
uacinit.dll and WinPC Antivirus


  • This topic is locked
14 replies to this topic

#1 Combatchuck

Combatchuck

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:59 PM

Posted 26 May 2009 - 03:39 AM

Hello. The other day I was hit by some malware through an ad on a website that downloaded WinPC Antivirus to my computer. I started researching it, and eventually was able to get rid of most of it through various anti-virus and anti-malware scans. Currently, my PC is running ok, but I believe that it is still infected because I cannot open SUPER Anti-spyware on my comp. I also notice that iexplore.exe is running in my task manager most of the time with no application open, and it even comes back when I end the process. The most recent item I found was the uacinit.dll through Malwarebytes' Anti-Malware program. Here are my most recent MBAM and HijackThis reports. Please help me and let me know if there's anything else I need to be doing. Thanks.


Malwarebytes' Anti-Malware 1.36
Database version: 2156
Windows 5.1.2600 Service Pack 2

5/25/2009 10:03:41 PM
mbam-log-2009-05-25 (22-03-41).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 193170
Time elapsed: 1 hour(s), 23 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:49 AM, on 5/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TrojanHunter 5.1\THGuard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivirprotection.com
O1 - Hosts: 94.232.248.66 www.antivirprotection.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.1\THGuard.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107690182389
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...459/mcfscan.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11056 bytes


#2 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:59 PM

Posted 26 May 2009 - 05:19 AM

Hello Combatchuck, and :) to Bleeping Computer Forums. My nick is Net_Surfer, and I'll be glad to help you with your computer problems.

I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so I can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Please note that whatever repairs we make, are for fixing "your computer problems only" and by no means should be used on another computer.


You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown Here.

Please be patient and I'd be grateful if you would note the following:

The cleaning process is not instant. RSIT and HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.

1. Please reply using the AddReply button in the lower right hand corner of your screen. Do not start a new topic.
2. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
3. All of my posts need to be checked by my coach, so please be patient while I attempt to remove your malware.
4. Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.


Ok.. Combatchuck, please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Do not attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.
  • Please continue to review my answers until I tell you your machine appears to be clear. Remember absence of symptoms does not mean that everything is clear.
If you can do these things, everything should go smoothly. :thumbup2:


We need to see some information about what is happening in your machine. Please perform the following scan:

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Step #1.

random's system information tool (RSIT)

Please note that it is important that RSIT be run and a log created while in normal mode. If you run it and create your log while in safe mode, you will be asked to redo it again properly.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open.

    Please post the contents of both here in your next reply.

    log.txt (<<--- will be maximized) and info.txt (<<--- will be minimized)

Summary of the logs I will need in your next reply:
  • The two logs of RSIT.
Upon completing the above steps I will review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.


Thanks, and again sorry for the delay.
Kind regards
Net_Surfer

:)

#3 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:59 PM

Posted 27 May 2009 - 07:19 PM

Hi Combatchuck, :)

Since you did not reply promptly, please disregard running RSIT from my reply above; instead do the following steps, and at the end run RSIT:

Please follow these steps carefully:


Step #1.

Protect your Hosts file by installing HostsXpert.

Download HostsXpert.zip
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click "Restore Microsoft's Hosts file" and then click "OK".
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Step #2.

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files that are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove Programs in the Control Panel and remove either McAfee or AVG8.

If you have an active paid subscription with McAfee, then I recommend you just keep it and get rid of AVG8.


The process of cleaning your computer may require temporarily disabling some security programs.

Step #3.

Firstly, we need to disable SpyBot's Teatimer which can interfere with the fixes.

TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy
Step #4.

MBAM

Note:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Step #5.

random's system information tool (RSIT)

We need to see some more information about what is happening in your machine. Please perform the following scan:

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Please note that it is important that RSIT be run and a log created while in normal mode. If you run it and create your log while in safe mode, you will be asked to redo it again properly.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open.

    Please post the contents of both here in your next reply.

    log.txt (<<--- will be maximized) and info.txt (<<--- will be minimized)
Summary of the logs I will need in your next reply:
  • The log of MBAM
  • The two logs of RSIT.
How is your computer running now?

Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks.
Kind regards
Net_Surfer

:thumbup2:

Edited by Net_Surfer, 27 May 2009 - 07:20 PM.
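The O1 lines in the first post's HijackThis log show the classic rogue-antivirus hosts-file hijack that Step #1 above undoes: browser-security.microsoft.com and the antivirprotection.com names are all pinned to 94.232.248.66, so any lookup of those names bypasses DNS and lands on the attacker's host, while a stock hosts file only maps localhost to loopback. The script below is an added example, not part of this thread or of HostsXpert, that parses a hosts file (or the "IP hostname" pairs HijackThis prints on O1 lines) and reports every entry that sends a hostname somewhere other than loopback. The sample file, the WATCHED_SUFFIXES list and the verdict labels are constructed for the example.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample: the three O1 entries reported by HijackThis in the first
# post, plus the two loopback lines a stock Windows XP hosts file contains.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
94.232.248.66   browser-security.microsoft.com
94.232.248.66   antivirprotection.com
www.antivirprotection.com is not a hosts line and is skipped
94.232.248.66   www.antivirprotection.com
"""

# Hypothetical list of domains whose redirection would blind the security
# tooling on this machine; extend it to match the vendors actually installed.
WATCHED_SUFFIXES = ("microsoft.com", "malwarebytes.org", "avg.com",
                    "mcafee.com", "trendmicro.com", "superantispyware.com")

# A hosts line is "<address> <hostname> [<alias> ...]"; comments start with '#'.
HOSTS_LINE = re.compile(r"^(\S+)\s+(.+)$")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return one (ip, hostname) pair per hostname token, ignoring comments
    and lines whose first token is not a valid IPv4/IPv6 address."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        ip, names = m.group(1), m.group(2).split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first token is not an address: not a hosts mapping
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def classify(ip: str, name: str) -> str:
    """Verdict for a single mapping.
    ok         - loopback/unspecified target (normal localhost or sink-hole use)
    review     - private or link-local target (LAN override, usually legitimate)
    hijack     - public target for a watched security-vendor domain
    suspicious - public target for any other name"""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_unspecified:
        return "ok"
    if addr.is_private or addr.is_link_local:
        return "review"
    watched = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
    return "hijack" if watched else "suspicious"


def scan_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Classify every mapping in a hosts file."""
    return [(ip, name, classify(ip, name)) for ip, name in parse_hosts(text)]


def findings(text: str) -> List[Tuple[str, str, str]]:
    """Only the mappings a responder should look at (anything not 'ok')."""
    return [f for f in scan_hosts(text) if f[2] != "ok"]


if __name__ == "__main__":
    for ip, name, verdict in scan_hosts(SAMPLE_HOSTS):
        print(f"{verdict:10s} {ip:16s} {name}")
```

Running it on the sample flags the three 94.232.248.66 entries and leaves the loopback lines alone; on a real machine point it at %SystemRoot%\system32\drivers\etc\hosts (the file the "Restore Microsoft's Hosts file" step rewrites) and treat any "hijack" verdict as confirmation that the rogue-AV hijack is still in place.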


#4 Combatchuck

Combatchuck
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:59 PM

Posted 29 May 2009 - 10:44 PM

Hey. Sorry for taking a while to respond. I was out on a business trip this past week. I did all of the steps that you listed in your post. The computer starts out really slow, but once it gets going it runs fine. I just think that there's still some malware on my computer. Here are the logs you requested:

MBAM:
Malwarebytes' Anti-Malware 1.37
Database version: 2195
Windows 5.1.2600 Service Pack 2

5/29/2009 8:36:31 PM
mbam-log-2009-05-29 (20-36-31).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 195663
Time elapsed: 1 hour(s), 4 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\mark lemons\local settings\Temp\~TM36.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wbem\proquota.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.





RSIT:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Mark Lemons at 2009-05-29 20:41:37
Microsoft Windows XP Professional Service Pack 2
System drive C: has 5 GB (14%) free of 38 GB
Total RAM: 511 MB (20% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:47 PM, on 5/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TrojanHunter 5.1\THGuard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mark Lemons\Desktop\mbam-setup(3).exe
C:\DOCUME~1\MARKLE~1\LOCALS~1\Temp\is-5K2O6.tmp\mbam-setup(3).tmp
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Malwarebytes' Anti-Malware\good.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Mark Lemons\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Mark Lemons.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.1\THGuard.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\good.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107690182389
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...459/mcfscan.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11180 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1107758400.job
C:\WINDOWS\tasks\nqzumvgx.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 63128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-05-24 1107224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll [2006-11-30 67136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-05-16 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-05-16 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"=C:\WINDOWS\BCMSMMSG.exe [2003-08-29 122880]
"Dell QuickSet"=C:\Program Files\Dell\QuickSet\quickset.exe [2004-03-04 487424]
"DadApp"=C:\Program Files\Dell\AccessDirect\dadapp.exe [2004-03-04 211828]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2004-02-05 98304]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2004-02-05 495616]
"PCMService"=C:\Program Files\Dell\Media Experience\PCMService.exe [2003-12-12 217088]
"mmtask"=c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe [2003-10-06 53248]
"MMTray"=C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe [2003-10-06 118784]
"MCAgentExe"=c:\PROGRA~1\mcafee.com\agent\mcagent.exe [2005-09-22 303104]
"MCUpdateExe"=C:\PROGRA~1\mcafee.com\agent\mcupdate.exe [2006-01-11 212992]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-05-16 148888]
"ShStatEXE"=C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE [2006-11-30 112216]
"McAfeeUpdaterUI"=C:\Program Files\McAfee\Common Framework\UdaterUI.exe [2006-11-17 136768]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
"THGuard"=C:\Program Files\TrojanHunter 5.1\THGuard.exe [2009-05-18 1061536]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2009-02-16 981384]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-05-24 1947928]
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [2004-08-04 158208]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2009-05-26 414480]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\good.exe [2009-05-26 1283344]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2005-10-24 307200]
"igndlm.exe"=C:\Program Files\IGN\Download Manager\DLM.exe [2006-11-07 972432]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
C:\Program Files\Microsoft Money\System\mnyexpr.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\System32\NvCpl.dll [2004-01-08 4866048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLTRYSVC"=2
"RapApp"=3
"Bonjour Service"=2
"Autodesk Licensing Service"=3

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
Post-it® Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe
RealSecure® Desktop Protector.lnk -

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-05-24 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableProfileQuota"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Sony\Station\Launchpad\LaunchPad.exe"="C:\Program Files\Sony\Station\Launchpad\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\WINDOWS\system32\P2P Networking\P2P Networking.exe"="C:\WINDOWS\system32\P2P Networking\P2P Networking.exe:*:Enabled:P2P Networking"
"C:\Program Files\Kazaa\kazaa.exe"="C:\Program Files\Kazaa\kazaa.exe:*:Enabled:Kazaa"
"C:\Program Files\Sony\Station\Launchpad\_aunchPad.exe"="C:\Program Files\Sony\Station\Launchpad\_aunchPad.exe:*:Enabled:_aunchPad"
"C:\Program Files\EA GAMES\Battlefield 2 Demo\BF2.exe"="C:\Program Files\EA GAMES\Battlefield 2 Demo\BF2.exe:*:Enabled:Battlefield 2"
"C:\Program Files\GameSpy Arcade\Aphex.exe"="C:\Program Files\GameSpy Arcade\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\Program Files\EA GAMES\Battlefield 2\BF2.exe"="C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:*:Enabled:Battlefield 2"
"C:\Program Files\Red Storm Entertainment\Rogue Spear\UrbanOperations.exe"="C:\Program Files\Red Storm Entertainment\Rogue Spear\UrbanOperations.exe:*:Enabled:UrbanOperations"
"C:\Documents and Settings\Mark Lemons\My Documents\download\mlemons77\NeverwinterNights\NWN\nwmain.exe"="C:\Documents and Settings\Mark Lemons\My Documents\download\mlemons77\NeverwinterNights\NWN\nwmain.exe:*:Enabled:Neverwinter Nights"
"C:\Program Files\BitTorrent\btdownloadgui.exe"="C:\Program Files\BitTorrent\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\America's Army\System\ArmyOps.exe"="C:\Program Files\America's Army\System\ArmyOps.exe:*:Enabled:ArmyOps"
"C:\Program Files\Ruckus Player\Ruckus.exe"="C:\Program Files\Ruckus Player\Ruckus.exe:*:Enabled:Ruckus"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"E:\Warcraft\World of Warcraft\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"="E:\Warcraft\World of Warcraft\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe:*:Enabled:Blizzard Downloader"
"E:\Warcraft\World of Warcraft\BackgroundDownloader.exe"="E:\Warcraft\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"E:\Warcraft\World of Warcraft\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"="E:\Warcraft\World of Warcraft\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"E:\Warcraft\World of Warcraft\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"="E:\Warcraft\World of Warcraft\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"E:\Warcraft\World of Warcraft\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"="E:\Warcraft\World of Warcraft\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe"="C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"E:\Warcraft\World of Warcraft\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"="E:\Warcraft\World of Warcraft\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"E:\Warcraft\World of Warcraft\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"="E:\Warcraft\World of Warcraft\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"E:\Warcraft\World of Warcraft\WoW-2.0.3-enUS-downloader.exe"="E:\Warcraft\World of Warcraft\WoW-2.0.3-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"E:\Warcraft\World of Warcraft\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe"="E:\Warcraft\World of Warcraft\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"E:\Warcraft\World of Warcraft\Launcher.exe"="E:\Warcraft\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\Program Files\Ventrilo\Ventrilo.exe"="C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c781c48e-d883-11dd-bab2-000f1f12d38a}]
shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe


======File associations======

.scr - open - "C:\WINDOWS\system32\notepad.exe" "%1"
.scr - install -
.scr - config -

======List of files/folders created in the last 1 months======

2009-05-29 20:36:43 ----A---- C:\WINDOWS\qrfxypw.txt
2009-05-29 19:00:45 ----D---- C:\rsit
2009-05-29 18:21:30 ----D---- C:\HostsXpert
2009-05-26 00:42:26 ----D---- C:\Program Files\SUPERAntiSpyware
2009-05-26 00:42:26 ----D---- C:\Documents and Settings\Mark Lemons\Application Data\SUPERAntiSpyware.com
2009-05-25 20:15:15 ----D---- C:\WINDOWS\pss
2009-05-25 17:51:35 ----D---- C:\Program Files\Trend Micro
2009-05-25 17:30:49 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-05-25 17:30:49 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-25 12:26:25 ----A---- C:\WINDOWS\ntbtlog.txt
2009-05-24 23:26:16 ----HD---- C:\$AVG8.VAULT$
2009-05-24 22:34:20 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-05-24 22:33:32 ----D---- C:\Program Files\AVG
2009-05-24 22:33:32 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-05-24 21:48:46 ----D---- C:\Program Files\Prevx
2009-05-24 21:48:39 ----D---- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2009-05-24 21:48:39 ----A---- C:\WINDOWS\wininit.ini
2009-05-24 02:54:04 ----D---- C:\Documents and Settings\Mark Lemons\Application Data\TrojanHunter
2009-05-24 01:57:37 ----A---- C:\WINDOWS\system32\vsregexp.dll
2009-05-24 01:57:27 ----A---- C:\WINDOWS\system32\zlcommdb.dll
2009-05-24 01:57:25 ----A---- C:\WINDOWS\system32\zlcomm.dll
2009-05-24 01:55:30 ----A---- C:\WINDOWS\system32\vswmi.dll
2009-05-24 01:55:28 ----N---- C:\WINDOWS\system32\vsxml.dll
2009-05-24 01:55:28 ----A---- C:\WINDOWS\system32\zpeng25.dll
2009-05-24 01:55:26 ----D---- C:\WINDOWS\system32\ZoneLabs
2009-05-24 01:55:26 ----D---- C:\Program Files\Zone Labs
2009-05-24 01:55:26 ----A---- C:\WINDOWS\system32\vspubapi.dll
2009-05-24 01:55:26 ----A---- C:\WINDOWS\system32\vsmonapi.dll
2009-05-24 01:54:28 ----A---- C:\WINDOWS\system32\vsinit.dll
2009-05-24 01:54:28 ----A---- C:\WINDOWS\system32\vsdata.dll
2009-05-24 01:54:27 ----A---- C:\WINDOWS\system32\vsutil.dll
2009-05-24 01:54:06 ----D---- C:\WINDOWS\Internet Logs
2009-05-24 01:48:22 ----R---- C:\WINDOWS\system32\streamhlp.dll
2009-05-24 01:48:22 ----D---- C:\Program Files\TrojanHunter 5.1
2009-05-24 01:36:42 ----D---- C:\Program Files\MSECACHE
2009-05-23 23:25:21 ----D---- C:\Program Files\Ventrilo
2009-05-23 23:25:19 ----A---- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-05-23 23:23:15 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-05-23 15:09:24 ----D---- C:\Documents and Settings\Mark Lemons\Application Data\pfikslxl
2009-05-21 06:59:21 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-05-21 06:59:05 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-05-21 06:58:50 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-05-21 06:58:33 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-05-21 06:58:20 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-05-21 06:58:06 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2009-05-21 06:57:51 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-05-21 06:56:11 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-05-21 06:55:27 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-05-21 06:54:56 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-05-21 06:54:39 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2009-05-21 06:54:23 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-05-21 06:54:06 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-05-21 06:53:54 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-05-21 06:53:41 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-05-21 06:53:29 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-05-21 06:53:07 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-05-21 06:52:50 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-05-21 06:52:34 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-05-21 06:52:21 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-05-21 06:52:08 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-05-21 06:51:55 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-05-21 06:51:40 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-05-21 06:51:29 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-05-21 06:50:45 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-05-19 22:44:18 ----D---- C:\Documents and Settings\Mark Lemons\Application Data\Malwarebytes
2009-05-19 22:43:10 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-05-19 22:43:05 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-05-19 22:03:11 ----D---- C:\WINDOWS\system32\CatRoot_bak
2009-05-16 21:27:44 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-05-16 21:27:43 ----A---- C:\WINDOWS\system32\javaws.exe
2009-05-16 21:27:43 ----A---- C:\WINDOWS\system32\javaw.exe
2009-05-16 21:27:43 ----A---- C:\WINDOWS\system32\java.exe

======List of files/folders modified in the last 1 months======

2009-05-29 20:36:43 ----D---- C:\WINDOWS\system32\drivers
2009-05-29 20:36:43 ----D---- C:\WINDOWS
2009-05-29 20:36:31 ----D---- C:\WINDOWS\system32\wbem
2009-05-29 19:20:54 ----D---- C:\Program Files\Mozilla Firefox
2009-05-29 19:20:42 ----D---- C:\WINDOWS\Temp
2009-05-29 19:18:28 ----RASH---- C:\boot.ini
2009-05-29 19:18:28 ----A---- C:\WINDOWS\win.ini
2009-05-29 19:18:28 ----A---- C:\WINDOWS\system.ini
2009-05-29 19:09:14 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-26 01:09:55 ----SHD---- C:\WINDOWS\Installer
2009-05-26 00:42:26 ----RD---- C:\Program Files
2009-05-26 00:34:04 ----D---- C:\WINDOWS\Minidump
2009-05-25 22:14:00 ----D---- C:\WINDOWS\system32
2009-05-25 17:51:28 ----SHD---- C:\RECYCLER
2009-05-25 17:48:39 ----D---- C:\Documents and Settings
2009-05-25 12:13:02 ----D---- C:\WINDOWS\Prefetch
2009-05-25 02:46:04 ----D---- C:\quarantine
2009-05-24 22:33:18 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-05-24 22:33:17 ----D---- C:\WINDOWS\WinSxS
2009-05-24 03:10:10 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-05-23 23:29:59 ----D---- C:\Documents and Settings\Mark Lemons\Application Data\Ventrilo
2009-05-23 23:23:15 ----D---- C:\Program Files\Common Files
2009-05-23 22:59:10 ----HD---- C:\WINDOWS\inf
2009-05-23 22:59:07 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-05-23 22:58:18 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-23 20:21:17 ----SHD---- C:\System Volume Information
2009-05-23 20:21:17 ----D---- C:\WINDOWS\system32\Restore
2009-05-23 14:57:34 ----D---- C:\Documents and Settings\Mark Lemons\Application Data\Mozilla
2009-05-23 14:56:45 ----D---- C:\Program Files\Common Files\Mozilla Shared
2009-05-23 14:18:00 ----D---- C:\downloads
2009-05-23 13:33:29 ----SD---- C:\WINDOWS\Tasks
2009-05-23 09:10:50 ----D---- C:\Program Files\i2hub
2009-05-22 23:25:39 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-05-22 23:19:33 ----D---- C:\WINDOWS\AppPatch
2009-05-21 06:59:14 ----A---- C:\WINDOWS\imsins.BAK
2009-05-21 06:58:53 ----D---- C:\Program Files\Messenger
2009-05-21 06:58:48 ----HD---- C:\WINDOWS\$hf_mig$
2009-05-21 06:57:20 ----D---- C:\WINDOWS\system32\en-US
2009-05-21 06:57:19 ----D---- C:\Program Files\Internet Explorer
2009-05-20 06:02:17 ----RSD---- C:\WINDOWS\Fonts
2009-05-20 00:48:15 ----D---- C:\WINDOWS\system32\CatRoot
2009-05-19 22:03:11 ----D---- C:\WINDOWS\Debug
2009-05-16 21:26:50 ----D---- C:\Program Files\Java
2009-05-07 00:16:30 ----A---- C:\WINDOWS\system32\MRT.exe
2009-04-30 01:01:37 ----D---- C:\Documents and Settings\Mark Lemons\Application Data\Apple Computer

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-05-24 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-05-24 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-05-24 108552]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
R1 mferkdk;VSCore mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys []
R1 mfetdik;McAfee Inc.; C:\WINDOWS\system32\drivers\mfetdik.sys [2006-11-30 52136]
R1 OMCI;OMCI WDM Device Driver; C:\WINDOWS\System32\DRIVERS\omci.sys [2004-02-13 17153]
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2009-02-16 353672]
R2 dsunidrv;DellSupport UniDriver; C:\WINDOWS\system32\DRIVERS\dsunidrv.sys [2007-02-25 5376]
R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.7; C:\WINDOWS\System32\DRIVERS\mdc8021x.sys [2005-02-06 15781]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2004-08-03 60800]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [2004-02-20 312960]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2003-05-15 43136]
R3 BCMModem;BCM V.92 56K Modem; C:\WINDOWS\System32\DRIVERS\BCMSM.sys [2003-08-29 1101696]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys []
R3 mfeapfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeapfk.sys [2006-11-30 64360]
R3 mfeavfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeavfk.sys [2006-11-30 72264]
R3 mfebopk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfebopk.sys [2006-11-30 34152]
R3 mfehidk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfehidk.sys [2006-11-30 168776]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 MxlW2k;MxlW2k; C:\WINDOWS\system32\drivers\MxlW2k.sys [2006-06-28 28256]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-03 61824]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-01-08 1378636]
R3 STAC97;Audio Driver (WDM) - SigmaTel CODEC; C:\WINDOWS\system32\drivers\STAC97.sys [2003-04-25 220176]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\System32\DRIVERS\SynTP.sys [2004-02-05 178496]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-03 20480]
S2 eorvwq;eorvwq; C:\WINDOWS\system32\drivers\dtukgg.sys []
S2 ykuri;ykuri; C:\WINDOWS\system32\drivers\vtdmv.sys [2009-05-29 61440]
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 DSproct;DSproct; \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys []
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2003-03-08 51024]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2003-03-08 16080]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2003-03-08 21456]
S3 RapFile;RapFile; \??\C:\WINDOWS\system32\drivers\RapFile.sys []
S3 RapNet;RapNet; \??\C:\WINDOWS\system32\drivers\RapNet.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S4 black;black; C:\WINDOWS\System32\drivers\BlackDrv.sys [2004-09-09 227285]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-05-24 298776]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-05-16 152984]
R2 McAfeeFramework;McAfee Framework Service; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [2006-11-17 104000]
R2 McDetect.exe;McAfee WSC Integration; c:\program files\mcafee.com\agent\mcdetect.exe [2005-10-13 126976]
R2 McShield;McAfee McShield; C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager; C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe [2006-11-30 54872]
R2 McTskshd.exe;McAfee Task Scheduler; c:\PROGRA~1\mcafee.com\agent\mctskshd.exe [2005-08-24 122368]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2004-01-08 77824]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2009-02-16 2402184]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S2 CSIScanner;CSIScanner; C:\Program Files\Prevx\prevx.exe [2009-05-24 4368952]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-14 32768]
S3 DSBrokerService;DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [2007-03-07 76848]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 Imapi Helper;Imapi Helper; C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe [2005-11-13 163840]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager; C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe [2005-07-01 245760]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2003-03-08 65795]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-09-22 38912]
S4 Autodesk Licensing Service;Autodesk Licensing Service; C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe [2005-09-29 77944]
S4 BlackICE;BlackICE; C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe [2004-10-29 847872]
S4 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
S4 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2008-05-02 66872]
S4 RapApp;RapApp; C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe [2003-06-19 688128]
S4 WLTRYSVC;WLTRYSVC; C:\WINDOWS\System32\wltrysvc.exe [2004-02-20 45056]

-----------------EOF-----------------



For some reason, RSIT only gives me the full screen log, not the smaller one. Thanks for all your help and let me know what else you think I need to be doing.

Thanks,
Combat Chuck

#5 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • Gender:Male
  • Local time:08:59 PM

Posted 30 May 2009 - 02:15 PM

Hello Combatchuck,

Nice to hear from you. :thumbup2:

Going over your logs I noticed that you did not follow my advice of uninstalling one of the two anti-virus products that you have installed and running on your system. :)

Please, you need to uninstall one of them.


Step #1.

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove either: AVG8 <--- or ---> McAfee.

Step #2.

:cool: P2P Warning :)

Going over your logs I noticed that you have: Kazaa<--> BitTorrent<--> LimeWire installed.

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.

- They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.

- Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

- The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall: Kazaa<-->BitTorrent<-->LimeWire, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel>> Add / Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


Please follow these instructions carefully.

Step #3.

Firstly, we need to disable SpyBot's Teatimer which can interfere with the fixes.

TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy
Please download ComboFix By: sUBs from one of these locations:
WARNING: This tool is not a toy and not for everyday use!!!

Link 1
Link 2
Link 3

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your DESKTOP**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • *Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Please insert all usb-drives before running Combofix
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • *Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on ComboFix.exe & follow the prompts.
  • If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.
  • Leave your computer alone while ComboFix is running. Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**
    ComboFix will restart your computer if malware is found; allow it to do so.

  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new RSIT log for further review.
Notes:
ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.


A word of warning if you are a lurker: Neither I nor sUBs is responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.

ComboFix is a very complex and dangerous tool. It is not a one-size-fits-all tool and it does not automatically remove what needs to be removed by itself. It is like a scalpel in the hands of a surgeon. A surgeon can remove exactly what is needed and no more, while an untrained person would either cut too much or not enough.

ComboFix is powerful enough to be able to render your computer unbootable if used wrongly, or to leave your computer infected if you do not know what you are doing.

ComboFix SHOULD NOT be used unless requested by a forum helper

Please re-scan with RSIT and post the log.

Summary of the logs I will need in your next reply:
  • The ComboFix log. located at: "C:\ComboFix.txt"
  • The RSIT log.
And any description of remaining problems in your next post.

How is your computer running now?

Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks.
Kind regards
Net_Surfer

:)
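The helper above asks for C:\ComboFix.txt to be posted back for review. As an added example (not part of the original post and not ComboFix's own code), the Python script below triages such a log offline: it splits the log into its "((( Section )))" blocks, counts what was deleted per directory, lists the services ComboFix removed and the system files it restored, lists newly created drivers, and flags deleted files that follow the UAC<random>.dll/.sys/.dat/.log and uacinit.dll naming seen in this thread. That name pattern is an assumption derived from the file names posted here, not a published signature, and the embedded sample log is constructed to match the layout of the log posted in this thread.

```python
"""Offline triage of a ComboFix.txt log. Added example for this thread: it
is not ComboFix's own code. The UAC<random>.dll/.sys/.dat/.log and
uacinit.dll name pattern is an assumption taken from the file names posted
in this thread, not a published signature; tune it for other families."""
import json
import re
import sys
from collections import Counter

SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")   # "(((( Other Deletions ))))"
# Assumed rootkit naming: in system32 or system32\drivers, "UAC" followed by
# 10-20 random letters, or the fixed name uacinit.dll.
UAC_NAME = re.compile(
    r"\\system32\\(?:drivers\\)?"
    r"(?:uacinit\.dll|UAC[a-z]{10,20}\.(?:dll|sys|dat|log))$",
    re.IGNORECASE,
)
SERVICE_RE = re.compile(r"^-+\\Service_(.+)$")    # "-------\Service_UACd.sys"
MISSING_RE = re.compile(r"^(.+?) was missing$")    # system file ComboFix restored
# "2009-05-30 22:32 . 2004-08-04 07:56 50176 ----a-w c:\path" (size is "----" for dirs)
CREATED_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)"
    r"\s+(\d+|-+)\s+(\S{7})\s+(.+)$"
)


def split_sections(text):
    """Map each section banner to the non-empty lines beneath it."""
    sections, current = {}, "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            continue
        sections.setdefault(current, []).append(line)
    return sections


def section(sections, prefix):
    # Prefix match: the "Files Created from ... to ..." banner carries dates.
    return next((v for k, v in sections.items() if k.startswith(prefix)), [])


def triage(text):
    sections = split_sections(text)
    deletions = section(sections, "Other Deletions")
    deleted = [l for l in deletions
               if l.lower().startswith("c:\\") and not MISSING_RE.match(l)]
    # Bucket deletions by parent directory, truncated to drive + two components.
    by_dir = Counter("\\".join(p.rsplit("\\", 1)[0].split("\\")[:3]).lower()
                     for p in deleted)
    services = map(SERVICE_RE.match, section(sections, "Drivers/Services"))
    created = map(CREATED_RE.match, section(sections, "Files Created"))
    return {
        "deleted_count": len(deleted),
        "deleted_by_dir": dict(by_dir),
        "rootkit_named": [p for p in deleted if UAC_NAME.search(p)],
        "removed_services": [m.group(1) for m in services if m],
        "restored": [m.group(1) for m in map(MISSING_RE.match, deletions) if m],
        "new_drivers": [m.group(5) for m in created
                        if m and m.group(5).lower().endswith(".sys")],
    }


# Constructed sample in the layout of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""ComboFix 09-05-30.03 - user 05/30/2009 15:22.1 - NTFSx86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\program files\Altnet
c:\program files\Altnet\Points Manager\settings.cab
c:\windows\patch.exe
c:\windows\system32\drivers\UACyndotfefotvvroc.sys
c:\windows\system32\UACftaptlrtvdhupqv.dat
c:\windows\system32\UACftyiqmjdlslbaoy.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UAClvgiuyqpadvapnw.log

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-30 )))))))))))))))))))))))))))))))
.
2009-05-30 22:32 . 2004-08-04 07:56 50176 ----a-w c:\windows\system32\proquota.exe
2009-05-30 02:24 . 2009-05-26 20:19 19096 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-30 02:00 . 2009-05-30 02:01 -------- d-----w C:\rsit
"""

if __name__ == "__main__":
    # Usage: python combofix_triage.py [C:\ComboFix.txt]; defaults to the sample.
    log = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(triage(log), indent=2))
```

Run it against a real C:\ComboFix.txt to get a JSON summary instead of reading a multi-hundred-line log top to bottom; the "rootkit_named" and "removed_services" lists are the items a helper would check first, and "new_drivers" shows every .sys that appeared in the scan window, which should contain only tools you installed deliberately (here mbam.sys from Malwarebytes).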

#6 Combatchuck

Combatchuck
  • Topic Starter

  • Members
  • 6 posts
  • Local time:08:59 PM

Posted 30 May 2009 - 06:26 PM

Hey Net_Surfer.

I had trouble removing my McAfee Antivirus, but I think I've finally been able to remove it. I'm also having trouble removing Prevx from my computer, but hopefully I'll be able to figure it out and remove it soon.

I ran ComboFix and RSIT, so here are their logs:


COMBOFIX:


ComboFix 09-05-30.03 - Mark Lemons 05/30/2009 15:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.245 [GMT -7:00]
Running from: c:\documents and settings\Mark Lemons\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mark Lemons\Application Data\pfikslxl
c:\documents and settings\Mark Lemons\Application Data\pfikslxl\profiles.ini
c:\documents and settings\Mark Lemons\Application Data\pfikslxl\Profiles\cp9z0zn4.default\cert8.db
c:\documents and settings\Mark Lemons\Application Data\pfikslxl\Profiles\cp9z0zn4.default\compatibility.ini
c:\documents and settings\Mark Lemons\Application Data\pfikslxl\Profiles\cp9z0zn4.default\compreg.dat
c:\documents and settings\Mark Lemons\Application Data\pfikslxl\Profiles\cp9z0zn4.default\cookies.sqlite
c:\documents and settings\Mark Lemons\Application Data\pfikslxl\Profiles\cp9z0zn4.default\formhistory.sqlite
c:\documents and settings\Mark Lemons\Application Data\pfikslxl\Profiles\cp9z0zn4.default\key3.db
c:\documents and settings\Mark Lemons\Application Data\pfikslxl\Profiles\cp9z0zn4.default\localstore.rdf
c:\documents and settings\Mark Lemons\Application Data\pfikslxl\Profiles\cp9z0zn4.default\permissions.sqlite
c:\documents and settings\Mark Lemons\Application Data\pfikslxl\Profiles\cp9z0zn4.default\places.sqlite-journal
c:\documents and settings\Mark Lemons\Application Data\pfikslxl\Profiles\cp9z0zn4.default\places.sqlite
c:\documents and settings\Mark Lemons\Application Data\pfikslxl\Profiles\cp9z0zn4.default\pluginreg.dat
c:\documents and settings\Mark Lemons\Application Data\pfikslxl\Profiles\cp9z0zn4.default\prefs.js
c:\documents and settings\Mark Lemons\Application Data\pfikslxl\Profiles\cp9z0zn4.default\secmod.db
c:\documents and settings\Mark Lemons\Application Data\pfikslxl\Profiles\cp9z0zn4.default\webappsstore.sqlite
c:\documents and settings\Mark Lemons\Application Data\pfikslxl\Profiles\cp9z0zn4.default\xpti.dat
c:\documents and settings\Mark Lemons\Local Settings\Application Data\pfikslxl
c:\documents and settings\Mark Lemons\Local Settings\Application Data\pfikslxl\Profiles\cp9z0zn4.default\urlclassifier3.sqlite
c:\documents and settings\Mark Lemons\Local Settings\Application Data\pfikslxl\Profiles\cp9z0zn4.default\XPC.mfl
c:\documents and settings\Mark Lemons\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\NetworkService\Application Data\pfikslxl
c:\documents and settings\NetworkService\Application Data\pfikslxl\profiles.ini
c:\documents and settings\NetworkService\Application Data\pfikslxl\Profiles\cp9z0zn4.default\cert8.db
c:\documents and settings\NetworkService\Application Data\pfikslxl\Profiles\cp9z0zn4.default\compatibility.ini
c:\documents and settings\NetworkService\Application Data\pfikslxl\Profiles\cp9z0zn4.default\compreg.dat
c:\documents and settings\NetworkService\Application Data\pfikslxl\Profiles\cp9z0zn4.default\cookies.sqlite
c:\documents and settings\NetworkService\Application Data\pfikslxl\Profiles\cp9z0zn4.default\formhistory.sqlite
c:\documents and settings\NetworkService\Application Data\pfikslxl\Profiles\cp9z0zn4.default\key3.db
c:\documents and settings\NetworkService\Application Data\pfikslxl\Profiles\cp9z0zn4.default\localstore.rdf
c:\documents and settings\NetworkService\Application Data\pfikslxl\Profiles\cp9z0zn4.default\permissions.sqlite
c:\documents and settings\NetworkService\Application Data\pfikslxl\Profiles\cp9z0zn4.default\places.sqlite-journal
c:\documents and settings\NetworkService\Application Data\pfikslxl\Profiles\cp9z0zn4.default\places.sqlite
c:\documents and settings\NetworkService\Application Data\pfikslxl\Profiles\cp9z0zn4.default\pluginreg.dat
c:\documents and settings\NetworkService\Application Data\pfikslxl\Profiles\cp9z0zn4.default\prefs.js
c:\documents and settings\NetworkService\Application Data\pfikslxl\Profiles\cp9z0zn4.default\secmod.db
c:\documents and settings\NetworkService\Application Data\pfikslxl\Profiles\cp9z0zn4.default\webappsstore.sqlite
c:\documents and settings\NetworkService\Application Data\pfikslxl\Profiles\cp9z0zn4.default\xpti.dat
c:\documents and settings\NetworkService\Local Settings\Application Data\pfikslxl
c:\documents and settings\NetworkService\Local Settings\Application Data\pfikslxl\Profiles\cp9z0zn4.default\urlclassifier3.sqlite
c:\documents and settings\NetworkService\Local Settings\Application Data\pfikslxl\Profiles\cp9z0zn4.default\XPC.mfl
c:\program files\Altnet
c:\program files\Altnet\Points Manager\LocalPages\altnet.css
c:\program files\Altnet\Points Manager\LocalPages\gradient.gif
c:\program files\Altnet\Points Manager\LocalPages\local_firstuse.html
c:\program files\Altnet\Points Manager\LocalPages\local_points.html
c:\program files\Altnet\Points Manager\LocalPages\local_redeem.html
c:\program files\Altnet\Points Manager\LocalPages\local_start.html
c:\program files\Altnet\Points Manager\LocalPages\local_wallet.html
c:\program files\Altnet\Points Manager\LocalPages\notconnected.gif
c:\program files\Altnet\Points Manager\LocalPages\offline.gif
c:\program files\Altnet\Points Manager\LocalPages\pixel.gif
c:\program files\Altnet\Points Manager\Points Manager.exe.Manifest
c:\program files\Altnet\Points Manager\settings.cab
c:\program files\Altnet\Points Manager\setup.cab
c:\program files\Altnet\Points Manager\Skin\back-over.bmp
c:\program files\Altnet\Points Manager\Skin\back.bmp
c:\program files\Altnet\Points Manager\Skin\bottom.bmp
c:\program files\Altnet\Points Manager\Skin\bottomleft.bmp
c:\program files\Altnet\Points Manager\Skin\bottomright.bmp
c:\program files\Altnet\Points Manager\Skin\close-over.bmp
c:\program files\Altnet\Points Manager\Skin\close.bmp
c:\program files\Altnet\Points Manager\Skin\forward-over.bmp
c:\program files\Altnet\Points Manager\Skin\forward.bmp
c:\program files\Altnet\Points Manager\Skin\help-bottom.bmp
c:\program files\Altnet\Points Manager\Skin\help-over.bmp
c:\program files\Altnet\Points Manager\Skin\help-sel.bmp
c:\program files\Altnet\Points Manager\Skin\help-top.bmp
c:\program files\Altnet\Points Manager\Skin\help-topleft.bmp
c:\program files\Altnet\Points Manager\Skin\help-topright.bmp
c:\program files\Altnet\Points Manager\Skin\help.bmp
c:\program files\Altnet\Points Manager\Skin\Help.xml
c:\program files\Altnet\Points Manager\Skin\left.bmp
c:\program files\Altnet\Points Manager\Skin\maximise-over.bmp
c:\program files\Altnet\Points Manager\Skin\maximise.bmp
c:\program files\Altnet\Points Manager\Skin\mb_bottom.bmp
c:\program files\Altnet\Points Manager\Skin\mb_bottomleft.bmp
c:\program files\Altnet\Points Manager\Skin\mb_bottomright.bmp
c:\program files\Altnet\Points Manager\Skin\mb_left.bmp
c:\program files\Altnet\Points Manager\Skin\mb_right.bmp
c:\program files\Altnet\Points Manager\Skin\mb_top.bmp
c:\program files\Altnet\Points Manager\Skin\mb_topleft.bmp
c:\program files\Altnet\Points Manager\Skin\mb_topright.bmp
c:\program files\Altnet\Points Manager\Skin\message.xml
c:\program files\Altnet\Points Manager\Skin\minimise-over.bmp
c:\program files\Altnet\Points Manager\Skin\minimise.bmp
c:\program files\Altnet\Points Manager\Skin\points-disabled.bmp
c:\program files\Altnet\Points Manager\Skin\points-over.bmp
c:\program files\Altnet\Points Manager\Skin\points-sel.bmp
c:\program files\Altnet\Points Manager\Skin\points.bmp
c:\program files\Altnet\Points Manager\Skin\redeem-disabled.bmp
c:\program files\Altnet\Points Manager\Skin\redeem-over.bmp
c:\program files\Altnet\Points Manager\Skin\redeem-sel.bmp
c:\program files\Altnet\Points Manager\Skin\redeem.bmp
c:\program files\Altnet\Points Manager\Skin\refresh-over.bmp
c:\program files\Altnet\Points Manager\Skin\refresh.bmp
c:\program files\Altnet\Points Manager\Skin\right.bmp
c:\program files\Altnet\Points Manager\Skin\Sav3BD.tmp
c:\program files\Altnet\Points Manager\Skin\settings-disabled.bmp
c:\program files\Altnet\Points Manager\Skin\settings-over.bmp
c:\program files\Altnet\Points Manager\Skin\settings-sel.bmp
c:\program files\Altnet\Points Manager\Skin\settings.bmp
c:\program files\Altnet\Points Manager\Skin\Skin.xml
c:\program files\Altnet\Points Manager\Skin\start-disabled.bmp
c:\program files\Altnet\Points Manager\Skin\start-over.bmp
c:\program files\Altnet\Points Manager\Skin\start-sel.bmp
c:\program files\Altnet\Points Manager\Skin\start.bmp
c:\program files\Altnet\Points Manager\Skin\top.bmp
c:\program files\Altnet\Points Manager\Skin\topleft-pro.bmp
c:\program files\Altnet\Points Manager\Skin\topleft-reg.bmp
c:\program files\Altnet\Points Manager\Skin\topleft.bmp
c:\program files\Altnet\Points Manager\Skin\topright.bmp
c:\program files\Altnet\Points Manager\Skin\wallet-disabled.bmp
c:\program files\Altnet\Points Manager\Skin\wallet-over.bmp
c:\program files\Altnet\Points Manager\Skin\wallet-sel.bmp
c:\program files\Altnet\Points Manager\Skin\wallet.bmp
c:\windows\cdmxtras
c:\windows\IE4 Error Log.txt
c:\windows\patch.exe
c:\windows\system32\cache329
c:\windows\system32\cache329\B_329_0_1_512000.htm
c:\windows\system32\cache329\B_329_0_1_512000.swf
c:\windows\system32\cache329\B_329_0_1_514400.htm
c:\windows\system32\cache329\B_329_0_1_514400.swf
c:\windows\system32\cache329\B_329_0_1_518300.htm
c:\windows\system32\cache329\B_329_0_1_518300.swf
c:\windows\system32\cache329\B_329_0_1_529900.htm
c:\windows\system32\cache329\B_329_0_1_529900.swf
c:\windows\system32\cache329\B_329_0_1_530600.htm
c:\windows\system32\cache329\B_329_0_1_530600.swf
c:\windows\system32\cache329\B_329_0_1_531300.htm
c:\windows\system32\cache329\B_329_0_1_531300.swf
c:\windows\system32\cache329\B_329_0_1_560400.htm
c:\windows\system32\cache329\B_329_0_1_560400.swf
c:\windows\system32\cache329\B_329_0_1_593900.htm
c:\windows\system32\cache329\B_329_0_1_593900.swf
c:\windows\system32\cache329\B_329_0_1_598700.htm
c:\windows\system32\cache329\B_329_0_1_598700.swf
c:\windows\system32\cache329\B_329_0_1_598800.htm
c:\windows\system32\cache329\B_329_0_1_598800.swf
c:\windows\system32\cache329\B_329_0_1_603100.htm
c:\windows\system32\cache329\B_329_0_1_603100.swf
c:\windows\system32\cache329\B_329_0_1_611600.htm
c:\windows\system32\cache329\B_329_0_1_611600.swf
c:\windows\system32\cache329\B_329_0_1_662500.htm
c:\windows\system32\cache329\B_329_0_1_662500.swf
c:\windows\system32\cache329\B_329_0_1_667400.htm
c:\windows\system32\cache329\B_329_0_1_667400.swf
c:\windows\system32\cache329\B_329_2_1_512000.htm
c:\windows\system32\cache329\B_329_2_1_512000.swf
c:\windows\system32\cache329\B_329_2_1_514400.htm
c:\windows\system32\cache329\B_329_2_1_514400.swf
c:\windows\system32\cache329\B_329_2_1_518300.htm
c:\windows\system32\cache329\B_329_2_1_518300.swf
c:\windows\system32\cache329\B_329_2_1_529900.htm
c:\windows\system32\cache329\B_329_2_1_529900.swf
c:\windows\system32\cache329\B_329_2_1_530600.htm
c:\windows\system32\cache329\B_329_2_1_530600.swf
c:\windows\system32\cache329\B_329_2_1_531300.htm
c:\windows\system32\cache329\B_329_2_1_531300.swf
c:\windows\system32\cache329\B_329_2_1_560400.htm
c:\windows\system32\cache329\B_329_2_1_560400.swf
c:\windows\system32\cache329\B_329_2_1_593900.htm
c:\windows\system32\cache329\B_329_2_1_593900.swf
c:\windows\system32\cache329\B_329_2_1_598700.htm
c:\windows\system32\cache329\B_329_2_1_598700.swf
c:\windows\system32\cache329\B_329_2_1_598800.htm
c:\windows\system32\cache329\B_329_2_1_598800.swf
c:\windows\system32\cache329\B_329_2_1_603100.htm
c:\windows\system32\cache329\B_329_2_1_603100.swf
c:\windows\system32\cache329\B_329_2_1_611600.htm
c:\windows\system32\cache329\B_329_2_1_611600.swf
c:\windows\system32\cache329\B_329_2_1_662500.htm
c:\windows\system32\cache329\B_329_2_1_662500.swf
c:\windows\system32\cache329\B_329_2_1_667400.htm
c:\windows\system32\cache329\B_329_2_1_667400.swf
c:\windows\system32\cache329\B_329_3_1_512000.htm
c:\windows\system32\cache329\B_329_3_1_512000.swf
c:\windows\system32\cache329\B_329_3_1_514400.htm
c:\windows\system32\cache329\B_329_3_1_514400.swf
c:\windows\system32\cache329\B_329_3_1_518300.htm
c:\windows\system32\cache329\B_329_3_1_518300.swf
c:\windows\system32\cache329\B_329_3_1_529900.htm
c:\windows\system32\cache329\B_329_3_1_529900.swf
c:\windows\system32\cache329\B_329_3_1_530600.htm
c:\windows\system32\cache329\B_329_3_1_530600.swf
c:\windows\system32\cache329\B_329_3_1_531300.htm
c:\windows\system32\cache329\B_329_3_1_531300.swf
c:\windows\system32\cache329\B_329_3_1_560400.htm
c:\windows\system32\cache329\B_329_3_1_560400.swf
c:\windows\system32\cache329\B_329_3_1_593900.htm
c:\windows\system32\cache329\B_329_3_1_593900.swf
c:\windows\system32\cache329\B_329_3_1_598700.htm
c:\windows\system32\cache329\B_329_3_1_598700.swf
c:\windows\system32\cache329\B_329_3_1_598800.htm
c:\windows\system32\cache329\B_329_3_1_598800.swf
c:\windows\system32\cache329\B_329_3_1_603100.swf
c:\windows\system32\cache329\B_329_3_1_611600.swf
c:\windows\system32\cache329\B_329_3_1_662500.swf
c:\windows\system32\cache329\B_329_3_1_667400.swf
c:\windows\system32\cache329\B_329_4_1_512500.htm
c:\windows\system32\cache329\B_329_4_1_515700.swf
c:\windows\system32\cache329\B_329_4_1_517200.swf
c:\windows\system32\cache329\B_329_4_1_549800.gif
c:\windows\system32\cache329\B_329_4_1_551200.htm
c:\windows\system32\cache329\B_329_4_1_557900.htm
c:\windows\system32\cache329\B_517800.htm
c:\windows\system32\cache329\B_530800.htm
c:\windows\system32\cache329\B_551700.htm
c:\windows\system32\cache329\B_553500.htm
c:\windows\system32\cache329\B_561000.htm
c:\windows\system32\cache329\B_584000.htm
c:\windows\system32\cache329\B_595500.htm
c:\windows\system32\cache329\B_618300.htm
c:\windows\system32\cache329\B_618400.htm
c:\windows\system32\cache329\B_636500.htm
c:\windows\system32\cache329\B_637600.htm
c:\windows\system32\cache329\B_654000.htm
c:\windows\system32\cache329\t_B_517800.htm
c:\windows\system32\cache329\t_B_530800.htm
c:\windows\system32\cache329\t_B_551700.htm
c:\windows\system32\cache329\t_B_553500.htm
c:\windows\system32\cache329\t_B_561000.htm
c:\windows\system32\cache329\t_B_584000.htm
c:\windows\system32\cache329\t_B_595500.htm
c:\windows\system32\cache329\t_B_618300.htm
c:\windows\system32\cache329\t_B_618400.htm
c:\windows\system32\cache329\t_B_636500.htm
c:\windows\system32\cache329\t_B_637600.htm
c:\windows\system32\cache329\t_B_654000.htm
c:\windows\system32\dcMWDJjl.ini2
c:\windows\system32\drivers\UACyndotfefotvvroc.sys
c:\windows\system32\P2P Networking
c:\windows\system32\P2P Networking\Cache\Database\file-10000-0x1ca7b50d48e7821ba409a76ce633114f.sig
c:\windows\system32\P2P Networking\Cache\Database\file-10000-0xb6a27672a7c4641faf09d9a19699abd5.sig
c:\windows\system32\P2P Networking\Cache\Database\file-10000-0xdeaee67065a90ade2bf6e256719d8606.sig
c:\windows\system32\P2P Networking\Cache\Database\file-10001-3292528746.sig
c:\windows\system32\P2P Networking\Cache\Database\file-10001-97.sig
c:\windows\system32\P2P Networking\Cache\Database\index256.dbb
c:\windows\system32\UACftaptlrtvdhupqv.dat
c:\windows\system32\UACftyiqmjdlslbaoy.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkmjulkyliensxet.dll
c:\windows\system32\UACkmxxvvmlrrqjcmk.dll
c:\windows\system32\UAClvgiuyqpadvapnw.log
c:\windows\system32\UAConifprdsallkcqn.dll
c:\windows\system32\UACpgtgibghbijewsm.dll
c:\windows\system32\UACvjwnoaqwmhsgiho.log
c:\windows\system32\UACxnrnehhncjbfenr.log

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-30 )))))))))))))))))))))))))))))))
.

2009-05-30 22:32 . 2004-08-04 07:56 50176 -c--a-w c:\windows\system32\dllcache\proquota.exe
2009-05-30 22:32 . 2004-08-04 07:56 50176 ----a-w c:\windows\system32\proquota.exe
2009-05-30 02:24 . 2009-05-26 20:20 40160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-30 02:24 . 2009-05-26 20:19 19096 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-30 02:00 . 2009-05-30 02:01 -------- d-----w C:\rsit
2009-05-30 01:21 . 2009-05-30 01:22 -------- d-----w C:\HostsXpert
2009-05-26 07:42 . 2009-05-26 07:42 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-26 07:42 . 2009-05-26 07:42 -------- d-----w c:\documents and settings\Mark Lemons\Application Data\SUPERAntiSpyware.com
2009-05-26 00:53 . 2009-05-26 00:53 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-26 00:51 . 2009-05-26 00:51 -------- d-----w c:\program files\Trend Micro
2009-05-26 00:30 . 2009-05-30 21:32 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-26 00:30 . 2009-05-26 00:31 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-25 06:26 . 2009-05-26 08:19 -------- d--h--w C:\$AVG8.VAULT$
2009-05-25 05:34 . 2009-05-25 05:34 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-25 05:34 . 2009-05-25 05:34 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-25 05:34 . 2009-05-25 05:34 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-25 05:34 . 2009-05-25 05:34 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-05-25 05:33 . 2009-05-30 16:45 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-25 05:33 . 2009-05-25 05:33 -------- d-----w c:\program files\AVG
2009-05-25 05:33 . 2009-05-25 05:33 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-25 04:48 . 2009-05-25 04:48 27656 ----a-w c:\windows\system32\drivers\pxsec.sys
2009-05-25 04:48 . 2009-05-25 04:48 22024 ----a-w c:\windows\system32\drivers\pxscan.sys
2009-05-25 04:48 . 2009-05-25 04:48 -------- d-----w c:\program files\Prevx
2009-05-25 04:48 . 2009-05-26 01:29 -------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2009-05-24 09:54 . 2009-05-24 09:54 -------- d-----w c:\documents and settings\Mark Lemons\Application Data\TrojanHunter
2009-05-24 08:58 . 2009-05-24 09:12 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-05-24 08:57 . 2009-02-16 07:10 103816 ----a-w c:\windows\system32\zlcommdb.dll
2009-05-24 08:57 . 2009-02-16 07:10 69000 ----a-w c:\windows\system32\zlcomm.dll
2009-05-24 08:55 . 2009-02-16 07:10 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-05-24 08:55 . 2009-05-24 09:56 -------- d-----w c:\windows\system32\ZoneLabs
2009-05-24 08:55 . 2009-05-24 08:55 -------- d-----w c:\program files\Zone Labs
2009-05-24 08:54 . 2009-05-30 22:19 -------- d-----w c:\windows\Internet Logs
2009-05-24 08:48 . 2009-05-24 10:19 -------- d-----w c:\program files\TrojanHunter 5.1
2009-05-24 08:36 . 2009-05-24 08:43 -------- d-----w c:\program files\MSECACHE
2009-05-24 06:25 . 2009-05-24 06:25 -------- d-----w c:\program files\Ventrilo
2009-05-24 06:23 . 2009-05-26 07:40 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-24 06:09 . 2007-12-02 21:21 102664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-05-20 05:44 . 2009-05-20 05:44 -------- d-----w c:\documents and settings\Mark Lemons\Application Data\Malwarebytes
2009-05-20 05:43 . 2009-05-20 05:43 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-20 05:43 . 2009-05-30 02:28 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-20 05:03 . 2009-05-20 07:46 -------- d-----w c:\windows\system32\CatRoot_bak
2009-05-20 04:58 . 2009-03-06 14:44 283648 -c----w c:\windows\system32\dllcache\pdh.dll
2009-05-20 04:58 . 2005-07-26 04:39 60416 -c----w c:\windows\system32\dllcache\colbact.dll
2009-05-20 04:58 . 2009-02-09 10:20 399360 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-05-20 04:58 . 2009-02-06 17:14 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-05-20 04:58 . 2009-02-09 10:20 473088 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-05-20 04:58 . 2009-02-09 10:20 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-20 04:58 . 2009-02-06 16:39 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-20 04:58 . 2009-02-09 10:20 616960 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-05-20 04:58 . 2009-02-09 10:20 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-05-20 04:57 . 2008-05-01 14:30 331776 -c----w c:\windows\system32\dllcache\msadce.dll
2009-05-20 04:55 . 2008-04-21 10:02 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-05-17 04:27 . 2009-05-17 04:26 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-17 04:26 . 2009-05-17 04:26 152576 ----a-w c:\documents and settings\Mark Lemons\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-30 21:27 . 2005-02-06 13:53 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com
2009-05-30 20:37 . 2005-02-06 12:41 13083 ----a-w c:\windows\system32\nvModes.dat
2009-05-26 02:28 . 2009-05-26 05:05 52224 ----a-w c:\windows\Internet Logs\xDB7.tmp
2009-05-26 02:28 . 2009-05-26 05:05 1385472 ----a-w c:\windows\Internet Logs\xDB8.tmp
2009-05-26 01:26 . 2009-05-26 01:28 133120 ----a-w c:\windows\Internet Logs\xDB5.tmp
2009-05-26 01:26 . 2009-05-26 01:28 1383936 ----a-w c:\windows\Internet Logs\xDB6.tmp
2009-05-25 19:38 . 2009-05-25 23:58 1380352 ----a-w c:\windows\Internet Logs\xDB4.tmp
2009-05-25 19:38 . 2009-05-25 23:58 67072 ----a-w c:\windows\Internet Logs\xDB3.tmp
2009-05-25 18:38 . 2009-05-25 18:40 436736 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-05-25 18:38 . 2009-05-25 18:40 1377280 ----a-w c:\windows\Internet Logs\xDB2.tmp
2009-05-24 06:29 . 2007-05-24 02:17 -------- d-----w c:\documents and settings\Mark Lemons\Application Data\Ventrilo
2009-05-23 21:56 . 2003-07-16 16:33 -------- d-----w c:\program files\Common Files\Mozilla Shared
2009-05-23 16:10 . 2005-10-24 02:36 -------- d-----w c:\program files\i2hub
2009-05-17 04:26 . 2005-02-09 00:52 -------- d-----w c:\program files\Java
2009-04-30 08:01 . 2005-02-21 21:14 -------- d-----w c:\documents and settings\Mark Lemons\Application Data\Apple Computer
2009-04-25 02:53 . 2009-04-25 02:53 -------- d-----w c:\documents and settings\Mark Lemons\Application Data\Amazon
2009-04-25 02:52 . 2009-04-25 02:52 -------- d-----w c:\program files\Amazon
2009-04-11 16:57 . 2005-12-04 06:34 -------- d-----w c:\documents and settings\Mark Lemons\Application Data\dvdcss
2009-03-06 14:44 . 2003-07-16 16:34 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-24 00:32 826368 ----a-w c:\windows\system32\wininet.dll
2008-12-19 19:09 . 2005-02-07 04:28 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 19:09 . 2005-02-07 04:28 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 19:09 . 2008-04-11 08:28 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 19:09 . 2008-04-11 08:28 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 19:09 . 2005-02-07 04:28 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 307200]
"igndlm.exe"="c:\program files\IGN\Download Manager\DLM.exe" [2006-11-07 972432]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-03-05 487424]
"DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2004-03-04 211828]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-02-06 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-02-06 495616]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-12-12 217088]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 53248]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-10-06 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-17 148888]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-25 1947928]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-2-6 24576]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-5 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-5 28672]
Post-itr Software Notes Lite.lnk - c:\program files\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-25 05:34 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLTRYSVC"=2 (0x2)
"RapApp"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Autodesk Licensing Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\_aunchPad.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [5/24/2009 9:48 PM 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [5/24/2009 9:48 PM 27656]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/24/2009 10:34 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/24/2009 10:34 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/24/2009 10:33 PM 298776]
R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [5/24/2009 9:48 PM 4368952]
S2 eorvwq;eorvwq;c:\windows\system32\drivers\dtukgg.sys --> c:\windows\system32\drivers\dtukgg.sys [?]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2/6/2005 12:41 PM 36676]
S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2/6/2005 12:41 PM 24344]
S4 black;black;c:\windows\system32\drivers\blackdrv.sys [2/6/2005 12:41 PM 227285]
S4 BlackICE;BlackICE;c:\program files\ISS\issSensors\DesktopProtection\blackd.exe [2/6/2005 12:41 PM 847872]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
nyohluob
.
Contents of the 'Scheduled Tasks' folder

2009-05-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2005-05-07 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8107758400.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: ActiveGS.cab - hxxp://www.virtualapple.com/activegs.cab
FF - ProfilePath - c:\documents and settings\Mark Lemons\Application Data\Mozilla\Firefox\Profiles\rmcz6lit.Default User\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-30 15:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(932)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-05-30 15:38
ComboFix-quarantined-files.txt 2009-05-30 22:37

Pre-Run: 5,681,491,968 bytes free
Post-Run: 10,585,038,848 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

470 --- E O F --- 2009-05-24 06:00

RSIT:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Mark Lemons at 2009-05-30 16:06:22
Microsoft Windows XP Professional Service Pack 2
System drive C: has 10 GB (27%) free of 38 GB
Total RAM: 511 MB (52% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:06:29 PM, on 5/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Mark Lemons\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Mark Lemons.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107690182389
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...459/mcfscan.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee McShield (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (file missing)
O23 - Service: McAfee Task Manager (McTaskManager) - Unknown owner - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 9219 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1107758400.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 63128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-05-24 1107224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-05-16 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-05-16 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"=C:\WINDOWS\BCMSMMSG.exe [2003-08-29 122880]
"Dell QuickSet"=C:\Program Files\Dell\QuickSet\quickset.exe [2004-03-04 487424]
"DadApp"=C:\Program Files\Dell\AccessDirect\dadapp.exe [2004-03-04 211828]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2004-02-05 98304]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2004-02-05 495616]
"PCMService"=C:\Program Files\Dell\Media Experience\PCMService.exe [2003-12-12 217088]
"mmtask"=c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe [2003-10-06 53248]
"MMTray"=C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe [2003-10-06 118784]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-05-16 148888]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2009-02-16 981384]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-05-24 1947928]
"nwiz"=nwiz.exe /installquiet []
"NvCplDaemon"=C:\WINDOWS\System32\NvCpl.dll [2004-01-08 4866048]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2005-10-24 307200]
"igndlm.exe"=C:\Program Files\IGN\Download Manager\DLM.exe [2006-11-07 972432]
"MoneyAgent"=C:\Program Files\Microsoft Money\System\mnyexpr.exe []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
Post-it® Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe
RealSecure® Desktop Protector.lnk -

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-05-24 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Sony\Station\Launchpad\LaunchPad.exe"="C:\Program Files\Sony\Station\Launchpad\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\Program Files\Sony\Station\Launchpad\_aunchPad.exe"="C:\Program Files\Sony\Station\Launchpad\_aunchPad.exe:*:Enabled:_aunchPad"
"C:\Program Files\GameSpy Arcade\Aphex.exe"="C:\Program Files\GameSpy Arcade\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\Program Files\EA GAMES\Battlefield 2\BF2.exe"="C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:*:Enabled:Battlefield 2"
"C:\Program Files\BitTorrent\btdownloadgui.exe"="C:\Program Files\BitTorrent\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\Program Files\Ruckus Player\Ruckus.exe"="C:\Program Files\Ruckus Player\Ruckus.exe:*:Enabled:Ruckus"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Ventrilo\Ventrilo.exe"="C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======File associations======

.scr - open - "C:\WINDOWS\system32\notepad.exe" "%1"
.scr - install -
.scr - config -

======List of files/folders created in the last 1 months======

2009-05-30 16:01:15 ----SHD---- C:\Config.Msi
2009-05-30 15:38:48 ----A---- C:\ComboFix.txt
2009-05-30 15:32:06 ----A---- C:\WINDOWS\system32\proquota.exe
2009-05-30 14:59:56 ----A---- C:\Boot.bak
2009-05-30 14:59:32 ----RASHD---- C:\cmdcons
2009-05-30 14:57:05 ----A---- C:\WINDOWS\zip.exe
2009-05-30 14:57:05 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-05-30 14:57:05 ----A---- C:\WINDOWS\SWSC.exe
2009-05-30 14:57:05 ----A---- C:\WINDOWS\SWREG.exe
2009-05-30 14:57:05 ----A---- C:\WINDOWS\sed.exe
2009-05-30 14:57:05 ----A---- C:\WINDOWS\PEV.exe
2009-05-30 14:57:05 ----A---- C:\WINDOWS\NIRCMD.exe
2009-05-30 14:57:05 ----A---- C:\WINDOWS\grep.exe
2009-05-30 14:56:57 ----SD---- C:\ComboFix
2009-05-30 14:56:57 ----D---- C:\WINDOWS\ERDNT
2009-05-30 14:56:52 ----D---- C:\Qoobox
2009-05-29 19:00:45 ----D---- C:\rsit
2009-05-29 18:21:30 ----D---- C:\HostsXpert
2009-05-26 00:42:26 ----D---- C:\Program Files\SUPERAntiSpyware
2009-05-26 00:42:26 ----D---- C:\Documents and Settings\Mark Lemons\Application Data\SUPERAntiSpyware.com
2009-05-25 20:15:15 ----D---- C:\WINDOWS\pss
2009-05-25 17:51:35 ----D---- C:\Program Files\Trend Micro
2009-05-25 17:30:49 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-05-25 17:30:49 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-25 12:26:25 ----A---- C:\WINDOWS\ntbtlog.txt
2009-05-24 23:26:16 ----HD---- C:\$AVG8.VAULT$
2009-05-24 22:34:20 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-05-24 22:33:32 ----D---- C:\Program Files\AVG
2009-05-24 22:33:32 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-05-24 21:48:46 ----D---- C:\Program Files\Prevx
2009-05-24 21:48:39 ----D---- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2009-05-24 21:48:39 ----A---- C:\WINDOWS\wininit.ini
2009-05-24 02:54:04 ----D---- C:\Documents and Settings\Mark Lemons\Application Data\TrojanHunter
2009-05-24 01:57:37 ----A---- C:\WINDOWS\system32\vsregexp.dll
2009-05-24 01:57:27 ----A---- C:\WINDOWS\system32\zlcommdb.dll
2009-05-24 01:57:25 ----A---- C:\WINDOWS\system32\zlcomm.dll
2009-05-24 01:55:30 ----A---- C:\WINDOWS\system32\vswmi.dll
2009-05-24 01:55:28 ----N---- C:\WINDOWS\system32\vsxml.dll
2009-05-24 01:55:28 ----A---- C:\WINDOWS\system32\zpeng25.dll
2009-05-24 01:55:26 ----D---- C:\WINDOWS\system32\ZoneLabs
2009-05-24 01:55:26 ----D---- C:\Program Files\Zone Labs
2009-05-24 01:55:26 ----A---- C:\WINDOWS\system32\vspubapi.dll
2009-05-24 01:55:26 ----A---- C:\WINDOWS\system32\vsmonapi.dll
2009-05-24 01:54:28 ----A---- C:\WINDOWS\system32\vsinit.dll
2009-05-24 01:54:28 ----A---- C:\WINDOWS\system32\vsdata.dll
2009-05-24 01:54:27 ----A---- C:\WINDOWS\system32\vsutil.dll
2009-05-24 01:54:06 ----D---- C:\WINDOWS\Internet Logs
2009-05-24 01:48:22 ----R---- C:\WINDOWS\system32\streamhlp.dll
2009-05-24 01:48:22 ----D---- C:\Program Files\TrojanHunter 5.1
2009-05-24 01:36:42 ----D---- C:\Program Files\MSECACHE
2009-05-23 23:25:21 ----D---- C:\Program Files\Ventrilo
2009-05-23 23:25:19 ----A---- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-05-23 23:23:15 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-05-21 06:59:21 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-05-21 06:59:05 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-05-21 06:58:50 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-05-21 06:58:33 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-05-21 06:58:20 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-05-21 06:58:06 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2009-05-21 06:57:51 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-05-21 06:56:11 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-05-21 06:55:27 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-05-21 06:54:56 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-05-21 06:54:39 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2009-05-21 06:54:23 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-05-21 06:54:06 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-05-21 06:53:54 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-05-21 06:53:41 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-05-21 06:53:29 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-05-21 06:53:07 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-05-21 06:52:50 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-05-21 06:52:34 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-05-21 06:52:21 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-05-21 06:52:08 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-05-21 06:51:55 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-05-21 06:51:40 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-05-21 06:51:29 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-05-21 06:50:45 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-05-19 22:44:18 ----D---- C:\Documents and Settings\Mark Lemons\Application Data\Malwarebytes
2009-05-19 22:43:10 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-05-19 22:43:05 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-05-19 22:03:11 ----D---- C:\WINDOWS\system32\CatRoot_bak
2009-05-16 21:27:44 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-05-16 21:27:43 ----A---- C:\WINDOWS\system32\javaws.exe
2009-05-16 21:27:43 ----A---- C:\WINDOWS\system32\javaw.exe
2009-05-16 21:27:43 ----A---- C:\WINDOWS\system32\java.exe

======List of files/folders modified in the last 1 months======

2009-05-30 16:03:07 ----SHD---- C:\WINDOWS\Installer
2009-05-30 16:03:07 ----D---- C:\WINDOWS
2009-05-30 16:03:01 ----D---- C:\WINDOWS\Prefetch
2009-05-30 16:03:00 ----D---- C:\Program Files\Common Files
2009-05-30 16:02:59 ----RD---- C:\Program Files
2009-05-30 16:02:50 ----D---- C:\WINDOWS\system32
2009-05-30 16:01:30 ----D---- C:\WINDOWS\system32\drivers
2009-05-30 15:49:11 ----D---- C:\WINDOWS\Temp
2009-05-30 15:47:47 ----RASH---- C:\boot.ini
2009-05-30 15:47:42 ----A---- C:\WINDOWS\win.ini
2009-05-30 15:47:42 ----A---- C:\WINDOWS\system.ini
2009-05-30 15:42:46 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-30 15:42:40 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-30 15:36:18 ----SD---- C:\WINDOWS\Tasks
2009-05-30 15:32:13 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-05-30 15:28:41 ----D---- C:\WINDOWS\AppPatch
2009-05-30 14:27:18 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee.com
2009-05-30 14:10:52 ----D---- C:\Program Files\Mozilla Firefox
2009-05-29 20:36:31 ----D---- C:\WINDOWS\system32\wbem
2009-05-26 00:34:04 ----D---- C:\WINDOWS\Minidump
2009-05-25 17:48:39 ----D---- C:\Documents and Settings
2009-05-25 02:46:04 ----D---- C:\quarantine
2009-05-24 22:33:18 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-05-24 22:33:17 ----D---- C:\WINDOWS\WinSxS
2009-05-24 03:10:10 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-05-23 23:29:59 ----D---- C:\Documents and Settings\Mark Lemons\Application Data\Ventrilo
2009-05-23 22:59:10 ----HD---- C:\WINDOWS\inf
2009-05-23 20:21:17 ----SHD---- C:\System Volume Information
2009-05-23 20:21:17 ----D---- C:\WINDOWS\system32\Restore
2009-05-23 14:57:34 ----D---- C:\Documents and Settings\Mark Lemons\Application Data\Mozilla
2009-05-23 14:56:45 ----D---- C:\Program Files\Common Files\Mozilla Shared
2009-05-23 14:18:00 ----D---- C:\downloads
2009-05-23 09:10:50 ----D---- C:\Program Files\i2hub
2009-05-22 23:25:39 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-05-21 06:59:14 ----A---- C:\WINDOWS\imsins.BAK
2009-05-21 06:58:53 ----D---- C:\Program Files\Messenger
2009-05-21 06:58:48 ----HD---- C:\WINDOWS\$hf_mig$
2009-05-21 06:57:20 ----D---- C:\WINDOWS\system32\en-US
2009-05-21 06:57:19 ----D---- C:\Program Files\Internet Explorer
2009-05-20 06:02:17 ----RSD---- C:\WINDOWS\Fonts
2009-05-20 00:48:15 ----D---- C:\WINDOWS\system32\CatRoot
2009-05-19 22:03:11 ----D---- C:\WINDOWS\Debug
2009-05-16 21:26:50 ----D---- C:\Program Files\Java
2009-05-07 00:16:30 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-05-24 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-05-24 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-05-24 108552]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
R1 mferkdk;VSCore mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys []
R1 mfetdik;McAfee Inc.; C:\WINDOWS\system32\drivers\mfetdik.sys []
R1 OMCI;OMCI WDM Device Driver; C:\WINDOWS\System32\DRIVERS\omci.sys [2004-02-13 17153]
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2009-02-16 353672]
R2 dsunidrv;DellSupport UniDriver; C:\WINDOWS\system32\DRIVERS\dsunidrv.sys [2007-02-25 5376]
R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.7; C:\WINDOWS\System32\DRIVERS\mdc8021x.sys [2005-02-06 15781]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2004-08-03 60800]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [2004-02-20 312960]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2003-05-15 43136]
R3 BCMModem;BCM V.92 56K Modem; C:\WINDOWS\System32\DRIVERS\BCMSM.sys [2003-08-29 1101696]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 mfehidk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfehidk.sys []
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 MxlW2k;MxlW2k; C:\WINDOWS\system32\drivers\MxlW2k.sys [2006-06-28 28256]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-03 61824]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-01-08 1378636]
R3 STAC97;Audio Driver (WDM) - SigmaTel CODEC; C:\WINDOWS\system32\drivers\STAC97.sys [2003-04-25 220176]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\System32\DRIVERS\SynTP.sys [2004-02-05 178496]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-03 20480]
S2 eorvwq;eorvwq; C:\WINDOWS\system32\drivers\dtukgg.sys []
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 DSproct;DSproct; \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys []
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2003-03-08 51024]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2003-03-08 16080]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2003-03-08 21456]
S3 mfeapfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeapfk.sys []
S3 mfeavfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeavfk.sys []
S3 mfebopk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfebopk.sys []
S3 RapFile;RapFile; \??\C:\WINDOWS\system32\drivers\RapFile.sys []
S3 RapNet;RapNet; \??\C:\WINDOWS\system32\drivers\RapNet.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S4 black;black; C:\WINDOWS\System32\drivers\BlackDrv.sys [2004-09-09 227285]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-05-24 298776]
R2 CSIScanner;CSIScanner; C:\Program Files\Prevx\prevx.exe [2009-05-24 4368952]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-05-16 152984]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2004-01-08 77824]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2009-02-16 2402184]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
S2 McShield;McAfee McShield; C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe []
S2 McTaskManager;McAfee Task Manager; C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe []
S2 WLTRYSVC;WLTRYSVC; C:\WINDOWS\System32\wltrysvc.exe [2004-02-20 45056]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-14 32768]
S3 Autodesk Licensing Service;Autodesk Licensing Service; C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe [2005-09-29 77944]
S3 DSBrokerService;DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [2007-03-07 76848]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 Imapi Helper;Imapi Helper; C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe [2005-11-13 163840]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2003-03-08 65795]
S3 RapApp;RapApp; C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe [2003-06-19 688128]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-09-22 38912]
S4 BlackICE;BlackICE; C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe [2004-10-29 847872]
S4 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2008-05-02 66872]

-----------------EOF-----------------




Thanks for all your help and let me know what other things I need to be doing!

Combat Chuck

#7 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:59 PM

Posted 31 May 2009 - 12:11 AM

Hello Combatchuck,

Good job! :thumbup2:

Combofix has taken out a fair bit but there is still quite a bit to clean up.


Please follow these instructions carefully.

Step #1.

We need to run a CF Script by using ComboFix again

Please disable any running anti-virus or anti-malware programs.

If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
  • Make sure that combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Open Notepad and copy/paste the text in the below code box into it (Do not include the word: "CODE"):

    KILLALL::
    
    Driver::
    eorvwq
    
    NetSvc::
    nyohluob
    
    File::
    C:\WINDOWS\system32\drivers\dtukgg.sys
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.

  • Now referring to the picture above, use your mouse to drag CFScript.txt on top of ComboFix.exe
  • This will start ComboFix again. Please follow the prompts.
  • When finished, after reboot (in case it asks to reboot), it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall.

* CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!


Step #2.

Your Java is out of date!
Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Step #3.

Please download ATF Cleaner-3 by Atribune.
(Good temp file cleaner that could do the job safely and without removing files that are crucial to windows).
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

NOTE:*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_...refetch-XP.html

Step #4.

Please do a scan with Kaspersky Online Scanner

Note: Kaspersky doesn't fix anything; it just reports what it finds.
If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Step #5.

Please re-scan with RSIT and post the log.

Summary of the logs I will need in your next reply:
  • The ComboFix log. C:\ComboFix.txt
  • The Kaspersky log.
  • The RSIT log.
And any description of remaining problems in your next post.

How is your computer running now?

Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks.

Kind regards
Net_Surfer

:)

Edited by kahdah, 31 May 2009 - 04:49 AM.
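The CFScript above singles out the eorvwq service and its dtukgg.sys file. In the RSIT driver list posted earlier those two stand out for reasons a defender can check mechanically: RSIT printed an empty [] because it could not read the file's date and size, and the service name has nothing in common with the file name, unlike every other entry in the list. The Python script below is an added illustration of that triage; it is not part of RSIT, ComboFix or this thread. It parses a handful of lines copied from the posted log and ranks entries by how many signals they trip. The consonant-run check for machine-generated names is a heuristic I added and is treated as a weak signal; the other two checks follow directly from the log format shown in the post.

```python
"""Rank RSIT driver/service entries by rootkit-leftover signals.

Added example for this thread; it is not part of RSIT, ComboFix or any other
tool named here. The sample lines are copied from the log posted above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One RSIT entry per line: "<R|S><start> <name>;<description>; <path> [<date> <size>]"
ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<desc>[^;]*); "
    r"(?P<path>.+?) \[(?P<meta>[^\]]*)\]$"
)

# Constructed sample: six entries taken from the RSIT driver list in this thread.
SAMPLE_LOG = r"""
R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R1 mfetdik;McAfee Inc.; C:\WINDOWS\system32\drivers\mfetdik.sys []
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-01-08 1378636]
S2 eorvwq;eorvwq; C:\WINDOWS\system32\drivers\dtukgg.sys []
S3 RapFile;RapFile; \??\C:\WINDOWS\system32\drivers\RapFile.sys []
S4 black;black; C:\WINDOWS\System32\drivers\BlackDrv.sys [2004-09-09 227285]
"""


@dataclass
class Finding:
    name: str
    path: str
    reasons: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def _base(path: str) -> str:
    """Lower-cased file name without directory, NT prefix or extension."""
    fname = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return fname.rsplit(".", 1)[0].lower()


def _related(name: str, base: str) -> bool:
    """True when service name and file name plausibly belong together:
    one is a prefix of the other, or they share at least three leading characters."""
    n = name.lower()
    if n.startswith(base) or base.startswith(n):
        return True
    common = 0
    for a, b in zip(n, base):
        if a != b:
            break
        common += 1
    return common >= 3


def _longest_consonant_run(s: str) -> int:
    """Longest run of consonant letters; digits and vowels (y included) break the run."""
    run = best = 0
    for ch in s.lower():
        if ch.isalpha() and ch not in "aeiouy":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def triage(log_text: str) -> list[Finding]:
    """Return flagged entries, highest score first. Non-entry lines are skipped."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        f = Finding(m["name"], m["path"])
        if not m["meta"].strip():          # RSIT prints [] when it cannot stat the file
            f.reasons.append("no file metadata (file missing, hidden or unreadable)")
        if not _related(m["name"], _base(m["path"])):
            f.reasons.append("service name unrelated to file name")
        if _longest_consonant_run(m["name"]) >= 4:   # heuristic, weak on its own
            f.reasons.append("name looks machine-generated (weak signal)")
        if f.reasons:
            findings.append(f)
    findings.sort(key=lambda x: -x.score)   # stable sort keeps log order within a score
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.name:10} {f.path}")
        for r in f.reasons:
            print("      -", r)
```

Run on the sample, eorvwq comes out on top with all three signals, while the McAfee and RapFile entries trip only the missing-file check: those are orphaned registrations from products that are no longer installed, which is worth knowing but is a different problem from a driver whose name, file and metadata all look wrong at once.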


#8 Combatchuck

Combatchuck
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:59 PM

Posted 31 May 2009 - 11:47 AM

Here's the latest round of scans.


COMBOFIX:

ComboFix 09-05-30.03 - Mark Lemons 05/31/2009 0:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.253 [GMT -7:00]
Running from: c:\documents and settings\Mark Lemons\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mark Lemons\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\windows\system32\drivers\dtukgg.sys"
.

((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-31 )))))))))))))))))))))))))))))))
.

2009-05-30 22:32 . 2004-08-04 07:56 50176 -c--a-w c:\windows\system32\dllcache\proquota.exe
2009-05-30 22:32 . 2004-08-04 07:56 50176 ----a-w c:\windows\system32\proquota.exe
2009-05-30 02:24 . 2009-05-26 20:20 40160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-30 02:24 . 2009-05-26 20:19 19096 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-30 02:00 . 2009-05-30 02:01 -------- d-----w C:\rsit
2009-05-30 01:21 . 2009-05-30 01:22 -------- d-----w C:\HostsXpert
2009-05-26 07:42 . 2009-05-26 07:42 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-26 07:42 . 2009-05-26 07:42 -------- d-----w c:\documents and settings\Mark Lemons\Application Data\SUPERAntiSpyware.com
2009-05-26 00:53 . 2009-05-26 00:53 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-26 00:51 . 2009-05-26 00:51 -------- d-----w c:\program files\Trend Micro
2009-05-26 00:30 . 2009-05-30 21:32 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-26 00:30 . 2009-05-26 00:31 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-25 06:26 . 2009-05-26 08:19 -------- d--h--w C:\$AVG8.VAULT$
2009-05-25 05:34 . 2009-05-25 05:34 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-25 05:34 . 2009-05-25 05:34 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-25 05:34 . 2009-05-25 05:34 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-25 05:34 . 2009-05-25 05:34 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-05-25 05:33 . 2009-05-30 16:45 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-25 05:33 . 2009-05-25 05:33 -------- d-----w c:\program files\AVG
2009-05-25 05:33 . 2009-05-25 05:33 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-24 09:54 . 2009-05-24 09:54 -------- d-----w c:\documents and settings\Mark Lemons\Application Data\TrojanHunter
2009-05-24 08:58 . 2009-05-24 09:12 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-05-24 08:57 . 2009-02-16 07:10 103816 ----a-w c:\windows\system32\zlcommdb.dll
2009-05-24 08:57 . 2009-02-16 07:10 69000 ----a-w c:\windows\system32\zlcomm.dll
2009-05-24 08:55 . 2009-02-16 07:10 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-05-24 08:55 . 2009-05-24 09:56 -------- d-----w c:\windows\system32\ZoneLabs
2009-05-24 08:55 . 2009-05-24 08:55 -------- d-----w c:\program files\Zone Labs
2009-05-24 08:54 . 2009-05-31 07:43 -------- d-----w c:\windows\Internet Logs
2009-05-24 08:48 . 2009-05-24 10:19 -------- d-----w c:\program files\TrojanHunter 5.1
2009-05-24 08:36 . 2009-05-24 08:43 -------- d-----w c:\program files\MSECACHE
2009-05-24 06:25 . 2009-05-24 06:25 -------- d-----w c:\program files\Ventrilo
2009-05-24 06:23 . 2009-05-26 07:40 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-24 06:09 . 2007-12-02 21:21 102664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-05-20 05:44 . 2009-05-20 05:44 -------- d-----w c:\documents and settings\Mark Lemons\Application Data\Malwarebytes
2009-05-20 05:43 . 2009-05-20 05:43 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-20 05:43 . 2009-05-30 02:28 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-20 05:03 . 2009-05-20 07:46 -------- d-----w c:\windows\system32\CatRoot_bak
2009-05-20 04:58 . 2009-03-06 14:44 283648 -c----w c:\windows\system32\dllcache\pdh.dll
2009-05-20 04:58 . 2005-07-26 04:39 60416 -c----w c:\windows\system32\dllcache\colbact.dll
2009-05-20 04:58 . 2009-02-09 10:20 399360 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-05-20 04:58 . 2009-02-06 17:14 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-05-20 04:58 . 2009-02-09 10:20 473088 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-05-20 04:58 . 2009-02-09 10:20 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-20 04:58 . 2009-02-06 16:39 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-20 04:58 . 2009-02-09 10:20 616960 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-05-20 04:58 . 2009-02-09 10:20 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-05-20 04:57 . 2008-05-01 14:30 331776 -c----w c:\windows\system32\dllcache\msadce.dll
2009-05-20 04:55 . 2008-04-21 10:02 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-05-17 04:27 . 2009-05-17 04:26 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-17 04:26 . 2009-05-17 04:26 152576 ----a-w c:\documents and settings\Mark Lemons\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-30 21:27 . 2005-02-06 13:53 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com
2009-05-30 20:37 . 2005-02-06 12:41 13083 ----a-w c:\windows\system32\nvModes.dat
2009-05-26 02:28 . 2009-05-26 05:05 52224 ----a-w c:\windows\Internet Logs\xDB7.tmp
2009-05-26 02:28 . 2009-05-26 05:05 1385472 ----a-w c:\windows\Internet Logs\xDB8.tmp
2009-05-26 01:26 . 2009-05-26 01:28 133120 ----a-w c:\windows\Internet Logs\xDB5.tmp
2009-05-26 01:26 . 2009-05-26 01:28 1383936 ----a-w c:\windows\Internet Logs\xDB6.tmp
2009-05-25 19:38 . 2009-05-25 23:58 1380352 ----a-w c:\windows\Internet Logs\xDB4.tmp
2009-05-25 19:38 . 2009-05-25 23:58 67072 ----a-w c:\windows\Internet Logs\xDB3.tmp
2009-05-25 18:38 . 2009-05-25 18:40 436736 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-05-25 18:38 . 2009-05-25 18:40 1377280 ----a-w c:\windows\Internet Logs\xDB2.tmp
2009-05-24 06:29 . 2007-05-24 02:17 -------- d-----w c:\documents and settings\Mark Lemons\Application Data\Ventrilo
2009-05-23 21:56 . 2003-07-16 16:33 -------- d-----w c:\program files\Common Files\Mozilla Shared
2009-05-23 16:10 . 2005-10-24 02:36 -------- d-----w c:\program files\i2hub
2009-05-17 04:26 . 2005-02-09 00:52 -------- d-----w c:\program files\Java
2009-04-30 08:01 . 2005-02-21 21:14 -------- d-----w c:\documents and settings\Mark Lemons\Application Data\Apple Computer
2009-04-25 02:53 . 2009-04-25 02:53 -------- d-----w c:\documents and settings\Mark Lemons\Application Data\Amazon
2009-04-25 02:52 . 2009-04-25 02:52 -------- d-----w c:\program files\Amazon
2009-04-11 16:57 . 2005-12-04 06:34 -------- d-----w c:\documents and settings\Mark Lemons\Application Data\dvdcss
2009-03-06 14:44 . 2003-07-16 16:34 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-24 00:32 826368 ----a-w c:\windows\system32\wininet.dll
2008-12-19 19:09 . 2005-02-07 04:28 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 19:09 . 2005-02-07 04:28 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 19:09 . 2008-04-11 08:28 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 19:09 . 2008-04-11 08:28 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 19:09 . 2005-02-07 04:28 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-30_22.33.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-31 07:48 . 2009-05-31 07:48 16384 c:\windows\Temp\Perflib_Perfdata_22c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 307200]
"igndlm.exe"="c:\program files\IGN\Download Manager\DLM.exe" [2006-11-07 972432]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-03-05 487424]
"DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2004-03-04 211828]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-02-06 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-02-06 495616]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-12-12 217088]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 53248]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-10-06 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-17 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-25 1947928]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-01-08 4866048]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-01-08 323584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-2-6 24576]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-5 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-5 28672]
Post-itr Software Notes Lite.lnk - c:\program files\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-25 05:34 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\_aunchPad.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/24/2009 10:34 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/24/2009 10:34 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/24/2009 10:33 PM 298776]
S2 eorvwq;eorvwq;c:\windows\system32\drivers\dtukgg.sys --> c:\windows\system32\drivers\dtukgg.sys [?]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2/6/2005 12:41 PM 36676]
S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2/6/2005 12:41 PM 24344]
S4 black;black;c:\windows\system32\drivers\blackdrv.sys [2/6/2005 12:41 PM 227285]
S4 BlackICE;BlackICE;c:\program files\ISS\issSensors\DesktopProtection\blackd.exe [2/6/2005 12:41 PM 847872]
.
Contents of the 'Scheduled Tasks' folder

2009-05-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2005-05-07 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8107758400.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MoneyAgent - c:\program files\Microsoft Money\System\mnyexpr.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: ActiveGS.cab - hxxp://www.virtualapple.com/activegs.cab
FF - ProfilePath - c:\documents and settings\Mark Lemons\Application Data\Mozilla\Firefox\Profiles\rmcz6lit.Default User\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-31 00:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\program files\ISS\issSensors\DesktopProtection\blackice.exe
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
.
**************************************************************************
.
Completion time: 2009-05-31 1:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-31 07:58
ComboFix2.txt 2009-05-30 22:38

Pre-Run: 10,597,781,504 bytes free
Post-Run: 10,578,288,640 bytes free

219 --- E O F --- 2009-05-24 06:00






KASPERSKY:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, May 31, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, May 31, 2009 10:54:35
Records in database: 2283894
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 91696
Threat name: 14
Infected objects: 32
Suspicious objects: 0
Duration of the scan: 03:49:02


File name / Threat name / Threats count
C:\Documents and Settings\Mark Lemons\.housecall\Quarantine\adm.exe.bac_a02364 Infected: not-a-virus:AdWare.Win32.Altnet.a 1
C:\Documents and Settings\Mark Lemons\.housecall\Quarantine\adm4005.exe.bac_a02364 Infected: not-a-virus:AdWare.Win32.Altnet.a 1
C:\Documents and Settings\Mark Lemons\.housecall\Quarantine\asmfiles.cab.bac_a02364 Infected: not-a-virus:AdWare.Win32.Altnet.l 1
C:\Documents and Settings\Mark Lemons\.housecall\Quarantine\asmfiles.cab.bac_a02364 Infected: not-a-virus:AdWare.Win32.Altnet.b 1
C:\Documents and Settings\Mark Lemons\.housecall\Quarantine\dmfiles.cab.bac_a02364 Infected: not-a-virus:AdWare.Win32.Altnet.g 1
C:\Documents and Settings\Mark Lemons\.housecall\Quarantine\InstaFinderK_inst.exe.bac_a02364 Infected: not-a-virus:AdWare.Win32.404Search.h 1
C:\Documents and Settings\Mark Lemons\.housecall\Quarantine\pmexe.cab.bac_a02364 Infected: not-a-virus:AdWare.Win32.Altnet.h 1
C:\Documents and Settings\Mark Lemons\.housecall\Quarantine\Points Manager.exe.bac_a02364 Infected: not-a-virus:AdWare.Win32.Altnet.h 1
C:\Documents and Settings\Mark Lemons\.housecall6.6\Quarantine\adm.exe.bac_a02364 Infected: not-a-virus:AdWare.Win32.Altnet.a 1
C:\Documents and Settings\Mark Lemons\.housecall6.6\Quarantine\adm4005.exe.bac_a02364 Infected: not-a-virus:AdWare.Win32.Altnet.a 1
C:\Documents and Settings\Mark Lemons\.housecall6.6\Quarantine\asmfiles.cab.bac_a02364 Infected: not-a-virus:AdWare.Win32.Altnet.l 1
C:\Documents and Settings\Mark Lemons\.housecall6.6\Quarantine\asmfiles.cab.bac_a02364 Infected: not-a-virus:AdWare.Win32.Altnet.b 1
C:\Documents and Settings\Mark Lemons\.housecall6.6\Quarantine\divx[1].bac_a02648 Infected: Trojan.Win32.Monder.agej 1
C:\Documents and Settings\Mark Lemons\.housecall6.6\Quarantine\dmfiles.cab.bac_a02364 Infected: not-a-virus:AdWare.Win32.Altnet.g 1
C:\Documents and Settings\Mark Lemons\.housecall6.6\Quarantine\InstaFinderK_inst.exe.bac_a02364 Infected: not-a-virus:AdWare.Win32.404Search.h 1
C:\Documents and Settings\Mark Lemons\.housecall6.6\Quarantine\karna.dat.bac_a03860 Infected: Backdoor.Win32.Small.gjm 1
C:\Documents and Settings\Mark Lemons\.housecall6.6\Quarantine\ljJDWMcd(2).dll.bac_a02648 Infected: Trojan.Win32.Monder.agej 1
C:\Documents and Settings\Mark Lemons\.housecall6.6\Quarantine\MYBAR.DLL.bac_a01640 Infected: not-a-virus:AdWare.Win32.MyWay.g 1
C:\Documents and Settings\Mark Lemons\.housecall6.6\Quarantine\pmexe.cab.bac_a02364 Infected: not-a-virus:AdWare.Win32.Altnet.h 1
C:\Documents and Settings\Mark Lemons\.housecall6.6\Quarantine\Points Manager.exe.bac_a02364 Infected: not-a-virus:AdWare.Win32.Altnet.h 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACyndotfefotvvroc.sys.vir Infected: Trojan.Win32.Agent.chwd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACftyiqmjdlslbaoy.dll.vir Infected: Trojan.Win32.TDSS.adzw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACkmjulkyliensxet.dll.vir Infected: Trojan.Win32.TDSS.adzx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACkmxxvvmlrrqjcmk.dll.vir Infected: Trojan.Win32.TDSS.adzx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UAConifprdsallkcqn.dll.vir Infected: Trojan.Win32.TDSS.aegg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACpgtgibghbijewsm.dll.vir Infected: Trojan.Win32.TDSS.adzz 1
C:\System Volume Information\_restore{A601F028-7949-4CE0-8D7C-7E1459A8FFAD}\RP0\A0000001.sys Infected: Trojan.Win32.Agent.chwd 1
C:\System Volume Information\_restore{A601F028-7949-4CE0-8D7C-7E1459A8FFAD}\RP0\A0000002.dll Infected: Trojan.Win32.TDSS.adzx 1
C:\System Volume Information\_restore{A601F028-7949-4CE0-8D7C-7E1459A8FFAD}\RP0\A0000003.dll Infected: Trojan.Win32.TDSS.adzw 1
C:\System Volume Information\_restore{A601F028-7949-4CE0-8D7C-7E1459A8FFAD}\RP0\A0000004.dll Infected: Trojan.Win32.TDSS.adzx 1
C:\System Volume Information\_restore{A601F028-7949-4CE0-8D7C-7E1459A8FFAD}\RP0\A0000005.dll Infected: Trojan.Win32.TDSS.adzz 1
C:\System Volume Information\_restore{A601F028-7949-4CE0-8D7C-7E1459A8FFAD}\RP0\A0000006.dll Infected: Trojan.Win32.TDSS.aegg 1

The selected area was scanned.

RSIT:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Mark Lemons at 2009-05-31 09:40:02
Microsoft Windows XP Professional Service Pack 2
System drive C: has 10 GB (27%) free of 38 GB
Total RAM: 511 MB (35% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:24 AM, on 5/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Mark Lemons\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Mark Lemons.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107690182389
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...459/mcfscan.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8754 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1107758400.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 63128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-05-24 1107224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-05-31 41368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-05-31 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"=C:\WINDOWS\BCMSMMSG.exe [2003-08-29 122880]
"Dell QuickSet"=C:\Program Files\Dell\QuickSet\quickset.exe [2004-03-04 487424]
"DadApp"=C:\Program Files\Dell\AccessDirect\dadapp.exe [2004-03-04 211828]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2004-02-05 98304]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2004-02-05 495616]
"PCMService"=C:\Program Files\Dell\Media Experience\PCMService.exe [2003-12-12 217088]
"mmtask"=c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe [2003-10-06 53248]
"MMTray"=C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe [2003-10-06 118784]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2009-02-16 981384]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-05-24 1947928]
"nwiz"=nwiz.exe /installquiet []
"NvCplDaemon"=C:\WINDOWS\System32\NvCpl.dll [2004-01-08 4866048]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-05-31 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2005-10-24 307200]
"igndlm.exe"=C:\Program Files\IGN\Download Manager\DLM.exe [2006-11-07 972432]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
Post-it® Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe
RealSecure® Desktop Protector.lnk -

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-05-24 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Sony\Station\Launchpad\LaunchPad.exe"="C:\Program Files\Sony\Station\Launchpad\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\Program Files\Sony\Station\Launchpad\_aunchPad.exe"="C:\Program Files\Sony\Station\Launchpad\_aunchPad.exe:*:Enabled:_aunchPad"
"C:\Program Files\GameSpy Arcade\Aphex.exe"="C:\Program Files\GameSpy Arcade\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\Program Files\EA GAMES\Battlefield 2\BF2.exe"="C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:*:Enabled:Battlefield 2"
"C:\Program Files\BitTorrent\btdownloadgui.exe"="C:\Program Files\BitTorrent\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\Program Files\Ruckus Player\Ruckus.exe"="C:\Program Files\Ruckus Player\Ruckus.exe:*:Enabled:Ruckus"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Ventrilo\Ventrilo.exe"="C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======File associations======

.scr - open - "C:\WINDOWS\system32\notepad.exe" "%1"
.scr - install -
.scr - config -

======List of files/folders created in the last 1 months======

2009-05-31 01:22:35 ----SHD---- C:\RECYCLER
2009-05-31 01:19:53 ----A---- C:\WINDOWS\system32\javaws.exe
2009-05-31 01:19:53 ----A---- C:\WINDOWS\system32\javaw.exe
2009-05-31 01:19:53 ----A---- C:\WINDOWS\system32\java.exe
2009-05-31 01:00:03 ----A---- C:\ComboFix.txt
2009-05-30 15:32:06 ----A---- C:\WINDOWS\system32\proquota.exe
2009-05-30 14:59:56 ----A---- C:\Boot.bak
2009-05-30 14:59:32 ----RASHD---- C:\cmdcons
2009-05-30 14:57:05 ----A---- C:\WINDOWS\zip.exe
2009-05-30 14:57:05 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-05-30 14:57:05 ----A---- C:\WINDOWS\SWSC.exe
2009-05-30 14:57:05 ----A---- C:\WINDOWS\SWREG.exe
2009-05-30 14:57:05 ----A---- C:\WINDOWS\sed.exe
2009-05-30 14:57:05 ----A---- C:\WINDOWS\PEV.exe
2009-05-30 14:57:05 ----A---- C:\WINDOWS\NIRCMD.exe
2009-05-30 14:57:05 ----A---- C:\WINDOWS\grep.exe
2009-05-30 14:56:57 ----D---- C:\WINDOWS\ERDNT
2009-05-30 14:56:52 ----D---- C:\Qoobox
2009-05-29 19:00:45 ----D---- C:\rsit
2009-05-29 18:21:30 ----D---- C:\HostsXpert
2009-05-26 00:42:26 ----D---- C:\Program Files\SUPERAntiSpyware
2009-05-26 00:42:26 ----D---- C:\Documents and Settings\Mark Lemons\Application Data\SUPERAntiSpyware.com
2009-05-25 20:15:15 ----D---- C:\WINDOWS\pss
2009-05-25 17:51:35 ----D---- C:\Program Files\Trend Micro
2009-05-25 17:30:49 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-05-25 17:30:49 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-25 12:26:25 ----A---- C:\WINDOWS\ntbtlog.txt
2009-05-24 23:26:16 ----HD---- C:\$AVG8.VAULT$
2009-05-24 22:34:20 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-05-24 22:33:32 ----D---- C:\Program Files\AVG
2009-05-24 22:33:32 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-05-24 21:48:39 ----A---- C:\WINDOWS\wininit.ini
2009-05-24 02:54:04 ----D---- C:\Documents and Settings\Mark Lemons\Application Data\TrojanHunter
2009-05-24 01:57:37 ----A---- C:\WINDOWS\system32\vsregexp.dll
2009-05-24 01:57:27 ----A---- C:\WINDOWS\system32\zlcommdb.dll
2009-05-24 01:57:25 ----A---- C:\WINDOWS\system32\zlcomm.dll
2009-05-24 01:55:30 ----A---- C:\WINDOWS\system32\vswmi.dll
2009-05-24 01:55:28 ----N---- C:\WINDOWS\system32\vsxml.dll
2009-05-24 01:55:28 ----A---- C:\WINDOWS\system32\zpeng25.dll
2009-05-24 01:55:26 ----D---- C:\WINDOWS\system32\ZoneLabs
2009-05-24 01:55:26 ----D---- C:\Program Files\Zone Labs
2009-05-24 01:55:26 ----A---- C:\WINDOWS\system32\vspubapi.dll
2009-05-24 01:55:26 ----A---- C:\WINDOWS\system32\vsmonapi.dll
2009-05-24 01:54:28 ----A---- C:\WINDOWS\system32\vsinit.dll
2009-05-24 01:54:28 ----A---- C:\WINDOWS\system32\vsdata.dll
2009-05-24 01:54:27 ----A---- C:\WINDOWS\system32\vsutil.dll
2009-05-24 01:54:06 ----D---- C:\WINDOWS\Internet Logs
2009-05-24 01:48:22 ----R---- C:\WINDOWS\system32\streamhlp.dll
2009-05-24 01:48:22 ----D---- C:\Program Files\TrojanHunter 5.1
2009-05-24 01:36:42 ----D---- C:\Program Files\MSECACHE
2009-05-23 23:25:21 ----D---- C:\Program Files\Ventrilo
2009-05-23 23:25:19 ----A---- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-05-23 23:23:15 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-05-21 06:59:21 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-05-21 06:59:05 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-05-21 06:58:50 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-05-21 06:58:33 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-05-21 06:58:20 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-05-21 06:58:06 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2009-05-21 06:57:51 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-05-21 06:56:11 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-05-21 06:55:27 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-05-21 06:54:56 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-05-21 06:54:39 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2009-05-21 06:54:23 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-05-21 06:54:06 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-05-21 06:53:54 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-05-21 06:53:41 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-05-21 06:53:29 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-05-21 06:53:07 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-05-21 06:52:50 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-05-21 06:52:34 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-05-21 06:52:21 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-05-21 06:52:08 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-05-21 06:51:55 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-05-21 06:51:40 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-05-21 06:51:29 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-05-21 06:50:45 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-05-19 22:44:18 ----D---- C:\Documents and Settings\Mark Lemons\Application Data\Malwarebytes
2009-05-19 22:43:10 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-05-19 22:43:05 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-05-19 22:03:11 ----D---- C:\WINDOWS\system32\CatRoot_bak
2009-05-16 21:27:44 ----A---- C:\WINDOWS\system32\deploytk.dll

======List of files/folders modified in the last 1 months======

2009-05-31 01:22:35 ----D---- C:\WINDOWS\Prefetch
2009-05-31 01:22:31 ----D---- C:\WINDOWS\Temp
2009-05-31 01:20:46 ----D---- C:\Program Files\Mozilla Firefox
2009-05-31 01:20:02 ----SHD---- C:\WINDOWS\Installer
2009-05-31 01:19:53 ----D---- C:\WINDOWS\system32
2009-05-31 01:19:15 ----D---- C:\Program Files\Java
2009-05-31 01:17:28 ----D---- C:\WINDOWS
2009-05-31 01:08:54 ----D---- C:\Program Files\Common Files
2009-05-31 01:00:07 ----D---- C:\WINDOWS\system32\drivers
2009-05-31 00:55:57 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-31 00:49:52 ----A---- C:\WINDOWS\system.ini
2009-05-31 00:44:52 ----D---- C:\WINDOWS\AppPatch
2009-05-31 00:38:59 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-30 23:16:50 ----RD---- C:\Program Files
2009-05-30 15:47:47 ----RASH---- C:\boot.ini
2009-05-30 15:47:42 ----A---- C:\WINDOWS\win.ini
2009-05-30 15:36:18 ----SD---- C:\WINDOWS\Tasks
2009-05-30 15:32:13 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-05-30 14:27:18 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee.com
2009-05-29 20:36:31 ----D---- C:\WINDOWS\system32\wbem
2009-05-26 00:34:04 ----D---- C:\WINDOWS\Minidump
2009-05-25 17:48:39 ----D---- C:\Documents and Settings
2009-05-25 02:46:04 ----D---- C:\quarantine
2009-05-24 22:33:18 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-05-24 22:33:17 ----D---- C:\WINDOWS\WinSxS
2009-05-24 03:10:10 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-05-23 23:29:59 ----D---- C:\Documents and Settings\Mark Lemons\Application Data\Ventrilo
2009-05-23 22:59:10 ----HD---- C:\WINDOWS\inf
2009-05-23 20:21:17 ----SHD---- C:\System Volume Information
2009-05-23 20:21:17 ----D---- C:\WINDOWS\system32\Restore
2009-05-23 14:57:34 ----D---- C:\Documents and Settings\Mark Lemons\Application Data\Mozilla
2009-05-23 14:56:45 ----D---- C:\Program Files\Common Files\Mozilla Shared
2009-05-23 14:18:00 ----D---- C:\downloads
2009-05-23 09:10:50 ----D---- C:\Program Files\i2hub
2009-05-22 23:25:39 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-05-21 06:59:14 ----A---- C:\WINDOWS\imsins.BAK
2009-05-21 06:58:53 ----D---- C:\Program Files\Messenger
2009-05-21 06:58:48 ----HD---- C:\WINDOWS\$hf_mig$
2009-05-21 06:57:20 ----D---- C:\WINDOWS\system32\en-US
2009-05-21 06:57:19 ----D---- C:\Program Files\Internet Explorer
2009-05-20 06:02:17 ----RSD---- C:\WINDOWS\Fonts
2009-05-20 00:48:15 ----D---- C:\WINDOWS\system32\CatRoot
2009-05-19 22:03:11 ----D---- C:\WINDOWS\Debug
2009-05-07 00:16:30 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-05-24 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-05-24 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-05-24 108552]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
R1 OMCI;OMCI WDM Device Driver; C:\WINDOWS\System32\DRIVERS\omci.sys [2004-02-13 17153]
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2009-02-16 353672]
R2 dsunidrv;DellSupport UniDriver; C:\WINDOWS\system32\DRIVERS\dsunidrv.sys [2007-02-25 5376]
R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.7; C:\WINDOWS\System32\DRIVERS\mdc8021x.sys [2005-02-06 15781]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2004-08-03 60800]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [2004-02-20 312960]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2003-05-15 43136]
R3 BCMModem;BCM V.92 56K Modem; C:\WINDOWS\System32\DRIVERS\BCMSM.sys [2003-08-29 1101696]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 MxlW2k;MxlW2k; C:\WINDOWS\system32\drivers\MxlW2k.sys [2006-06-28 28256]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-03 61824]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-01-08 1378636]
R3 STAC97;Audio Driver (WDM) - SigmaTel CODEC; C:\WINDOWS\system32\drivers\STAC97.sys [2003-04-25 220176]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\System32\DRIVERS\SynTP.sys [2004-02-05 178496]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-03 20480]
S1 mferkdk;VSCore mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys []
S2 eorvwq;eorvwq; C:\WINDOWS\system32\drivers\dtukgg.sys []
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 DSproct;DSproct; \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys []
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2003-03-08 51024]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2003-03-08 16080]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2003-03-08 21456]
S3 RapFile;RapFile; \??\C:\WINDOWS\system32\drivers\RapFile.sys []
S3 RapNet;RapNet; \??\C:\WINDOWS\system32\drivers\RapNet.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S4 black;black; C:\WINDOWS\System32\drivers\BlackDrv.sys [2004-09-09 227285]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-05-24 298776]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-05-31 152984]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2004-01-08 77824]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2009-02-16 2402184]
R2 WLTRYSVC;WLTRYSVC; C:\WINDOWS\System32\wltrysvc.exe [2004-02-20 45056]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-14 32768]
S3 Autodesk Licensing Service;Autodesk Licensing Service; C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe [2005-09-29 77944]
S3 DSBrokerService;DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [2007-03-07 76848]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 Imapi Helper;Imapi Helper; C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe [2005-11-13 163840]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2003-03-08 65795]
S3 RapApp;RapApp; C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe [2003-06-19 688128]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-09-22 38912]
S4 BlackICE;BlackICE; C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe [2004-10-29 847872]
S4 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2008-05-02 66872]

-----------------EOF-----------------

Thanks for the help and hopefully we're starting to win the battle here a little bit!

Combat Chuck
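As an added example (not part of this thread, and not RSIT's own logic), the "List of drivers" section of the RSIT log above can be triaged mechanically: the script below parses RSIT's driver lines and stacks a few weak indicators per entry (no file date/size recorded, a display name that merely repeats the service name, a boot/system/auto-start driver that is not running, and a random-looking service name that does not match its file name). The indicator set, the "few vowels" heuristic and the three-hit threshold are choices made for this example, and the sample log is a handful of lines constructed in RSIT's format.

```python
"""Triage the '======List of drivers======' section of an RSIT log.

Added example, not RSIT code: each driver entry is scored against weak
indicators and only entries where several of them stack are reported.
Every threshold here is a heuristic chosen for this example.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: a few lines in the shape RSIT prints,
# 'R1 service;display; path [date size]' (empty [] = no file metadata).
SAMPLE_LOG = """\
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\\WINDOWS\\system32\\drivers\\AFS2K.sys [2004-10-07 35840]
R2 tmcomm;tmcomm; \\??\\C:\\WINDOWS\\system32\\drivers\\tmcomm.sys []
R3 nv;nv; C:\\WINDOWS\\System32\\DRIVERS\\nv4_mini.sys [2004-01-08 1378636]
S1 mferkdk;VSCore mferkdk; \\??\\C:\\Program Files\\McAfee\\VirusScan Enterprise\\mferkdk.sys []
S2 eorvwq;eorvwq; C:\\WINDOWS\\system32\\drivers\\dtukgg.sys []
S3 bvrp_pci;bvrp_pci; C:\\WINDOWS\\system32\\drivers\\bvrp_pci.sys []
S3 RapFile;RapFile; \\??\\C:\\WINDOWS\\system32\\drivers\\RapFile.sys []
S4 black;black; C:\\WINDOWS\\System32\\drivers\\BlackDrv.sys [2004-09-09 227285]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
"""

DRIVER_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<svc>[^;]+);(?P<display>[^;]*); "
    r"(?P<path>.*?) \[(?P<meta>[^\]]*)\]$"
)

VOWELS = set("aeiouy")


@dataclass
class Driver:
    state: str
    start: str
    svc: str
    display: str
    path: str
    meta: str
    hits: List[str] = field(default_factory=list)

    @property
    def file_stem(self) -> str:
        """File name without directory (handles \\??\\ device paths) or extension."""
        name = self.path.rsplit("\\", 1)[-1]
        return name.rsplit(".", 1)[0]


def looks_generated(name: str) -> bool:
    """Heuristic: lowercase-only token of 5+ letters with few vowels, the shape
    of the randomly named files in the quarantine listing (e.g. dtukgg).
    Legitimate driver names usually carry digits, case or underscores."""
    if not re.fullmatch(r"[a-z]{5,}", name):
        return False
    vowels = sum(c in VOWELS for c in name)
    return vowels / len(name) <= 0.35


def parse_drivers(log_text: str) -> List[Driver]:
    """Collect the entries between the drivers header and the next ====== header."""
    drivers, in_section = [], False
    for line in log_text.splitlines():
        if line.startswith("======"):
            in_section = "List of drivers" in line
            continue
        if not in_section or not line.strip():
            continue
        m = DRIVER_RE.match(line.strip())
        if m:
            drivers.append(Driver(**m.groupdict()))
    return drivers


def score_driver(d: Driver) -> Driver:
    """Attach every indicator that applies; none is conclusive on its own."""
    d.hits = []
    if not d.meta.strip():
        d.hits.append("RSIT recorded no date/size for the file (missing or hidden)")
    if d.display.strip().lower() == d.svc.lower():
        d.hits.append("display name merely repeats the service name")
    if d.state == "S" and d.start in ("0", "1", "2"):
        d.hits.append("boot/system/auto-start driver that is not running")
    stem = d.file_stem
    if stem.lower() != d.svc.lower() and looks_generated(d.svc) and looks_generated(stem):
        d.hits.append("random-looking service name that does not match its file name")
    return d


def triage(log_text: str, threshold: int = 3) -> List[Driver]:
    """Return drivers with at least `threshold` stacked indicators, for review."""
    scored = (score_driver(d) for d in parse_drivers(log_text))
    return [d for d in scored if len(d.hits) >= threshold]


if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        print(f"{d.state}{d.start} {d.svc} -> {d.path}")
        for h in d.hits:
            print("   -", h)
```

Run against the full RSIT log, the only entry clearing the threshold is the `eorvwq`/`dtukgg.sys` pair the helper's script targets; entries like `tmcomm` or `RapFile` collect two indicators and stay below it.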

#9 Net_Surfer

Posted 01 June 2009 - 04:32 PM

Thanks for all your help and let me know what other things I need to be doing!
Combat Chuck

Hi Combatchuck, :)
You're welcome my friend.

:) let's do the following to see if we can get rid of one leftover baddie.


Step #1.

*Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of the OTMoveIt3 fixing tool. Please visit HERE if you don't know how. Please re-enable them after performing all steps given.

We need to execute an OTMoveIt3 Script.
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click on the Posted Image icon on your desktop to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right click and choose Copy.) Do NOT include the word: "CODE".
    :Processes
    explorer.exe
    
    :Services
    eorvwq
    
    :Files
    c:\windows\system32\drivers\dtukgg.sys
    
    :Commands
    [EmptyTemp]
    [Reboot]
  • Return to OTMoveIt3, then right click under the Posted Image window and choose Paste.
  • Push the large Posted Image button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
CAUTION:
The above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


OK, Combatchuck,

Please re-scan with RSIT and post the log.


Summary of the logs I need from you in your next post:
  • The report of OTMoveIt3, which you can find in C:\_OTMoveIt\MovedFiles; copy/paste the contents of that document back here.
  • A fresh RSIT log.
  • And a description of any remaining problems.
How is your computer running now?


Kind Regards
Net_Surfer

:thumbup2:
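A check a helper could run on the fresh RSIT log after the OTMoveIt3 script above, written as an added example for this thread (not code from OTMoveIt3, RSIT or either poster): it parses RSIT's service/driver lines, reports whether the script's targets (the eorvwq service and dtukgg.sys) still appear, and lists entries that carry no date/size, which is how RSIT shows a registry entry whose file it could not find on disk. The log lines in the block are constructed in RSIT's format, not copied from a real run.

```python
"""Verify an OTMoveIt3 cleanup against a fresh RSIT listing.

Added example for this thread; not code from OTMoveIt3, RSIT or either poster.
The RSIT lines below are constructed in the format
  "R2 name;Display Name; C:\\path\\file.sys [YYYY-MM-DD size]".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One RSIT service/driver line: state (R/S), start type (0-4),
# name;display name; path [date size]. An empty "[]" means RSIT found the
# registry entry but no date/size for the file it points to.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)

# The script from the post above, verbatim.
OTMOVEIT_SCRIPT = r"""
:Processes
explorer.exe

:Services
eorvwq

:Files
c:\windows\system32\drivers\dtukgg.sys

:Commands
[EmptyTemp]
[Reboot]
"""

# Constructed "before" listing: entries shaped like the thread's log plus the
# targeted service, whose .sys file is already gone (hence the empty []).
RSIT_BEFORE = r"""
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
S1 mferkdk;VSCore mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys []
R1 eorvwq;eorvwq; C:\WINDOWS\system32\drivers\dtukgg.sys []
"""

# Constructed "after" listing: the same machine once the service is removed.
RSIT_AFTER = "\n".join(l for l in RSIT_BEFORE.splitlines() if "eorvwq" not in l)


@dataclass
class Entry:
    state: str            # R = running, S = stopped
    start: int            # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str             # service/driver key name
    display: str
    path: str
    date: Optional[str]   # None when RSIT printed "[]"
    size: Optional[int]

    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    def file_missing(self) -> bool:
        """True when RSIT printed an empty [] for this entry."""
        return self.date is None


def parse_rsit_entries(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, other sections
        meta = m["meta"].split()
        entries.append(Entry(
            state=m["state"], start=int(m["start"]), name=m["name"],
            display=m["display"], path=m["path"],
            date=meta[0] if meta else None,
            size=int(meta[1]) if len(meta) > 1 else None,
        ))
    return entries


def parse_otmoveit_script(script: str) -> Dict[str, List[str]]:
    """Split an OTMoveIt3 script into its ':Section' blocks (keys lower-cased)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def remaining_targets(entries: List[Entry], sections: Dict[str, List[str]]) -> List[str]:
    """Names from the script's :Services/:Files blocks still present in the listing."""
    services = {s.lower() for s in sections.get("services", [])}
    files = {f.rsplit("\\", 1)[-1].lower() for f in sections.get("files", [])}
    hits = set()
    for e in entries:
        if e.name.lower() in services:
            hits.add(e.name)
        if e.basename().lower() in files:
            hits.add(e.basename())
    return sorted(hits)


def missing_on_disk(entries: List[Entry]) -> List[Entry]:
    """Entries whose registry key points at a file RSIT could not find."""
    return [e for e in entries if e.file_missing()]


if __name__ == "__main__":
    script = parse_otmoveit_script(OTMOVEIT_SCRIPT)
    for label, text in (("before", RSIT_BEFORE), ("after", RSIT_AFTER)):
        entries = parse_rsit_entries(text)
        print(f"{label}: targets still listed: {remaining_targets(entries, script) or 'none'}")
        for e in missing_on_disk(entries):
            print(f"  {e.state}{e.start} {e.name}: no file behind {e.path}")
```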

#10 Net_Surfer

Net_Surfer


Posted 04 June 2009 - 06:27 PM

:) Bump :)
Hello Combatchuck. :cool:

Are you still there???
:thumbup2:

If you are, please follow the instructions in my previous post.

Please continue to review my answers until I tell you your machine appears to be clear. Remember absence of symptoms does not mean that everything is clear.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Unfortunately, if I do not hear back from you within 2 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread.


Kind regards
Net_Surfer

:)

#11 Combatchuck

Combatchuck
  • Topic Starter

Posted 05 June 2009 - 10:59 PM

Hi Net Surfer.

Sorry for the slow response. I was out of town for most of the week.

Here are the logs you asked for.

Move_It:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========

Service\Driver eorvwq deleted successfully.
========== FILES ==========
File/Folder c:\windows\system32\drivers\dtukgg.sys not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\MARKLE~1\LOCALS~1\Temp\~DF3A05.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Mark Lemons\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_240.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT02e7a.TMP scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Mark Lemons\Local Settings\Application Data\Mozilla\Firefox\Profiles\rmcz6lit.Default User\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mark Lemons\Local Settings\Application Data\Mozilla\Firefox\Profiles\rmcz6lit.Default User\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mark Lemons\Local Settings\Application Data\Mozilla\Firefox\Profiles\rmcz6lit.Default User\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mark Lemons\Local Settings\Application Data\Mozilla\Firefox\Profiles\rmcz6lit.Default User\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mark Lemons\Local Settings\Application Data\Mozilla\Firefox\Profiles\rmcz6lit.Default User\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 06052009_195844

Files moved on Reboot...
C:\DOCUME~1\MARKLE~1\LOCALS~1\Temp\~DF3A05.tmp moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_240.dat not found!
File C:\WINDOWS\temp\ZLT02e7a.TMP not found!
C:\Documents and Settings\Mark Lemons\Local Settings\Application Data\Mozilla\Firefox\Profiles\rmcz6lit.Default User\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Mark Lemons\Local Settings\Application Data\Mozilla\Firefox\Profiles\rmcz6lit.Default User\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Mark Lemons\Local Settings\Application Data\Mozilla\Firefox\Profiles\rmcz6lit.Default User\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Mark Lemons\Local Settings\Application Data\Mozilla\Firefox\Profiles\rmcz6lit.Default User\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Mark Lemons\Local Settings\Application Data\Mozilla\Firefox\Profiles\rmcz6lit.Default User\XUL.mfl moved successfully.

RSIT:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Mark Lemons at 2009-06-05 20:53:03
Microsoft Windows XP Professional Service Pack 2
System drive C: has 10 GB (27%) free of 38 GB
Total RAM: 511 MB (23% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:08 PM, on 6/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Mark Lemons\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Mark Lemons.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107690182389
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...459/mcfscan.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8856 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1107758400.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 63128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-05-24 1107224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-05-31 41368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-05-31 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"=C:\WINDOWS\BCMSMMSG.exe [2003-08-29 122880]
"Dell QuickSet"=C:\Program Files\Dell\QuickSet\quickset.exe [2004-03-04 487424]
"DadApp"=C:\Program Files\Dell\AccessDirect\dadapp.exe [2004-03-04 211828]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2004-02-05 98304]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2004-02-05 495616]
"PCMService"=C:\Program Files\Dell\Media Experience\PCMService.exe [2003-12-12 217088]
"mmtask"=c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe [2003-10-06 53248]
"MMTray"=C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe [2003-10-06 118784]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2009-02-16 981384]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-05-24 1947928]
"nwiz"=nwiz.exe /installquiet []
"NvCplDaemon"=C:\WINDOWS\System32\NvCpl.dll [2004-01-08 4866048]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-05-31 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2005-10-24 307200]
"igndlm.exe"=C:\Program Files\IGN\Download Manager\DLM.exe [2006-11-07 972432]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
Post-it® Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe
RealSecure® Desktop Protector.lnk -

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-05-24 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Sony\Station\Launchpad\LaunchPad.exe"="C:\Program Files\Sony\Station\Launchpad\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\Program Files\Sony\Station\Launchpad\_aunchPad.exe"="C:\Program Files\Sony\Station\Launchpad\_aunchPad.exe:*:Enabled:_aunchPad"
"C:\Program Files\GameSpy Arcade\Aphex.exe"="C:\Program Files\GameSpy Arcade\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\Program Files\EA GAMES\Battlefield 2\BF2.exe"="C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:*:Enabled:Battlefield 2"
"C:\Program Files\BitTorrent\btdownloadgui.exe"="C:\Program Files\BitTorrent\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\Program Files\Ruckus Player\Ruckus.exe"="C:\Program Files\Ruckus Player\Ruckus.exe:*:Enabled:Ruckus"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Ventrilo\Ventrilo.exe"="C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======File associations======

.scr - open - "C:\WINDOWS\system32\notepad.exe" "%1"
.scr - install -
.scr - config -

======List of files/folders created in the last 1 months======

2009-06-05 20:40:10 ----HDC---- C:\WINDOWS\ie8
2009-06-05 19:58:44 ----D---- C:\_OTMoveIt
2009-05-31 01:22:35 ----SHD---- C:\RECYCLER
2009-05-31 01:19:53 ----A---- C:\WINDOWS\system32\javaws.exe
2009-05-31 01:19:53 ----A---- C:\WINDOWS\system32\javaw.exe
2009-05-31 01:19:53 ----A---- C:\WINDOWS\system32\java.exe
2009-05-31 01:00:03 ----A---- C:\ComboFix.txt
2009-05-30 15:32:06 ----A---- C:\WINDOWS\system32\proquota.exe
2009-05-30 14:59:56 ----A---- C:\Boot.bak
2009-05-30 14:59:32 ----RASHD---- C:\cmdcons
2009-05-30 14:57:05 ----A---- C:\WINDOWS\zip.exe
2009-05-30 14:57:05 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-05-30 14:57:05 ----A---- C:\WINDOWS\SWSC.exe
2009-05-30 14:57:05 ----A---- C:\WINDOWS\SWREG.exe
2009-05-30 14:57:05 ----A---- C:\WINDOWS\sed.exe
2009-05-30 14:57:05 ----A---- C:\WINDOWS\PEV.exe
2009-05-30 14:57:05 ----A---- C:\WINDOWS\NIRCMD.exe
2009-05-30 14:57:05 ----A---- C:\WINDOWS\grep.exe
2009-05-30 14:56:57 ----D---- C:\WINDOWS\ERDNT
2009-05-30 14:56:52 ----D---- C:\Qoobox
2009-05-29 19:00:45 ----D---- C:\rsit
2009-05-29 18:21:30 ----D---- C:\HostsXpert
2009-05-26 00:42:26 ----D---- C:\Program Files\SUPERAntiSpyware
2009-05-26 00:42:26 ----D---- C:\Documents and Settings\Mark Lemons\Application Data\SUPERAntiSpyware.com
2009-05-25 20:15:15 ----D---- C:\WINDOWS\pss
2009-05-25 17:51:35 ----D---- C:\Program Files\Trend Micro
2009-05-25 17:30:49 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-05-25 17:30:49 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-25 12:26:25 ----A---- C:\WINDOWS\ntbtlog.txt
2009-05-24 23:26:16 ----HD---- C:\$AVG8.VAULT$
2009-05-24 22:34:20 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-05-24 22:33:32 ----D---- C:\Program Files\AVG
2009-05-24 22:33:32 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-05-24 21:48:39 ----A---- C:\WINDOWS\wininit.ini
2009-05-24 02:54:04 ----D---- C:\Documents and Settings\Mark Lemons\Application Data\TrojanHunter
2009-05-24 01:57:37 ----A---- C:\WINDOWS\system32\vsregexp.dll
2009-05-24 01:57:27 ----A---- C:\WINDOWS\system32\zlcommdb.dll
2009-05-24 01:57:25 ----A---- C:\WINDOWS\system32\zlcomm.dll
2009-05-24 01:55:30 ----A---- C:\WINDOWS\system32\vswmi.dll
2009-05-24 01:55:28 ----N---- C:\WINDOWS\system32\vsxml.dll
2009-05-24 01:55:28 ----A---- C:\WINDOWS\system32\zpeng25.dll
2009-05-24 01:55:26 ----D---- C:\WINDOWS\system32\ZoneLabs
2009-05-24 01:55:26 ----D---- C:\Program Files\Zone Labs
2009-05-24 01:55:26 ----A---- C:\WINDOWS\system32\vspubapi.dll
2009-05-24 01:55:26 ----A---- C:\WINDOWS\system32\vsmonapi.dll
2009-05-24 01:54:28 ----A---- C:\WINDOWS\system32\vsinit.dll
2009-05-24 01:54:28 ----A---- C:\WINDOWS\system32\vsdata.dll
2009-05-24 01:54:27 ----A---- C:\WINDOWS\system32\vsutil.dll
2009-05-24 01:54:06 ----D---- C:\WINDOWS\Internet Logs
2009-05-24 01:48:22 ----R---- C:\WINDOWS\system32\streamhlp.dll
2009-05-24 01:48:22 ----D---- C:\Program Files\TrojanHunter 5.1
2009-05-24 01:36:42 ----D---- C:\Program Files\MSECACHE
2009-05-23 23:25:21 ----D---- C:\Program Files\Ventrilo
2009-05-23 23:25:19 ----A---- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-05-23 23:23:15 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-05-21 06:59:21 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-05-21 06:59:05 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-05-21 06:58:50 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-05-21 06:58:33 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-05-21 06:58:20 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-05-21 06:58:06 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2009-05-21 06:57:51 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-05-21 06:56:11 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-05-21 06:55:27 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-05-21 06:54:56 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-05-21 06:54:39 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2009-05-21 06:54:23 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-05-21 06:54:06 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-05-21 06:53:54 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-05-21 06:53:41 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-05-21 06:53:29 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-05-21 06:53:07 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-05-21 06:52:50 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-05-21 06:52:34 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-05-21 06:52:21 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-05-21 06:52:08 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-05-21 06:51:55 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-05-21 06:51:40 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-05-21 06:51:29 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-05-21 06:50:45 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-05-19 22:44:18 ----D---- C:\Documents and Settings\Mark Lemons\Application Data\Malwarebytes
2009-05-19 22:43:10 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-05-19 22:43:05 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-05-19 22:03:11 ----D---- C:\WINDOWS\system32\CatRoot_bak
2009-05-16 21:27:44 ----A---- C:\WINDOWS\system32\deploytk.dll

======List of files/folders modified in the last 1 months======

2009-06-05 20:50:09 ----D---- C:\WINDOWS\Prefetch
2009-06-05 20:49:52 ----D---- C:\WINDOWS\Temp
2009-06-05 20:49:50 ----D---- C:\WINDOWS
2009-06-05 20:49:46 ----D---- C:\WINDOWS\system32
2009-06-05 20:49:01 ----D---- C:\Program Files\Mozilla Firefox
2009-06-05 20:47:47 ----D---- C:\WINDOWS\system32\en-US
2009-06-05 20:47:44 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-06-05 20:47:44 ----HD---- C:\WINDOWS\inf
2009-06-05 20:47:44 ----D---- C:\WINDOWS\Media
2009-06-05 20:47:44 ----D---- C:\WINDOWS\Help
2009-06-05 20:47:44 ----D---- C:\Program Files\Internet Explorer
2009-06-05 20:46:14 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-06-05 20:42:19 ----D---- C:\WINDOWS\system32\CatRoot2
2009-06-05 20:31:30 ----D---- C:\WINDOWS\network diagnostic
2009-05-31 01:20:02 ----SHD---- C:\WINDOWS\Installer
2009-05-31 01:19:15 ----D---- C:\Program Files\Java
2009-05-31 01:08:54 ----D---- C:\Program Files\Common Files
2009-05-31 01:00:07 ----D---- C:\WINDOWS\system32\drivers
2009-05-31 00:49:52 ----A---- C:\WINDOWS\system.ini
2009-05-31 00:44:52 ----D---- C:\WINDOWS\AppPatch
2009-05-30 23:16:50 ----RD---- C:\Program Files
2009-05-30 15:47:47 ----RASH---- C:\boot.ini
2009-05-30 15:47:42 ----A---- C:\WINDOWS\win.ini
2009-05-30 15:36:18 ----SD---- C:\WINDOWS\Tasks
2009-05-30 14:27:18 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee.com
2009-05-29 20:36:31 ----D---- C:\WINDOWS\system32\wbem
2009-05-26 00:34:04 ----D---- C:\WINDOWS\Minidump
2009-05-25 17:48:39 ----D---- C:\Documents and Settings
2009-05-25 02:46:04 ----D---- C:\quarantine
2009-05-24 22:33:18 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-05-24 22:33:17 ----D---- C:\WINDOWS\WinSxS
2009-05-24 03:10:10 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-05-23 23:29:59 ----D---- C:\Documents and Settings\Mark Lemons\Application Data\Ventrilo
2009-05-23 20:21:17 ----SHD---- C:\System Volume Information
2009-05-23 20:21:17 ----D---- C:\WINDOWS\system32\Restore
2009-05-23 14:57:34 ----D---- C:\Documents and Settings\Mark Lemons\Application Data\Mozilla
2009-05-23 14:56:45 ----D---- C:\Program Files\Common Files\Mozilla Shared
2009-05-23 14:18:00 ----D---- C:\downloads
2009-05-23 09:10:50 ----D---- C:\Program Files\i2hub
2009-05-22 23:25:39 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-05-21 06:59:27 ----A---- C:\WINDOWS\imsins.BAK
2009-05-21 06:58:53 ----D---- C:\Program Files\Messenger
2009-05-21 06:58:48 ----HD---- C:\WINDOWS\$hf_mig$
2009-05-20 06:02:17 ----RSD---- C:\WINDOWS\Fonts
2009-05-20 00:48:15 ----D---- C:\WINDOWS\system32\CatRoot
2009-05-19 22:03:11 ----D---- C:\WINDOWS\Debug
2009-05-07 00:16:30 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-05-24 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-05-24 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-05-24 108552]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
R1 OMCI;OMCI WDM Device Driver; C:\WINDOWS\System32\DRIVERS\omci.sys [2004-02-13 17153]
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2009-02-16 353672]
R2 dsunidrv;DellSupport UniDriver; C:\WINDOWS\system32\DRIVERS\dsunidrv.sys [2007-02-25 5376]
R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.7; C:\WINDOWS\System32\DRIVERS\mdc8021x.sys [2005-02-06 15781]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2004-08-03 60800]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [2004-02-20 312960]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2003-05-15 43136]
R3 BCMModem;BCM V.92 56K Modem; C:\WINDOWS\System32\DRIVERS\BCMSM.sys [2003-08-29 1101696]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 MxlW2k;MxlW2k; C:\WINDOWS\system32\drivers\MxlW2k.sys [2006-06-28 28256]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-03 61824]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-01-08 1378636]
R3 STAC97;Audio Driver (WDM) - SigmaTel CODEC; C:\WINDOWS\system32\drivers\STAC97.sys [2003-04-25 220176]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\System32\DRIVERS\SynTP.sys [2004-02-05 178496]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-03 20480]
S1 mferkdk;VSCore mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys []
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 DSproct;DSproct; \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys []
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2003-03-08 51024]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2003-03-08 16080]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2003-03-08 21456]
S3 RapFile;RapFile; \??\C:\WINDOWS\system32\drivers\RapFile.sys []
S3 RapNet;RapNet; \??\C:\WINDOWS\system32\drivers\RapNet.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S4 black;black; C:\WINDOWS\System32\drivers\BlackDrv.sys [2004-09-09 227285]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-05-24 298776]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-05-31 152984]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2004-01-08 77824]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2009-02-16 2402184]
R2 WLTRYSVC;WLTRYSVC; C:\WINDOWS\System32\wltrysvc.exe [2004-02-20 45056]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-14 32768]
S3 Autodesk Licensing Service;Autodesk Licensing Service; C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe [2005-09-29 77944]
S3 DSBrokerService;DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [2007-03-07 76848]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 Imapi Helper;Imapi Helper; C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe [2005-11-13 163840]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2003-03-08 65795]
S3 RapApp;RapApp; C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe [2003-06-19 688128]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-09-22 38912]
S4 BlackICE;BlackICE; C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe [2004-10-29 847872]
S4 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2008-05-02 66872]

-----------------EOF-----------------

The only problem I'm having is that immediately after running the OTMove_IT program, I was unable to use Firefox for a while. I was eventually able to solve the problem and get it running again. Otherwise, I think my computer has been running much better. Just figured someone much smarter than myself should look over my system and make sure all the bad stuff is out of there.

Thanks for all your help!

Combat Chuck

#12 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:59 PM

Posted 06 June 2009 - 01:33 PM

The only problem I'm having is that immediately after running the OTMove_IT program, I was unable to use Firefox for a while. I was eventually able to solve the problem and get it running again. Otherwise, I think my computer has been running much better. Just figured someone much smarter than myself should look over my system and make sure all the bad stuff is out of there.

Thanks for all your help!

Combat Chuck


You're welcome, glad that I can help.

Hi Combatchuck, :)

Good Job, we got all the baddies. :thumbup2:

Your logs are clean except for a few files that we need to take care of.
:cool:

Step #1.

Kaspersky only scans and reports what it finds, so we need to clean up all those quarantined baddies.

For the ones that are already quarantined, you need to empty the quarantine vault of your House Call program, and all of those files will be gone from your computer.
So, please empty the vault NOW!!!

The other ones are in the quarantine folder of ComboFix Tool, and they should be gone also when we use the uninstall switch of Combofix at the end.

To get rid of the ones in system restore please do the following:


Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Step #2.

Your Microsoft Windows installation is out of date!
Using unpatched Windows systems on the Internet is a security risk to everyone. When there are insecure computers connected to the Internet, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, and spammers have more platforms from which to send e-mail. Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your computer. Keeping up-to-date with all these security patches will help prevent malware from reinfecting your machine. If you are not sure how to do this, see How to use Microsoft Update.

For additional information, be sure to read "Windows Xp Service Pack 3 (sp3) Information".

Then go here to check for & install updates to Microsoft applications.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

Step #3.

Follow these steps to uninstall Combofix and tools used in the removal of malware

Delete ComboFix and Clean Up

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of the next step.. Please visit HERE if you don't know how...Please re-enable them back after performing all steps given.


Click Start > Run and type combofix /u click OK (Note the "space" between combofix and /u) <--- It needs to be there.
Please advise if this step is missed for any reason as it performs some important actions:

"This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through system restore".


Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Cleanup using OTMoveit3 by OldTimer

Now we can clear out the rest of the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally.

If you don't plan to use Kaspersky again, then uninstall it through Add/Remove Programs.

You can also at this time delete the files/folders of the tools we used. To assist with some of that run OTMoveIt3. This will help by automatically removing some of the tools we used.
Double click on the OTMoveIt3 icon on your desktop to run it.
Then, click on Cleanup (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator").
(When you do this a list of malware removal programs will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.)
After the list has downloaded, you'll be asked if you want to begin the cleanup process. Select Yes.

OTMoveIt will search for and delete/uninstall all the tools that we have used to fix your problems and all their backup folders and then delete itself when you next reboot. At the end of the run you will receive a prompt to reboot, Please do so.

You may delete RSIT and any logs that any of the tools produced. Please delete RSIT.exe and the RSIT folder (C:\RSIT).
I recommend keeping ATF, and use Malwarebytes' Anti-Malware to scan your computer regularly.



If you have done all of the above, Your Computer should be Clean of Malware.
CONGRATULATIONS.
:)


Ok, Combatchuck, I'm not skilled at mincing words but I believe that by now you have already figured out how you got infected. {using P2P (file sharing programs) maybe?} So, especially for you I will use my long version of my "All Clean Canned Speech".

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.:

Please take the time to read below to secure your machine and take the necessary steps to keep it clean. Some of the following you may already have, so just disregard them.
  • Make sure that you keep your anti-virus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your anti-virus program to provide you with the best possible protection from malicious software.
    Note: You should only have one anti-virus installed at a time. Having more than one anti-virus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • Install and use a firewall with outbound protection
    The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
    Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.
  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.
  • Make Internet Explorer More Secure
    You are using Internet Explorer; therefore, please read and follow the recommendations at this SITE
Recommended Programs

To help protect your computer in the future I would recommend the download and installation of some or all of the following free programs (if not already present), and the updating of them on a regular basis:
  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • McAfee Site Advisor --free version.
    To give you an indication of which sites may contain bad links or suspect downloads. It loads an icon to the taskbar of your browser (versions for IE and Firefox), As you browse, a small button on your browser toolbar changes color based on SiteAdvisor's safety results indicating the trustworthiness of the site you are on. Green for safe and Red for suspicious. Click on the icon to access details that SiteAdvisor has about the site. It also gives the same colour indications in the results page when you do a Google search, making it easier to decide which sites are safe to visit. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad. Safety ratings from McAfee SiteAdvisor appear next to search results. Works with Google, Yahoo!, Live Search, AOL or ASK.
    This is a utility that can be downloaded and installed from HERE.
  • ATF Cleaner
    Good temp file cleaner that could do the job safely and without removing files that are crucial to windows.
    Cleans temporary files from IE and Windows, empties the recycle bin and more.
    Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
    This is a utility that can be downloaded and installed from HERE.
  • ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • SpywareBlaster
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.
  • Malwarebytes' Anti-Malware or SuperAntiSpyware
    These are anti-malware applications that can thoroughly remove even the most advanced malware. They include a number of features, including a built in protection monitor that blocks malicious processes before they even start.
    You can download Malwarebytes' Anti-Malware from HERE. You can find a tutorial HERE.
    You can download SuperAntiSpyware from HERE.
  • Hosts File - Hosts file is one such file that can be used to replace the Hosts file on your computer and help you to avoid accidentally visiting known nasty web sites.
    For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.

    Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
    If this isn't done first, the next reboot may take a VERY LONG TIME.
    This is how to do it. First be sure you are signed in as a user with administrative privileges:

    Stop and Disable the DNS Client Service
    Go to Start, Run and type Services.msc and click OK.
    Under the Extended Tab, Scroll down and find this service.
    DNS Client
    Right-Click on the DNS Client Service. Choose Properties
    Select the General tab. Click on the Stop button.
    Click the Arrow-down tab on the right-hand side at the Start-up Type box.
    From the drop-down menu, click on Manual
    Click the Apply tab, then click OK

    Prevention:
    The Hosts file can be made read only and monitored for changes, or attempted changes. Programs such as >WinPatrol< do this very well.

    Cure:
    If your Hosts file becomes infected, it can be reset by installing >HostsXpert<.
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click "Restore Microsoft's Hosts file" and then click "OK".
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

  • Use an alternative Internet Browser
    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
    Firefox
    Opera
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
  • Backup regularly.
    You never know when your PC will become unstable or get infected that you can't recover it. Follow this Microsoft article to learn how to backup. Follow this article by Microsoft to restore your backups.
    Alternatively, you can use 3rd-party programs to back up your data. It can be found at Bleeping Computer.

  • To stay secure is to stay updated.
    Calendar of Updates.

  • Practice Safe Internet
    One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below are a list of simple precautions to take to keep your computer clean and running securely:
  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it.

    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.

  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them, and Peer-2-Peer networks are crawling with it. If you want to download a piece of software from a site, and are not sure if they are legitimate, you can use McAfee SiteAdvisor to look up info on the site.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.
Visit Microsoft's Windows Update Site Frequently

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

To find out more information about how you got infected in the first place? and some great guidelines to follow to prevent future infections you can read this article by Tony Klein and this one by Miekiemoes.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

That's it, happy surfing!

Cheers,
Net_Surfer


***If the ComboFix tool helped you***, please kindly consider a donation to its author.

Stay clean and be safe :)

I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck!


:)

I'd be grateful if you could reply to this post so that I know you have read it and if you've no other questions, the thread can be closed.
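The "Hosts File" item in the post above (check the file, make it read-only, watch for changes, and stop the DNS Client service before installing a large hosts file) is all done by hand through Notepad and services.msc. The PowerShell script below is an added example and is not code from the thread or from the tools it names (HostsXpert, WinPatrol); it shows the same checks in a form that can be rerun, from a defender's point of view: it lists the active mappings, flags the two signatures of a tampered hosts file (an update or security-vendor site overridden, or a name pointed at a real address instead of loopback), keeps a SHA-256 baseline so later changes are noticed, and only with the `-Apply` switch sets the read-only attribute and puts the DNS Client service (service name `Dnscache`) on Manual. It assumes PowerShell 2.0 or later run from an elevated prompt; the `$WatchedNames` list and the baseline file path are constructed for this example.

```powershell
<#
  Added example: audits the Windows hosts file for tampering, keeps a SHA-256 baseline for
  change monitoring, and (with -Apply) applies the two hardening steps the post describes:
  read-only attribute on the file, DNS Client service stopped and set to Manual.
  Assumptions: PowerShell 2.0+, elevated prompt. $WatchedNames is a constructed list.
#>
param(
    [switch]$Apply,
    [string]$BaselineFile = (Join-Path $env:ALLUSERSPROFILE 'hosts-baseline.sha256')
)

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Name fragments worth a second look: rogue software typically maps update and
# security-vendor sites to 127.0.0.1 so the victim cannot reach help or patches.
# Constructed for this example and deliberately broad, so expect some benign hits.
$WatchedNames = @('microsoft', 'windowsupdate', 'symantec', 'mcafee', 'kaspersky',
                  'avg', 'malwarebytes', 'bleepingcomputer', 'superantispyware')

function Get-HostsEntries {
    param([string]$Path = $HostsPath)
    # One object per active mapping; comments and blank lines are skipped.
    $entries = @()
    foreach ($raw in (Get-Content -Path $Path)) {
        $line = ($raw -replace '#.*$', '').Trim()
        if ($line -eq '') { continue }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { continue }          # malformed line, nothing mapped
        $entries += New-Object PSObject -Property @{
            Address = $parts[0]
            Names   = @($parts[1..($parts.Count - 1)])
            Raw     = $raw.Trim()
        }
    }
    return ,$entries
}

function Test-HostsEntry {
    param($Entry)
    # Returns the reasons an entry looks suspicious; an empty array means it looks normal.
    $reasons = @()
    $sinkhole = @('127.0.0.1', '::1', '0.0.0.0') -contains $Entry.Address
    foreach ($name in $Entry.Names) {
        $lower = $name.ToLower()
        if ($lower -eq 'localhost' -or $lower -eq 'localhost.localdomain') { continue }
        foreach ($w in $WatchedNames) {
            if ($lower -like "*$w*") { $reasons += "watched site '$name' is overridden" }
        }
        if (-not $sinkhole) {
            # Blocklist hosts files only ever point names at loopback or 0.0.0.0; a real
            # address here sends the user to a host someone else chose.
            $reasons += "'$name' redirected to $($Entry.Address)"
        }
    }
    return ,$reasons
}

function Get-HostsHash {
    param([string]$Path = $HostsPath)
    # SHA-256 over the file bytes; Get-FileHash does not exist before PowerShell 4.
    $sha = New-Object System.Security.Cryptography.SHA256Managed
    $digest = $sha.ComputeHash([System.IO.File]::ReadAllBytes($Path))
    return ([System.BitConverter]::ToString($digest)) -replace '-', ''
}

function Test-HostsBaseline {
    param([string]$BaselinePath = $BaselineFile)
    # 'created' on the first run, then 'unchanged' or 'changed' on later runs.
    $current = Get-HostsHash
    if (-not (Test-Path -Path $BaselinePath)) {
        Set-Content -Path $BaselinePath -Value $current
        return 'created'
    }
    $stored = (Get-Content -Path $BaselinePath | Select-Object -First 1).Trim()
    if ($stored -eq $current) { return 'unchanged' } else { return 'changed' }
}

function Protect-HostsFile {
    # The read-only attribute the post recommends. A process running as admin can clear
    # it again, so keep the baseline check (or a monitor such as WinPatrol) as well.
    (Get-Item -Path $HostsPath).IsReadOnly = $true
}

function Set-DnsClientManual {
    # Same effect as the services.msc steps in the post: stop DNS Client (Dnscache) and
    # set it to Manual so a very large hosts file does not make the next boot crawl.
    Stop-Service -Name Dnscache -Force
    Set-Service -Name Dnscache -StartupType Manual
}

# --- report ---
$entries = @(Get-HostsEntries)
Write-Host ("{0} active mapping(s) in {1}" -f $entries.Count, $HostsPath)
foreach ($e in $entries) {
    $why = @(Test-HostsEntry -Entry $e)
    if ($why.Count -gt 0) {
        Write-Host ("SUSPECT: {0}   [{1}]" -f $e.Raw, ($why -join '; '))
    }
}
Write-Host ("Baseline check: {0}" -f (Test-HostsBaseline))

if ($Apply) {
    Protect-HostsFile
    Set-DnsClientManual
    Write-Host 'Applied: hosts file set read-only; DNS Client stopped and set to Manual.'
}
```

Run it once without `-Apply` to get the report and record the baseline; a later run that prints `Baseline check: changed` means something rewrote the hosts file since, which is exactly the event the post says to watch for. A clean XP hosts file produces a single `127.0.0.1 localhost` mapping and no SUSPECT lines; a blocklist hosts file produces many loopback mappings that are not flagged, while an entry such as `127.0.0.1 update.microsoft.com` (a constructed example of the tampering rogue software performs) is reported.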

#13 Combatchuck

Combatchuck
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:59 PM

Posted 08 June 2009 - 06:38 AM

I followed all of your remaining steps. Thanks for all the help you have given to me!

Sincerely,

Combat Chuck

#14 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:59 PM

Posted 08 June 2009 - 05:28 PM

Hi Combat Chuck, :cool:

You are very welcome!!! :)

Glad that I can help you. :thumbup2:

I had a good coach doing this fix with me, I learned a lot from doing this fix so let's thank him also.

He takes care that all of my responses to you are well advised.

:) His nick name is Kahdah.

That's it.

Happy Computing and stay safe. :)

Kind regards
Net_Surfer

:)

#15 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:59 PM

Posted 08 June 2009 - 09:02 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



