Desktop.
Then run it, as per directions.

Yes, the standard method is to empty out temp files using the control panel and internet options or the Tools > Internet options in I.E. browser.
It is just that ATF Cleaner is a lot more thorough and it covers also other browsers, like Firefox & Opera, Mozilla.

Please get & run ATF Cleaner and go forward.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#8 lil_adell (Topic Starter, Members, 16 posts)

Posted 24 May 2009 - 11:10 AM

Oh, got it.

I followed the steps for ATF Cleaner for Main and for Firefox. Next to Firefox, the Opera section has been greyed out, so I couldn't select anything. Is this a problem?

Also, after choosing Install for VArestorepolicies.INF, should something happen? I'm used to getting prompt windows and seeing the PC actually install something and then end with some sort of shortcut on the desktop (in the case of program files, I guess). So, even though nothing visual happened after I right-clicked and selected Install, I should still delete the download and the unzipped folder with its contents?

#9 Maurice Naggar (Eradicator de malware; Malware Response Team, 1,088 posts; Location: USA)

Posted 24 May 2009 - 11:33 AM

If you have already run ATF Cleaner, that's fine. You do not have Opera browser, and that's why it is grayed out.

If you have done as I outlined for VArestorepolicies, then you may either keep that around or delete that download.

Please go forward and proceed with the items that follow (like FixPolicies and the rest).
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#10 lil_adell (Topic Starter, Members, 16 posts)

Posted 24 May 2009 - 01:57 PM

I am at the ComboFix step. I saved the Notepad file and dragged and dropped it on the icon.

A warning box appeared, and I typed "1" and Enter but nothing happened. I read the box more carefully and it says:
ComboFix has detected the following real time scanner(s) to be active:
Antivirus: AVG Anti-Virus
Antispyware: AVG Anti-Virus
Antivirus and intrusion prevention programs are known to interfere with ComboFix's running. This may lead to unpredictable results or possible machine damage.
Please disable these scanners before clicking 'OK'.

I didn't think the AVG program was running, as no scan is being performed in the task bar. I opened the program and I am not sure how to disable the scanners.

#11 Maurice Naggar (Eradicator de malware; Malware Response Team, 1,088 posts; Location: USA)

Posted 24 May 2009 - 02:02 PM

See this article on this forum How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
It will tell you how to turn off AVG.

If you still get stuck, you can proceed again with dragging & dropping the Notepad script onto Combofix;
and go ahead and click OK when Combofix gives you the prompt.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#12 lil_adell (Topic Starter, Members, 16 posts)

Posted 24 May 2009 - 02:38 PM

I was able to begin the ComboFix, but a window popped up and I'm not sure what to do, as you said not to touch the PC or mouse while ComboFix was running.

The window says "Windows - No Disk"
Exception processing message 0xc000013 parameters 0x7647023C
0x83333AAC 0x7647023C 0x7647023C
The choice is to Cancel, Try Again or Continue.

I'm not sure, but I don't think ComboFix is still running...
Should I choose Cancel? Or just not touch anything?

#13 Maurice Naggar (Eradicator de malware; Malware Response Team, 1,088 posts; Location: USA)

Posted 24 May 2009 - 03:03 PM

Press (select) Cancel. If you have to, restart the system and Windows.
Then, skip the ComboFix, and continue forward with the MBAM and other tasks.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#14 lil_adell (Topic Starter)
Members, 16 posts

Posted 24 May 2009 - 04:01 PM

I've finished the process.
1. Contents of C:\Combofix.txt
ComboFix 09-05-23.04 - Eileen 05/24/2009 15:22.1 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.1.1033.18.1021.476 [GMT -4:00]
Running from: c:\users\Eileen\Desktop\ComboFixLink1.exe
Command switches used :: c:\users\Eileen\Desktop\CFscript.txt
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point

FILE ::
C:\Baca Bro !!!.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\recycler
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc18.avi
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc19.avi
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc20.avi
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc21.avi
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc22.avi
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc23.mp4
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc24.avi
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc25.avi
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc26.avi
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc27\AviSynth_071005.exe
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc27\ffdshow-20051015.exe
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc27\lame-3.96.1.zip
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc27\MatroskaSplitter.exe
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc27\MatroskaSplitter\avi.dll
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc27\MatroskaSplitter\mkx.dll
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc27\MatroskaSplitter\mp4.dll
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc27\MatroskaSplitter\splitter.ax
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc27\MatroskaSplitter\uninstall.exe
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc27\VirtualDub-1.6.11.zip
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc27\virtualdub stuff\auxsetup.exe
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc27\virtualdub stuff\aviproxy\proxyoff.reg
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc27\virtualdub stuff\aviproxy\proxyon.reg
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc27\virtualdub stuff\aviproxy\readme.txt
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc27\virtualdub stuff\copying
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc27\virtualdub stuff\plugins\readme.txt
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc27\virtualdub stuff\vdicmdrv.dll
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc27\virtualdub stuff\vdremote.dll
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc27\virtualdub stuff\vdsvrlnk.dll
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc27\virtualdub stuff\vdub.exe
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc27\virtualdub stuff\VirtualDub.exe
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc27\virtualdub stuff\VirtualDub.vdhelp
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc27\virtualdub stuff\VirtualDub.vdi
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc27\winzip100.exe
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc28\[K-F]_One_Piece_164_[E1FC96DD].avi
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc28\[K-F]_One_Piece_165_[52974255].avi
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc29.avi
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\(AniRena)[Flomp-Rumbel]_Bleach_-_136[XviD][5EDEFE91].torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\(AniRena)[Flomp-Rumbel]_Bleach_-_137_[XviD][B64F9591].torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\(AniRena)[Flomp-Rumbel]_Bleach_-_139_[XviD][7B405F64].torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\(AniRena)[Flomp-Rumbel]_Bleach_-_140_[XviD][B8A11AE6].torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\(AniRena)[Flomp-Rumbel]_Bleach_-_141_[XviD][F56094CF].avi.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\(AniRena)[Flomp-Rumbel]_Bleach_-_142_[XviD][5B523D93].torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\(AniRena)[Flomp-Rumbel]_Bleach_-_143_[XviD][6722D0BE].torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\(AniRena)[Flomp-Rumbel]_Bleach_-_144_[XviD][A790A96F].torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\(AniRena)[Flomp-Rumbel]_Bleach_-_146_[XviD][4555C9AF].avi.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\(AniRena)[Flomp-Rumbel]_Bleach_-_147_[XviD][04F67874].torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\(AniRena)[Flomp-Rumbel]_Bleach_-_148_v2_[XviD][2DB79493].avi.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\(AniRena)[Flomp-Rumbel]Bleach_-_138_[XviD][82084D03].torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\[AniRena][Flomp-Rumbel]_Bleach_-_131[XviD][ENG][C7D5D7DB].torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\[AniRena][Flomp-Rumbel]_Bleach_-_134_[XviD][B6A84AD4].torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\[AniRena][Flomp-Rumbel]_Bleach_-_135_[XviD][A2F3B3AA].torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\[AniRena][Flomp-Rumbel]Bleach_-_129[XviD][7344B753].torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\[AniRena][Flomp-Rumbel]Bleach_-_130[XviD][2ED3DA42].torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\[AniRena][Flomp-Rumbel]Bleach_-_132[XviD][9B2E4CC0].torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\[Bleach-Society]Bleach_-_60[XviD][D4726CB7][1].avi.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\[BP-MKV][Flomp-Rumbel]_Bleach_124_[F9F7B4B1].mkv.avi
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\[Flomp-Rumbel]Bleach_-_123[XviD][56088F90].torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\[Flomp-Rumbel]Bleach_-_125[XviD][C03FC80C].torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\[Flomp-Rumbel]Bleach_-_126[XviD][D2DFB390].torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\[Flomp-Rumbel]Bleach_-_127[XviD][43EA1A36].avi.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\[Flomp-Rumbel]Bleach_-_128[XviD][816B963E].avi.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\[Ju-Ni]Bleach_ch254.zip
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\[Silhouette]Bleach_ch182.zip
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b100.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b101.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b102.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b103.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b104.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b105.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b106.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b107.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b108.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b109.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b110.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b111.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b112.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b113.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b114.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b115.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b116.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b117.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b118.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b119.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b120.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b121.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b122.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b67.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b68-69.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b70.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b71.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b72.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b73.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b75-76.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b77.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b78.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b79.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b80.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b81.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b82.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b83.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b84-85.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b86.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b87.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b88.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b89.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b90.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b91.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b92.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b93.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b94.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b95.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b96.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b97.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b98.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\b99.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\not101.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc30\not101v2.torrent
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\Dc31.lnk
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\desktop.ini
c:\recycler\S-1-5-21-448539723-1770027372-725345543-1003\INFO2
c:\users\Eileen\AppData\Roaming\Google\Shell32.dll
c:\users\Eileen\AppData\Roaming\Google\vmsclock.exe

.
((((((((((((((((((((((((( Files Created from 2009-04-24 to 2009-05-24 )))))))))))))))))))))))))))))))
.

2009-05-24 20:19 . 2009-05-24 20:19 -------- d-----w c:\users\Eileen\AppData\Local\Apple Computer
2009-05-21 21:40 . 2009-05-06 18:06 4784464 ----a-w c:\programdata\Microsoft\Windows Defender\Definition Updates\{343E8F67-61C7-4A53-8155-BBD9223E659F}\mpengine.dll
2009-05-21 10:23 . 2009-05-21 10:24 16509288 ----a-w c:\users\Eileen\AppData\Roaming\Opera\Opera 9\profile\cache4\temporary_download\LimeWireWin-full.exe
2009-05-20 22:24 . 2009-05-20 22:24 -------- d-----w c:\program files\RegCleaner
2009-05-20 22:22 . 2009-05-20 22:22 -------- d-----w C:\SOPHTEMP
2009-05-20 17:38 . 2009-05-20 17:38 -------- d-----w c:\users\Eileen\AppData\Roaming\Malwarebytes
2009-05-20 17:38 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-20 17:38 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-20 17:38 . 2009-05-20 17:38 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-20 17:38 . 2009-05-20 17:38 -------- d-----w c:\programdata\Malwarebytes
2009-05-18 12:35 . 2009-05-15 20:36 2051864 ----a-w c:\programdata\avg8\update\backup\avgcorex.dll
2009-05-18 12:35 . 2009-05-15 20:36 312088 ----a-w c:\programdata\avg8\update\backup\avglngx.dll
2009-05-18 12:34 . 2009-05-15 20:36 1437464 ----a-w c:\programdata\avg8\update\backup\avgupd.dll
2009-05-16 03:51 . 2009-05-24 20:18 19964704 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-16 03:45 . 2009-05-16 10:19 -------- d-----w c:\programdata\ParetoLogic
2009-05-16 03:45 . 2009-05-16 10:19 -------- d-----w c:\program files\Common Files\ParetoLogic
2009-05-16 03:45 . 2009-05-16 03:45 -------- d-----w c:\programdata\ParetoLogic Anti-Virus PLUS
2009-05-16 03:43 . 2009-05-16 03:43 -------- d-----w c:\users\Eileen\AppData\Local\Downloaded Installations
2009-05-15 21:11 . 2009-05-23 06:42 -------- d--h--w C:\$AVG8.VAULT$
2009-05-15 20:37 . 2009-05-15 20:37 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-15 20:37 . 2009-05-15 20:37 12552 ----a-w c:\windows\system32\drivers\avgrkx86.sys
2009-05-15 20:37 . 2009-05-15 20:37 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-15 20:37 . 2009-05-15 20:37 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-15 20:37 . 2009-05-24 09:09 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-15 20:36 . 2009-05-15 20:36 -------- d-----w c:\programdata\avg8
2009-05-15 20:36 . 2009-05-15 20:36 -------- d-----w c:\program files\AVG
2009-05-15 20:25 . 2009-05-15 20:25 -------- d-----w c:\users\Eileen\AppData\Roaming\eMusic
2009-05-15 20:25 . 2009-05-15 20:25 -------- d-----w c:\users\Eileen\AppData\Local\eMusic
2009-05-15 20:24 . 2009-05-15 20:24 -------- d-----w c:\program files\eMusic Download Manager
2009-05-13 06:03 . 2009-05-13 06:03 16141 ----a-w c:\users\Eileen\AppData\Roaming\Identities\lego.exe
2009-05-13 06:03 . 2009-05-13 06:03 145131 ----a-w c:\users\Eileen\AppData\Roaming\dvdcss\nomad.exe
2009-05-13 06:03 . 2009-05-13 06:03 13221 ----a-w c:\users\Eileen\AppData\Roaming\Apple Computer\rengo.dll
2009-05-13 06:03 . 2009-05-13 06:03 11410 ----a-w c:\users\Eileen\AppData\Roaming\Macromedia\msgdi.dll
2009-05-13 06:03 . 2009-05-13 06:03 11232 ----a-w c:\users\Eileen\AppData\Roaming\Adobe\shalom.exe
2009-05-13 06:03 . 2009-05-13 06:03 10121 ----a-w c:\users\Eileen\AppData\Roaming\Mozilla\kern.dll
2009-05-13 05:19 . 2009-03-19 20:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-05-13 05:19 . 2008-04-17 16:12 107368 ----a-w c:\windows\system32\GEARAspi.dll
2009-05-13 05:19 . 2009-05-13 05:19 -------- d-----w c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-13 05:19 . 2009-05-13 05:19 -------- d-----w c:\program files\iTunes
2009-05-13 05:17 . 2009-05-13 05:17 -------- d-----w c:\program files\Bonjour
2009-05-13 05:14 . 2009-05-13 05:14 75048 ----a-w c:\programdata\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-24 20:20 . 2008-01-10 10:41 -------- d-----w c:\program files\Steam
2009-05-24 20:16 . 2009-05-16 03:51 269480 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-21 01:58 . 2008-01-10 10:41 -------- d-----w c:\program files\Common Files\Steam
2009-05-15 20:37 . 2007-12-26 03:45 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-05-13 07:06 . 2008-03-21 13:28 -------- d-----w c:\programdata\Microsoft Help
2009-05-13 07:01 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-05-13 06:03 . 2008-06-13 14:27 -------- d-----w c:\users\Eileen\AppData\Roaming\Apple Computer
2009-05-13 06:03 . 2008-05-09 23:22 -------- d-----w c:\users\Eileen\AppData\Roaming\dvdcss
2009-05-13 05:19 . 2008-06-13 14:24 -------- d-----w c:\program files\iPod
2009-05-13 05:19 . 2008-06-13 14:35 -------- d-----w c:\program files\Common Files\Apple
2009-04-22 23:13 . 2009-04-22 23:13 -------- d-----w c:\program files\Pantech
2009-04-03 22:59 . 2009-04-03 22:58 29813256 ----a-w c:\programdata\TaxCut\2008\Update\US68017101cupd.exe
2009-03-28 10:59 . 2007-12-26 02:46 100256 ----a-w c:\users\Eileen\AppData\Local\GDIPFONTCACHEV1.DAT
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-18 14:55 . 2009-03-18 14:55 4574496 ----a-w c:\programdata\TaxCut\2008\Downloads\TaxCutCT.exe
2009-03-18 13:54 . 2009-03-18 13:54 27655688 ----a-w c:\programdata\TaxCut\2008\Update\US33016801cupd.exe
2009-03-17 03:16 . 2009-04-15 02:04 14848 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:16 . 2009-04-15 02:04 25600 ----a-w c:\windows\system32\amxread.dll
2009-03-13 16:04 . 2009-03-13 16:04 0 ----a-w c:\windows\ativpsrm.bin
2009-03-13 16:02 . 2009-03-13 16:02 10134 ----a-r c:\users\Eileen\AppData\Roaming\Microsoft\Installer\{FC5A7E9B-2CAC-6261-7F34-817C6547ABF3}\ARPPRODUCTICON.exe
2009-03-13 15:56 . 2009-01-15 00:30 680 ----a-w c:\users\Eileen\AppData\Local\d3d9caps.dat
2009-03-03 04:24 . 2009-04-15 02:04 3469280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:24 . 2009-04-15 02:04 3503584 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:20 . 2009-04-15 02:04 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-03 04:19 . 2009-04-15 02:04 158720 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:19 . 2009-04-15 02:04 549888 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:19 . 2009-04-15 02:04 24576 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:16 . 2009-04-15 02:03 56320 ----a-w c:\windows\system32\iesetup.dll
2009-03-03 04:16 . 2009-04-15 02:04 97280 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:16 . 2009-04-15 02:04 53248 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:16 . 2009-04-15 02:04 37888 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 04:16 . 2009-04-15 02:03 78336 ----a-w c:\windows\system32\ieencode.dll
2009-03-03 04:15 . 2009-04-15 02:03 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-03 02:40 . 2009-04-15 02:04 654336 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:08 . 2009-04-15 02:03 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-03-03 00:44 . 2009-04-15 02:03 48128 ----a-w c:\windows\system32\mshtmler.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} ----

2006-11-02 10:21 . 2006-11-02 10:21 319456 ----a-w c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\DIFxAPI.dll
2009-02-04 17:56 . 2009-02-04 17:56 75112 ----a-w c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\DifXInstall32.exe
2009-05-13 05:19 . 2009-05-13 05:19 3350 ----a-w c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\DIFxInstallLog.txt
2009-03-19 20:38 . 2009-03-19 20:38 2763 ----a-w c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\GEARAspiWDM.inf
2009-03-25 05:19 . 2009-03-25 05:19 7919 ----a-w c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\gearaspiwdmx86.cat
2008-04-17 16:12 . 2008-04-17 16:12 107368 ----a-w c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspi.dll
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys

---- Directory of c:\users\eileen\{4b5fce9e-ce13-46a9-8a9d-057aea066c53} ----

2009-04-22 23:13 . 2007-02-27 03:08 3584 ----a-w c:\users\eileen\{4b5fce9e-ce13-46a9-8a9d-057aea066c53}\ptuc_flt.sys
2009-04-22 23:13 . 2007-03-23 10:47 11321 ----a-w c:\users\eileen\{4b5fce9e-ce13-46a9-8a9d-057aea066c53}\ptuc_mdm.cat
2009-04-22 23:13 . 2007-03-21 01:10 44444 ----a-w c:\users\eileen\{4b5fce9e-ce13-46a9-8a9d-057aea066c53}\ptuc_mdm.inf
2009-04-22 23:13 . 2007-03-21 00:54 40448 ----a-w c:\users\eileen\{4b5fce9e-ce13-46a9-8a9d-057aea066c53}\ptuc_mdm.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-09 1232896]
"googletalk"="c:\users\Eileen\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Steam"="c:\program files\Steam\Steam.exe" [2009-05-20 1217784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-06 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-15 136600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-12-11 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-11 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-11 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-15 1947928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{CB49EDA3-900F-4B91-A43D-460B5FDC355E}c:\\program files\\trillian\\trillian.exe"= UDP:c:\program files\trillian\trillian.exe:Trillian
"UDP Query User{36BDBDC4-B1DB-46A6-A53D-AC5EF489A3F6}c:\\program files\\trillian\\trillian.exe"= TCP:c:\program files\trillian\trillian.exe:Trillian
"TCP Query User{D0371A44-06DF-4A60-84D4-EA93C30CD825}c:\\nexon\\maplestory\\maplestory.exe"= UDP:c:\nexon\maplestory\maplestory.exe:MapleStory
"UDP Query User{01A3A46A-A016-4C24-BD50-56F4D3CAA711}c:\\nexon\\maplestory\\maplestory.exe"= TCP:c:\nexon\maplestory\maplestory.exe:MapleStory
"{AAC8B4A4-B58F-4935-BAE8-0B75984EB8D5}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{151950F9-A946-44C4-B7AC-4EF97E01C94F}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{8F05C883-A90F-45C9-ADB4-DD235D5AFCA9}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{2CD3F378-86EC-45A4-ACB6-1D98D3AABA37}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{950A9705-E60D-487F-92FF-9D7334090F74}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{A36B821F-60B3-46A0-AB0D-9643D7184BEC}c:\\program files\\trillian\\trillian.exe"= UDP:c:\program files\trillian\trillian.exe:Trillian
"UDP Query User{6B87190D-7604-473C-A94A-1C0F7AE3727E}c:\\program files\\trillian\\trillian.exe"= TCP:c:\program files\trillian\trillian.exe:Trillian
"{8A294314-B8BF-41F7-AC48-FD9ADD1D6F83}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{AC39A51A-1869-402D-B866-5984638EE319}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{A0919993-618E-406C-A481-0F3424AE6B72}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{2DB9AEEC-410C-46CC-AE1A-9E28CD7CF1FF}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{E5D5257E-47AE-48D8-8D86-AF4D61BD3860}"= UDP:c:\program files\Steam\steamapps\common\peggle extreme\PeggleExtreme.exe:Peggle Extreme
"{A5237519-9E81-4805-A1CF-E350B1637418}"= TCP:c:\program files\Steam\steamapps\common\peggle extreme\PeggleExtreme.exe:Peggle Extreme
"{8122E1C9-6086-4CF8-9BF0-6EE6C4316C27}"= UDP:990:LocalSubnet:LocalSubnet|IF={9DD6B53B-93C4-41BD-AC21-E8F34C9D747C}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{E436ED64-96BC-468D-A496-366E0AE32E96}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{E6F3DBF5-BC1F-4BB8-9E18-CFA44535A057}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{EB16A0BA-ECC5-4D87-B820-F8BE1E8E329D}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{38B44CB1-3575-4DB4-8169-911E6324AB8E}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{A64D315D-8961-46A5-8027-52032990DF54}"= c:\program files\AVG\AVG8\avgam.exe:avgam.exe
"{02F171FC-1573-4733-9C26-46BB9C7278D8}"= c:\program files\AVG\AVG8\avgdiag.exe:avgdiag.exe
"{A8900FCD-044B-4F8C-B737-8FCBC7EA97B3}"= c:\program files\AVG\AVG8\avgdiagex.exe:avgdiagex.exe
"{FA34B64D-57A3-4722-885A-B456FEB96EBD}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{EF96CA99-E671-4E68-90A4-4D9E61A8FE87}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 AvgRkx86;avgrkx86.sys;c:\windows\System32\drivers\avgrkx86.sys [5/15/2009 4:37 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [5/15/2009 4:37 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [5/15/2009 4:37 PM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/15/2009 4:36 PM 298776]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [11/2/2006 6:25 AM 167936]
S3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [11/2/2006 6:25 AM 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [11/2/2006 6:25 AM 251904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2009-05-24 c:\windows\Tasks\User_Feed_Synchronization-{0D2839D6-F06E-4D16-BE03-3F5720EBB9B3}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-realteks - c:\users\Eileen\AppData\Roaming\Google\vmsclock.exe
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\users\Eileen\AppData\Roaming\Mozilla\Firefox\Profiles\m85fo13w.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\users\Eileen\AppData\Roaming\Mozilla\Firefox\Profiles\m85fo13w.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-24 16:19
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\WUDFHost.exe
c:\windows\System32\rundll32.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\System32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-05-24 16:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-24 20:24

Pre-Run: 49,398,501,376 bytes free
Post-Run: 45,999,542,272 bytes free

365 --- E O F --- 2009-05-21 21:40

2. MBAM log
Malwarebytes' Anti-Malware 1.36
Database version: 2175
Windows 6.0.6000

5/24/2009 4:39:17 PM
mbam-log-2009-05-24 (16-39-17).txt

Scan type: Quick Scan
Objects scanned: 71622
Time elapsed: 3 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
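As an added example (not part of this thread, and not ComboFix's own code): a small Python triage script for the "Files Created" section of the ComboFix log above. It parses the row format ComboFix uses (created timestamp, modified timestamp, size, attributes, path), flags executables written into user-writable profile folders whose created and modified times coincide, and groups them by creation minute so a batch drop stands out. The sample rows are copied from the posted log; the heuristics and thresholds are my assumptions and produce review hints, not verdicts.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample rows in the ComboFix "Files Created" format, copied from the log
# posted above. Format: created . modified size attributes path
SAMPLE_LOG = r"""
2009-05-24 20:19 . 2009-05-24 20:19 -------- d-----w c:\users\Eileen\AppData\Local\Apple Computer
2009-05-20 17:38 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-13 06:03 . 2009-05-13 06:03 16141 ----a-w c:\users\Eileen\AppData\Roaming\Identities\lego.exe
2009-05-13 06:03 . 2009-05-13 06:03 13221 ----a-w c:\users\Eileen\AppData\Roaming\Apple Computer\rengo.dll
2009-05-13 06:03 . 2009-05-13 06:03 10121 ----a-w c:\users\Eileen\AppData\Roaming\Mozilla\kern.dll
2009-05-13 05:19 . 2009-03-19 20:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
"""

# One row: two "YYYY-MM-DD HH:MM" stamps separated by " . ", a size (or
# "--------" for directories), a 7-character attribute string, then the path
# (which may contain spaces, so it takes the rest of the line).
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S{7}) (?P<path>.+)$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
# Assumed list of locations a normal user can write to without elevation.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\programdata\\")


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories ("--------")
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_created_section(text: str) -> List[Entry]:
    """Parse the rows of a ComboFix 'Files Created' or 'Find3M' section."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section banners, lone dots, blank lines
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def flag_entries(entries: List[Entry]) -> List[Tuple[Entry, List[str]]]:
    """Return (entry, reasons) for files worth a closer look.

    Heuristics (triage hints, not verdicts):
      * an executable landed in a user-writable profile/data directory;
      * created == modified to the minute, i.e. the file was written in
        place rather than copied by an installer that kept the original mtime.
    """
    flagged: List[Tuple[Entry, List[str]]] = []
    for e in entries:
        if e.is_dir:
            continue
        low = e.path.lower()
        reasons: List[str] = []
        if low.endswith(EXEC_EXT) and any(d in low for d in USER_WRITABLE):
            reasons.append("executable in user-writable location")
            if e.created == e.modified:
                reasons.append("created == modified (written in place)")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def drop_clusters(flagged: List[Tuple[Entry, List[str]]],
                  min_size: int = 2) -> Dict[str, List[str]]:
    """Group flagged files by creation minute.

    Several small executables appearing in the same minute across unrelated
    folders is a pattern a reviewer wants to see together, not one by one.
    """
    by_minute: Dict[str, List[str]] = defaultdict(list)
    for e, _ in flagged:
        by_minute[e.created].append(e.path)
    return {k: v for k, v in by_minute.items() if len(v) >= min_size}


if __name__ == "__main__":
    found = flag_entries(parse_created_section(SAMPLE_LOG))
    for e, reasons in found:
        print(f"{e.created}  {e.size:>7}  {e.path}")
        for r in reasons:
            print("    -", r)
    for minute, paths in drop_clusters(found).items():
        print(f"\n{len(paths)} flagged files created at {minute}:")
        for p in paths:
            print("   ", p)
```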

#15 lil_adell (Topic Starter)
Members, 16 posts

Posted 24 May 2009 - 04:04 PM

3. Goored.txt
GooredFix v1.92 by jpshortstuff
Log created at 16:41 on 24/05/2009 running Option #2 (Eileen)
Firefox version 3.0.10 (en-US)

=====Goored Deletions=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

4. C:\reslove.log


RESOLVE Version 1.07
Copyright © 2004, Sophos Plc, www.sophos.com

System disinfection for W32/Brontok

Data Version 1.03

System scan started at 16:43 on 24 May 2009

Checking for W32/Brontok in memory

Could not open process. Process ID: 1188

Checking for registry keys affected by W32/Brontok


Checking for files affected by W32/Brontok

Scanning C:


Scanning D:


Scanning C:\Windows


Checking for registry keys affected by W32/Brontok


System scan finished at 16:46 on 24 May 2009

Processes found : 0
Processes terminated or disinfected : 0
Registry keys affected : 0
Registry keys changed : 0
Files found : 0
Files deleted : 0



