Rootkit.M


11 replies to this topic

#1 Bodchris

Bodchris

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:09 AM

Posted 19 August 2009 - 01:04 PM

Rootkit.Pakes.M

Hello

I visited a 'freeware' site to download what was advertised as a 'free download' and was asked to download a file, and the rest is history... sucker... I can't believe I did it. Ever since then my AVG goes bananas upon opening, trying to deal with different infections, some of which it says it cannot eradicate.

I'm posting my RootKit log file, SDFix and HijackThis log files in case they can be of any use, in the hope that one of you could be so kind as to help??

Thanks in advance!

Chris



ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/08/19 18:40
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB899E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79BF000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB0557000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\perflib_perfdata_618.dat
Status: Allocation size mismatch (API: 4096, Raw: 16384)

Path: c:\documents and settings\chris\local settings\temp\~df6fd9.tmp
Status: Allocation size mismatch (API: 49152, Raw: 16384)

Path: c:\documents and settings\chris\local settings\temporary internet files\antiphishing\b3bb5bba-e7d5-40ab-a041-a5b1c0b26c8f.dat
Status: Allocation size mismatch (API: 8192, Raw: 12288)

Path: c:\documents and settings\chris\local settings\temporary internet files\content.ie5\ldz4ixg1\rootrepeal_googlepages_com[1].htm
Status: Allocation size mismatch (API: 16384, Raw: 4096)

Path: c:\program files\avg\avg8\identityprotection\agent\quarantine\3487eac8-0000-1000-8000-000000000000.zip
Status: Allocation size mismatch (API: 49152, Raw: 45056)

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xf77508a0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xf7750980

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xf7750a20

Stealth Objects
-------------------
Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 3568) Address: 0x01000000 Size: 20480

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 3508) Address: 0x01000000 Size: 20480

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xf7750440

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xf77503b0

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xf77503f0

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xf7750330

==EOF==

And a HijackThis logfile also:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:39, on 17/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\Program Files\RAM Idle LE\RAM_XP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\George\George.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/webhp?hl=en&rl...yUK%7CcountryGB
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: ikowin32.exe
O4 - Global Startup: Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVGIDSAgent - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
O23 - Service: AVGIDSWatcher - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c991568dc1eca2) (gupdate1c991568dc1eca2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--
End of file - 8690 bytes

And an SDFIX log file which then ran the program and found nothing!!!!

SDFix: Version 1.240
Run by Chris on 19/08/2009 at 11:54

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Resetting AppInit_DLLs value


Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\GILLSI~1\COOKIES\NYMOWEME.BAN - Deleted
C:\DOCUME~1\GILLSI~1\COOKIES\AKOJYCYR.BIN - Deleted
C:\DOCUME~1\GILLSI~1\COOKIES\FUFU.LIB - Deleted
C:\DOCUME~1\GILLSI~1\COOKIES\LYKIHE.REG - Deleted
C:\DOCUME~1\GILLSI~1\COOKIES\XORU.SYS - Deleted
C:\WINDOWS\braviax.exe - Deleted
C:\WINDOWS\cru629.dat - Deleted
C:\WINDOWS\system32\cru629.dat - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-19 12:12:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000016a
"TracesSuccessful"=dword:00000029
source file error: C:\Documents and Settings\Chris\ntuser.dat

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :

Attached File  Clipboard01q.jpg   134.67KB   6 downloads

Edited by Bodchris, 20 August 2009 - 02:02 AM.
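Helpers in these threads read HijackThis logs by eye. As an added example (not part of the original post, and not HijackThis's own logic), the Python below parses a handful of lines constructed in the HijackThis v2 line format from the log above and applies three triage heuristics of my own choosing: a non-empty O20 `AppInit_DLLs` value (it is normally empty, and anything listed there is loaded into every process that uses user32.dll), an O4 Run entry that launches a built-in admin tool such as regedit.exe at logon, and a bare executable sitting in the per-user Startup folder instead of a shortcut. The `ADMIN_TOOLS` set, the regexes and the `triage` function are all assumptions of this example. On this thread's lines the three entries it flags (Regedit32, ikowin32.exe, cru629.dat) are the same ones the SDFix output above and the MBAM log later in the thread removed.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the HijackThis v2 line format, modelled on a few of the
# lines posted in this thread (not the complete log).
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ikowin32.exe
O4 - Global Startup: Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
"""

# Hypothetical heuristic (this example's choice, not HijackThis's): built-in
# admin tools that have no business being launched from an autostart location.
ADMIN_TOOLS = {"regedit.exe", "cmd.exe"}

# "O4 - <body>" : section code, then the entry text.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# "HKLM\..\Run: [Name] command" : registry autorun entry inside an O4 body.
RUN_RE = re.compile(r"^(?P<hive>HK\S*?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


@dataclass
class Entry:
    section: str  # e.g. "O4", "O20"
    body: str     # text after "O4 - "


@dataclass
class Finding:
    line: str
    reason: str


def parse_hjt(text: str) -> list[Entry]:
    """Split a HijackThis log into (section, body) entries; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def _basename(cmd: str) -> str:
    """Executable file name from an autorun command, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]
    else:
        # Unquoted paths may contain spaces, so cut at the first ".exe".
        idx = cmd.lower().find(".exe")
        exe = cmd[: idx + 4] if idx != -1 else cmd.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply the three heuristics described in the lead-in and return what they flag."""
    findings = []
    for e in entries:
        line = f"{e.section} - {e.body}"
        if e.section == "O20" and e.body.startswith("AppInit_DLLs:"):
            value = e.body.split(":", 1)[1].strip()
            if value:
                findings.append(Finding(
                    line, f"AppInit_DLLs is set to {value!r}; it is normally empty and "
                          "anything listed is loaded into every process that uses user32.dll"))
        elif e.section == "O4":
            m = RUN_RE.match(e.body)
            if m and _basename(m["cmd"]) in ADMIN_TOOLS:
                findings.append(Finding(
                    line, f"autorun [{m['name']}] launches admin tool "
                          f"{_basename(m['cmd'])} at logon"))
            elif e.body.startswith("Startup: ") and e.body.lower().endswith(".exe"):
                findings.append(Finding(
                    line, "bare executable in the user's Startup folder instead of a shortcut"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"{f.line}\n    -> {f.reason}")
```

The script flags entries for review, it does not remove anything; the point is that the same three lines a helper would circle in the log can be picked out mechanically from the HijackThis format, and that the reasons (autorun location, loader mechanism, unusual file type) are what make them suspicious rather than the file names themselves.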




#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:09 AM

Posted 21 August 2009 - 12:39 PM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.




We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Bodchris

Bodchris
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:09 AM

Posted 21 August 2009 - 03:40 PM

Hi Sam

Many thanks for replying with an offer to help.

Here is what you requested:


Malwarebytes' Anti-Malware 1.40
Database version: 2671
Windows 5.1.2600 Service Pack 2

21/08/2009 21:37:24
mbam-log-2009-08-21 (21-37-24).txt

Scan type: Quick Scan
Objects scanned: 148511
Time elapsed: 14 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 6
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RList (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users.WINDOWS\Application Data\11406714 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\BN8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService.NT AUTHORITY\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.
C:\WINDOWS\prxid93ps.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris\Start Menu\Programs\Startup\ikowin32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


OTL logfile created on: 21/08/2009 21:22:59 - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = S:\KEEP DO NOT DELETE
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.50 Gb Total Physical Memory | 0.74 Gb Available Physical Memory | 49.61% Memory free
3.35 Gb Paging File | 2.26 Gb Available in Paging File | 67.36% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 152.66 Gb Total Space | 134.75 Gb Free Space | 88.27% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 464.75 Gb Total Space | 251.58 Gb Free Space | 54.13% Space Free | Partition Type: NTFS
Drive H: | 464.75 Gb Total Space | 251.58 Gb Free Space | 54.13% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive L: | 464.75 Gb Total Space | 251.58 Gb Free Space | 54.13% Space Free | Partition Type: NTFS
Drive M: | 464.75 Gb Total Space | 251.58 Gb Free Space | 54.13% Space Free | Partition Type: NTFS
Drive S: | 464.75 Gb Total Space | 251.58 Gb Free Space | 54.13% Space Free | Partition Type: NTFS
Drive X: | 464.75 Gb Total Space | 251.58 Gb Free Space | 54.13% Space Free | Partition Type: NTFS
Drive Y: | 464.75 Gb Total Space | 251.58 Gb Free Space | 54.13% Space Free | Partition Type: NTFS
Drive Z: | 232.77 Gb Total Space | 32.55 Gb Free Space | 13.98% Space Free | Partition Type: NTFS

Computer Name: CHRIS-PC
Current User Name: Chris
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 90 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/02/26 13:46:20 | 05,576,712 | ---- | M] (AVG) -- C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
PRC - [2007/09/11 01:45:04 | 00,124,832 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
PRC - [2009/07/31 11:52:42 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/02/26 13:46:22 | 00,563,720 | ---- | M] (AVG) -- C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
PRC - [2009/07/31 11:52:51 | 00,832,792 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgam.exe
PRC - [2009/07/31 11:53:00 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/07/31 11:52:56 | 00,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2004/08/04 08:56:49 | 01,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2008/11/10 06:43:40 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2006/03/03 22:03:10 | 00,069,632 | ---- | M] (HP) -- C:\WINDOWS\System32\HPZipm12.exe
PRC - [2009/04/08 11:38:14 | 00,092,008 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2009/08/13 09:53:09 | 02,007,832 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/02/26 13:46:22 | 01,579,528 | ---- | M] (AVG) -- C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
PRC - [2009/02/26 13:46:20 | 00,596,488 | ---- | M] (AVG) -- C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe
PRC - [2005/02/09 22:56:12 | 00,098,304 | ---- | M] (6XGate Incorporated) -- C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
PRC - [2009/08/05 22:52:36 | 00,908,280 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2008/08/14 00:46:45 | 00,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/12/19 06:25:25 | 00,634,024 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/08/03 13:36:10 | 01,295,632 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2009/07/31 11:52:59 | 00,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/08/21 20:58:04 | 00,514,048 | ---- | M] (OldTimer Tools) -- S:\KEEP DO NOT DELETE\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2007/09/11 01:45:04 | 00,124,832 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor6.0 [Auto | Running])
SRV - [2008/07/25 12:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2007/09/29 03:56:34 | 00,483,328 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe -- (Ati HotKey Poller [Auto | Stopped])
SRV - [2009/07/31 11:52:53 | 00,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Stopped])
SRV - [2009/07/31 11:52:42 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
SRV - [2009/02/26 13:46:20 | 05,576,712 | ---- | M] (AVG) -- C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent [Auto | Running])
SRV - [2009/02/26 13:46:22 | 00,563,720 | ---- | M] (AVG) -- C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe -- (AVGIDSWatcher [Auto | Running])
SRV - [2008/07/25 12:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/11/08 12:41:04 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
SRV - [2008/07/29 22:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/10/12 00:12:02 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c991568dc1eca2 [Auto | Stopped])
SRV - [2009/02/25 09:53:54 | 00,183,280 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Auto | Stopped])
SRV - [2004/08/04 08:56:44 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/05/20 11:37:12 | 00,081,920 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBPRO.EXE -- (HP Port Resolver [On_Demand | Stopped])
SRV - [2004/10/16 06:31:06 | 00,073,728 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBOID.EXE -- (HP Status Server [On_Demand | Stopped])
SRV - [2008/07/29 20:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008/11/10 06:43:40 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2007/08/24 07:59:20 | 00,068,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service [On_Demand | Stopped])
SRV - [2008/07/29 20:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2007/08/24 04:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 15:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2006/03/03 22:03:10 | 00,069,632 | ---- | M] (HP) -- C:\WINDOWS\System32\HPZipm12.exe -- (Pml Driver HPZ12 [Unknown | Running])
SRV - [2009/04/08 11:38:14 | 00,092,008 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService [Auto | Running])
SRV - [2004/08/04 08:56:44 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (uploadmgr [Auto | Stopped])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2007/03/08 15:34:46 | 04,027,840 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\ALCXWDM.SYS -- (ALCXWDM [On_Demand | Running])
DRV - [2006/02/21 21:46:26 | 01,505,792 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\DRIVERS\ati2mtag.sys -- (ati2mtag [On_Demand | Stopped])
DRV - [2009/02/26 13:46:56 | 00,121,352 | R--- | M] (AVG Technologies ) -- C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys -- (AVGIDSDriver [On_Demand | Running])
DRV - [2009/02/26 13:46:56 | 00,025,608 | ---- | M] (AVG Technologies ) -- C:\WINDOWS\System32\Drivers\AVGIDSErHr.sys -- (AVGIDSErHr [Boot | Running])
DRV - [2009/02/26 13:46:56 | 00,030,216 | ---- | M] (AVG Technologies ) -- C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys -- (AVGIDSFilter [On_Demand | Running])
DRV - [2009/02/26 13:46:56 | 00,027,232 | ---- | M] (AVG Technologies ) -- C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys -- (AVGIDSShim [On_Demand | Running])
DRV - [2009/07/31 11:52:59 | 00,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
DRV - [2009/07/31 11:53:00 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
DRV - [2009/04/25 23:22:11 | 00,012,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgrkx86.sys -- (AvgRkx86 [Boot | Running])
DRV - [2009/04/25 23:22:37 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX [System | Running])
DRV - [2009/08/21 07:21:16 | 00,029,184 | ---- | M] () -- C:\WINDOWS\System32\drivers\beep.sys -- (Beep [System | Running])
DRV - [2003/07/01 01:15:24 | 00,733,248 | ---- | M] (C-Media Inc) -- C:\WINDOWS\System32\drivers\cmuda.sys -- (cmuda [On_Demand | Stopped])
DRV - [2006/04/13 01:04:39 | 00,049,664 | R--- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
DRV - [2006/04/13 01:04:39 | 00,016,496 | R--- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
DRV - [2006/04/13 01:04:39 | 00,021,568 | ---- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
DRV - [2008/10/09 16:42:42 | 00,017,408 | ---- | M] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\System32\DRIVERS\KMWDFILTER.sys -- (KMWDFILTER [On_Demand | Stopped])
DRV - [2007/06/18 21:18:26 | 00,023,680 | ---- | M] (Motorola) -- C:\WINDOWS\System32\DRIVERS\motmodem.sys -- (motmodem [On_Demand | Stopped])
DRV - [2009/08/14 22:31:05 | 00,619,200 | ---- | M] () -- C:\WINDOWS\System32\drivers\ntfs.sys -- (Ntfs [Disabled | Running])
DRV - [2004/08/04 06:29:54 | 01,897,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2003/03/31 13:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2008/11/08 12:33:33 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2003/08/13 08:27:22 | 00,065,280 | R--- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\System32\DRIVERS\Rtlnic51.sys -- (RTL8023 [On_Demand | Running])
DRV - [2003/03/31 13:00:00 | 00,027,440 | ---- | M] () -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2009/08/03 13:36:28 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1214440339-1604221776-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1214440339-1604221776-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-1214440339-1604221776-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-1214440339-1604221776-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\S-1-5-21-1214440339-1604221776-725345543-1003\S-1-5-21-1214440339-1604221776-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.openintab: true
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/firefox?client=firefox-a&rlz=1R0GGGL_en-GB"
FF - prefs.js..extensions.enabledItems: en-GB@dictionaries.addons.mozilla.org:1.19
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.4
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.2
FF - prefs.js..extensions.enabledItems: {3112ca9c-de6d-4884-a869-9855de68056c}:5.0.20090324W
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.2

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/08/07 15:11:07 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/08/05 22:52:43 | 00,000,000 | ---D | M]

[2009/07/12 16:53:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\mozilla\Extensions
[2009/07/12 16:53:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/05/05 17:30:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\mozilla\Extensions\home2@tomtom.com
[2009/08/16 21:19:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\mozilla\Firefox\Profiles\iz2f9x6x.default\extensions
[2009/08/02 22:07:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\mozilla\Firefox\Profiles\iz2f9x6x.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2009/07/12 23:08:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\mozilla\Firefox\Profiles\iz2f9x6x.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/07/12 17:17:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\mozilla\Firefox\Profiles\iz2f9x6x.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2009/07/15 16:04:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\mozilla\Firefox\Profiles\iz2f9x6x.default\extensions\en-GB@dictionaries.addons.mozilla.org
[2009/07/28 09:36:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\mozilla\Firefox\Profiles\iz2f9x6x.default\extensions\PICLENS@COOLIRIS.COM-TRASH
[2009/08/20 12:23:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\mozilla\Firefox\Profiles\kruezqa3.LuftwaffeChris\extensions
[2009/08/16 21:31:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\mozilla\Firefox\Profiles\kruezqa3.LuftwaffeChris\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/08/16 22:01:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\mozilla\Firefox\Profiles\kruezqa3.LuftwaffeChris\extensions\{B17C1C5A-04B1-11DB-9804-B622A1EF5492}
[2009/07/12 16:53:06 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/08/05 22:52:00 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/08/05 22:52:36 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/08/05 22:52:36 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/08/05 22:52:38 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009/08/05 22:52:38 | 00,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2009/08/05 22:52:38 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/08/05 22:52:38 | 00,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2009/08/05 22:52:38 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/08/05 22:52:38 | 00,000,769 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2009/08/05 22:52:38 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/08/05 22:52:38 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/08/05 22:52:38 | 00,000,831 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: (686 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4329.1504\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\S-1-5-21-1214440339-1604221776-725345543-1003\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\S-1-5-21-1214440339-1604221776-725345543-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [AVGIDS] C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe (AVG)
O4 - HKLM..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe ()
O4 - HKLM..\Run: [Regedit32] C:\WINDOWS\System32\regedit.exe File not found
O4 - HKU\S-1-5-21-1214440339-1604221776-725345543-1003..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe (6XGate Incorporated)
O4 - Startup: C:\Documents and Settings\Chris\Start Menu\Programs\Startup\ikowin32.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1214440339-1604221776-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1214440339-1604221776-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1214440339-1604221776-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1214440339-1604221776-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoChangeStartMenu = 0
O7 - HKU\S-1-5-21-1214440339-1604221776-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClearRecentDocsOnExit = 1
O7 - HKU\S-1-5-21-1214440339-1604221776-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsHistory = 0
O7 - HKU\S-1-5-21-1214440339-1604221776-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: MaxRecentDocs = 1
O7 - HKU\S-1-5-21-1214440339-1604221776-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMFUprogramsList = 0
O7 - HKU\S-1-5-21-1214440339-1604221776-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = [binary data]
O7 - HKU\S-1-5-21-1214440339-1604221776-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisallowCpl = 1
O7 - HKU\S-1-5-21-1214440339-1604221776-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 0
O7 - HKU\S-1-5-21-1214440339-1604221776-725345543-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1214440339-1604221776-725345543-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &ieSpell Options - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Check &Spelling - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm ()
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Lookup on Merriam Webster - C:\Program Files\ieSpell\Merriam Webster.HTM ()
O8 - Extra context menu item: Lookup on Wikipedia - C:\Program Files\ieSpell\wikipedia.HTM ()
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 71 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 53 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 53 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1214440339-1604221776-725345543-1003\..Trusted Domains: 56 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} Reg Error: Value error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 194.98.0.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - x-sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - AppInit_DLLs: (cru629.dat\System32\) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\Ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\dimsntfy: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/27 21:43:49 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{bb522bf3-394a-11de-bd9e-000c76bd471c}\Shell\AutoRun\command - "" = F:\InstallTomTomHOME.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 90 Days ==========

[2 C:\WINDOWS\*.tmp files]
[2009/08/21 20:55:24 | 00,000,246 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\Rootkit.M.url
[2009/08/21 20:53:53 | 00,000,714 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/21 20:53:44 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/08/21 20:41:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chris\Desktop\New Folder
[2009/08/20 19:24:17 | 00,029,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\beep.sys
[2009/08/20 10:48:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chris\Desktop\Virus stuff
[2009/08/20 07:58:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\11406714
[2009/08/19 12:09:28 | 16,101,41696 | -HS- | C] () -- C:\hiberfil.sys
[2009/08/19 11:53:27 | 00,577,024 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2009/08/19 11:51:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2009/08/19 11:50:30 | 00,000,000 | ---D | C] -- C:\Program Files\SDFix
[2009/08/19 09:07:30 | 00,000,000 | ---D | C] -- C:\SDFix
[2009/08/18 18:23:13 | 00,000,247 | ---- | C] () -- C:\WINDOWS\prxid93ps.dat
[2009/08/17 10:08:16 | 00,001,397 | ---- | C] () -- C:\HijackThis.lnk
[2009/08/17 10:04:27 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/08/16 15:31:40 | 00,000,000 | ---D | C] -- C:\WINDOWS\$regcmp$
[2009/08/16 13:42:34 | 00,000,288 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\Cider Making Made Easy.url
[2009/08/14 11:39:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chris\Application Data\Malwarebytes
[2009/08/14 11:39:26 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/08/14 11:39:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
[2009/08/14 11:39:07 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/08/06 17:51:30 | 00,266,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\TweakUI.exe
[2009/08/06 17:51:30 | 00,160,217 | ---- | C] () -- C:\WINDOWS\System32\PowerToysLicense.rtf
[2009/08/06 17:47:54 | 00,000,000 | ---D | C] -- C:\Program Files\Defraggler
[2009/08/06 16:25:26 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2009/08/02 22:11:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chris\Application Data\SeriousBit
[2009/08/02 22:09:08 | 00,000,000 | ---D | C] -- C:\Program Files\ghostscript-8.64
[2009/08/02 21:59:39 | 00,000,000 | ---D | C] -- C:\Program Files\ImageMagick-6.5.4-Q16
[2009/08/02 21:50:45 | 00,001,610 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\ImageMagick Display.lnk
[2009/08/02 21:31:39 | 00,000,738 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\Free PDF to Word Converterr.lnk
[2009/08/02 21:31:38 | 00,000,000 | ---D | C] -- C:\Program Files\Free PDF to Word Converter
[2009/07/31 11:53:00 | 00,011,952 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/07/28 12:23:31 | 00,001,704 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Firefox Preloader.lnk
[2009/07/28 12:23:30 | 00,028,672 | ---- | C] (6XGate Systems, Inc.) -- C:\WINDOWS\System32\regclass.dll
[2009/07/28 12:23:30 | 00,000,000 | ---D | C] -- C:\Program Files\FirefoxPreloader
[2009/07/21 00:42:11 | 00,000,000 | ---D | C] -- C:\Program Files\Registry Clean Expert
[2009/07/15 16:22:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chris\Application Data\uniblue
[2009/07/15 16:20:42 | 00,000,000 | ---D | C] -- C:\Program Files\Uniblue
[2009/07/14 11:33:28 | 00,000,000 | ---D | C] -- C:\Program Files\pref.bac
[2009/07/12 17:27:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chris\My Documents\Downloads
[2009/07/12 17:06:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chris\Local Settings\Application Data\Cooliris
[2009/07/12 16:53:37 | 00,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/07/12 16:53:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla
[2009/07/12 16:53:12 | 00,001,608 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Mozilla Firefox.lnk
[2009/07/12 16:53:04 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2009/07/02 23:04:54 | 00,000,685 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\IrfanView.lnk
[2009/07/02 10:58:36 | 00,000,430 | ---- | C] () -- C:\WINDOWS\tasks\Error Fix Scan.job
[2009/07/02 10:58:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chris\Application Data\Error Fix
[2009/06/26 18:19:11 | 00,000,884 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2009/06/26 18:19:10 | 00,000,880 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2009/06/25 23:08:36 | 00,000,367 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\simhq.com-forum-ubbthreads.php-topics-2744697-Re_Ace_s_Multi_skinned_He_111s.html.url
[2009/06/25 23:08:36 | 00,000,109 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\Ace's Multi-skinned Bombers - W.I.P - Attention BIG pictures - SimHQ Homepage.url
[2009/06/24 04:54:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chris\Desktop\MS & Adobe
[2009/06/23 20:52:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chris\Desktop\Cleaning
[2009/06/22 12:31:01 | 00,000,296 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\H-Images on 'LinkStation NAS (Storage)' (H).lnk
[2009/06/20 22:50:48 | 00,000,459 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\DeWalt DW997 18V Cordless Combi Drill - Screwfix.com, Where the Trade Buys.url
[2009/06/18 15:21:22 | 00,002,719 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\Triplosimac EVT 500 - Promotion 90 OFF Price Amazon.co.uk Kitchen & Home.url
[2009/06/13 18:40:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\PhotoStitch
[2009/06/10 20:39:56 | 00,000,293 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\utilitywarehouse.co.uk-home-index.tafexref=.url
[2009/06/10 14:13:13 | 00,000,000 | ---D | C] -- C:\PSRemote
[2008/12/04 22:49:52 | 00,000,034 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2008/10/29 15:10:08 | 00,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2008/10/29 08:59:49 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/10/28 22:53:15 | 00,619,200 | ---- | C] () -- C:\WINDOWS\System32\drivers\ntfs.sys
[2008/10/28 22:53:15 | 00,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2008/10/28 18:31:31 | 00,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2008/10/28 17:58:39 | 00,147,456 | R--- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2008/10/28 17:58:29 | 00,000,164 | R--- | C] () -- C:\WINDOWS\avrack.ini
[2008/10/27 22:11:01 | 00,000,092 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI
[2008/10/27 22:11:01 | 00,000,026 | ---- | C] () -- C:\WINDOWS\CMCDPLAY.INI
[2008/10/27 22:11:00 | 00,000,754 | ---- | C] () -- C:\WINDOWS\Wininit.ini
[2008/10/27 22:10:59 | 01,900,544 | ---- | C] () -- C:\WINDOWS\System32\cmiwcnfg.dll
[2008/10/27 22:10:59 | 00,058,716 | ---- | C] () -- C:\WINDOWS\Cmuda.ini
[2008/10/27 22:10:59 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\cmirmdrv.dll
[2008/10/27 22:10:56 | 00,028,672 | ---- | C] () -- C:\WINDOWS\CMIRmDriver.dll
[2003/03/31 13:00:00 | 00,000,647 | ---- | C] () -- C:\WINDOWS\win.ini
[2003/03/31 13:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2001/07/07 04:00:00 | 00,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== Files - Modified Within 90 Days ==========

[2 C:\WINDOWS\*.tmp files]
[2009/08/21 21:24:02 | 00,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2009/08/21 21:19:12 | 00,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{54C0651B-B264-4796-92E8-08B67A81D809}.job
[2009/08/21 20:55:24 | 00,000,246 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Rootkit.M.url
[2009/08/21 20:53:53 | 00,000,714 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/21 20:25:40 | 00,002,521 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Office Outlook 2007.lnk
[2009/08/21 20:24:43 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/08/21 18:24:07 | 00,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2009/08/21 12:00:01 | 00,000,430 | ---- | M] () -- C:\WINDOWS\tasks\Error Fix Scan.job
[2009/08/21 08:43:14 | 40,031,073 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/08/21 08:43:14 | 00,067,907 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/08/21 07:21:16 | 00,029,184 | ---- | M] () -- C:\WINDOWS\System32\drivers\beep.sys
[2009/08/21 07:20:13 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/08/21 07:18:37 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/21 07:18:25 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/21 07:18:20 | 16,101,41696 | -HS- | M] () -- C:\hiberfil.sys
[2009/08/20 23:43:55 | 04,837,140 | -H-- | M] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\IconCache.db
[2009/08/19 11:54:46 | 00,000,686 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2009/08/19 11:53:27 | 00,577,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2009/08/18 18:23:13 | 00,000,247 | ---- | M] () -- C:\WINDOWS\prxid93ps.dat
[2009/08/17 10:08:17 | 00,001,397 | ---- | M] () -- C:\HijackThis.lnk
[2009/08/16 22:52:27 | 00,001,515 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Windows Explorer.lnk
[2009/08/16 14:11:11 | 00,000,288 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Cider Making Made Easy.url
[2009/08/14 22:31:05 | 00,619,200 | ---- | M] () -- C:\WINDOWS\System32\drivers\ntfs.sys
[2009/08/06 00:20:28 | 00,000,647 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/08/06 00:20:28 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/08/06 00:20:28 | 00,000,211 | RHS- | M] () -- C:\boot.ini
[2009/08/03 13:36:28 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/08/03 13:36:06 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/08/02 22:00:09 | 00,001,610 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\ImageMagick Display.lnk
[2009/08/02 21:31:39 | 00,000,738 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Free PDF to Word Converterr.lnk
[2009/07/31 22:49:24 | 00,195,584 | ---- | M] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/31 11:53:00 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/07/31 11:53:00 | 00,011,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/07/31 11:52:59 | 00,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/07/28 12:23:31 | 00,001,704 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Firefox Preloader.lnk
[2009/07/27 00:40:21 | 00,291,255 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090727-004057.backup
[2009/07/12 16:53:37 | 00,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2009/07/12 16:53:12 | 00,001,608 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Mozilla Firefox.lnk
[2009/07/12 16:34:34 | 00,000,586 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\LEMB Hurricane ccc8cbe46c3fc43.url
[2009/07/12 14:24:54 | 00,000,275 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\12 O'Clock High! - Luftwaffe ChrisS 96533515.url
[2009/07/11 23:10:25 | 00,002,767 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\MegamagZone hurricane2 j4vpj9jqy.url
[2009/07/10 21:55:46 | 00,000,202 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\luftwaffe_codes.url
[2009/07/09 21:30:19 | 00,000,367 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\simhq.com-forum-ubbthreads.php-topics-2744697-Re_Ace_s_Multi_skinned_He_111s.html.url
[2009/07/07 18:24:22 | 00,000,178 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\DigiHouse - About.url
[2009/07/07 17:37:50 | 00,011,231 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\ebay uk.url
[2009/06/30 09:59:01 | 00,463,779 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/06/28 09:38:26 | 00,000,685 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\IrfanView.lnk
[2009/06/25 23:08:36 | 00,000,109 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Ace's Multi-skinned Bombers - W.I.P - Attention BIG pictures - SimHQ Homepage.url
[2009/06/24 17:43:31 | 00,000,272 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\PaperPlus+ Display Books 11-20 Pockets.url
[2009/06/22 12:31:01 | 00,000,296 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\H-Images on 'LinkStation NAS (Storage)' (H).lnk
[2009/06/20 22:50:48 | 00,000,459 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\DeWalt DW997 18V Cordless Combi Drill - Screwfix.com, Where the Trade Buys.url
[2009/06/19 23:31:44 | 00,000,293 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\utilitywarehouse.co.uk-home-index.tafexref=.url
[2009/06/18 16:08:23 | 00,002,719 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Triplosimac EVT 500 - Promotion 90 OFF Price Amazon.co.uk Kitchen & Home.url
[2009/06/01 09:51:14 | 23,635,392 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe

========== Files - Unicode (All) ==========
[2008/10/29 17:24:23 | 00,000,170 | ---- | C] ()(C:\Documents and Settings\Chris\Desktop\Farposst ???????.url) -- C:\Documents and Settings\Chris\Desktop\Farposst Главная.url
[2009/07/12 14:39:46 | 00,000,170 | ---- | M] ()(C:\Documents and Settings\Chris\Desktop\Farposst ???????.url) -- C:\Documents and Settings\Chris\Desktop\Farposst Главная.url
< End of report >

Many thanks in advance, I greatly look forward to your reply.

Chris


#4 Buckeye_Sam (Malware Expert)

Posted 22 August 2009 - 10:53 AM

How is your computer behaving now?
Are you still getting indications that you are infected?


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 Bodchris (Topic Starter)

Posted 03 September 2009 - 04:24 AM

Hello again

Sorry for the delay, annual vacation/holiday!

Here is the log file:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16791 (vista_gdr.081217-1620)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=b31f5960ccdd9d4ca9851819a0228da0
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-08-29 07:13:27
# local_time=2009-08-29 08:13:27 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1027 21 83 72 6416679859381
# compatibility_mode=5889 62 0 16 889952056265631
# scanned=71705
# found=5
# cleaned=4
# scan_time=2955
C:\Program Files\SDFix\SDFix.exe Win32/PrcView application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\SDFix\SDFix\apps\Process.exe Win32/PrcView application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\SDFix\apps\Process.exe Win32/PrcView application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\dllcache\ntfs.sys a variant of Win32/Kryptik.ABX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\ntfs.sys a variant of Win32/Kryptik.ABX trojan (unable to clean) 00000000000000000000000000000000 I
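
An added editor's example, not code from the thread or from ESET: a small Python parser for the ESET Online Scanner log format posted above. It separates the `# key=value` header from the per-detection lines, checks the `found`/`cleaned` counters against the entries actually listed, and returns the entries the scanner could not clean, marking those that sit in a system driver directory (the `ntfs.sys` line with the trailing `I`), since those are the ones a helper reading the log has to deal with by other means. The sample input is an abridged copy of the log in the post; the path-splitting rule in `_PATH` is a heuristic that holds for these lines.

```python
import re
from dataclasses import dataclass

# Excerpt of the ESET Online Scanner log posted in the thread above
# (copied from the post, not constructed; some header lines omitted).
SAMPLE_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# api_version=3.0.2
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# antistealth_checked=true
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1027 21 83 72 6416679859381
# compatibility_mode=5889 62 0 16 889952056265631
# scanned=71705
# found=5
# cleaned=4
# scan_time=2955
C:\Program Files\SDFix\SDFix.exe Win32/PrcView application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\SDFix\SDFix\apps\Process.exe Win32/PrcView application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\SDFix\apps\Process.exe Win32/PrcView application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\dllcache\ntfs.sys a variant of Win32/Kryptik.ABX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\ntfs.sys a variant of Win32/Kryptik.ABX trojan (unable to clean) 00000000000000000000000000000000 I
"""


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    digest: str  # 32 hex characters; the scanner wrote all zeros in this log
    flag: str    # trailing letter: 'C' on cleaned lines, 'I' on the one it could not clean


# A detection line ends with "(<action>) <32 hex> <flag>"; everything before
# that is "<path> <threat>", and both parts may contain spaces.
_TAIL = re.compile(
    r"^(?P<head>.+) \((?P<action>[^()]*)\) (?P<digest>[0-9a-fA-F]{32}) (?P<flag>[A-Z])$"
)
# Heuristic split of head: the path is taken to end at the first
# "<dot><short extension><space>", which holds for every line in this log.
_PATH = re.compile(r"^(?P<path>[A-Za-z]:\\.*?\.[A-Za-z0-9]{1,4}) (?P<threat>.+)$")

# Locations where an entry the scanner could not clean needs follow-up by
# other means: a replaced system driver is not something an online scan fixes.
SYSTEM_DIRS = ("\\windows\\system32\\drivers\\", "\\windows\\system32\\dllcache\\")


def parse_eset_log(text):
    """Return (header, detections). Header keys may repeat, so values are lists."""
    header = {}
    detections = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            header.setdefault(key, []).append(value)
            continue
        tail = _TAIL.match(line)
        if not tail:
            continue  # blank lines and banner lines such as the CAB hook messages
        head = _PATH.match(tail["head"])
        if not head:
            continue
        detections.append(Detection(head["path"], head["threat"], tail["action"],
                                    tail["digest"], tail["flag"]))
    return header, detections


def is_system_file(path):
    return any(d in path.lower() for d in SYSTEM_DIRS)


def triage(text):
    """Summarise the log the way a helper reading it would: did the scan
    finish, do the counters agree with the listed lines, and what is left."""
    header, detections = parse_eset_log(text)
    counters = {k: int(header[k][0]) for k in ("scanned", "found", "cleaned") if k in header}
    uncleaned = [d for d in detections if d.flag != "C"]
    return {
        "finished": header.get("end", [""])[0] == "finished",
        "counters": counters,
        "listed": len(detections),
        "counts_consistent": (counters.get("found") == len(detections)
                              and counters.get("cleaned") == len(detections) - len(uncleaned)),
        # (path, threat, action, sits in a system directory)
        "follow_up": [(d.path, d.threat, d.action, is_system_file(d.path)) for d in uncleaned],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```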

#6 Buckeye_Sam (Malware Expert)

Posted 03 September 2009 - 11:23 AM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


========================================================

#7 Bodchris (Topic Starter)

Posted 04 September 2009 - 07:27 AM

Thanks again, here is the logfile:

ComboFix 09-09-03.02 - Chris 04/09/2009 13:15.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1535.1080 [GMT 1:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
AV: AVG Internet Security 3-pack *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\GillSimmons\Local Settings\Application Data\vukaqiqum.reg
c:\documents and settings\GillSimmons\Local Settings\Application Data\woqevaloci.bat
c:\documents and settings\GillSimmons\Local Settings\Application Data\ycibi.vbs
c:\documents and settings\GillSimmons\Local Settings\Temporary Internet Files\epaluwy.vbs
c:\documents and settings\GillSimmons\Local Settings\Temporary Internet Files\epocahaju.sys
c:\documents and settings\GillSimmons\Local Settings\Temporary Internet Files\nolazetuk.reg
c:\documents and settings\GillSimmons\Local Settings\Temporary Internet Files\okufuny.ban
c:\documents and settings\LocalService.NT AUTHORITY\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\recycler\S-1-5-21-299502267-1202660629-1801674531-1003
c:\windows\Installer\28b1658.msp
c:\windows\Installer\394de.msp

.
((((((((((((((((((((((((( Files Created from 2009-08-04 to 2009-09-04 )))))))))))))))))))))))))))))))
.

2009-09-04 11:54 . 2009-09-04 11:54 -------- dc----w- c:\documents and settings\log
2009-09-02 21:24 . 2009-09-03 09:12 -------- dc----w- c:\program files\Windows Live Safety Center
2009-08-21 19:53 . 2009-08-21 19:54 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-19 10:53 . 2009-08-19 10:53 577024 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-08-19 10:51 . 2009-08-19 10:51 -------- dc----w- c:\windows\ERUNT
2009-08-19 10:50 . 2009-08-29 18:49 -------- dc----w- c:\program files\SDFix
2009-08-19 08:07 . 2009-08-19 11:14 -------- dc----w- C:\SDFix
2009-08-17 09:04 . 2009-08-17 09:08 -------- dc----w- c:\program files\Trend Micro
2009-08-16 14:31 . 2009-08-16 14:36 -------- dc----w- c:\windows\$regcmp$
2009-08-14 10:39 . 2009-08-14 10:39 -------- dc----w- c:\documents and settings\Chris\Application Data\Malwarebytes
2009-08-14 10:39 . 2009-08-03 12:36 38160 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-14 10:39 . 2009-08-14 10:39 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-08-14 10:39 . 2009-08-03 12:36 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-08-06 16:51 . 2003-06-25 15:05 266360 -c--a-w- c:\windows\system32\TweakUI.exe
2009-08-06 16:47 . 2009-08-06 16:47 -------- dc----w- c:\program files\Defraggler
2009-08-06 15:25 . 2009-08-06 15:25 -------- dc----w- c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-04 11:33 . 2008-11-01 19:53 -------- dc----w- c:\program files\FlashGet
2009-09-03 17:11 . 2008-11-26 14:06 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Google Updater
2009-09-03 10:29 . 2009-06-13 17:40 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\PhotoStitch
2009-08-22 08:59 . 2008-10-28 21:53 574592 -c--a-w- c:\windows\system32\drivers\ntfs.sys
2009-08-18 17:23 . 2009-02-13 17:13 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2009-08-16 17:05 . 2008-10-29 14:56 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-08-13 18:19 . 2008-10-22 11:48 -------- dc----w- c:\program files\Spybot - Search & Destroy
2009-08-13 18:00 . 2008-11-06 22:04 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-08-02 21:11 . 2009-08-02 21:11 -------- dc----w- c:\documents and settings\Chris\Application Data\SeriousBit
2009-08-02 21:10 . 2009-08-02 21:09 -------- dc----w- c:\program files\ghostscript-8.64
2009-08-02 21:07 . 2009-08-02 20:31 -------- dc----w- c:\program files\Free PDF to Word Converter
2009-08-02 21:00 . 2009-08-02 20:59 -------- dc----w- c:\program files\ImageMagick-6.5.4-Q16
2009-07-31 10:53 . 2009-07-31 10:53 11952 -c--a-w- c:\windows\system32\avgrsstx.dll
2009-07-31 10:53 . 2008-10-28 17:08 27784 -c--a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-31 10:52 . 2009-02-13 17:15 335240 -c--a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-28 11:23 . 2009-07-28 11:23 -------- dc----w- c:\program files\FirefoxPreloader
2009-07-20 23:42 . 2009-07-20 23:42 -------- dc----w- c:\program files\Registry Clean Expert
2009-07-16 23:25 . 2008-10-30 20:36 -------- dc----w- c:\documents and settings\Chris\Application Data\AdobeUM
2009-07-15 16:38 . 2009-07-15 16:38 165968 -c--a-w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-15 15:22 . 2009-07-15 15:22 -------- dc----w- c:\documents and settings\Chris\Application Data\uniblue
2009-07-15 15:20 . 2009-07-15 15:20 -------- dc----w- c:\program files\Uniblue
2009-07-14 10:33 . 2009-07-14 10:33 -------- dc----w- c:\program files\pref.bac
2009-07-12 15:53 . 2009-07-12 15:53 0 -c--a-w- c:\windows\nsreg.dat
2008-10-22 09:58 . 2008-10-22 09:58 18160 -c--a-w- c:\program files\Common Files\howu.com
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-13 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-13 2007832]
"AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-02-26 1579528]
"RAM Idle Professional"="c:\program files\RAM Idle LE\RAM_XP.exe" [2006-01-17 135168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Firefox Preloader.lnk - c:\program files\FirefoxPreloader\FirefoxPreloader.exe [2009-7-28 98304]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 1 (0x1)
"DisallowCpl"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-31 10:53 11952 -c--a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"\\\\Storage\\Chris\\KEEP DO NOT DELETE\\nistime-32bit.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [26/02/2009 13:46 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [13/02/2009 18:15 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [13/02/2009 18:15 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [13/02/2009 18:15 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [31/07/2009 11:52 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [31/07/2009 11:52 297752]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [26/02/2009 13:46 563720]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/04/2009 11:38 92008]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys [26/02/2009 13:46 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys [26/02/2009 13:46 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys [26/02/2009 13:46 27232]
S0 fkytbnjn;fkytbnjn;c:\windows\system32\drivers\roswlbpu.sys --> c:\windows\system32\drivers\roswlbpu.sys [?]
S2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [11/09/2007 01:45 124832]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe [26/02/2009 13:46 5576712]
S2 gupdate1c991568dc1eca2;Google Update Service (gupdate1c991568dc1eca2);c:\program files\Google\Update\GoogleUpdate.exe [12/10/2008 00:03 133104]
S3 AutorunDirectIO;AutorunDirectIO;\??\d:\autorun\DIODrvr.sys --> d:\autorun\DIODrvr.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-09-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-13 08:53]

2009-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-11 23:12]

2009-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-11 23:12]

2009-09-03 c:\windows\Tasks\User_Feed_Synchronization-{54C0651B-B264-4796-92E8-08B67A81D809}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
- - - - ORPHANS REMOVED - - - -

Notify-dimsntfy - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\kruezqa3.LuftwaffeChris\
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-04 13:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3344)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-04 13:23
ComboFix-quarantined-files.txt 2009-09-04 12:23
ComboFix2.txt 2007-07-13 22:11

Pre-Run: 144,614,645,760 bytes free
Post-Run: 144,612,634,624 bytes free

197 --- E O F --- 2009-02-15 14:19


[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3344)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-04 13:23
ComboFix-quarantined-files.txt 2009-09-04 12:23
ComboFix2.txt 2007-07-13 22:11

Pre-Run: 144,614,645,760 bytes free
Post-Run: 144,612,634,624 bytes free

197 --- E O F --- 2009-02-15 14:19
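The service list near the top of this log has one entry that stands out: an S0 (boot-start) driver with an eight-letter random name whose file ComboFix could not find, sitting among ordinary AVG and Google services. As an added example that is not part of this thread or of ComboFix, the Python below parses lines in that list format and flags entries when several defender heuristics fire at once; the sample lines are constructed from entries in the log above, and the heuristics and threshold are my own.

```python
import re
from collections import namedtuple

# Constructed sample in the "R/S" service-list format of the ComboFix log above:
# start type, service name, display name, image path, then either the file's
# "[timestamp size]" or "--> path [?]" when ComboFix could not find the file.
SAMPLE_LOG = r"""
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [13/02/2009 18:15 108552]
S0 fkytbnjn;fkytbnjn;c:\windows\system32\drivers\roswlbpu.sys --> c:\windows\system32\drivers\roswlbpu.sys [?]
S3 AutorunDirectIO;AutorunDirectIO;\??\d:\autorun\DIODrvr.sys --> d:\autorun\DIODrvr.sys [?]
S2 gupdate1c991568dc1eca2;Google Update Service (gupdate1c991568dc1eca2);c:\program files\Google\Update\GoogleUpdate.exe [12/10/2008 00:03 133104]
"""

Service = namedtuple("Service", "start name display path status")

# start, name, display, path, optional " --> resolved path", then "[status]"
LINE_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.*?)(?: --> .*?)? \[(.*)\]$")

def parse_services(text):
    """Parse every line in the service-list format; other lines are skipped."""
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            services.append(Service(*m.groups()))
    return services

def suspicion_indicators(svc):
    """Names of the (my own) heuristics that fire for one parsed entry."""
    hits = []
    if svc.status == "?":
        hits.append("file missing")
    if "\\windows\\system32\\drivers\\" in svc.path.lower():
        hits.append("lives in the system driver directory")
    if svc.name.lower() == svc.display.lower():
        hits.append("display name equals service name")
    # Lowercase-only, six or more letters, under 30% vowels: crude pronounceability test
    if re.fullmatch(r"[a-z]{6,}", svc.name) and sum(c in "aeiou" for c in svc.name) < 0.3 * len(svc.name):
        hits.append("random-looking name")
    if svc.start in ("R0", "S0"):
        hits.append("boot-start driver")
    return hits

def flag_suspicious(text, threshold=3):
    """Service name -> indicators, for entries that score at or above threshold.
    One indicator alone is weak: a removable-media driver such as AutorunDirectIO
    is legitimately missing whenever its disc is not inserted."""
    scored = ((s.name, suspicion_indicators(s)) for s in parse_services(text))
    return {name: hits for name, hits in scored if len(hits) >= threshold}
```

Run `flag_suspicious(SAMPLE_LOG)` and only the fkytbnjn entry comes back, with all five indicators; the two legitimate-but-absent autorun drivers score too low to be flagged.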

#8 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender: Male
  • Location: Pickerington, Ohio

Posted 04 September 2009 - 11:22 AM

Please visit the online Jotti Virus Scanner
  • Click on the Browse button.
  • Navigate to the following file and upload it:

    c:\windows\system32\drivers\ntfs.sys

  • Click on the submit button (shown as an image in the original post).
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

If Jotti's too busy, try here: http://www.virustotal.com/en/virustotalf.html
If I have helped you in any way, please consider a donation to help me continue the fight against malware.

Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!

========================================================

#9 Bodchris
  • Topic Starter
  • Members
  • 6 posts

Posted 04 September 2009 - 02:36 PM

Hi Sam

Thanks, but neither of these two sites found anything. Does this mean I am free of the so-and-so?

File ntfs.sys received on 2009.08.31 19:35:34 (UTC)
Current status: finished

Result: 0/38 (0.00%)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.31 -
AhnLab-V3 5.0.0.2 2009.08.31 -
AntiVir 7.9.1.7 2009.08.31 -
Antiy-AVL 2.0.3.7 2009.08.31 -
Authentium 5.1.2.4 2009.08.31 -
Avast 4.8.1335.0 2009.08.31 -
BitDefender 7.2 2009.08.31 -
CAT-QuickHeal 10.00 2009.08.31 -
ClamAV 0.94.1 2009.08.31 -
Comodo 2124 2009.08.31 -
DrWeb 5.0.0.12182 2009.08.31 -
eSafe 7.0.17.0 2009.08.31 -
eTrust-Vet 31.6.6712 2009.08.31 -
F-Prot 4.5.1.85 2009.08.31 -
F-Secure 8.0.14470.0 2009.08.31 -
Fortinet 3.120.0.0 2009.08.31 -
GData 19 2009.08.31 -
Ikarus T3.1.1.68.0 2009.08.31 -
K7AntiVirus 7.10.832 2009.08.31 -
Kaspersky 7.0.0.125 2009.08.31 -
McAfee 5726 2009.08.31 -
McAfee+Artemis 5726 2009.08.31 -
McAfee-GW-Edition 6.8.5 2009.08.31 -
Microsoft 1.5005 2009.08.31 -
NOD32 4385 2009.08.31 -
nProtect 2009.1.8.0 2009.08.31 -
Panda 10.0.2.2 2009.08.31 -
PCTools 4.4.2.0 2009.08.31 -
Prevx 3.0 2009.08.31 -
Rising 21.45.04.00 2009.08.31 -
Sophos 4.45.0 2009.08.31 -
Sunbelt 3.2.1858.2 2009.08.31 -
Symantec 1.4.4.12 2009.08.31 -
TheHacker 6.3.4.3.393 2009.08.31 -
TrendMicro 8.950.0.1094 2009.08.30 -
VBA32 3.12.10.10 2009.08.31 -
ViRobot 2009.8.31.1909 2009.08.31 -
VirusBuster 4.6.5.0 2009.08.31 -
Additional information
File size: 574592 bytes
MD5 : b78be402c3f63dd55521f73876951cdd
SHA1 : c353c331a3d3d986822d7a2bad5dbd3b9e5b7dcc
SHA256: 020d75527b4814c544820d29ca064e94f2fcb7b1ba011d63e9d2bfd4cf91ba61
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x85204
timedatestamp.....: 0x41107EEA (Wed Aug 4 08:15:06 2004)
machinetype.......: 0x14C (Intel I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x300 0x176A9 0x17700 6.57 c5340c51fe1d76ba37955cdcb5cb65b6
.rdata 0x17A00 0x7070 0x7080 6.30 3036a4b7427610934825625163798e6d
.data 0x1EA80 0x1B10 0x1B80 0.74 76214bbe0ee482c4beb7618eb1d6885c
PAGE 0x20600 0x64B01 0x64B80 6.51 54b840a93e0c49229e1e1e6d429ed0a0
INIT 0x85180 0x36FE 0x3700 6.06 783fa825dbba0b975b0255d6a133a03b
.rsrc 0x88880 0x3F0 0x400 3.38 95e16dc4b27f336449d8f68098320d28
.reloc 0x88C80 0x3794 0x3800 6.73 022190376a3e41ece45f0c6fa9631a53

( 0 imports )


( 0 exports )

TrID : File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 12288:x/Vjn0a9sqnudmcdvye4mh5Lr1zoHbYdqrFzjEjx:hVTDs+udF98mTp01BzjE1
PEiD : -
RDS : NSRL Reference Data Set

( Gateway )

Gateway Operating System Windows XP Pro Edition SP2: NTFS.SYS
( Microsoft )

Disc 2438.5: NTFS.SYS
MSDN Disc 2428.4: NTFS.SYS
MSDN Disc 2428.5: NTFS.SYS
MSDN Disc 2428.8: NTFS.SYS
MSDN Disc 2438.7: NTFS.SYS
MSDN Disc 2438.8: NTFS.SYS
MSDN Disc 2439.6: NTFS.SYS
MSDN Disc 2439.7: NTFS.SYS
MSDN Disc 2439.8: NTFS.SYS
MSDN Disc 2440.3: NTFS.SYS
MSDN Disc 2440.4: NTFS.SYS
MSDN Disc 2440.5: NTFS.SYS
MSDN Disc 2441.5: NTFS.SYS
MSDN Disc 2441.6: NTFS.SYS
MSDN Disc 2441.7: NTFS.SYS
MSDN Disc 2442.4: NTFS.SYS
MSDN Disc 2442.6: NTFS.SYS
MSDN Disc 2443.2: NTFS.SYS
MSDN Disc 2443.4: NTFS.SYS
MSDN Disc 2444.3: NTFS.SYS
MSDN Disc 2444.3: NTFS.SYS
MSDN Disc 2444.4: NTFS.SYS
MSDN Disc 2444.6: NTFS.SYS
MSDN Disc 2455.6: NTFS.SYS
MSDN Disc 2464.5: NTFS.SYS
MSDN Disc 2465.4: NTFS.SYS
MSDN Disc 2465.5: NTFS.SYS
MSDN Disc 2466.2: NTFS.SYS
MSDN Disc 2466.4: NTFS.SYS
MSDN Disc 2476.2: NTFS.SYS
MSDN Disc 2476.4: NTFS.SYS
MSDN Disc 2477.2: NTFS.SYS
Operating System Reinstallation CD Microsoft Windows XP Professional Service Pack 2: NTFS.SYS
Virtual PC for Mac Windows XP Home Edition: NTFS.SYS
Virtual PC for Mac Windows XP Professional Edition: NTFS.SYS

Edited by Bodchris, 04 September 2009 - 02:37 PM.


#10 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender: Male
  • Location: Pickerington, Ohio

Posted 04 September 2009 - 02:51 PM

It's certainly looking good to me. How are things on your end? Any issues remaining?

#11 Bodchris
  • Topic Starter
  • Members
  • 6 posts

Posted 05 September 2009 - 07:56 AM

Thank you Sam, everything looks clear. I'm running AVG as I write just to make sure.

Thank you again!

Chris

#12 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender: Male
  • Location: Pickerington, Ohio

Posted 05 September 2009 - 10:09 AM

Excellent! :)
Just a few last steps and some recommendations and you should be good to go.



We need to remove Combofix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK




==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore - You should disable and re-enable System Restore to make sure no infected files are left in a restore point from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable System Restore with the instructions from the tutorial above.

  • Use AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware and hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will be reduced dramatically.

:thumbup2: :)



