Infected with rootkit / UACd.sys


9 replies to this topic

#1 Uncle Marvo


Posted 10 July 2009 - 11:20 AM

I got infected a couple of nights ago by a trojan. One of the effects was the installation of a rogue "System Security" process. I believe I have successfully uninstalled this. However, running the Microsoft RootkitRevealer has indicated that a rootkit is also present and I would like some help to clean up my computer.

I have tried to install and run Malwarebytes, but the mbam-setup.exe file does not want to run. It shows up in the list of processes under Task Manager but doesn't do anything and just goes away after 5 minutes.

Here is an excerpt from the RootkitRevealer output:

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 7/10/2009 10:22 AM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\VSDOTNET\MSSQLServer\uptime_time_utc 7/10/2009 10:24 AM 8 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\UAC 7/10/2009 9:39 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\UACd.sys 7/10/2009 9:34 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\Dhcp\Parameters\{714E74C9-87AD-403A-A34B-440390D75437} 7/10/2009 10:29 AM 96 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{714E74C9-87AD-403A-A34B-440390D75437}\LeaseObtainedTime 7/10/2009 10:29 AM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{714E74C9-87AD-403A-A34B-440390D75437}\T1 7/10/2009 10:29 AM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{714E74C9-87AD-403A-A34B-440390D75437}\T2 7/10/2009 10:29 AM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{714E74C9-87AD-403A-A34B-440390D75437}\LeaseTerminatesTime 7/10/2009 10:29 AM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{714E74C9-87AD-403A-A34B-440390D75437}\DhcpRetryTime 7/10/2009 10:29 AM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Services\UACd.sys 7/10/2009 9:34 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\{714E74C9-87AD-403A-A34B-440390D75437}\Parameters\Tcpip\LeaseObtainedTime 7/10/2009 10:29 AM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Services\{714E74C9-87AD-403A-A34B-440390D75437}\Parameters\Tcpip\T1 7/10/2009 10:29 AM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Services\{714E74C9-87AD-403A-A34B-440390D75437}\Parameters\Tcpip\T2 7/10/2009 10:29 AM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Services\{714E74C9-87AD-403A-A34B-440390D75437}\Parameters\Tcpip\LeaseTerminatesTime 7/10/2009 10:29 AM 4 bytes Data mismatch between Windows API and raw hive data.
C: 0 bytes Error mounting volume


As per instruction, I have also run the DDS.scr script and am attaching the output here:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Uncle Marvo at 11:55:29.20 on 10/07/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2523 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VSDOTNET\Binn\sqlservr.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Documents and Settings\Uncle Marvo\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell.ca/myway
uDefault_Page_URL = hxxp://www.dell.ca/myway
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html?p=DC
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 213.185.116.152:8080
uURLSearchHooks: H - No File
uWindows: load=c:\windows\system32\msdaj.exe
uWindows: run=c:\windows\system32\mssebq.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - No File
BHO: {500BCA15-57A7-4eaf-8143-8C619470B13D} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Steam] c:\games\valve\steam\\Steam.exe -silent
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
mRun: [DLBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBTtime.dll,_RunDLLEntry@16
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Dell Photo AIO Printer 922] "c:\program files\dell photo aio printer 922\dlbtbmgr.exe"
mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe" -lang 1033 -noicon
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mExplorerRun: [exec] c:\windows\system32\mswwpcj.exe
StartupFolder: c:\docume~1\unclem~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - hxxps://conference.oracle.com/imtapp/res/jar/cnsload.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121225335152
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://192.168.1.150/xplugLite.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DB1B4C3B-8690-43B2-9045-91EDA7A12580} - hxxp://65.243.46.85/iw/ewebeditpro20/ewebeditpro4.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {DE3135A8-D948-49DC-ABBC-B2EFF418E5FD} - hxxp://www.iradiopop.com/IRD/pages/AIRJ01FPlayer.CAB
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://freetrial.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://vendor.mohegansun.com/dana-cached/setup/JuniperSetupSP1.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\pkmcdo.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\unclem~1\applic~1\mozilla\firefox\profiles\653cout2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-28 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-28 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-28 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-28 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-28 298776]
R2 MSSQL$VSDOTNET;MSSQL$VSDOTNET;c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlservr.exe -svsdotnet --> c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlservr.exe -sVSDOTNET [?]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]
S3 AHCSFJXZ;AHCSFJXZ;c:\docume~1\uncelm~1\locals~1\temp\AHCSFJXZ.exe [2009-7-10 412544]
S3 BTDataTransport;BTDataTransport;c:\program files\capton\btdatatransportservice\BTDataTransportService.exe [2008-4-12 45056]
S3 BTFileMonitor;BTFileMonitor;c:\program files\capton\btmonitor\BTFileMonitor.exe [2007-2-28 36864]
S3 BTRemoteListener;BTRemoteListener;c:\program files\capton\btremotelistener\BTRemoteListener.exe [2008-4-12 40960]
S3 BTRxMonitor;BTRxMonitor;c:\program files\capton\btmonitor\BTRxMonitor.exe [2007-2-28 32768]
S3 DocteurDirectSynch;DocteurDirectSynch;c:\program files\docteurdirect.com\docteurdirect offline access\OfflineAccess.Client.Service.exe [2007-12-20 32768]
S3 KProcWatch;KProcWatch;c:\windows\system32\drivers\KProcWatch.sys [2009-7-10 8576]
S3 pcmstub;pcmstub;\??\c:\windows\system32\pcmstub.sys --> c:\windows\system32\pcmstub.sys [?]
S3 SQLAgent$VSDOTNET;SQLAgent$VSDOTNET;c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlagent.exe -i vsdotnet --> c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlagent.EXE -i VSDOTNET [?]
S4 BTRemoteFileMonitor;BTRemoteFileMonitor;c:\program files\capton\btremotefilemonitor\BTFileMonitor.exe [2007-1-22 32768]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
S4 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\smith micro\stuffit 2009\ArcNameService.exe [2008-12-19 199000]
UnknownUnknown dsload;dsload; [x]

=============== Created Last 30 ================

2009-07-10 10:17 8,576 a------- c:\windows\system32\drivers\KProcWatch.sys
2009-07-10 10:17 <DIR> --d----- c:\program files\HiddenFinder
2009-07-10 10:17 <DIR> --d----- c:\program files\common files\ynshare
2009-07-09 19:43 180,592 a------- C:\R126083.EXE
2009-07-09 19:43 349,296 a------- C:\R99740.exe
2009-07-09 19:43 18,075,752 a------- C:\R99738.EXE
2009-07-09 00:17 62,496 a------- c:\windows\system32\MSWINSCK.OCX
2009-07-09 00:17 <DIR> --d----- c:\docume~1\unclem~1\applic~1\Messenger
2009-06-30 23:55 <DIR> --d----- c:\program files\iTunes
2009-06-30 23:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-30 23:54 <DIR> --d----- c:\program files\Bonjour
2009-06-30 23:50 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-30 23:50 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-06-30 23:43 5,632 a------- c:\windows\system32\ptpusb.dll
2009-06-30 23:43 159,232 a------- c:\windows\system32\ptpusd.dll
2009-06-10 12:34 268,288 -c------ c:\windows\system32\dllcache\httpext.dll

==================== Find3M ====================

2009-07-09 00:38 4 ----h--- c:\windows\fonts\mlog
2009-06-29 09:51 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-29 09:51 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-21 09:59 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-20 14:56 229,376 a------- c:\windows\system32\DSPlayer.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-07-30 11:10 60,744 a------- c:\documents and settings\uncle marvo\g2mdlhlpx.exe
2008-04-11 08:51 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-12-21 14:12 1,719,336 a------- c:\docume~1\alluse~1\applic~1\YugmaSE-Uninstaller.exe
2006-05-03 05:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 06:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-10-16 14:39 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101620081017\index.dat

============= FINISH: 11:58:21.17 ===============

Finally, I am also attaching a zipped version of the attach.txt file.

Many thanks in advance for your help!
Marvo
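As an added example (not code from the thread, the helpers, or the RootkitRevealer tool), the following Python script triages RootkitRevealer discrepancy lines like the excerpt in the post above: it parses each line, puts "Hidden from Windows API" entries under a Services key at the top (a driver registration present in the raw hive but invisible through the API, as with UACd.sys here), and down-ranks "Data mismatch" hits on values that legitimately change between the tool's API pass and raw-hive pass. The severity rules are my own assumptions, and the sample report is constructed: most lines mirror the excerpt, the "Example\Vendor\StaticSetting" line is made up to show a non-volatile mismatch.

```python
"""Triage RootkitRevealer discrepancy lines.

Added example, not code from the thread or from the RootkitRevealer tool.
The severity rules below are my own responder's assumptions; the sample
report is constructed (most lines mirror the excerpt in the post, the
"Example\\Vendor\\StaticSetting" line is made up to show a non-volatile mismatch).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# <path> [<m/d/yyyy h:mm AM|PM>] <size> bytes <description>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+)?"
    r"(?P<size>[\d,]+) bytes\s+(?P<desc>.+?)\s*$"
)
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)", re.IGNORECASE)

# Values that legitimately change between RootkitRevealer's Windows API pass and
# its raw-hive pass (RNG seed, DHCP lease timers, SQL Server uptime counters), so
# a "Data mismatch" on them is expected noise rather than evidence of hiding.
VOLATILE_HINTS = (
    "\\Cryptography\\RNG\\Seed",
    "\\Services\\Dhcp\\Parameters\\{",
    "\\Tcpip\\Parameters\\Interfaces\\{",
    "\\Parameters\\Tcpip\\",
    "uptime_time_utc",
)


@dataclass
class Finding:
    path: str
    timestamp: Optional[str]
    size: str
    desc: str
    severity: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Split one report line into path / timestamp / size / description."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(path: str, desc: str) -> tuple:
    """Rate a discrepancy. A hidden Services key is the classic self-hiding
    rootkit pattern (the driver's registration exists in the hive but the API
    cannot see it), so it goes to the top of the list."""
    d = desc.lower()
    if d.startswith("hidden from windows api"):
        svc = SERVICE_RE.search(path)
        if svc:
            return "high", f"service/driver registration hidden from the API: {svc.group(1)}"
        return "medium", "registry key hidden from the API; inspect offline"
    if d.startswith("data mismatch"):
        if any(h.lower() in path.lower() for h in VOLATILE_HINTS):
            return "low", "volatile value; expected to differ between scan passes"
        return "medium", "non-volatile value differs between API and raw hive; inspect"
    if "error mounting volume" in d:
        return "warn", "raw file-system scan did not run for this volume; file results incomplete"
    return "info", "unrecognised discrepancy type"


def triage(report: str) -> dict:
    """Parse and rate every line; summarise what a responder should look at first."""
    findings = []
    for line in report.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sev, why = classify(rec["path"], rec["desc"])
        findings.append(Finding(rec["path"], rec["ts"], rec["size"], rec["desc"], sev, why))
    # Hidden service names, de-duplicated across ControlSet001/ControlSet003 copies.
    hidden_services = {
        SERVICE_RE.search(f.path).group(1) for f in findings if f.severity == "high"
    }
    return {
        "findings": findings,
        "by_severity": Counter(f.severity for f in findings),
        "hidden_services": hidden_services,
        "filesystem_scan_complete": not any(f.severity == "warn" for f in findings),
    }


# Constructed sample: lines modelled on the RootkitRevealer excerpt in the post.
SAMPLE_REPORT = r"""
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 7/10/2009 10:22 AM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\UAC 7/10/2009 9:39 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\UACd.sys 7/10/2009 9:34 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\UACd.sys 7/10/2009 9:34 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{714E74C9-87AD-403A-A34B-440390D75437}\T1 7/10/2009 10:29 AM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Example\Vendor\StaticSetting 7/10/2009 10:30 AM 16 bytes Data mismatch between Windows API and raw hive data.
C: 0 bytes Error mounting volume
"""

if __name__ == "__main__":
    order = ["high", "medium", "warn", "low", "info"]
    result = triage(SAMPLE_REPORT)
    for f in sorted(result["findings"], key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.path}\n         {f.reason}")
    print("hidden services:", sorted(result["hidden_services"]))
    print("file-system scan complete:", result["filesystem_scan_complete"])
```

The "Error mounting volume" line matters for the excerpt above too: it means the file-system half of the scan never ran on C:, so the absence of hidden-file findings says nothing.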


#2 random/random (Malware Response Team)

Posted 13 July 2009 - 12:43 PM

We'll begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the combofix log and a new HijackThis log as a reply to this topic.

#3 Uncle Marvo (Topic Starter)

Posted 13 July 2009 - 03:17 PM

First, thank you very much for taking the time to help. It is much appreciated.

I downloaded ComboFix as instructed and saved it to the desktop. I am running AVG Free 8.5, so I disabled Resident Shield as well as Windows Firewall, but I could not stop the built-in AVG Anti-Spyware component. So I tried running ComboFix anyway and nothing happened. Well, more precisely, the process shows up in Task Manager, but it sits idle for about 5 minutes, does not eat up any CPU and then just disappears.

I then tried killing some of the avg services and processes in case that was the conflict. When I disabled and stopped AVG Watchdog, a bunch of ad-based IE windows started popping up (I use Firefox, not IE), so I closed them, and then tried running ComboFix again. Alas, same result: nothing happens beyond what I described above.

I should also point out that I have noticed that any search in Google redirects me to other sites.

Finally, I have run DDS.scr again and the results are below. Please indicate if I need to run HJT instead of DDS.scr (I do not have HJT installed on my system).



DDS (Ver_09-06-26.01) - NTFSx86
Run by Uncle Marvo at 16:04:59.20 on 13/07/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2536 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VSDOTNET\Binn\sqlservr.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Uncle Marvo\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell.ca/myway
uDefault_Page_URL = hxxp://www.dell.ca/myway
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html?p=DC
uInternet Settings,ProxyServer = 213.185.116.152:8080
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uWindows: load=c:\windows\system32\msdaj.exe
uWindows: run=c:\windows\system32\mssebq.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - No File
BHO: {500BCA15-57A7-4eaf-8143-8C619470B13D} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Steam] c:\games\valve\steam\\Steam.exe -silent
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
mRun: [DLBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBTtime.dll,_RunDLLEntry@16
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Dell Photo AIO Printer 922] "c:\program files\dell photo aio printer 922\dlbtbmgr.exe"
mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe" -lang 1033 -noicon
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mExplorerRun: [exec] c:\windows\system32\mswwpcj.exe
StartupFolder: c:\docume~1\unclem~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - hxxps://conference.oracle.com/imtapp/res/jar/cnsload.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121225335152
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://192.168.1.150/xplugLite.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DB1B4C3B-8690-43B2-9045-91EDA7A12580} - hxxp://65.243.46.85/iw/ewebeditpro20/ewebeditpro4.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {DE3135A8-D948-49DC-ABBC-B2EFF418E5FD} - hxxp://www.iradiopop.com/IRD/pages/AIRJ01FPlayer.CAB
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://freetrial.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://vendor.mohegansun.com/dana-cached/setup/JuniperSetupSP1.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\pkmcdo.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\unclem~1\applic~1\mozilla\firefox\profiles\653cout2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-28 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-28 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-28 108552]
R2 MSSQL$VSDOTNET;MSSQL$VSDOTNET;c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlservr.exe -svsdotnet --> c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlservr.exe -sVSDOTNET [?]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]
S3 AHCSFJXZ;AHCSFJXZ;c:\docume~1\unclem~1\locals~1\temp\AHCSFJXZ.exe [2009-7-10 412544]
S3 BTDataTransport;BTDataTransport;c:\program files\capton\btdatatransportservice\BTDataTransportService.exe [2008-4-12 45056]
S3 BTFileMonitor;BTFileMonitor;c:\program files\capton\btmonitor\BTFileMonitor.exe [2007-2-28 36864]
S3 BTRemoteListener;BTRemoteListener;c:\program files\capton\btremotelistener\BTRemoteListener.exe [2008-4-12 40960]
S3 BTRxMonitor;BTRxMonitor;c:\program files\capton\btmonitor\BTRxMonitor.exe [2007-2-28 32768]
S3 DocteurDirectSynch;DocteurDirectSynch;c:\program files\docteurdirect.com\docteurdirect offline access\OfflineAccess.Client.Service.exe [2007-12-20 32768]
S3 KProcWatch;KProcWatch;c:\windows\system32\drivers\KProcWatch.sys [2009-7-10 8576]
S3 pcmstub;pcmstub;\??\c:\windows\system32\pcmstub.sys --> c:\windows\system32\pcmstub.sys [?]
S3 SQLAgent$VSDOTNET;SQLAgent$VSDOTNET;c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlagent.exe -i vsdotnet --> c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlagent.EXE -i VSDOTNET [?]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-28 906520]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-28 298776]
S4 BTRemoteFileMonitor;BTRemoteFileMonitor;c:\program files\capton\btremotefilemonitor\BTFileMonitor.exe [2007-1-22 32768]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
S4 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\smith micro\stuffit 2009\ArcNameService.exe [2008-12-19 199000]
UnknownUnknown dsload;dsload; [x]

=============== Created Last 30 ================

2009-07-10 10:17 8,576 a------- c:\windows\system32\drivers\KProcWatch.sys
2009-07-10 10:17 <DIR> --d----- c:\program files\HiddenFinder
2009-07-10 10:17 <DIR> --d----- c:\program files\common files\ynshare
2009-07-09 19:43 180,592 a------- C:\R126083.EXE
2009-07-09 19:43 349,296 a------- C:\R99740.exe
2009-07-09 19:43 18,075,752 a------- C:\R99738.EXE
2009-07-09 00:17 62,496 a------- c:\windows\system32\MSWINSCK.OCX
2009-07-09 00:17 <DIR> --d----- c:\docume~1\unclem~1\applic~1\Messenger
2009-06-30 23:55 <DIR> --d----- c:\program files\iTunes
2009-06-30 23:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-30 23:54 <DIR> --d----- c:\program files\Bonjour
2009-06-30 23:50 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-30 23:50 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-06-30 23:43 5,632 a------- c:\windows\system32\ptpusb.dll
2009-06-30 23:43 159,232 a------- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2009-07-09 00:38 4 ----h--- c:\windows\fonts\mlog
2009-06-29 09:51 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-29 09:51 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-21 09:59 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-20 14:56 229,376 a------- c:\windows\system32\DSPlayer.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-07-30 11:10 60,744 a------- c:\documents and settings\uncle marvo\g2mdlhlpx.exe
2008-04-11 08:51 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-12-21 14:12 1,719,336 a------- c:\docume~1\alluse~1\applic~1\YugmaSE-Uninstaller.exe
2006-05-03 05:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 06:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-10-16 14:39 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101620081017\index.dat

============= FINISH: 16:06:51.89 ===============


Again, thanks for your help!
Uncle Marvo

#4 random/random
Malware Response Team, 2,704 posts, Gender: Male

Posted 13 July 2009 - 05:39 PM

Rename combofix.exe to random.exe, and attempt to run it again.

If that doesn't work, there are still several other options for removal of this rootkit.

#5 Uncle Marvo (Topic Starter)
Members, 5 posts

Posted 13 July 2009 - 09:12 PM

Ok, renamed ComboFix.exe to random.exe and tried to run it again. This time, success.

Here are the contents of the ComboFix log, followed by the DDS results:


ComboFix 09-07-13.01 - Uncle Marvo 13/07/2009 21:24.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2741 [GMT -4:00]
Running from: c:\documents and settings\Uncle Marvo\Desktop\random.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\92235456.ini
c:\windows\Install.txt
c:\windows\Installer\7e4e3.msi
c:\windows\Installer\84e6b.msp
c:\windows\Installer\9331166.msp
c:\windows\Installer\a7ef7.msp
c:\windows\Installer\b1517.msp
c:\windows\Installer\WMEncoder.msi
c:\windows\system\oeminfo.ini
c:\windows\system32\Cache
c:\windows\system32\certstore.dat
c:\windows\system32\Data
c:\windows\system32\drivers\UAChvkejbdhmvshrkfse.sys
c:\windows\system32\UACbfcsiexibwikjwdce.dll
c:\windows\system32\UACbvwswootlwtqdhcci.dll
c:\windows\system32\UACfaxbymibocydkprww.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UAClycvgoqchumhhwbgk.db
c:\windows\system32\UACmsfbsqhslnhokbqtc.dll
c:\windows\system32\UACoyhrbufhxqfdgmlfd.dll
c:\windows\system32\UACqpjootbefgqikocnc.dat
c:\windows\system32\uactmp.db
c:\windows\system32\wiawow32.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_6TO4
-------\Legacy_MSNCACHE
-------\Legacy_PCMSTUB
-------\Legacy_SOPIDKC
-------\Service_6to4
-------\Service_pcmstub


((((((((((((((((((((((((( Files Created from 2009-06-14 to 2009-07-14 )))))))))))))))))))))))))))))))
.

2009-07-10 14:57 . 2009-07-10 14:57 -------- d-----w- c:\program files\ERUNT
2009-07-10 14:17 . 2009-07-10 14:17 -------- d-----w- c:\program files\HiddenFinder
2009-07-10 14:17 . 2009-07-10 14:17 -------- d-----w- c:\program files\Common Files\ynshare
2009-07-10 14:17 . 2006-02-24 02:03 8576 ----a-w- c:\windows\system32\drivers\KProcWatch.sys
2009-07-09 23:43 . 2009-07-09 23:43 180592 ----a-w- C:\R126083.EXE
2009-07-09 23:43 . 2009-07-09 23:43 349296 ----a-w- C:\R99740.exe
2009-07-09 23:43 . 2009-07-09 23:43 18075752 ----a-w- C:\R99738.EXE
2009-07-09 11:38 . 2008-12-04 05:25 120832 ----a-w- c:\documents and settings\Nina Woodley\Application Data\Mozilla\Firefox\Profiles\b9fup904.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2009-07-09 10:44 . 2009-07-09 10:44 -------- d-----w- c:\documents and settings\Nina Woodley\Local Settings\Application Data\TSVNCache
2009-07-09 04:17 . 2009-07-09 10:31 -------- d-----w- c:\documents and settings\Uncle Marvo\Application Data\Messenger
2009-07-01 03:55 . 2009-07-01 03:55 -------- d-----w- c:\program files\iTunes
2009-07-01 03:55 . 2009-07-01 03:55 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-01 03:54 . 2009-07-01 03:54 -------- d-----w- c:\program files\Bonjour
2009-07-01 03:50 . 2009-07-01 03:50 -------- d-----w- c:\documents and settings\Uncle Marvo\Local Settings\Application Data\Apple
2009-07-01 03:50 . 2009-07-01 03:50 -------- d-----w- c:\program files\Apple Software Update
2009-07-01 03:50 . 2009-06-05 15:42 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-01 03:50 . 2009-06-05 15:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-01 03:50 . 2009-07-01 03:55 -------- d-----w- c:\program files\Common Files\Apple
2009-07-01 03:50 . 2009-07-01 03:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-01 03:43 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-07-01 03:43 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-06-16 20:58 . 2009-06-16 20:58 152576 ----a-w- c:\documents and settings\Uncle Marvo\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-14 01:40 . 2005-07-04 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-07-14 01:40 . 2006-05-26 13:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2009-07-09 11:43 . 2008-05-08 21:07 -------- d-----w- c:\program files\Windows Live Safety Center
2009-07-09 10:33 . 2008-07-28 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-09 10:29 . 2005-07-02 15:07 -------- d-----w- c:\documents and settings\Uncle Marvo\Application Data\Azureus
2009-07-09 04:38 . 2009-07-09 04:18 4 ---h--w- c:\windows\Fonts\mlog
2009-07-09 04:24 . 2005-07-13 04:16 -------- d-----w- c:\documents and settings\Uncle Marvo\Application Data\Skype
2009-07-09 04:04 . 2008-04-11 12:51 -------- d-----w- c:\documents and settings\Uncle Marvo\Application Data\skypePM
2009-07-09 00:53 . 2005-06-30 01:25 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-07-06 20:30 . 2007-12-17 16:39 -------- d-----w- c:\documents and settings\Uncle Marvo\Application Data\U3
2009-07-02 01:00 . 2005-07-12 20:29 -------- d-----w- c:\program files\Dl_cats
2009-07-01 04:03 . 2006-12-30 06:15 -------- d-----w- c:\documents and settings\Uncle Marvo\Application Data\Apple Computer
2009-07-01 03:55 . 2006-12-30 06:12 -------- d-----w- c:\program files\iPod
2009-07-01 03:53 . 2006-12-30 06:13 -------- d-----w- c:\program files\QuickTime
2009-06-29 13:51 . 2008-07-28 16:27 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-29 13:51 . 2008-07-28 16:27 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-29 13:51 . 2008-07-28 16:27 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-20 04:33 . 2007-09-25 19:23 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-06-16 20:59 . 2005-06-22 03:58 -------- d-----w- c:\program files\Java
2009-06-11 23:25 . 2007-11-20 21:04 -------- d-----w- c:\documents and settings\Uncle Marvo\Application Data\Hamachi
2009-06-05 17:57 . 2009-06-05 17:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-04 20:50 . 2006-02-08 21:14 -------- d-----w- c:\program files\Windows Grep
2009-05-21 15:33 . 2009-02-08 02:12 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-21 13:59 . 2008-07-28 16:27 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-20 18:56 . 2008-09-24 20:56 229376 ----a-w- c:\windows\system32\DSPlayer.dll
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 18:52 . 2009-04-15 18:52 152576 ----a-w- c:\documents and settings\Uncle Marvo\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-06-16 12:56 . 2008-06-30 19:44 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2005-09-15 22:26 . 2005-06-30 00:54 44153 ----a-w- c:\program files\mozilla firefox\components\inspector.dll
2008-09-18 14:08 . 2008-05-27 18:00 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-09-18 14:08 . 2008-05-27 18:00 125840 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-09-18 14:08 . 2008-09-18 14:08 98704 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2008-09-18 14:08 . 2008-09-18 14:08 107848 ----a-w- c:\program files\mozilla firefox\plugins\mwmcli.dll
2006-05-03 09:06 . 2007-11-28 13:06 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2007-11-28 13:06 31232 --sh--r- c:\windows\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Steam"="c:\games\Valve\Steam\\Steam.exe" [2009-06-16 1217784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2007-03-15 24104]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-08 7110656]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-02-13 16384]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 290816]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-29 1948440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2004-06-10 60928]

c:\documents and settings\Uncle Marvo\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-29 13:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Trillian Pro\\trillian.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Games\\FEAR\\FEAR.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3000:TCP"= 3000:TCP:Apache/Ruby
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [28/07/2008 12:27 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [28/07/2008 12:27 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [28/07/2008 12:26 PM 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [28/07/2008 12:26 PM 298776]
R2 MSSQL$VSDOTNET;MSSQL$VSDOTNET;c:\program files\Microsoft SQL Server\MSSQL$VSDOTNET\Binn\sqlservr.exe -sVSDOTNET --> c:\program files\Microsoft SQL Server\MSSQL$VSDOTNET\Binn\sqlservr.exe -sVSDOTNET [?]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [25/11/2005 5:43 PM 31896]
S3 AHCSFJXZ;AHCSFJXZ;c:\docume~1\UNCLEM~1\LOCALS~1\Temp\AHCSFJXZ.exe --> c:\docume~1\UNCLEM~1\LOCALS~1\Temp\AHCSFJXZ.exe [?]
S3 BTDataTransport;BTDataTransport;c:\program files\Capton\BTDataTransportService\BTDataTransportService.exe [12/04/2008 2:58 PM 45056]
S3 BTFileMonitor;BTFileMonitor;c:\program files\Capton\BTMonitor\BTFileMonitor.exe [28/02/2007 11:54 PM 36864]
S3 BTRemoteListener;BTRemoteListener;c:\program files\Capton\BTRemoteListener\BTRemoteListener.exe [12/04/2008 3:24 PM 40960]
S3 BTRxMonitor;BTRxMonitor;c:\program files\Capton\BTMonitor\BTRxMonitor.exe [28/02/2007 11:54 PM 32768]
S3 DocteurDirectSynch;DocteurDirectSynch;c:\program files\DocteurDirect.com\DocteurDirect Offline Access\OfflineAccess.Client.Service.exe [20/12/2007 10:49 AM 32768]
S3 KProcWatch;KProcWatch;c:\windows\system32\drivers\KProcWatch.sys [10/07/2009 10:17 AM 8576]
S3 SQLAgent$VSDOTNET;SQLAgent$VSDOTNET;c:\program files\Microsoft SQL Server\MSSQL$VSDOTNET\Binn\sqlagent.EXE -i VSDOTNET --> c:\program files\Microsoft SQL Server\MSSQL$VSDOTNET\Binn\sqlagent.EXE -i VSDOTNET [?]
S4 BTRemoteFileMonitor;BTRemoteFileMonitor;c:\program files\Capton\BTRemoteFileMonitor\BTFileMonitor.exe [22/01/2007 2:30 PM 32768]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [23/09/2005 7:01 AM 2799808]
S4 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\Smith Micro\StuffIt 2009\ArcNameService.exe [19/12/2008 9:28 AM 199000]
UnknownUnknown dsload;dsload; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-07-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.ca/myway
uInternet Settings,ProxyServer = 213.185.116.152:8080
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - hxxps://conference.oracle.com/imtapp/res/jar/cnsload.cab
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://192.168.1.150/xplugLite.cab
DPF: {DB1B4C3B-8690-43B2-9045-91EDA7A12580} - hxxp://65.243.46.85/iw/ewebeditpro20/ewebeditpro4.cab
DPF: {DE3135A8-D948-49DC-ABBC-B2EFF418E5FD} - hxxp://www.iradiopop.com/IRD/pages/AIRJ01FPlayer.CAB
FF - ProfilePath - c:\documents and settings\Uncle Marvo\Application Data\Mozilla\Firefox\Profiles\653cout2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-13 21:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1476)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL$VSDOTNET\Binn\sqlservr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\program files\VMware\VMware Workstation\vmware-authd.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\system32\rundll32.exe
c:\program files\Dell Photo AIO Printer 922\dlbtbmon.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\wscript.exe
.
**************************************************************************
.
Completion time: 2009-07-14 21:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-14 01:55

Pre-Run: 30,591,270,912 bytes free
Post-Run: 34,387,263,488 bytes free

339 --- E O F --- 2009-06-16 20:54


*** DDS results: ***


DDS (Ver_09-06-26.01) - NTFSx86
Run by Uncle Marvo at 22:05:19.62 on 13/07/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2544 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VSDOTNET\Binn\sqlservr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Uncle Marvo\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell.ca/myway
uInternet Settings,ProxyServer = 213.185.116.152:8080
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Steam] c:\games\valve\steam\\Steam.exe -silent
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
mRun: [DLBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBTtime.dll,_RunDLLEntry@16
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Dell Photo AIO Printer 922] "c:\program files\dell photo aio printer 922\dlbtbmgr.exe"
mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe" -lang 1033 -noicon
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
StartupFolder: c:\docume~1\unclem~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - hxxps://conference.oracle.com/imtapp/res/jar/cnsload.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121225335152
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://192.168.1.150/xplugLite.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DB1B4C3B-8690-43B2-9045-91EDA7A12580} - hxxp://65.243.46.85/iw/ewebeditpro20/ewebeditpro4.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {DE3135A8-D948-49DC-ABBC-B2EFF418E5FD} - hxxp://www.iradiopop.com/IRD/pages/AIRJ01FPlayer.CAB
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://freetrial.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://vendor.mohegansun.com/dana-cached/setup/JuniperSetupSP1.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\pkmcdo.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\unclem~1\applic~1\mozilla\firefox\profiles\653cout2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-28 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-28 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-28 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-28 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-28 298776]
R2 MSSQL$VSDOTNET;MSSQL$VSDOTNET;c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlservr.exe -svsdotnet --> c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlservr.exe -sVSDOTNET [?]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]
S3 AHCSFJXZ;AHCSFJXZ;c:\docume~1\unclem~1\locals~1\temp\ahcsfjxz.exe --> c:\docume~1\unclem~1\locals~1\temp\AHCSFJXZ.exe [?]
S3 BTDataTransport;BTDataTransport;c:\program files\capton\btdatatransportservice\BTDataTransportService.exe [2008-4-12 45056]
S3 BTFileMonitor;BTFileMonitor;c:\program files\capton\btmonitor\BTFileMonitor.exe [2007-2-28 36864]
S3 BTRemoteListener;BTRemoteListener;c:\program files\capton\btremotelistener\BTRemoteListener.exe [2008-4-12 40960]
S3 BTRxMonitor;BTRxMonitor;c:\program files\capton\btmonitor\BTRxMonitor.exe [2007-2-28 32768]
S3 DocteurDirectSynch;DocteurDirectSynch;c:\program files\docteurdirect.com\docteurdirect offline access\OfflineAccess.Client.Service.exe [2007-12-20 32768]
S3 KProcWatch;KProcWatch;c:\windows\system32\drivers\KProcWatch.sys [2009-7-10 8576]
S3 SQLAgent$VSDOTNET;SQLAgent$VSDOTNET;c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlagent.exe -i vsdotnet --> c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlagent.EXE -i VSDOTNET [?]
S4 BTRemoteFileMonitor;BTRemoteFileMonitor;c:\program files\capton\btremotefilemonitor\BTFileMonitor.exe [2007-1-22 32768]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
S4 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\smith micro\stuffit 2009\ArcNameService.exe [2008-12-19 199000]
UnknownUnknown dsload;dsload; [x]

=============== Created Last 30 ================

2009-07-13 21:53 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-13 21:14 219,648 a------- c:\windows\PEV.exe
2009-07-13 21:14 161,792 a------- c:\windows\SWREG.exe
2009-07-13 21:14 98,816 a------- c:\windows\sed.exe
2009-07-10 10:17 8,576 a------- c:\windows\system32\drivers\KProcWatch.sys
2009-07-10 10:17 <DIR> --d----- c:\program files\HiddenFinder
2009-07-10 10:17 <DIR> --d----- c:\program files\common files\ynshare
2009-07-09 19:43 180,592 a------- C:\R126083.EXE
2009-07-09 19:43 349,296 a------- C:\R99740.exe
2009-07-09 19:43 18,075,752 a------- C:\R99738.EXE
2009-07-09 00:17 62,496 a------- c:\windows\system32\MSWINSCK.OCX
2009-07-09 00:17 <DIR> --d----- c:\docume~1\unclem~1\applic~1\Messenger
2009-06-30 23:55 <DIR> --d----- c:\program files\iTunes
2009-06-30 23:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-30 23:54 <DIR> --d----- c:\program files\Bonjour
2009-06-30 23:50 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-30 23:50 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-06-30 23:43 5,632 a------- c:\windows\system32\ptpusb.dll
2009-06-30 23:43 159,232 a------- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2009-07-09 00:38 4 ----h--- c:\windows\fonts\mlog
2009-06-29 09:51 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-29 09:51 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-21 09:59 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-20 14:56 229,376 a------- c:\windows\system32\DSPlayer.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-07-30 11:10 60,744 a------- c:\documents and settings\uncle marvo\g2mdlhlpx.exe
2008-04-11 08:51 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-12-21 14:12 1,719,336 a------- c:\docume~1\alluse~1\applic~1\YugmaSE-Uninstaller.exe
2006-05-03 05:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 06:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-10-16 14:39 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101620081017\index.dat

============= FINISH: 22:05:38.53 ===============


What next?

Thanks,
Uncle Marvo

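The DDS log above is what a helper reads first when deciding what to put in a CFscript, and three kinds of line carry most of the signal: Pseudo HJT entries that end in "No File" (a registry reference whose target is gone), a ProxyServer value, and SERVICES / DRIVERS entries whose binary sits under a Temp directory or for which DDS attached no date/size trailer. As an added example, not code from the thread or from the DDS tool, the Python below pulls those out of lines in the posted format and emits the orphan entries in the DDS:: form a CFscript uses. The sample log is constructed from lines posted above. Assumptions that are mine: the proxy check treats anything outside loopback and RFC 1918 ranges as needing review (whether it is legitimate is for the user to confirm), and the CFscript builder assumes TB: and uURLSearchHooks: lines are accepted under DDS:: the same way as the BHO: line. A Temp-resident, randomly named service is only a lead: RootkitRevealer itself runs its scan from a randomly named copy of its executable installed as a temporary service, so compare the entry's timestamp with when the scan was run before treating it as malware.

```python
import ipaddress
import re

# Constructed excerpt in the DDS log format, modeled on lines posted in this thread
# (Pseudo HJT Report and SERVICES / DRIVERS sections).
SAMPLE_DDS = r"""
uStart Page = hxxp://www.dell.ca/myway
uInternet Settings,ProxyServer = 213.185.116.152:8080
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-28 327688]
S3 AHCSFJXZ;AHCSFJXZ;c:\docume~1\unclem~1\locals~1\temp\ahcsfjxz.exe --> c:\docume~1\unclem~1\locals~1\temp\AHCSFJXZ.exe [?]
UnknownUnknown dsload;dsload; [x]
"""

PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<proxy>\S+)")
# "<start type> <name>;<display name>;<image path> [yyyy-m-d size]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d|Unknown\w*)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$")
VERIFIED_RE = re.compile(r"\[\d{4}-\d{1,2}-\d{1,2} \d+\]$")   # DDS saw the file and recorded date/size


def proxy_is_local(proxy):
    """True when a host:port proxy string points at loopback or an RFC 1918 address."""
    host = proxy.rsplit(":", 1)[0] if ":" in proxy else proxy
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False            # a hostname: cannot decide here, leave it for review
    return ip.is_loopback or ip.is_private


def triage_dds(text):
    """Return (orphan entries, findings) for DDS lines in the posted format."""
    orphans, findings = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("- No File"):          # registry reference whose target is gone
            orphans.append(line)
            continue
        m = PROXY_RE.match(line)
        if m:
            if not proxy_is_local(m.group("proxy")):
                findings.append(f"proxy outside loopback/private ranges: {m.group('proxy')}")
            continue
        m = SERVICE_RE.match(line)
        if m:
            image = m.group("image").strip()
            reasons = []
            if "\\temp\\" in image.lower():
                reasons.append("binary under a Temp directory")
            if not VERIFIED_RE.search(image):
                reasons.append("DDS recorded no timestamp/size for the binary")
            if reasons:
                findings.append(f"service {m.group('name')}: " + "; ".join(reasons))
    return orphans, findings


def build_cfscript(orphans):
    """Emit the orphan lines in the DDS:: section form used in this thread."""
    return "DDS::\n" + "\n".join(orphans) + "\n"


if __name__ == "__main__":
    orphans, findings = triage_dds(SAMPLE_DDS)
    for f in findings:
        print("REVIEW:", f)
    print(build_cfscript(orphans), end="")
```

Run it on a saved DDS.txt by replacing SAMPLE_DDS with the file contents; the findings list is for a human to read, and only the orphan lines go into the generated CFscript.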
#6 random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male
  • Local time:08:25 PM

Posted 14 July 2009 - 10:25 AM

  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    DDS::
    uStart Page = hxxp://www.dell.ca/myway
    BHO: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - No File
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
  • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
It appears the rootkit is gone. However, I would like to be certain, so please also run rootkitrevealer again and post the log.
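
random/random asks for a fresh RootkitRevealer log to confirm the rootkit is gone. As an added example, not code from the thread or from Sysinternals, the Python below triages a RootkitRevealer log the way a helper reads one: it parses each discrepancy line, separates "Hidden from Windows API" entries from "Data mismatch" ones, discounts the CryptoAPI RNG Seed value (Windows rewrites it constantly, so the API and raw-hive reads routinely disagree), and groups hidden entries by the service key that owns them, so that a block of hidden subkeys under a known product can be told apart from a hidden service nobody can account for. The sample log is constructed: the d347prt lines follow the real layout (d347prt is DAEMON Tools' SCSI driver, and it is the only allow-list entry assumed here), while the examplesvc.sys entry and the RNG Seed line are invented for contrast. The allow-lists are assumptions; extend them only with keys you can tie to software you know is installed.

```python
import re
from collections import defaultdict

# Constructed sample log in RootkitRevealer's output format. The d347prt lines
# follow the real layout; examplesvc.sys and the RNG Seed line are invented here.
SAMPLE_REPORT = r"""
HKLM\SYSTEM\ControlSet003\Services\d347prt\Cfg\0Jf40 7/13/2009 9:38 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\d347prt\Cfg\0Jf41 7/3/2009 7:47 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\d347prt\Cfg\0Jf42 9/16/2008 8:52 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\examplesvc.sys 7/14/2009 10:01 AM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 7/14/2009 10:02 AM 80 bytes Data mismatch between Windows API and raw hive data.
"""

# <path> <m/d/yyyy> <h:mm AM|PM> <n> bytes <description>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2} [AP]M)"
    r"\s+(?P<size>\d+) bytes\s+(?P<desc>.+?)\s*$"
)
SERVICE_RE = re.compile(r"\\Services\\(?P<svc>[^\\]+)", re.IGNORECASE)

# Values Windows rewrites constantly, so API and raw-hive reads routinely disagree.
# Assumed allow-list for this example; extend it only with keys you can explain.
VOLATILE_MISMATCH = {r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed"}

# Service keys whose hidden subkeys are accounted for by an installed product.
# d347prt is DAEMON Tools' SCSI driver; confirm the product is present before trusting this.
KNOWN_HIDERS = {"d347prt": "DAEMON Tools"}


def parse_report(text):
    """Return one dict per discrepancy line; headers and truncated lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage(entries):
    """Sort discrepancies into explained noise and items that still need an answer."""
    result = {
        "hidden_unexplained": [],   # hidden keys no known product accounts for
        "hidden_explained": [],     # (path, product) pairs covered by KNOWN_HIDERS
        "mismatch_volatile": [],    # known constantly-changing values
        "mismatch_other": [],       # mismatches worth a second look
    }
    by_service = defaultdict(int)
    for e in entries:
        path, desc = e["path"], e["desc"]
        if desc.startswith("Hidden from Windows API"):
            svc = SERVICE_RE.search(path)
            name = svc.group("svc").lower() if svc else "<not under Services>"
            by_service[name] += 1
            if name in KNOWN_HIDERS:
                result["hidden_explained"].append((path, KNOWN_HIDERS[name]))
            else:
                result["hidden_unexplained"].append(path)
        elif desc.startswith("Data mismatch"):
            bucket = "mismatch_volatile" if path in VOLATILE_MISMATCH else "mismatch_other"
            result[bucket].append(path)
    result["hidden_by_service"] = dict(by_service)
    return result


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    print("hidden entries per service key:", summary["hidden_by_service"])
    for path in summary["hidden_unexplained"]:
        print("UNEXPLAINED hidden key:", path)
    for path, product in summary["hidden_explained"]:
        print(f"explained by {product}:", path)
```

Grouping by service key is the useful step: a hidden Services\<name> key with no matching product on the machine is the pattern of a rootkit hiding its own driver, whereas a cluster of hidden subkeys under a driver you can name is usually copy-protection or a disc emulator doing the same trick for its own reasons.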

#7 Uncle Marvo
  • Topic Starter

  • Members
  • 5 posts
  • Local time:04:25 PM

Posted 14 July 2009 - 11:52 AM

Did as instructed. I have included below the new log from ComboFix, the new DDS.txt contents, and the Attach.txt file zipped as an attachment.

I also included the complete log from RootkitRevealer at the bottom. Based on a quick glance, only 3 items are marked as "Hidden from Windows API.", and they appear to be related to Daemon Tools (d347), as follows:

HKLM\SYSTEM\ControlSet003\Services\d347prt\Cfg\0Jf40 7/13/2009 9:38 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\d347prt\Cfg\0Jf41 7/3/2009 7:47 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\d347prt\Cfg\0Jf42 9/16/2008 8:52 AM 0 bytes Hidden from Windows API.

Attached files below.

--------------------------------------
COMBOFIX LOG
--------------------------------------

ComboFix 09-07-13.01 - Uncle Marvo 14/07/2009 11:52.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2598 [GMT -4:00]
Running from: c:\documents and settings\Uncle Marvo\Desktop\random.exe
Command switches used :: c:\documents and settings\Uncle Marvo\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((( Files Created from 2009-06-14 to 2009-07-14 )))))))))))))))))))))))))))))))
.

2009-07-10 14:57 . 2009-07-10 14:57 -------- d-----w- c:\program files\ERUNT
2009-07-10 14:17 . 2009-07-10 14:17 -------- d-----w- c:\program files\HiddenFinder
2009-07-10 14:17 . 2009-07-10 14:17 -------- d-----w- c:\program files\Common Files\ynshare
2009-07-10 14:17 . 2006-02-24 02:03 8576 ----a-w- c:\windows\system32\drivers\KProcWatch.sys
2009-07-09 23:43 . 2009-07-09 23:43 180592 ----a-w- C:\R126083.EXE
2009-07-09 23:43 . 2009-07-09 23:43 349296 ----a-w- C:\R99740.exe
2009-07-09 23:43 . 2009-07-09 23:43 18075752 ----a-w- C:\R99738.EXE
2009-07-09 11:38 . 2008-12-04 05:25 120832 ----a-w- c:\documents and settings\Nina Woodley\Application Data\Mozilla\Firefox\Profiles\b9fup904.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2009-07-09 10:44 . 2009-07-09 10:44 -------- d-----w- c:\documents and settings\Nina Woodley\Local Settings\Application Data\TSVNCache
2009-07-09 04:17 . 2009-07-09 10:31 -------- d-----w- c:\documents and settings\Uncle Marvo\Application Data\Messenger
2009-07-01 03:55 . 2009-07-01 03:55 -------- d-----w- c:\program files\iTunes
2009-07-01 03:55 . 2009-07-01 03:55 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-01 03:54 . 2009-07-01 03:54 -------- d-----w- c:\program files\Bonjour
2009-07-01 03:50 . 2009-07-01 03:50 -------- d-----w- c:\documents and settings\Uncle Marvo\Local Settings\Application Data\Apple
2009-07-01 03:50 . 2009-07-01 03:50 -------- d-----w- c:\program files\Apple Software Update
2009-07-01 03:50 . 2009-06-05 15:42 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-01 03:50 . 2009-06-05 15:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-01 03:50 . 2009-07-01 03:55 -------- d-----w- c:\program files\Common Files\Apple
2009-07-01 03:50 . 2009-07-01 03:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-01 03:43 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-07-01 03:43 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-06-16 20:58 . 2009-06-16 20:58 152576 ----a-w- c:\documents and settings\Uncle Marvo\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-14 01:40 . 2005-07-04 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-07-14 01:40 . 2006-05-26 13:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2009-07-09 11:43 . 2008-05-08 21:07 -------- d-----w- c:\program files\Windows Live Safety Center
2009-07-09 10:33 . 2008-07-28 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-09 10:29 . 2005-07-02 15:07 -------- d-----w- c:\documents and settings\Uncle Marvo\Application Data\Azureus
2009-07-09 04:38 . 2009-07-09 04:18 4 ---h--w- c:\windows\Fonts\mlog
2009-07-09 04:24 . 2005-07-13 04:16 -------- d-----w- c:\documents and settings\Uncle Marvo\Application Data\Skype
2009-07-09 04:04 . 2008-04-11 12:51 -------- d-----w- c:\documents and settings\Uncle Marvo\Application Data\skypePM
2009-07-09 00:53 . 2005-06-30 01:25 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-07-06 20:30 . 2007-12-17 16:39 -------- d-----w- c:\documents and settings\Uncle Marvo\Application Data\U3
2009-07-02 01:00 . 2005-07-12 20:29 -------- d-----w- c:\program files\Dl_cats
2009-07-01 04:03 . 2006-12-30 06:15 -------- d-----w- c:\documents and settings\Uncle Marvo\Application Data\Apple Computer
2009-07-01 03:55 . 2006-12-30 06:12 -------- d-----w- c:\program files\iPod
2009-07-01 03:53 . 2006-12-30 06:13 -------- d-----w- c:\program files\QuickTime
2009-06-29 13:51 . 2008-07-28 16:27 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-29 13:51 . 2008-07-28 16:27 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-29 13:51 . 2008-07-28 16:27 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-20 04:33 . 2007-09-25 19:23 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-06-16 20:59 . 2005-06-22 03:58 -------- d-----w- c:\program files\Java
2009-06-11 23:25 . 2007-11-20 21:04 -------- d-----w- c:\documents and settings\Uncle Marvo\Application Data\Hamachi
2009-06-05 17:57 . 2009-06-05 17:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-04 20:50 . 2006-02-08 21:14 -------- d-----w- c:\program files\Windows Grep
2009-05-21 15:33 . 2009-02-08 02:12 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-21 13:59 . 2008-07-28 16:27 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-20 18:56 . 2008-09-24 20:56 229376 ----a-w- c:\windows\system32\DSPlayer.dll
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 18:52 . 2009-04-15 18:52 152576 ----a-w- c:\documents and settings\Uncle Marvo\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-16 12:56 . 2008-06-30 19:44 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2005-09-15 22:26 . 2005-06-30 00:54 44153 ----a-w- c:\program files\mozilla firefox\components\inspector.dll
2008-09-18 14:08 . 2008-05-27 18:00 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-09-18 14:08 . 2008-05-27 18:00 125840 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-09-18 14:08 . 2008-09-18 14:08 98704 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2008-09-18 14:08 . 2008-09-18 14:08 107848 ----a-w- c:\program files\mozilla firefox\plugins\mwmcli.dll
2006-05-03 09:06 . 2007-11-28 13:06 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2007-11-28 13:06 31232 --sh--r- c:\windows\system32\msfDX.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-14_01.43.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-07-14 21:32 . 2001-07-14 21:32 69632 c:\windows\setupupd\temp\wsdueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Steam"="c:\games\Valve\Steam\\Steam.exe" [2009-06-16 1217784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2007-03-15 24104]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-08 7110656]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-02-13 16384]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 290816]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-29 1948440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2004-06-10 60928]

c:\documents and settings\Uncle Marvo\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-29 13:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Trillian Pro\\trillian.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Games\\FEAR\\FEAR.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3000:TCP"= 3000:TCP:Apache/Ruby
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [28/07/2008 12:27 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [28/07/2008 12:27 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [28/07/2008 12:26 PM 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [28/07/2008 12:26 PM 298776]
R2 MSSQL$VSDOTNET;MSSQL$VSDOTNET;c:\program files\Microsoft SQL Server\MSSQL$VSDOTNET\Binn\sqlservr.exe -sVSDOTNET --> c:\program files\Microsoft SQL Server\MSSQL$VSDOTNET\Binn\sqlservr.exe -sVSDOTNET [?]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [25/11/2005 5:43 PM 31896]
S3 AHCSFJXZ;AHCSFJXZ;c:\docume~1\UNCLEM~1\LOCALS~1\Temp\AHCSFJXZ.exe --> c:\docume~1\UNCLEM~1\LOCALS~1\Temp\AHCSFJXZ.exe [?]
S3 BTDataTransport;BTDataTransport;c:\program files\Capton\BTDataTransportService\BTDataTransportService.exe [12/04/2008 2:58 PM 45056]
S3 BTFileMonitor;BTFileMonitor;c:\program files\Capton\BTMonitor\BTFileMonitor.exe [28/02/2007 11:54 PM 36864]
S3 BTRemoteListener;BTRemoteListener;c:\program files\Capton\BTRemoteListener\BTRemoteListener.exe [12/04/2008 3:24 PM 40960]
S3 BTRxMonitor;BTRxMonitor;c:\program files\Capton\BTMonitor\BTRxMonitor.exe [28/02/2007 11:54 PM 32768]
S3 DocteurDirectSynch;DocteurDirectSynch;c:\program files\DocteurDirect.com\DocteurDirect Offline Access\OfflineAccess.Client.Service.exe [20/12/2007 10:49 AM 32768]
S3 KProcWatch;KProcWatch;c:\windows\system32\drivers\KProcWatch.sys [10/07/2009 10:17 AM 8576]
S3 SQLAgent$VSDOTNET;SQLAgent$VSDOTNET;c:\program files\Microsoft SQL Server\MSSQL$VSDOTNET\Binn\sqlagent.EXE -i VSDOTNET --> c:\program files\Microsoft SQL Server\MSSQL$VSDOTNET\Binn\sqlagent.EXE -i VSDOTNET [?]
S4 BTRemoteFileMonitor;BTRemoteFileMonitor;c:\program files\Capton\BTRemoteFileMonitor\BTFileMonitor.exe [22/01/2007 2:30 PM 32768]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [23/09/2005 7:01 AM 2799808]
S4 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\Smith Micro\StuffIt 2009\ArcNameService.exe [19/12/2008 9:28 AM 199000]
UnknownUnknown dsload;dsload; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - RKREVEAL150
.
Contents of the 'Scheduled Tasks' folder

2009-07-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = 213.185.116.152:8080
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - hxxps://conference.oracle.com/imtapp/res/jar/cnsload.cab
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://192.168.1.150/xplugLite.cab
DPF: {DB1B4C3B-8690-43B2-9045-91EDA7A12580} - hxxp://65.243.46.85/iw/ewebeditpro20/ewebeditpro4.cab
DPF: {DE3135A8-D948-49DC-ABBC-B2EFF418E5FD} - hxxp://www.iradiopop.com/IRD/pages/AIRJ01FPlayer.CAB
FF - ProfilePath - c:\documents and settings\Uncle Marvo\Application Data\Mozilla\Firefox\Profiles\653cout2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-14 11:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2012)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-14 12:00
ComboFix-quarantined-files.txt 2009-07-14 15:59
ComboFix2.txt 2009-07-14 01:55

Pre-Run: 34,348,171,264 bytes free
Post-Run: 34,307,735,552 bytes free

276 --- E O F --- 2009-06-16 20:54

--------------------------------------
DDS.TXT
--------------------------------------


DDS (Ver_09-06-26.01) - NTFSx86
Run by Uncle Marvo at 12:04:25.04 on 14/07/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2586 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VSDOTNET\Binn\sqlservr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Uncle Marvo\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = 213.185.116.152:8080
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Steam] c:\games\valve\steam\\Steam.exe -silent
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
mRun: [DLBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBTtime.dll,_RunDLLEntry@16
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Dell Photo AIO Printer 922] "c:\program files\dell photo aio printer 922\dlbtbmgr.exe"
mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe" -lang 1033 -noicon
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
StartupFolder: c:\docume~1\unclem~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - hxxps://conference.oracle.com/imtapp/res/jar/cnsload.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121225335152
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://192.168.1.150/xplugLite.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DB1B4C3B-8690-43B2-9045-91EDA7A12580} - hxxp://65.243.46.85/iw/ewebeditpro20/ewebeditpro4.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {DE3135A8-D948-49DC-ABBC-B2EFF418E5FD} - hxxp://www.iradiopop.com/IRD/pages/AIRJ01FPlayer.CAB
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://freetrial.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://vendor.mohegansun.com/dana-cached/setup/JuniperSetupSP1.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\pkmcdo.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\unclem~1\applic~1\mozilla\firefox\profiles\653cout2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-28 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-28 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-28 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-28 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-28 298776]
R2 MSSQL$VSDOTNET;MSSQL$VSDOTNET;c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlservr.exe -svsdotnet --> c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlservr.exe -sVSDOTNET [?]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]
S3 AHCSFJXZ;AHCSFJXZ;c:\docume~1\unclem~1\locals~1\temp\ahcsfjxz.exe --> c:\docume~1\unclem~1\locals~1\temp\AHCSFJXZ.exe [?]
S3 BTDataTransport;BTDataTransport;c:\program files\capton\btdatatransportservice\BTDataTransportService.exe [2008-4-12 45056]
S3 BTFileMonitor;BTFileMonitor;c:\program files\capton\btmonitor\BTFileMonitor.exe [2007-2-28 36864]
S3 BTRemoteListener;BTRemoteListener;c:\program files\capton\btremotelistener\BTRemoteListener.exe [2008-4-12 40960]
S3 BTRxMonitor;BTRxMonitor;c:\program files\capton\btmonitor\BTRxMonitor.exe [2007-2-28 32768]
S3 DocteurDirectSynch;DocteurDirectSynch;c:\program files\docteurdirect.com\docteurdirect offline access\OfflineAccess.Client.Service.exe [2007-12-20 32768]
S3 KProcWatch;KProcWatch;c:\windows\system32\drivers\KProcWatch.sys [2009-7-10 8576]
S3 SQLAgent$VSDOTNET;SQLAgent$VSDOTNET;c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlagent.exe -i vsdotnet --> c:\program files\microsoft sql server\mssql$vsdotnet\binn\sqlagent.EXE -i VSDOTNET [?]
S4 BTRemoteFileMonitor;BTRemoteFileMonitor;c:\program files\capton\btremotefilemonitor\BTFileMonitor.exe [2007-1-22 32768]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
S4 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\smith micro\stuffit 2009\ArcNameService.exe [2008-12-19 199000]
UnknownUnknown dsload;dsload; [x]

=============== Created Last 30 ================

2009-07-13 23:34 <DIR> --dshr-- C:\cmdcons
2009-07-13 23:34 <DIR> --d----- c:\windows\setupupd
2009-07-13 21:53 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-13 21:14 219,648 a------- c:\windows\PEV.exe
2009-07-13 21:14 161,792 a------- c:\windows\SWREG.exe
2009-07-13 21:14 98,816 a------- c:\windows\sed.exe
2009-07-10 10:17 8,576 a------- c:\windows\system32\drivers\KProcWatch.sys
2009-07-10 10:17 <DIR> --d----- c:\program files\HiddenFinder
2009-07-10 10:17 <DIR> --d----- c:\program files\common files\ynshare
2009-07-09 19:43 180,592 a------- C:\R126083.EXE
2009-07-09 19:43 349,296 a------- C:\R99740.exe
2009-07-09 19:43 18,075,752 a------- C:\R99738.EXE
2009-07-09 00:17 62,496 a------- c:\windows\system32\MSWINSCK.OCX
2009-07-09 00:17 <DIR> --d----- c:\docume~1\unclem~1\applic~1\Messenger
2009-06-30 23:55 <DIR> --d----- c:\program files\iTunes
2009-06-30 23:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-30 23:54 <DIR> --d----- c:\program files\Bonjour
2009-06-30 23:50 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-30 23:50 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-06-30 23:43 5,632 a------- c:\windows\system32\ptpusb.dll
2009-06-30 23:43 159,232 a------- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2009-07-09 00:38 4 ----h--- c:\windows\fonts\mlog
2009-06-29 09:51 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-29 09:51 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-21 09:59 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-20 14:56 229,376 a------- c:\windows\system32\DSPlayer.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2008-07-30 11:10 60,744 a------- c:\documents and settings\uncle marvo\g2mdlhlpx.exe
2008-04-11 08:51 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-12-21 14:12 1,719,336 a------- c:\docume~1\alluse~1\applic~1\YugmaSE-Uninstaller.exe
2006-05-03 05:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 06:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-10-16 14:39 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101620081017\index.dat

============= FINISH: 12:04:44.34 ===============

--------------------------------------
ROOTKITREVEALER LOG
--------------------------------------


HKU\S-1-5-21-2262125989-1510342593-3242851153-1006\Console 7/14/2009 12:00 PM 0 bytes Security mismatch.
HKU\S-1-5-21-2262125989-1510342593-3242851153-1006\Software\Adobe\MediaBrowser\MRU\illustrator\ApplicationPath 10/29/2007 9:09 PM 91 bytes Data mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC* 8/10/2004 9:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 8/10/2004 9:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{0FA80503-071B-4607-B4AB-D97E166DB7B7}* 12/19/2007 2:51 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{159D419D-AB36-4327-BD67-FDCADBD6EC87}* 12/19/2007 2:51 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{1F175DFB-FC14-4758-8589-259FB632E086}* 12/19/2007 2:51 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{2B7A800D-7C15-40C8-95A3-AB26ACBE56D0}* 12/19/2007 2:51 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{2BEF42D3-D0D1-41A7-8394-69B0E720CD83}* 12/19/2007 2:51 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}* 7/8/2005 10:51 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{48B5B944-476D-4CB8-B971-0602A3B030E3}* 12/19/2007 2:51 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{5110D1A5-AE97-4F53-8CA5-C7ABA3307A30}* 2/17/2007 11:25 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{55BAC81D-9A9D-46B6-81B1-C805EE258956}* 12/19/2007 2:51 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{61C10F8D-F4E8-48E8-A8D5-EBAAD0FFC6F1}* 12/19/2007 2:51 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{626B2E4B-ADB9-47D7-822D-60EFAACDE5C5}* 12/19/2007 2:51 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{6C033ED5-18F1-4DFC-96C8-9BF8B61E3F3D}* 12/19/2007 2:50 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{6E23FE0D-C00A-45A6-8410-FF652DE0BBDD}* 12/19/2007 2:51 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{77EDEB64-90E6-4C69-AC3C-9B896D5EF924}* 12/19/2007 2:51 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{92418130-AE10-45B1-A98D-7A17AD052CA9}* 12/19/2007 2:50 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{9E507FED-47C3-49F4-A501-CDD2DF422306}* 12/19/2007 2:51 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{B1DDA6BD-7C83-42D0-A625-48B12062320D}* 12/19/2007 2:51 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{BE1B2547-AE6D-4342-ADEE-57E9B705983C}* 12/19/2007 2:51 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{BE655E7A-8BEF-45D4-BC35-D3E66974F7BE}* 12/19/2007 2:51 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{C36729C6-65AB-4A6F-8B96-53FF94E3A8D2}* 7/5/2005 10:53 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{D0362CF9-9DAC-4898-8D1A-CC11034B1B68}* 7/5/2005 10:52 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{D1362CF9-9DAC-4898-8D1A-CC11034B1B68}* 7/5/2005 10:52 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{E6A928CB-7289-4019-9C0F-DA55161A2493}* 12/19/2007 2:51 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\webcal\URL Protocol 7/8/2005 10:30 PM 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\VSDOTNET\MSSQLServer\uptime_time_utc 7/14/2009 12:10 PM 8 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\NextDetectionTime 7/13/2009 3:36 PM 40 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect\LastSuccessTime 7/13/2009 3:36 PM 40 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\swearware\backup\winsock2 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SYSTEM\ControlSet003\Services\d347prt\Cfg\0Jf40 7/13/2009 9:38 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\d347prt\Cfg\0Jf41 7/3/2009 7:47 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\d347prt\Cfg\0Jf42 9/16/2008 8:52 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\Dhcp\Parameters\{714E74C9-87AD-403A-A34B-440390D75437} 7/14/2009 12:17 PM 116 bytes Windows API length not consistent with raw hive data.
HKLM\SYSTEM\ControlSet003\Services\SharedAccess\Epoch\Epoch 7/14/2009 12:16 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{714E74C9-87AD-403A-A34B-440390D75437}\LeaseObtainedTime 7/14/2009 12:17 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{714E74C9-87AD-403A-A34B-440390D75437}\T1 7/14/2009 12:17 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{714E74C9-87AD-403A-A34B-440390D75437}\T2 7/14/2009 12:17 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{714E74C9-87AD-403A-A34B-440390D75437}\LeaseTerminatesTime 7/14/2009 12:17 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{714E74C9-87AD-403A-A34B-440390D75437}\DhcpRetryTime 7/14/2009 12:17 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Services\{714E74C9-87AD-403A-A34B-440390D75437}\Parameters\Tcpip\LeaseObtainedTime 7/14/2009 12:17 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Services\{714E74C9-87AD-403A-A34B-440390D75437}\Parameters\Tcpip\T1 7/14/2009 12:17 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Services\{714E74C9-87AD-403A-A34B-440390D75437}\Parameters\Tcpip\T2 7/14/2009 12:17 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Services\{714E74C9-87AD-403A-A34B-440390D75437}\Parameters\Tcpip\LeaseTerminatesTime 7/14/2009 12:17 PM 4 bytes Data mismatch between Windows API and raw hive data.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 7/14/2009 12:17 PM 64.00 KB Visible in Windows API, MFT, but not in directory index.

--------------------------------------


I dare not do too much with my system until I get the green light from you, but early indications seem positive. For instance, Google searches now seem to work properly.

Am I good to go?

Thanks!
Uncle Marvo

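RootkitRevealer reports every difference between what the Windows API returns and what it reads from the raw hive and MFT, so a log like the one above mixes the single entry that matters (the service key hidden from the API) with dozens of routine mismatches. The following added example (not part of this thread or of the Sysinternals tool) parses that one-line-per-discrepancy format and sorts each line into a review priority; the sample lines are copied from the reports posted in this thread, and the priority rules are the author's own triage heuristics.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One RootkitRevealer line: <path> <m/d/yyyy> <h:mm AM|PM> <size> <discrepancy>.
# Paths may contain spaces, so the path is matched lazily up to the date field.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB|GB)) (?P<desc>.+)$"
)

@dataclass
class Finding:
    path: str
    size: str
    desc: str
    priority: str   # "HIGH", "MEDIUM", "LOW" or "INFO"
    reason: str

def classify(path, desc):
    """Map one discrepancy to a review priority and a one-line reason."""
    d, p = desc.lower(), path.lower()
    if d.startswith("hidden from windows api"):
        # Present in the raw hive or MFT but absent from the Windows API view is
        # the classic rootkit signature (UACd.sys in this thread). A few
        # legitimate drivers hide keys too, so this means "review first".
        return "HIGH", "object hidden from the Windows API"
    if "embedded nulls" in d:
        # LSA keeps machine and service-account secrets under
        # HKLM\SECURITY\Policy\Secrets with nul-terminated names, which is
        # expected; elsewhere an embedded nul hides a key from regedit.
        if p.startswith(r"hklm\security\policy\secrets"):
            return "INFO", "LSA secret with nul-terminated name (expected)"
        return "MEDIUM", "embedded nul in key name outside LSA secrets"
    if "data mismatch" in d or "length not consistent" in d:
        # RNG seeds, DHCP lease times and update timestamps legitimately
        # change between the API pass and the raw-hive pass of the scan.
        return "LOW", "value changed between scan passes"
    if d.startswith("security mismatch"):
        return "LOW", "key ACL differs between API and raw hive views"
    if "not in directory index" in d:
        return "LOW", "file created or removed while the scan ran"
    return "MEDIUM", "unrecognised discrepancy type"

def triage(report_text):
    """Parse every well-formed report line; return findings, highest priority first."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}
    findings = []
    for line in report_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # headers, separators, blank lines
        prio, why = classify(m["path"], m["desc"])
        findings.append(Finding(m["path"], m["size"], m["desc"], prio, why))
    return sorted(findings, key=lambda f: order[f.priority])

def counts(findings):
    """Number of findings per priority, e.g. {'HIGH': 1, 'LOW': 4, 'INFO': 1}."""
    return dict(Counter(f.priority for f in findings))

# Sample lines copied from the reports posted in this thread.
SAMPLE = r"""
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 7/10/2009 10:22 AM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\UACd.sys 7/10/2009 9:34 AM 0 bytes Hidden from Windows API.
HKLM\SECURITY\Policy\Secrets\SAC* 8/10/2004 9:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\swearware\backup\winsock2 7/13/2009 9:13 PM 0 bytes Security mismatch.
HKLM\SYSTEM\ControlSet003\Services\Dhcp\Parameters\{714E74C9-87AD-403A-A34B-440390D75437} 7/14/2009 12:17 PM 116 bytes Windows API length not consistent with raw hive data.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 7/14/2009 12:17 PM 64.00 KB Visible in Windows API, MFT, but not in directory index.
"""
```

Running `triage(SAMPLE)` on the six sample lines puts only the UACd.sys entry at HIGH; the other five are the benign mismatch types that make up most of a RootkitRevealer report.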



#8 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male
  • Local time:08:25 PM

Posted 14 July 2009 - 03:10 PM

I dare not do too much with my system until I get the green light from you, but early indications seem positive. For instance, Google searches now seem to work properly.

Am I good to go?


It certainly looks like you're good to go.

You now appear to be clean. Congratulations!

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints; you need to be registered to post, as unfortunately we were hit with too many spam postings to allow guest posting to continue. Just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
  • Turn System Restore off
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore.
    • Click Apply, and then click OK.
  • Restart
  • Turn System Restore on
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Uncheck Turn off System Restore.
    • Click Apply, and then click OK.
    Note: only do this once, and not on a regular basis.
  • Keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector; I suggest that you run it at least once a month.
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here.
    You can download SpywareBlaster from here.
  • Install and use Spybot Search & Destroy
    Instructions are located here.
    Make sure you update, reimmunize & scan regularly.
  • Make use of the HOSTS file included with Spybot Search & Destroy
    Every version of Windows includes a hosts file. A hosts file is a bit like a phone book: it points from the human-friendly name of a website to its actual numeric address (i.e. the IP address). This feature can be used to block malicious websites.
    Spybot Search & Destroy has a good HOSTS file built in. To enable the HOSTS file in Spybot Search & Destroy:
    • Run Spybot Search & Destroy
    • Click on Mode, and then place a tick next to Advanced mode
    • Click Yes
    • In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
    • Click on Add Spybot-S&D hosts list
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here.
  • Finally, I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.
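The HOSTS file advice above relies on one mechanism working in two directions: pointing a name at a local address blocks the site, while pointing it at any other address silently sends the browser somewhere else. The following added example (not from this thread, Spybot S&D or Microsoft) parses a Windows-style HOSTS file and separates block entries from redirect entries so the latter can be reviewed; the sample file, its `.example.test` names and the TEST-NET-3 redirect address are constructed for the example.

```python
import ipaddress

# Names that a default Windows HOSTS file maps to loopback; not worth reporting.
DEFAULT_NAMES = {"localhost"}

def parse_hosts(text):
    """Yield (ip, hostname, lineno) for each mapping; comments and blanks are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed address: skip the line
        for name in fields[1:]:                  # one line may list several names
            yield ip, name.lower(), lineno

def audit_hosts(text):
    """Split a HOSTS file into block entries and redirect entries.

    A block entry sends a name to loopback or the unspecified address, so the
    site can never be reached; that is what a blocking list such as the one
    Spybot S&D ships adds. Any other mapping makes a name resolve to a specific
    host, which is how legitimate sites get hijacked, so those are returned
    for review rather than counted as blocks.
    """
    blocks, redirects = [], []
    for ip, name, lineno in parse_hosts(text):
        if name in DEFAULT_NAMES:
            continue
        entry = {"line": lineno, "name": name, "ip": str(ip)}
        if ip.is_loopback or ip.is_unspecified:
            blocks.append(entry)
        else:
            redirects.append(entry)
    return {"blocks": blocks, "redirects": redirects}

# Constructed sample: the default localhost lines, three block entries and one
# redirect of a well-known name to a TEST-NET-3 (documentation range) address.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
::1             localhost
# block list entries (constructed)
127.0.0.1   ads.example.test
127.0.0.1   tracker.example.test
0.0.0.0     malware.example.test
203.0.113.7 www.google.com   # constructed redirect entry
"""
```

On a clean machine `audit_hosts` should return an empty `redirects` list; a populated one is worth checking before trusting the browser's idea of where a site lives.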


#9 Uncle Marvo

Uncle Marvo
  • Topic Starter

  • Members
  • 5 posts
  • Local time:04:25 PM

Posted 14 July 2009 - 04:23 PM

Thank you VERY MUCH for your help. It is very much appreciated.

As a final question, should I also install MBAM? It seems to be popular around these forums but is not part of your list of recommendations. Is it superseded by the SpywareBlaster / Spybot S&D combo?

Again, MANY THANKS for your time and invaluable help!

Uncle Marvo

#10 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male
  • Local time:08:25 PM

Posted 14 July 2009 - 04:27 PM

MBAM is certainly a good product, and one that I often recommend. Yes, it is a good idea to install it.

I have just realised that I forgot to have you uninstall ComboFix. Please do the following to do so:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.




