
Vundo.J infection - google results redirect


  • This topic is locked
18 replies to this topic

#1 mpete1313

mpete1313

  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:02 AM

Posted 06 July 2009 - 03:06 PM

Hi there,

I believe I have some sort of a Vundo-type infection. I recently noticed that certain Google search results were redirecting to other spam-like sites. "PCTools Spyware Doctor" identified and cleaned out several Vundo.J infections. Since then I followed the instructions listed here in the "How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo" thread and was able to identify and clean out a few other bits with "Malwarebytes Anti-Malware" as well; finally, I tried VirtumundoBegone with no luck. I also tried uninstalling and re-installing Firefox with no luck...

However, I still have some google redirects happening and all my attempts at scanning are coming up clean.

Any help would greatly be appreciated.

Thanks.

DDS.txt
______________________

DDS (Ver_09-06-26.01) - NTFSx86
Run by Jenn and Mark at 13:01:46.07 on Mon 07/06/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1278 [GMT -7:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\VDOTool\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Dropbox\dropbox.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\TVersity\Media Server\web\admin\TVersity.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Jenn and Mark\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.weather.ca/weather/cities/can/Pages/CABC0205.htm
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [DownloadAccelerator] "c:\program files\dap\DAP.EXE" /STARTUP
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Gainward] c:\program files\vdotool\TBPanel.exe /A
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
StartupFolder: c:\docume~1\jennan~1\startm~1\programs\startup\dropbox.lnk - c:\program files\dropbox\dropbox.exe
StartupFolder: c:\docume~1\jennan~1\startm~1\programs\startup\tversi~1.lnk - c:\program files\tversity\media server\web\admin\TVersity.exe
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\quicktax 2007\ic2007pp.dll
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\iiffDUlK

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jennan~1\applic~1\mozilla\firefox\profiles\jvzgv58v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://vancouver.en.craigslist.ca/swp/
FF - component: c:\program files\dap\dapfirefox\components\DAPFireFox.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-7-5 130936]
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2006-5-16 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-23 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-23 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-23 108552]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [2006-10-15 131840]
R1 IfsDrives;IfsDrives;c:\windows\system32\drivers\IfsDrives.sys [2006-10-15 4608]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2006-4-8 33920]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-23 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-23 298776]
R2 DriverX;DriverX;c:\windows\system32\drivers\driverx.sys [2006-3-13 234140]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-10-1 47640]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-7-5 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-7-5 1095560]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\tmpfw.exe --> c:\progra~1\trendm~1\intern~1\TmPfw.exe [?]
S3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5b.sys [2004-11-12 44032]
S3 HwIOctl;HwIOctl;\??\c:\program files\setup files\ms-7047 v2.00\hwioctl.sys --> c:\program files\setup files\ms-7047 v2.00\HwIOctl.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-7-6 38160]
S3 Memctl;Memctl;\??\c:\program files\setup files\ms-7047 v2.00\memctl.sys --> c:\program files\setup files\ms-7047 v2.00\Memctl.sys [?]
S3 RTCore32;RTCore32;\??\c:\program files\rmclock\rtcore32.sys --> c:\program files\rmclock\RTCore32.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 Npenlhwdsvbs;Npenlhwdsvbs; [x]

=============== Created Last 30 ================

2009-07-06 11:11 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-07-06 11:10 664 a------- c:\windows\system32\d3d9caps.dat
2009-07-06 10:00 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-06 09:44 <DIR> --d----- c:\docume~1\jennan~1\applic~1\Malwarebytes
2009-07-06 09:44 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-06 09:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-06 09:44 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-06 09:44 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-05 22:11 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-07-05 22:11 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-07-05 22:11 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-05 22:10 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-07-05 22:10 <DIR> --d----- c:\program files\common files\PC Tools
2009-07-05 22:10 <DIR> --d----- c:\program files\Spyware Doctor
2009-07-05 22:10 <DIR> --d----- c:\docume~1\jennan~1\applic~1\PC Tools
2009-07-05 22:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-07-05 21:08 <DIR> --d----- c:\windows\ERUNT
2009-07-05 21:07 <DIR> --d----- C:\SDFix
2009-07-05 20:38 <DIR> --d----- C:\VundoFix Backups
2009-07-05 14:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-07-05 14:05 <DIR> --d----- c:\program files\common files\iS3
2009-07-05 14:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-06-30 21:44 <DIR> --d----- C:\avifix
2009-06-24 16:53 48,640 a------- C:\dse.exe

==================== Find3M ====================

2009-07-06 12:20 2,124 a------- c:\windows\system32\ealregsnapshot1.reg
2009-07-06 12:10 24,944 a------- c:\windows\system32\drivers\GVTDrv.sys
2009-07-01 09:44 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-01 09:44 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-20 08:46 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 21:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-28 21:46 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2005-09-26 20:04 11,092 a------- c:\program files\SolidWorksswxJRNL.BAK
2008-06-05 20:32 5,170 a--sh--- c:\windows\system32\KlUDffii.ini2

============= FINISH: 13:03:30.67 ===============
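As an added triage example (not part of the original post, and not code from the DDS tool or its authors): a small Python checker that reads a DDS "Pseudo HJT Report" and flags non-default entries on the `LSA: Authentication Packages` line. On a stock Windows XP system that value is only `msv1_0`; any additional package is a DLL that LSASS will load at boot and deserves a second look. The second check looks for a file elsewhere in the report whose name is the first entry spelled backwards, a pairing the log above happens to show (`iiffDUlK` and `KlUDffii.ini2`). The sample text is constructed from lines in the DDS log above plus an invented clean line; the function names are my own.

```python
"""Triage helpers for a DDS log: inspect the LSA Authentication Packages line.

Assumed baseline: on a stock Windows XP install the registry value
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages
contains only 'msv1_0'. DDS prints the value as
    LSA: Authentication Packages = msv1_0 <extra entries...>
Anything after msv1_0 is loaded into LSASS at boot and should be reviewed.
"""
import re

# Constructed sample: two lines copied from the DDS log above.
SAMPLE_INFECTED = r"""
Notify: LMIinit - LMIinit.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\iiffDUlK
2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-06-05 20:32 5,170 a--sh--- c:\windows\system32\KlUDffii.ini2
"""

# Constructed clean sample (invented for contrast; DDS may omit the line on a clean box).
SAMPLE_CLEAN = r"""
Notify: LMIinit - LMIinit.dll
LSA: Authentication Packages = msv1_0
"""

KNOWN_AUTH_PACKAGES = {"msv1_0"}          # stock XP default; everything else is reviewed
LSA_RE = re.compile(r"^LSA:\s*Authentication Packages\s*=\s*(.*)$", re.IGNORECASE)
PATH_RE = re.compile(r"[A-Za-z]:\\\S+")   # any DOS-style absolute path on a line


def parse_lsa_packages(dds_text):
    """Return the whitespace-separated tokens after 'LSA: Authentication Packages =',
    or [] when the report has no such line."""
    for line in dds_text.splitlines():
        m = LSA_RE.match(line.strip())
        if m:
            return m.group(1).split()
    return []


def looks_random(name):
    """Heuristic: 6-12 letters, mixed case, no extension, like 'iiffDUlK'.
    Legitimate packages (msv1_0, kerberos, schannel) are lowercase and/or have digits."""
    base = name.rsplit("\\", 1)[-1]
    if "." in base or not re.fullmatch(r"[A-Za-z]{6,12}", base):
        return False
    return base != base.lower() and base != base.upper()


def triage_lsa(dds_text):
    """Return [(entry, reason), ...] for every authentication package that is not on the allow-list."""
    findings = []
    for pkg in parse_lsa_packages(dds_text):
        if pkg.lower() in KNOWN_AUTH_PACKAGES:
            continue
        reason = "unexpected LSA authentication package (loaded into LSASS at boot)"
        if looks_random(pkg):
            reason += "; random-looking name without an extension"
        findings.append((pkg, reason))
    return findings


def reversed_companions(dds_text, package_path):
    """Find other paths in the report whose file stem is the package's basename reversed.
    Vundo-style infections dropped a companion data file named this way."""
    target = package_path.rsplit("\\", 1)[-1][::-1]
    hits = []
    for line in dds_text.splitlines():
        for path in PATH_RE.findall(line):
            if path.lower() == package_path.lower():
                continue
            stem = path.rsplit("\\", 1)[-1].split(".", 1)[0]
            if stem == target:
                hits.append(path)
    return hits


if __name__ == "__main__":
    for entry, why in triage_lsa(SAMPLE_INFECTED):
        print(f"REVIEW: {entry}: {why}")
        for companion in reversed_companions(SAMPLE_INFECTED, entry):
            print(f"  companion file with reversed name: {companion}")
    print("clean sample findings:", triage_lsa(SAMPLE_CLEAN))
```

The allow-list is deliberately tiny: adding a package to it should be a conscious decision by whoever reads the log, and the reversed-name check is only a hint, so a hit is a reason to inspect the file, not a verdict on its own.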


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:02 AM

Posted 09 July 2009 - 12:48 PM

Hello mpete1313,


I (as well as Microsoft, McAfee and Symantec) recommend that you DO NOT have more than one anti-virus product installed and running on your computer at a time.

The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms".

It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection.

In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove one of these.
AVG Anti-Virus Free Antivirus or Spyware Doctor with AntiVirus Antivirus

************

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

Edited by SifuMike, 09 July 2009 - 12:54 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 mpete1313

mpete1313
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:02 AM

Posted 09 July 2009 - 01:49 PM

Hi SifuMike,

First, thanks for the help... I'm usually pretty OK at cleaning up this kind of thing, but definitely in over my head here.

Since the original post, I've installed Spybot Search and Destroy; should I uninstall that as well? It did find and clean up a few bits that MBAM seems to have missed. I've seen from reading others' threads around here not to make any changes or attempt any fixes without being asked, so no worries, I won't go changing things when you're not around.

Here are the results from the Security Check:

________________________________

Results of screen317's Security Check version 0.98.4
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
AVGFree8.5
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Ad-Aware
Spybot - Search & Destroy
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java™ 6 Update 13
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 2
Java™ 6 Update 5
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgemc.exe
AVG avgemc.exe
Spybot SDHelper is disabled!
Spybot - Search & Destroy TeaTimer.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

GREAT! (Very random)

Scan took 79197 seconds.
`````````End of Log```````````

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:02 AM

Posted 09 July 2009 - 05:02 PM

Hi mpete1313,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 14.
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop-down box
    select Windows and Multi-Language.
  • Check the box that says: "Accept License Agreement" then press Continue ( Selecting Windows will give you the 32 bit version. )
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 6 Update 13
    Java SE Runtime Environment 6 Update 1
    Java 6 Update 2
    Java 6 Update 5
    Java 6 Update 7
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586.exe to install the newest version.

I've installed Spybot Search and Destroy, should I uninstall that as well?


No need to uninstall it, as it will not interfere with anything we do.


Please post the Malwarebytes log so I can see what it is finding.

#5 mpete1313

mpete1313
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:02 AM

Posted 09 July 2009 - 07:18 PM

Thanks again.

1 - Ok new java is installed.

2 - All old java and JSE has been removed.

3 - Here are the non-clean MBAM logs.

_______________________

Malwarebytes' Anti-Malware 1.38
Database version: 2380
Windows 5.1.2600 Service Pack 3

7/6/2009 9:53:23 AM
mbam-log-2009-07-06 (09-53-23).txt

Scan type: Quick Scan
Objects scanned: 135378
Time elapsed: 7 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e1bc0aab-2c35-40df-8f1d-4fd437df432e} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Temp\db.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\jenn and mark\local settings\temporary internet files\Content.IE5\VGK2N1FN\db[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\Iexplor701.exe (Trojan.Agent) -> Quarantined and deleted successfully.

________________________

Malwarebytes' Anti-Malware 1.38
Database version: 2382
Windows 5.1.2600 Service Pack 3

7/6/2009 7:38:06 PM
mbam-log-2009-07-06 (19-38-06).txt

Scan type: Quick Scan
Objects scanned: 137893
Time elapsed: 11 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Temp\nmcxgaibvl.exe (Rogue.Installer) -> Quarantined and deleted successfully.


______________________________

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:02 AM

Posted 09 July 2009 - 09:07 PM

Hi mpete1313,

I see the infection in your log.

We will run ComboFix.

You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

I am assuming you only have AVG antivirus on this computer and have uninstalled Spyware Doctor with antivirus.

You need to disable your AVG Anti-Virus Free Antivirus, Spybot and Spyware Doctor before running ComboFix, as they will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield (I'll let you know when), just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts

To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.



Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

#7 mpete1313

  • Topic Starter
  • Members
  • 9 posts

Posted 09 July 2009 - 10:30 PM

OK. I followed all the instructions. Confirmed Spyware Doctor is uninstalled. Combofix ran and rebooted a couple of times, and mentioned some rootkit files in the 1st go. Here is the log.

Thanks again!
________________________

ComboFix 09-07-09.06 - Jenn and Mark 07/09/2009 20:08.1.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1572 [GMT -7:00]
Running from: c:\documents and settings\Jenn and Mark\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documents\Adobe PDF\Data\Desktop_.ini
c:\documents and settings\All Users\Documents\Adobe PDF\Desktop_.ini
c:\documents and settings\All Users\Documents\Adobe PDF\Example Files\Desktop_.ini
c:\documents and settings\All Users\Documents\Adobe PDF\Extras\Desktop_.ini
c:\documents and settings\All Users\Documents\Adobe PDF\Settings\Desktop_.ini
c:\documents and settings\All Users\Documents\Adobe PDF\Startup\Desktop_.ini
c:\documents and settings\All Users\Documents\My Music\Desktop_.ini
c:\documents and settings\All Users\Documents\My Music\My Playlists\Desktop_.ini
c:\documents and settings\All Users\Documents\My Music\Sample Music\Desktop_.ini
c:\documents and settings\All Users\Documents\My Music\Sample Playlists\003EEB2D\Desktop_.ini
c:\documents and settings\All Users\Documents\My Music\Sample Playlists\Desktop_.ini
c:\documents and settings\All Users\Documents\My Music\Sync Playlists\005AB197\Desktop_.ini
c:\documents and settings\All Users\Documents\My Music\Sync Playlists\Desktop_.ini
c:\documents and settings\All Users\Documents\My Pictures\Desktop_.ini
c:\documents and settings\All Users\Documents\My Pictures\Sample Pictures\Desktop_.ini
c:\documents and settings\All Users\Documents\My Videos\Desktop_.ini
c:\documents and settings\Jenn and Mark\Local Settings\Temporary Internet Files\MF9729ED.gif
c:\recycler\NPROTECT
c:\windows\Installer\1098999.msp
c:\windows\Installer\10a07d2.msp
c:\windows\Installer\10b6a6f.msp
c:\windows\Installer\11396c.msp
c:\windows\Installer\115ab30.msp
c:\windows\Installer\1183c3c.msp
c:\windows\Installer\1187c52.msp
c:\windows\Installer\120ee4f.msp
c:\windows\Installer\125dc64.msp
c:\windows\Installer\12975f6.msp
c:\windows\Installer\13c2663.msp
c:\windows\Installer\140771.msp
c:\windows\Installer\1474b99.msp
c:\windows\Installer\14acb9.msp
c:\windows\Installer\14e164e.msp
c:\windows\Installer\14f3589.msp
c:\windows\Installer\1526cf.msi
c:\windows\Installer\1526d5.msi
c:\windows\Installer\1526db.msi
c:\windows\Installer\153060.msp
c:\windows\Installer\16b6c2.msp
c:\windows\Installer\16fb954.msp
c:\windows\Installer\177bca8.msp
c:\windows\Installer\17d7ded.msp
c:\windows\Installer\17e2057.msp
c:\windows\Installer\1b76932.msp
c:\windows\Installer\1c184c8.msp
c:\windows\Installer\1c37e94.msp
c:\windows\Installer\1dd00da.msp
c:\windows\Installer\1e08b97.msp
c:\windows\Installer\1e3dbad.msp
c:\windows\Installer\1f065c2.msp
c:\windows\Installer\1fd4a5b.msp
c:\windows\Installer\2051ec0.msp
c:\windows\Installer\20b6486.msp
c:\windows\Installer\2106aa8.msp
c:\windows\Installer\21f26.msp
c:\windows\Installer\21f84.msp
c:\windows\Installer\22040.msp
c:\windows\Installer\2205f.msp
c:\windows\Installer\2260ae9.msp
c:\windows\Installer\226a8.msp
c:\windows\Installer\22ade.msp
c:\windows\Installer\22b8a.msp
c:\windows\Installer\22dad.msp
c:\windows\Installer\22dbd.msp
c:\windows\Installer\232dd.msp
c:\windows\Installer\23464.msp
c:\windows\Installer\236d5.msp
c:\windows\Installer\236e5.msp
c:\windows\Installer\2384c.msp
c:\windows\Installer\23946.msp
c:\windows\Installer\239c3.msp
c:\windows\Installer\23a21.msp
c:\windows\Installer\23b4a.msp
c:\windows\Installer\23b4b.msp
c:\windows\Installer\23b78.msp
c:\windows\Installer\23c63.msp
c:\windows\Installer\23cb1.msp
c:\windows\Installer\23db6ba.msp
c:\windows\Installer\23e47.msp
c:\windows\Installer\23f60.msp
c:\windows\Installer\2405a.msp
c:\windows\Installer\24089.msp
c:\windows\Installer\24106.msp
c:\windows\Installer\24154.msp
c:\windows\Installer\24174.msp
c:\windows\Installer\241e1.msp
c:\windows\Installer\2425e.msp
c:\windows\Installer\24387.msp
c:\windows\Installer\243a6.msp
c:\windows\Installer\243e5.msp
c:\windows\Installer\24617.msp
c:\windows\Installer\24618.msp
c:\windows\Installer\246f2.msp
c:\windows\Installer\24879.msp
c:\windows\Installer\2487a.msp
c:\windows\Installer\24898.msp
c:\windows\Installer\248c7.msp
c:\windows\Installer\249b1.msp
c:\windows\Installer\249d0.msp
c:\windows\Installer\24a7c.msp
c:\windows\Installer\24b57.msp
c:\windows\Installer\24d3b.msp
c:\windows\Installer\24d4b.msp
c:\windows\Installer\24f6e.msp
c:\windows\Installer\25104.msp
c:\windows\Installer\25133.msp
c:\windows\Installer\2527b.msp
c:\windows\Installer\25394.msp
c:\windows\Installer\25431.msp
c:\windows\Installer\254dc.msp
c:\windows\Installer\255f6.msp
c:\windows\Installer\2575d.msp
c:\windows\Installer\25876.msp
c:\windows\Installer\25b64.msp
c:\windows\Installer\25b65.msp
c:\windows\Installer\25b84.msp
c:\windows\Installer\25be1.msp
c:\windows\Installer\25c01.msp
c:\windows\Installer\25c2f.msp
c:\windows\Installer\26150.msp
c:\windows\Installer\263f0.msp
c:\windows\Installer\2646d.msp
c:\windows\Installer\264cb.msp
c:\windows\Installer\26874.msp
c:\windows\Installer\2690ec.msp
c:\windows\Installer\2695e.msp
c:\windows\Installer\26dc3.msp
c:\windows\Installer\26ecd.msp
c:\windows\Installer\27277.msp
c:\windows\Installer\27545.msp
c:\windows\Installer\275b3.msp
c:\windows\Installer\27b0faf.msp
c:\windows\Installer\282d2.msp
c:\windows\Installer\28f74.msp
c:\windows\Installer\292ef.msp
c:\windows\Installer\29437.msp
c:\windows\Installer\29456.msp
c:\windows\Installer\2949197.msp
c:\windows\Installer\2a166.msp
c:\windows\Installer\2a2ce.msp
c:\windows\Installer\2a629.msp
c:\windows\Installer\2b329.msp
c:\windows\Installer\2b679e3.msp
c:\windows\Installer\2bbc3f4.msp
c:\windows\Installer\2c7bc1.msp
c:\windows\Installer\2e0dcb8.msp
c:\windows\Installer\2e80db8.msp
c:\windows\Installer\311305c.msp
c:\windows\Installer\322831d.msp
c:\windows\Installer\3788250.msp
c:\windows\Installer\3a92c04.msp
c:\windows\Installer\3ac3433.msp
c:\windows\Installer\3af42ca.msp
c:\windows\Installer\3b9faee.msp
c:\windows\Installer\3c2366a.msp
c:\windows\Installer\3ca54.msi
c:\windows\Installer\3ca6e.msi
c:\windows\Installer\3ca7d.msi
c:\windows\Installer\402780f.msp
c:\windows\Installer\40be46a.msp
c:\windows\Installer\40dd618.msp
c:\windows\Installer\40fd8be.msp
c:\windows\Installer\41443c9.msp
c:\windows\Installer\41483d0.msp
c:\windows\Installer\414c415.msp
c:\windows\Installer\4152734.msp
c:\windows\Installer\4186a97.msp
c:\windows\Installer\41f63ee.msp
c:\windows\Installer\4441f40.msp
c:\windows\Installer\4e61df4.msp
c:\windows\Installer\506358.msp
c:\windows\Installer\555a09.msp
c:\windows\Installer\56324.msi
c:\windows\Installer\5633e.msi
c:\windows\Installer\5634b.msi
c:\windows\Installer\5909878.msp
c:\windows\Installer\60177c.msp
c:\windows\Installer\60744.msi
c:\windows\Installer\6075e.msi
c:\windows\Installer\6076d.msi
c:\windows\Installer\614594b.msp
c:\windows\Installer\6757b52.msp
c:\windows\Installer\6858a5.msp
c:\windows\Installer\6e7ddda.msp
c:\windows\Installer\6e9eb1.msi
c:\windows\Installer\70dd8.msp
c:\windows\Installer\71f6f02.msp
c:\windows\Installer\72bfc7b.msp
c:\windows\Installer\7e20d95.msp
c:\windows\Installer\7ff90c.msp
c:\windows\Installer\815c64.msp
c:\windows\Installer\8470a9.msp
c:\windows\Installer\848fdd0.msp
c:\windows\Installer\8cb359.msp
c:\windows\Installer\934df.msp
c:\windows\Installer\9fd943.msp
c:\windows\Installer\aa766d.msp
c:\windows\Installer\b1f05e.msp
c:\windows\Installer\b3a0515.msp
c:\windows\Installer\bce37.msp
c:\windows\Installer\c5835a.msp
c:\windows\Installer\cdc761.msp
c:\windows\Installer\d085f63.msp
c:\windows\Installer\d6f3d7e.msp
c:\windows\Installer\d9204a.msp
c:\windows\Installer\e5eeea.msp
c:\windows\Installer\ee0fc9.msp
c:\windows\Installer\f50f69.msp
c:\windows\Installer\f5d0a6.msp
c:\windows\Installer\WMEncoder.msi
c:\windows\system32\drivers\hjgruiloywlqsx.sys
c:\windows\system32\hjgruidathakog.dat
c:\windows\system32\hjgruiewmxtuwh.dll
c:\windows\system32\hjgruiglifvmpe.dll
c:\windows\system32\hjgruilog.dat
c:\windows\system32\hjgruipuaaloja.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruierajowng
-------\Legacy_OREANS32
-------\Service_oreans32


((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 )))))))))))))))))))))))))))))))
.

2009-07-09 01:28 . 2009-07-09 01:28 -------- d-----w- c:\program files\Safer Networking
2009-07-06 19:00 . 2009-07-06 19:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-06 18:11 . 2009-07-06 18:10 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-07-06 18:10 . 2009-07-06 18:55 -------- d-----w- c:\documents and settings\Administrator\.housecall6.6
2009-07-06 18:10 . 2009-07-06 18:55 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-06 17:45 . 2009-07-06 17:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2009-07-06 17:45 . 2009-03-24 21:43 43008 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\49wwov78.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
2009-07-06 17:45 . 2009-03-24 21:43 43008 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\49wwov78.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-07-06 17:45 . 2009-03-24 21:43 235520 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\49wwov78.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff2.dll
2009-07-06 17:45 . 2009-03-24 21:43 338432 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\49wwov78.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-07-06 17:45 . 2009-03-24 21:42 235008 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\49wwov78.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff3.dll
2009-07-06 17:45 . 2009-03-24 21:42 345088 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\49wwov78.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-07-06 17:44 . 2009-07-06 17:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2009-07-06 17:44 . 2009-07-06 17:44 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-07-06 17:00 . 2009-07-09 23:54 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-06 17:00 . 2009-07-06 17:00 152576 ----a-w- c:\documents and settings\Jenn and Mark\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-07-06 16:44 . 2009-07-06 16:44 -------- d-----w- c:\documents and settings\Jenn and Mark\Application Data\Malwarebytes
2009-07-06 16:44 . 2009-07-06 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-06 16:44 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-06 16:44 . 2009-07-06 16:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-06 16:44 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-06 04:08 . 2009-07-06 04:08 -------- d-----w- c:\windows\ERUNT
2009-07-06 04:07 . 2009-07-06 04:43 -------- d-----w- C:\SDFix
2009-07-06 03:38 . 2009-07-06 03:38 -------- d-----w- C:\VundoFix Backups
2009-07-05 21:06 . 2009-07-05 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-07-05 21:05 . 2009-07-08 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-07-05 21:05 . 2009-07-05 21:05 -------- d-----w- c:\program files\Common Files\iS3
2009-07-01 04:44 . 2009-07-01 04:44 -------- d-----w- C:\avifix
2009-06-24 23:53 . 2009-06-24 23:53 48640 ----a-w- C:\dse.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-10 03:15 . 2008-07-08 00:19 -------- d-----w- c:\documents and settings\Jenn and Mark\Application Data\Dropbox
2009-07-10 03:15 . 2007-01-23 01:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-10 02:52 . 2009-04-23 16:39 95744 ----a-w- c:\documents and settings\All Users\Application Data\SpeedBit\DAP\Updates\Condition.dll
2009-07-09 23:57 . 2005-08-11 03:15 -------- d-----w- c:\program files\Java
2009-07-09 18:40 . 2008-10-02 00:20 -------- d-----w- c:\program files\LogMeIn
2009-07-09 04:40 . 2006-04-28 01:53 -------- d-----w- c:\documents and settings\Jenn and Mark\Application Data\uTorrent
2009-07-09 03:16 . 2005-02-06 06:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-09 01:32 . 2005-02-06 06:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-06 20:41 . 2008-08-02 03:45 -------- d-----w- c:\program files\TVersity Codec Pack
2009-07-06 20:41 . 2007-01-17 04:11 -------- d-----w- c:\program files\ffdshow
2009-07-06 19:21 . 2004-11-13 04:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-06 19:20 . 2008-06-18 00:59 2124 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-07-06 19:10 . 2008-04-11 04:10 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2009-07-06 18:50 . 2005-07-06 02:54 -------- d-----w- c:\program files\Trend Micro
2009-07-06 18:08 . 2008-10-07 04:23 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-01 16:44 . 2008-05-04 03:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-01 16:44 . 2008-07-24 00:32 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-01 16:44 . 2008-07-24 00:32 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-29 04:44 . 2008-10-07 04:23 -------- d-----w- c:\program files\mkv2vob
2009-05-29 18:07 . 2007-07-02 23:29 -------- d-----w- c:\documents and settings\Jenn and Mark\Application Data\U3
2009-05-20 15:46 . 2008-07-24 00:32 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 15:32 . 2002-08-29 07:41 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2004-12-08 00:37 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 07:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2002-08-29 06:14 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-11-13 20:37 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-15 10:09 . 2009-04-11 02:12 86216 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2005-09-27 03:04 . 2005-06-02 00:55 11092 ----a-w- c:\program files\SolidWorksswxJRNL.BAK
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-20 00:51 143360 ----a-w- c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-20 00:51 143360 ----a-w- c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-20 00:51 143360 ----a-w- c:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 68856]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2008-09-21 3061248]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Gainward"="c:\program files\VDOTool\TBPanel.exe" [2007-11-01 2165272]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-01 1948440]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-25 63048]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-09 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-09-19 16844800]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-03 1630208]

c:\documents and settings\Jenn and Mark\Start Menu\Programs\Startup\
Dropbox.lnk - c:\program files\Dropbox\dropbox.exe [2008-7-3 8767575]
TVersity Media Server.lnk - c:\program files\TVersity\Media Server\web\admin\TVersity.exe [2009-5-22 1775013]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\Aspyr\\Guitar Hero III\\GH3.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"41952:TCP"= 41952:TCP:tversity ps3
"41952:UDP"= 41952:UDP:tversity

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [5/16/2006 9:04 PM 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/23/2008 5:32 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/23/2008 5:32 PM 108552]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [10/15/2006 2:09 PM 131840]
R1 IfsDrives;IfsDrives;c:\windows\system32\drivers\IfsDrives.sys [10/15/2006 2:09 PM 4608]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/23/2008 5:32 PM 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/23/2008 5:32 PM 298776]
R2 DriverX;DriverX;c:\windows\system32\drivers\driverx.sys [3/13/2006 9:57 PM 234140]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 6:46 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [10/1/2008 5:20 PM 47640]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 8:09 PM 11032]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe --> c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [?]
S3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5b.sys [11/12/2004 9:20 PM 44032]
S3 HwIOctl;HwIOctl;\??\c:\program files\Setup Files\MS-7047 v2.00\HwIOctl.sys --> c:\program files\Setup Files\MS-7047 v2.00\HwIOctl.sys [?]
S3 RTCore32;RTCore32;\??\c:\program files\RMClock\RTCore32.sys --> c:\program files\RMClock\RTCore32.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 Npenlhwdsvbs;Npenlhwdsvbs; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-07-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
- - - - ORPHANS REMOVED - - - -

Notify-avgrsstarter - avgrsstx.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.weather.ca/weather/cities/can/Pages/CABC0205.htm
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jenn and Mark\Application Data\Mozilla\Firefox\Profiles\jvzgv58v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://vancouver.en.craigslist.ca/swp/
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\K-Lite Codec Pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 20:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1177238915-261478967-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:fd,87,06,60,c5,39,c6,05,7d,40,97,0d,04,75,16,dc,e1,b2,23,32,3c,c8,ef,
ef,ee,1a,b7,83,ce,a9,4f,c8,3e,97,c5,1e,b5,bf,15,49,47,9b,01,5a,bd,76,7d,b5,\
"??"=hex:71,83,47,fc,0d,be,ac,cf,d0,fd,9a,48,e1,9a,92,33

[HKEY_USERS\S-1-5-21-1177238915-261478967-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:7a,bc,61,ee,65,0d,87,d7,da,53,e3,be,1a,90,da,62,4a,e2,ec,31,b7,
8f,fc,c5,a9,a4,af,6f,2e,41,65,6c,61,90,0e,e0,5e,dc,bc,c0,b9,ac,64,9e,55,8c,\
"rkeysecu"=hex:93,de,15,9d,2e,f0,7d,cb,af,8e,7e,7a,d0,de,b5,9d

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1077a414-9846-4c73-964a-3193e4de4bc5}]
@Denied: (Full) (Everyone)
"Model"=dword:00000072
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):7c,5d,04,9b,e5,28,6a,15,d6,a5,9b,88,f1,98,bb,21,a7,6e,ee,76,7b,
8d,a0,6e,a6,08,59,3b,bd,a3,f1,9d,d7,33,3f,3d,b0,c0,b4,22,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:af,8e,c3,3f,fb,a8,f7,8b,ab,57,d4,67,e1,2d,23,26,c7,72,eb,68,f2,
f9,27,60,d4,ac,38,4b,5a,7a,16,e2,bf,9d,e8,83,1c,71,e8,20,f7,ab,7e,c8,cd,8b,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:b0,af,1d,eb,21,aa,04,a8,b6,b0,03,71,55,ed,91,9a,87,64,d2,05,13,
df,15,01,56,ad,2d,16,48,96,f5,8c,87,a3,9d,bb,52,f2,df,e1,42,16,65,da,74,cc,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(920)
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(668)
c:\program files\Dropbox\DropboxExt.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-10 20:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-10 03:21

Pre-Run: 11,655,946,240 bytes free
Post-Run: 19,371,905,024 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut

536 --- E O F --- 2009-07-01 10:00

#8 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 09 July 2009 - 10:45 PM

Hi mpete1313,

You're very welcome. :thumbup2:


Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste each of the following file paths into the "Suspicious files to scan" box at the top of the page:
    • c:\windows\system32\KlUDffii.ini2
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
  • If Copy to Clipboard does not work, then just copy and paste the output in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 mpete1313
  • Topic Starter
  • Members
  • 9 posts

Posted 10 July 2009 - 12:46 AM

OK,

I got into the VirSCAN.org website, copied the link but the file is not present... I took a quick look in the c:\windows\system32 directory and I can't see the file either. I double checked that show hidden folders, show extensions and show system files and folders are all on...

Let me know what we should try next.

Thanks :thumbup2:

#10 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 10 July 2009 - 09:56 AM

Hi mpete1313,

I think the file is gone. We will check to make sure it is not there.


Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box
    :file
    c:\windows\system32\KlUDffii.ini2
  • Hit the Look button. Let it finish the scan
  • A log will then pop-up to your Desktop.. Post the content of the log here in your next reply


#11 mpete1313
  • Topic Starter
  • Members
  • 9 posts

Posted 10 July 2009 - 11:00 AM

Thanks again, here is the log.

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 08:58 on 10/07/2009 by Jenn and Mark (Administrator - Elevation successful)

========== file ==========

c:\windows\system32\KlUDffii.ini2 - Unable to find/read file.

-=End Of File=-

#12 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 10 July 2009 - 12:23 PM

Hi

Great! :thumbup2: That means it is gone.


You need to disable your AVG Anti-Virus Free Antivirus, Spybot and Spyware Doctor before running ComboFix, as they will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield (I'll let you know when), just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts

To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Folder:: 
C:\VundoFix Backups

Driver:: 
LMIRfsClientNP
Npenlhwdsvbs


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe.


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply



****************



Now we look for malware stragglers.

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner
    page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post even if it finds nothing.
You can refer to this animation by sundavis if needed.

Edited by SifuMike, 10 July 2009 - 12:26 PM.

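The CFScript in the post above removes a service with a machine-generated-looking name (Npenlhwdsvbs) alongside a vendor-named one, and the ComboFix logs in this thread list drivers and services as "R2 name;description;path [date size]", with " --> path [?]" when the image could not be read. The Python script below is an added example written for this page, not a tool from the thread, from ComboFix or from its author: it parses lines of that shape, flags service names with an unusually long run of consonants, and separately flags entries whose path ends in "[?]". The sample log is constructed from lines that appear in the thread; the Npenlhwdsvbs line, with its path, date and size, is invented because the thread only shows that service being deleted. The consonant-run threshold and the reading of "[?]" as "file could not be read" are assumptions.

```python
"""Triage ComboFix-style 'Drivers/Services' lines for Vundo-style artefacts.

Added example for this thread, not a tool from the original post or from
ComboFix. It reads the 'Rn name;description;path [date size]' lines ComboFix
prints and flags two things a helper looks for: service names that look
machine-generated (the CFScript above removes one, Npenlhwdsvbs) and entries
whose image file ComboFix could not read (the trailing '[?]'; treating that as
'file missing' is an assumption). The threshold is an assumption as well.
"""
import re

# Constructed sample modelled on the log in this thread. The Npenlhwdsvbs line
# is invented (its path, date and size are hypothetical); the thread only shows
# the service being deleted.
SAMPLE_LOG = r"""
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [5/16/2006 9:04 PM 11264]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [10/1/2008 5:20 PM 47640]
R2 Npenlhwdsvbs;Npenlhwdsvbs;c:\windows\system32\drivers\Npenlhwdsvbs.sys [7/5/2009 1:12 AM 32768]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe --> c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [?]
S3 RTCore32;RTCore32;\??\c:\program files\RMClock\RTCore32.sys --> c:\program files\RMClock\RTCore32.sys [?]
"""

SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$")
VOWELS = set("aeiouAEIOU")
RANDOM_RUN = 7  # assumption: seven or more consonants in a row is rare in vendor names


def longest_consonant_run(name: str) -> int:
    """Longest run of consonant letters; vowels, digits and punctuation reset it."""
    run = best = 0
    for ch in name:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(name: str) -> bool:
    """Name heuristic only; a vendor-style name can still be malicious."""
    return longest_consonant_run(name) >= RANDOM_RUN


def parse_service_line(line: str):
    """Return a dict for one 'Rn name;desc;path ...' line, or None if it is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    missing = rest.endswith("[?]")
    # With ' --> ' ComboFix repeats the resolved path; keep the right-hand side.
    path = rest.split(" --> ")[-1] if " --> " in rest else rest
    path = path.rsplit(" [", 1)[0]  # drop the '[date size]' or '[?]' suffix
    return {
        "start": m.group("start"),
        "name": m.group("name").strip(),
        "desc": m.group("desc").strip(),
        "path": path,
        "missing_image": missing,
    }


def triage(log_text: str) -> list:
    """Findings as {'name', 'reason', 'path'} dicts, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        if looks_random(entry["name"]):
            findings.append({"name": entry["name"], "reason": "random-looking name", "path": entry["path"]})
        if entry["missing_image"]:
            findings.append({"name": entry["name"], "reason": "image file not found", "path": entry["path"]})
    return findings


def flag_names(names) -> list:
    """Apply the name heuristic to bare service names, e.g. a CFScript Driver:: list."""
    return [n for n in names if looks_random(n)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']:22} {f['name']:16} {f['path']}")
    print("Driver:: names flagged:", flag_names(["LMIRfsClientNP", "Npenlhwdsvbs"]))
```

Running it prints one line per finding: Npenlhwdsvbs for its name, and TmPfw and RTCore32 because their image files could not be read (on this machine those are leftovers of uninstalled software, not an infection, which is why the "[?]" signal is reported separately). The heuristic does not flag LMIRfsClientNP, the other Driver:: entry in the script: a name with vendor-style spelling needs a different check (publisher, path, or a known-good list), which this example does not attempt. Treat the output as a triage aid, not a verdict.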

#13 mpete1313
  • Topic Starter
  • Members
  • 9 posts

Posted 11 July 2009 - 11:42 PM

Hi there,

Ok here are the logs:

thanks again! :thumbup2:

__________________

ComboFix 09-07-09.06 - Jenn and Mark 07/10/2009 10:32.2.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1406 [GMT -7:00]
Running from: c:\documents and settings\Jenn and Mark\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jenn and Mark\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LMIRFSCLIENTNP
-------\Service_LMIRfsClientNP
-------\Service_Npenlhwdsvbs


((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 )))))))))))))))))))))))))))))))
.

2009-07-09 01:28 . 2009-07-09 01:28 -------- d-----w- c:\program files\Safer Networking
2009-07-06 19:00 . 2009-07-06 19:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-06 18:11 . 2009-07-06 18:10 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-07-06 18:10 . 2009-07-06 18:55 -------- d-----w- c:\documents and settings\Administrator\.housecall6.6
2009-07-06 18:10 . 2009-07-06 18:55 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-06 17:45 . 2009-07-06 17:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2009-07-06 17:45 . 2009-03-24 21:43 43008 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\49wwov78.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
2009-07-06 17:45 . 2009-03-24 21:43 43008 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\49wwov78.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-07-06 17:45 . 2009-03-24 21:43 235520 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\49wwov78.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff2.dll
2009-07-06 17:45 . 2009-03-24 21:43 338432 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\49wwov78.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-07-06 17:45 . 2009-03-24 21:42 235008 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\49wwov78.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff3.dll
2009-07-06 17:45 . 2009-03-24 21:42 345088 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\49wwov78.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-07-06 17:44 . 2009-07-06 17:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2009-07-06 17:44 . 2009-07-06 17:44 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-07-06 17:00 . 2009-07-09 23:54 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-06 17:00 . 2009-07-06 17:00 152576 ----a-w- c:\documents and settings\Jenn and Mark\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-07-06 16:44 . 2009-07-06 16:44 -------- d-----w- c:\documents and settings\Jenn and Mark\Application Data\Malwarebytes
2009-07-06 16:44 . 2009-07-06 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-06 16:44 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-06 16:44 . 2009-07-06 16:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-06 16:44 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-06 04:08 . 2009-07-06 04:08 -------- d-----w- c:\windows\ERUNT
2009-07-06 04:07 . 2009-07-06 04:43 -------- d-----w- C:\SDFix
2009-07-05 21:06 . 2009-07-05 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-07-05 21:05 . 2009-07-08 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-07-05 21:05 . 2009-07-05 21:05 -------- d-----w- c:\program files\Common Files\iS3
2009-07-01 04:44 . 2009-07-01 04:44 -------- d-----w- C:\avifix
2009-06-24 23:53 . 2009-06-24 23:53 48640 ----a-w- C:\dse.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-10 17:38 . 2008-07-08 00:19 -------- d-----w- c:\documents and settings\Jenn and Mark\Application Data\Dropbox
2009-07-10 17:38 . 2007-01-23 01:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-10 14:58 . 2008-10-02 00:20 -------- d-----w- c:\program files\LogMeIn
2009-07-10 04:53 . 2008-10-07 04:23 -------- d-----w- c:\program files\mkv2vob
2009-07-10 02:52 . 2009-04-23 16:39 95744 ----a-w- c:\documents and settings\All Users\Application Data\SpeedBit\DAP\Updates\Condition.dll
2009-07-09 23:57 . 2005-08-11 03:15 -------- d-----w- c:\program files\Java
2009-07-09 04:40 . 2006-04-28 01:53 -------- d-----w- c:\documents and settings\Jenn and Mark\Application Data\uTorrent
2009-07-09 03:16 . 2005-02-06 06:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-09 01:32 . 2005-02-06 06:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-06 20:41 . 2008-08-02 03:45 -------- d-----w- c:\program files\TVersity Codec Pack
2009-07-06 20:41 . 2007-01-17 04:11 -------- d-----w- c:\program files\ffdshow
2009-07-06 19:21 . 2004-11-13 04:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-06 19:20 . 2008-06-18 00:59 2124 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-07-06 19:10 . 2008-04-11 04:10 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2009-07-06 18:50 . 2005-07-06 02:54 -------- d-----w- c:\program files\Trend Micro
2009-07-06 18:08 . 2008-10-07 04:23 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-01 16:44 . 2008-05-04 03:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-01 16:44 . 2008-07-24 00:32 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-01 16:44 . 2008-07-24 00:32 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-29 18:07 . 2007-07-02 23:29 -------- d-----w- c:\documents and settings\Jenn and Mark\Application Data\U3
2009-05-20 15:46 . 2008-07-24 00:32 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 15:32 . 2002-08-29 07:41 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2004-12-08 00:37 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 07:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2002-08-29 06:14 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-11-13 20:37 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-15 10:09 . 2009-04-11 02:12 86216 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2005-09-27 03:04 . 2005-06-02 00:55 11092 ----a-w- c:\program files\SolidWorksswxJRNL.BAK
.

((((((((((((((((((((((((((((( SnapShot@2009-07-10_03.18.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-10 17:38 . 2009-07-10 17:38 16384 c:\windows\Temp\Perflib_Perfdata_824.dat
+ 2009-07-10 17:38 . 2009-07-10 17:38 16384 c:\windows\Temp\Perflib_Perfdata_5a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-20 00:51 143360 ----a-w- c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-20 00:51 143360 ----a-w- c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-06-20 00:51 143360 ----a-w- c:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 68856]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2008-09-21 3061248]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Gainward"="c:\program files\VDOTool\TBPanel.exe" [2007-11-01 2165272]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-01 1948440]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-25 63048]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-09 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-09-19 16844800]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-03 1630208]

c:\documents and settings\Jenn and Mark\Start Menu\Programs\Startup\
Dropbox.lnk - c:\program files\Dropbox\dropbox.exe [2008-7-3 8767575]
TVersity Media Server.lnk - c:\program files\TVersity\Media Server\web\admin\TVersity.exe [2009-5-22 1775013]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
avgrsstx.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\Aspyr\\Guitar Hero III\\GH3.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"41952:TCP"= 41952:TCP:tversity ps3
"41952:UDP"= 41952:UDP:tversity

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [5/16/2006 9:04 PM 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/23/2008 5:32 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/23/2008 5:32 PM 108552]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [10/15/2006 2:09 PM 131840]
R1 IfsDrives;IfsDrives;c:\windows\system32\drivers\IfsDrives.sys [10/15/2006 2:09 PM 4608]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/23/2008 5:32 PM 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/23/2008 5:32 PM 298776]
R2 DriverX;DriverX;c:\windows\system32\drivers\driverx.sys [3/13/2006 9:57 PM 234140]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 6:46 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [10/1/2008 5:20 PM 47640]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 8:09 PM 11032]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe --> c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [?]
S3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5b.sys [11/12/2004 9:20 PM 44032]
S3 HwIOctl;HwIOctl;\??\c:\program files\Setup Files\MS-7047 v2.00\HwIOctl.sys --> c:\program files\Setup Files\MS-7047 v2.00\HwIOctl.sys [?]
S3 RTCore32;RTCore32;\??\c:\program files\RMClock\RTCore32.sys --> c:\program files\RMClock\RTCore32.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.weather.ca/weather/cities/can/Pages/CABC0205.htm
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jenn and Mark\Application Data\Mozilla\Firefox\Profiles\jvzgv58v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://vancouver.en.craigslist.ca/swp/
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\K-Lite Codec Pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-10 10:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1177238915-261478967-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:fd,87,06,60,c5,39,c6,05,7d,40,97,0d,04,75,16,dc,e1,b2,23,32,3c,c8,ef,
ef,ee,1a,b7,83,ce,a9,4f,c8,3e,97,c5,1e,b5,bf,15,49,47,9b,01,5a,bd,76,7d,b5,\
"??"=hex:71,83,47,fc,0d,be,ac,cf,d0,fd,9a,48,e1,9a,92,33

[HKEY_USERS\S-1-5-21-1177238915-261478967-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:7a,bc,61,ee,65,0d,87,d7,da,53,e3,be,1a,90,da,62,4a,e2,ec,31,b7,
8f,fc,c5,a9,a4,af,6f,2e,41,65,6c,61,90,0e,e0,5e,dc,bc,c0,b9,ac,64,9e,55,8c,\
"rkeysecu"=hex:93,de,15,9d,2e,f0,7d,cb,af,8e,7e,7a,d0,de,b5,9d

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1077a414-9846-4c73-964a-3193e4de4bc5}]
@Denied: (Full) (Everyone)
"Model"=dword:00000072
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):7c,5d,04,9b,e5,28,6a,15,d6,a5,9b,88,f1,98,bb,21,a7,6e,ee,76,7b,
8d,a0,6e,a6,08,59,3b,bd,a3,f1,9d,d7,33,3f,3d,b0,c0,b4,22,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:af,8e,c3,3f,fb,a8,f7,8b,ab,57,d4,67,e1,2d,23,26,c7,72,eb,68,f2,
f9,27,60,d4,ac,38,4b,5a,7a,16,e2,bf,9d,e8,83,1c,71,e8,20,f7,ab,7e,c8,cd,8b,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:b0,af,1d,eb,21,aa,04,a8,b6,b0,03,71,55,ed,91,9a,87,64,d2,05,13,
df,15,01,56,ad,2d,16,48,96,f5,8c,87,a3,9d,bb,52,f2,df,e1,42,16,65,da,74,cc,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3916)
c:\program files\Dropbox\DropboxExt.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\windows\system32\rundll32.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-10 10:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-10 17:44
ComboFix2.txt 2009-07-10 03:21

Pre-Run: 14,411,386,880 bytes free
Post-Run: 14,390,718,464 bytes free

315 --- E O F --- 2009-07-01 10:00

_____________________

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, July 11, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, July 11, 2009 07:37:08
Records in database: 2459421
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 94482
Threat name: 17
Infected objects: 32
Suspicious objects: 3
Duration of the scan: 02:26:23


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\01305DDE Infected: Trojan.Win32.Dialer.u 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\03B72E10.exe Infected: Worm.Win32.VB.an 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\03E97718 Infected: not-a-virus:AdWare.Win32.WinAD.z 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\11133324 Infected: Trojan-Clicker.Win32.Agent.bt 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\228905BD.exe Infected: Backdoor.Win32.Rbot.gen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\28F07643 Infected: Backdoor.Win32.IRCBot.gen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2CB26BFF.exe Infected: Virus.Win32.Tenga.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\36877A54 Infected: Trojan-Downloader.BAT.Ftp.z 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3A476ED7 Infected: Backdoor.Win32.Rbot.c 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3DD5501C.EXE Infected: Backdoor.Win32.Rbot.gen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\44D4090B Infected: Trojan-Clicker.Win32.Agent.bt 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4BAE7848 Infected: Backdoor.Win32.Rbot.c 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\536160C7.exe Infected: Worm.Win32.Fujack.bh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5BBE7BD5 Infected: Trojan.Win32.LowZones.g 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5CED7187.old Infected: Backdoor.Win32.Rbot.c 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5CED7187.q_8048001_q Infected: Backdoor.Win32.IRCBot.gen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5CED7187.q_8049401_q Infected: Backdoor.Win32.Rbot.c 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5DD27B28.tmp Infected: Worm.Win32.VB.an 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\65FA2AB8.exe Infected: Backdoor.Win32.Robobot.al 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\771C595B.exe Infected: Worm.Win32.VB.an 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\77292C9D.exe Infected: Backdoor.Win32.Gobot.s 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79A025DF Infected: Backdoor.Win32.Rbot.c 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79C373B8 Infected: not-a-virus:AdWare.Win32.WinAD.z 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7AE16743.exe Infected: Trojan-Downloader.Win32.Delf.bm 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7AF80D2A.exe Infected: Trojan-Downloader.Win32.Delf.bm 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7B0F3311.exe Infected: Trojan-Downloader.Win32.Delf.bm 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7B2558F8.exe Infected: Trojan-Downloader.Win32.Delf.bm 1
C:\Documents and Settings\Jenn and Mark\My Documents\NETSTUFF\download apps\eDonkey57.exe Infected: not-a-virus:AdWare.Win32.Gator.1050 1
C:\Documents and Settings\Jenn and Mark\My Documents\NETSTUFF\mp3 utils\mp3\mpegjo11.zip Suspicious: Password-protected-EXE 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruiewmxtuwh.dll.vir Infected: Trojan.Win32.Monder.cqbi 1
C:\System Volume Information\_restore{5A859977-BA1F-4506-8323-E78AC5AAC4E4}\RP1365\A0274018.dll Infected: Trojan.Win32.Monder.cqbi 1
E:\backup\My Documents 06_22_08.rar Infected: not-a-virus:AdWare.Win32.Gator.1050 1
E:\backup\My Documents 06_22_08.rar Suspicious: Password-protected-EXE 1
E:\backup\My Documents 11_25_07.rar Infected: not-a-virus:AdWare.Win32.Gator.1050 1
E:\backup\My Documents 11_25_07.rar Suspicious: Password-protected-EXE 1

The selected area was scanned.

#14 SifuMike
malware expert, Staff Emeritus, 15,385 posts
Location: Vancouver (not BC) WA (Not DC) USA

Posted 12 July 2009 - 11:59 AM

Hi mpete1313,

Please close the Firefox and Internet Explorer browsers before running OTM.

Please download OTM by OldTimer and save it to your desktop.
Double click the icon on your desktop to run it.
(Note: If you are running on Vista, right-click on the file and choose Run As Administrator).


Copy the lines in the code box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Do not include the word "Code".


:files
C:\Documents and Settings\Jenn and Mark\My Documents\NETSTUFF\download apps\eDonkey57.exe 
:commands
[emptytemp]
[Reboot]


Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
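The OTM script above does two things: move one named file out of the user's profile and empty the temp folders, with a reboot if the move cannot complete because the file is in use. The Python below is an added example of that first step written the way a responder would want it for evidence handling; it is not OTM's code and nothing in the thread says OTM works this way. It hashes the file before moving it, renames the quarantined copy so it cannot be launched by accident, appends a manifest line, and reports a locked file as deferred instead of failing silently. The file and folders it operates on are constructed in a temporary directory; the names echoing eDonkey57.exe and MovedFiles are stand-ins, not the real paths.

```python
"""Quarantine a flagged file with a recorded hash and a manifest.

Added example modelled on the OTM ':files' step in the post above; not OTM's
implementation.  All paths below are constructed in a temp dir for the demo.
"""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(target: Path, store: Path) -> dict:
    """Move `target` into `store` and log it.

    status is 'moved', 'missing' (nothing at that path), or 'locked' (the OS
    refused the move, the case OTM handles by rescheduling it for the next boot).
    """
    if not target.is_file():
        return {"status": "missing", "path": str(target)}
    store.mkdir(parents=True, exist_ok=True)
    digest = sha256_of(target)          # record identity before the file moves
    # Keep the original name for reference, add part of the hash so two files
    # with the same name do not collide, and a .vir suffix so nothing executes it.
    dest = store / f"{target.name}.{digest[:12]}.vir"
    try:
        shutil.move(str(target), str(dest))
    except PermissionError:
        # Typical on Windows when a running process holds the file open.
        return {"status": "locked", "path": str(target), "sha256": digest}
    with (store / "manifest.txt").open("a", encoding="utf-8") as m:
        m.write(f"{time.strftime('%Y-%m-%d %H:%M:%S')}\t{digest}\t{target}\t{dest}\n")
    return {"status": "moved", "path": str(target), "sha256": digest, "dest": str(dest)}


def demo() -> dict:
    """Build a throwaway 'suspicious' file and quarantine it; returns what happened."""
    root = Path(tempfile.mkdtemp(prefix="quarantine_demo_"))
    store = root / "_Quarantine" / "MovedFiles"          # stand-in for OTM's folder
    victim = root / "download apps" / "eDonkey57.exe"    # constructed stand-in file
    victim.parent.mkdir()
    victim.write_bytes(b"MZ" + b"\x00" * 62)             # fake header, not a real PE
    result = quarantine(victim, store)
    result["source_gone"] = not victim.exists()
    result["dest_exists"] = Path(result["dest"]).exists()
    result["manifest_lines"] = (store / "manifest.txt").read_text().count("\n")
    result["missing_status"] = quarantine(root / "nope.exe", store)["status"]
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The hash-then-move order matters: once the file is in the store and renamed, the digest in the manifest is the only thing tying it back to the original path and to any later sample lookup.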

#15 mpete1313 (Topic Starter)
Members, 9 posts

Posted 12 July 2009 - 06:53 PM

Ok done,

here is the OTM log....

________________

All processes killed
========== FILES ==========
C:\Documents and Settings\Jenn and Mark\My Documents\NETSTUFF\download apps\eDonkey57.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 29980346 bytes
->FireFox cache emptied: 55554860 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Jenn and Mark
->Temp folder emptied: 78485774 bytes
->Temporary Internet Files folder emptied: 5123536 bytes
->Java cache emptied: 57471328 bytes
->FireFox cache emptied: 60073327 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 98438 bytes

User: LogMeInRemoteUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\msdownld.tmp folder deleted successfully.
%systemroot% .tmp files removed: 1138887 bytes
%systemroot%\System32 .tmp files removed: 6688273 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 281.00 mb


OTM by OldTimer - Version 3.0.0.4 log created on 07122009_164805

Files moved on Reboot...

Registry entries deleted on Reboot...
