Infected With Malware Defense

This topic is locked
24 replies to this topic

#1 Darkumas

  • Members
  • 112 posts

Posted 29 December 2009 - 06:50 PM

I loaned my laptop to my brother and when I got it back I was infected with Malware Defense. I followed the instructions on this site to remove the virus. I had to go to my other laptop to download the program as I could not on this one (the infected one). Once I was able to get the tools needed I ran Malwarebytes Anti-Malware. The problem is it removed all the items except for one. It said it will remove it after reboot. Well, the program does not start back up on reboot, so the item is still there, causing a Google error and causing my PC to lock up every so often. When I reboot, sometimes my PC reboots to a black screen and I have to do a hard reset to get to the Windows login screen.

I cannot run Lavasoft's Ad-Aware, nor Spybot Search & Destroy, and cannot re-install my AVG (as it appears he took it off for some strange reason). I cannot run Malwarebytes Anti-Malware unless I keep running it from the alternate icon as told by the instructions on the site. I cannot run the Panda online scan. I was able to run HouseCall and it found the problem to be a hidden rootkit, but that also says it will be removed on reboot and it was not. I will upload the DDS scan reports, also the last MBAM log to show the item I am referring to. I also cannot run RootRepeal, as when I tried my computer went to a blue screen.

I hope I was detailed enough as to the problem. I tried to save a copy of the Google error I get both at the Windows login screen (something about a breakpoint being reached; I could not copy and paste it to save it) and while the system is running I get another one that pops up every so often; it has not yet, so I cannot post it in here. Below you will find the logs mentioned.


MBAM LOG

Malwarebytes' Anti-Malware 1.42
Database version: 3443
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/28/2009 9:29:12 AM
mbam-log-2009-12-28 (09-29-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 237392
Time elapsed: 1 hour(s), 15 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\H8SRTrxlyxmyvse.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\H8SRTrxlyxmyvse.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.



DDS LOG


DDS (Ver_09-12-01.01) - NTFSx86
Run by Finesse at 18:06:48.50 on Tue 12/29/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.178 [GMT -5:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\dlcqcoms.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Finesse\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.zipform.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: : {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:\progra~1\inboxt~1\Inbox.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Me.dium IE Statusbar BHO: {f28d74ec-b064-4402-926d-e00687233421} - "c:\program files\me.dium\browser add-ons\MediumIEStatusbar.dll"
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: Toolbar Powered by Me.dium: {9516eb1c-ac77-492d-8fd6-a05afac9ea6e} - "c:\program files\me.dium\browser add-ons\MediumIEToolbar.dll"
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: &Inbox Toolbar: {d7e97865-918f-41e4-9cd0-25ab1c574ce8} - c:\progra~1\inboxt~1\Inbox.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {0483894E-2422-45E0-8384-021AFF1AF3CD} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [DLCQCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCQtime.dll,_RunDLLEntry@16
mRun: [<NO NAME>]
mRun: [GoToMyPC] c:\program files\citrix\gotomypc\g2svc.exe -logon
mRun: [Logical Volume] slvhost.exe
mRunServices: [Logical Volume] slvhost.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0483894E-2422-45E0-8384-021AFF1AF3CD} - {0483894E-2422-45E0-8384-021AFF1AF3CD}
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: exitrealty.com\citrix
Trusted Zone: intuit.com\community
Trusted Zone: msn.com\zone
Trusted Zone: rexplorer.net
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: PUFLITE - hxxp://www.hinesville-homes.com/Office/ColpaControls/Photo/Control/PUFLITE.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - hxxps://www.topproduceronline.com/downloads/msjavx86.exe
DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {11865A2A-649F-4FA1-8B99-B97DF8070B7C} - hxxp://elliemae.interwise.com/elliemae/English/ActiveX/IWsystemchecks.cab
DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - hxxps://www.windowsonecare.com/install/cli/1.1.1067.14/WinSSWebAgent.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://citrix.exitrealty.com/CitrixSessionInit/ICAWEB/en/ica32/wficat.cab
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} - hxxp://sav.mlxchange.com/Control/SISC.cab
DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} - hxxp://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.87.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} - hxxp://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} - hxxp://sav.mlxchange.com/Control/MultiSelectComboBox.cab
DPF: {4E330863-6A11-11D0-BFD8-006097237877} - hxxp://support.rexplorer.net/iftw_install//iftwclix.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {64D01C7F-810D-446E-A07E-16C764235644} - hxxp://zone.msn.com/bingame/amad/default/atomaders.cab
DPF: {664088B0-6AF3-4514-AF9D-A0DC3A3DF24A} - hxxp://support.f-secure.com/ols3beta/fscax.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167029388656
DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} - hxxp://sav.mlxchange.com/Control/MLXClientUtils.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://zone.msn.com/bingame/amun/default/mjolauncher.cab
DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} - hxxp://zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab
DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} - hxxp://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://sav.mlxchange.com/4.2.07.27/Control/IRCSharc.cab
DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} - hxxps://www.topproduceronline.com/Downloads/arview2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} - hxxp://zone.msn.com/bingame/zpagames/zpa_hrtz.cab70018.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab72909.cab
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {C487F60B-59B9-47D9-BFDF-AB26786F8823} - hxxp://zone.msn.com/bingame/zpagames/zpa_stoo.cab62201.cab
DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} - hxxp://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} - hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/cpucheck_1_0_0_5.cab
DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/Entriq_3_5_2_2_Silent.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/NBCUniversal_1_0_0_7.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://flagstar.webex.com/client/T23L/training/ieatgpc.cab
DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://www.mainstreetval.com/ImageUploader4.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-latest.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - c:\progra~1\inboxt~1\Inbox.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\finesse\applic~1\mozilla\firefox\profiles\fckjgmj9.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://my.msn.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\google\google gears\firefox\lib\ff35\gears.dll
FF - plugin: c:\documents and settings\finesse\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\finesse\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.40818.0\npctrl.1.0.20806.0.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-29 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-12-29 28552]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbguard.exe -s defaultinstance --> c:\program files\firebird\firebird_2_1\bin\fbguard.exe -s DefaultInstance [?]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-2-25 47640]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbserver.exe -s defaultinstance --> c:\program files\firebird\firebird_2_1\bin\fbserver.exe -s DefaultInstance [?]
S0 llrvya;llrvya;c:\windows\system32\drivers\wdgnq.sys --> c:\windows\system32\drivers\wdgnq.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-28 133104]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-12-28 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-12-28 30104]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2009-12-6 42512]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-12-29 10:52:14 54 ----a-w- c:\windows\system32\rp_stats.dat
2009-12-29 10:52:14 39 ----a-w- c:\windows\system32\rp_rules.dat
2009-12-29 10:52:00 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-29 06:20:32 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-29 06:17:16 0 d-----w- c:\program files\Lavasoft
2009-12-29 05:41:10 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-12-29 05:40:18 0 d-----w- c:\program files\Panda Security
2009-12-29 05:26:25 674 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-29 04:56:46 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-28 15:19:47 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-12-28 05:13:32 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-12-28 05:13:32 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-12-28 05:13:07 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-12-28 05:04:06 0 d-----w- c:\docume~1\finesse\applic~1\AVG8
2009-12-28 04:44:43 199 ----a-w- c:\windows\system32\srcr.dat
2009-12-21 00:05:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Alawar Stargaze
2009-12-21 00:02:35 0 d-----w- c:\windows\TheTreasuresOfMontezuma2
2009-12-21 00:02:35 0 d-----w- c:\program files\TheTreasuresOfMontezuma2
2009-12-07 21:25:24 0 d-----w- c:\docume~1\finesse\applic~1\Inbox Toolbar
2009-12-07 21:25:20 0 d-----w- c:\program files\Inbox Toolbar
2009-12-07 03:25:46 0 d-----w- c:\windows\4 Elements
2009-12-07 03:25:46 0 d-----w- c:\program files\4 Elements
2009-12-07 01:34:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Playrix Entertainment
2009-12-07 01:24:10 0 d-----w- c:\program files\Playrix Games
2009-12-06 22:05:46 88704 ----a-w- c:\windows\system32\packet.dll
2009-12-06 22:05:46 42512 ----a-w- c:\windows\system32\drivers\npf.sys
2009-12-06 22:05:46 240240 ----a-w- c:\windows\system32\wpcap.dll
2009-12-06 22:05:09 0 d-----w- c:\program files\CardRecovery
2009-12-06 21:49:41 67208 ----a-w- c:\windows\UnDeploy.exe
2009-12-01 21:49:50 0 d-----w- c:\docume~1\finesse\applic~1\iSilo
2009-12-01 21:49:46 0 d-----w- c:\program files\iSilo
2009-12-01 21:38:17 0 d-----w- c:\program files\ABC Amber Palm Converter

==================== Find3M ====================

2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-13 19:36:44 952 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-11-08 19:10:48 88 --sh--r- c:\docume~1\alluse~1\applic~1\51A3A397F4.sys
2009-11-08 04:59:50 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-10-22 09:19:04 5939712 ------w- c:\windows\system32\dllcache\mshtml.dll
2007-10-22 02:42:04 88 --sh--r- c:\windows\system32\51A3A397F4.sys
2007-10-22 02:42:06 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-08-01 18:19:06 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080120080802\index.dat

============= FINISH: 18:08:48.98 ===============
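For anyone working through logs like the two above, here is an added triage helper (written for this thread, not code from Malwarebytes, DDS or any poster) that parses MBAM detection lines and DDS autorun, service and hosts lines and flags the entries worth checking first. The checks themselves, and the reading of DDS's `[?]` marker as "image file could not be read", are assumptions; the sample lines are excerpted from the logs posted above.

```python
"""Triage helpers for the MBAM and DDS log formats quoted in this thread.

Added example written for this thread, not code from Malwarebytes, DDS or any
poster. The checks are an analyst's assumptions about which entries deserve a
second look, not rules from either tool.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    source: str   # "mbam" or "dds"
    item: str     # the object or log line the finding is about
    reason: str


# Constructed sample: detection lines excerpted from the MBAM log above.
MBAM_SAMPLE = r"""
Memory Modules Infected:
\\?\globalroot\systemroot\system32\H8SRTrxlyxmyvse.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\system32\H8SRTrxlyxmyvse.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
"""

# Constructed sample: autorun, service and hosts lines excerpted from the DDS log above.
DDS_SAMPLE = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DLCQCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCQtime.dll,_RunDLLEntry@16
mRun: [<NO NAME>]
mRun: [Logical Volume] slvhost.exe
mRunServices: [Logical Volume] slvhost.exe
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-29 64288]
S0 llrvya;llrvya;c:\windows\system32\drivers\wdgnq.sys --> c:\windows\system32\drivers\wdgnq.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# MBAM prints each detection as "<object> (<family>) -> <action>."
MBAM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>[^.]+)\.?$")
# DDS autorun entries: "uRun: [name] command" (u/m/d = user/machine/default hive).
RUN_RE = re.compile(r"^(?P<hive>[umd]Run(?:Services)?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# DDS service lines: "S0 name;display;path [date size]"; the bracket holds "?"
# when DDS could not read the image file (assumption about DDS output).
SVC_RE = re.compile(r"^(?P<start>[RS]\d) (?P<svc>[^;]+);(?P<disp>[^;]*);(?P<path>.*?)"
                    r"(?: \[(?P<info>[^\]]*)\])?$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")


def parse_mbam(text):
    """Return (item, family, action) for every detection line in an MBAM log."""
    hits = []
    for line in text.splitlines():
        m = MBAM_RE.match(line.strip())
        if m:
            hits.append((m["item"], m["family"], m["action"]))
    return hits


def triage_mbam(text):
    """Flag MBAM detections that still need follow-up after the scan."""
    findings = []
    for item, family, action in parse_mbam(text):
        if action.lower().startswith("delete on reboot"):
            findings.append(Finding("mbam", item,
                "removal deferred to reboot; re-scan afterwards to confirm it is gone"))
        if item.lower().startswith(r"\\?\globalroot"):
            findings.append(Finding("mbam", item,
                family + ": reached through a globalroot device path, as hidden rootkit components often are"))
    return findings


def triage_dds(text):
    """Flag DDS autorun, service and hosts lines an analyst would check first."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            exe = m["cmd"].strip().strip('"')
            # A bare file name is resolved through the search path, so the entry does not
            # say which file runs; legitimate entries normally carry a full path.
            if exe and "\\" not in exe and "/" not in exe:
                findings.append(Finding("dds", line, "autorun command is a bare file name with no directory"))
        elif m := SVC_RE.match(line):
            if m["info"] == "?":
                findings.append(Finding("dds", line,
                    f"{m['start']} service '{m['svc']}': image file could not be read by DDS"))
        elif m := HOSTS_RE.match(line):
            if m["ip"].startswith("127.") and m["host"] != "localhost":
                findings.append(Finding("dds", line,
                    f"hosts file maps {m['host']} to loopback, blocking access to that site"))
    return findings
```

To run it over the full logs, read each log file into a string and pass it to `triage_mbam` or `triage_dds`.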


#2 Farbar

  • Security Developer
  • 21,717 posts
  • Location: The Netherlands

Posted 31 December 2009 - 04:16 AM

Hi Darkumas,

I'm going to assist you.

We need a GMER log instead of RootRepeal.

Download the GMER Rootkit Scanner exe file from here and save it to your desktop.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with GMER's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Disconnect from the Internet and close all running programs.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
  • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
    • Sections
    • IAT/EAT
    • Drives/Partitions other than the C:\ drive (the C:\ drive should remain checked)
    • Show All (this one also should be unchecked)
  • Then click the Scan button and wait for it to begin. (Please be patient, as it can take some time to complete.)
  • When the scan is finished, you will see the Scan button appear again. Click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.


#3 Darkumas

  • Topic Starter
  • Members
  • 112 posts

Posted 31 December 2009 - 02:53 PM

OK, I downloaded GMER and had to run it twice. It locked up at the end of the first scan, and I had to do another one; the PC keeps locking up. After the scan was completed, it locked up after I saved the log. After I restarted, it locked up when I enabled the internet. I restarted and it restarted to a blue screen with the following error: STOP: 0X000000D1 (0XAA453198, 0X00000002, 0X00000000, 0XAA44AE22). I had to restart and it restarted to a black screen, then again it got stuck at the start-up screen, then finally loaded.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-31 14:15:20
Windows 5.1.2600 Service Pack 3
Running: 0j6oc6j8.exe; Driver: C:\DOCUME~1\Finesse\LOCALS~1\Temp\ffloapog.sys


---- System - GMER 1.0.15 ----

Code 824F1440 ZwEnumerateKey
Code 824F1408 ZwFlushInstructionCache
Code 824CBEBE IofCallDriver
Code 824CC10E IofCompleteRequest

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 82BD81E8
Device \FileSystem\Fastfat \FatCdrom 827EE790

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 8295F1E8
Device \Driver\usbuhci \Device\USBPDO-1 8295F1E8
Device \Driver\usbuhci \Device\USBPDO-2 8295F1E8
Device \Driver\usbuhci \Device\USBPDO-3 8295F1E8
Device \Driver\PCI_NTPNP8348 \Device\00000047 sptd.sys
Device \Driver\PCI_NTPNP8348 \Device\00000047 sptd.sys
Device \Driver\usbehci \Device\USBPDO-4 829481E8
Device \Driver\PCI_NTPNP8348 \Device\00000048 sptd.sys
Device \Driver\PCI_NTPNP8348 \Device\00000048 sptd.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 82B6A1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 82B6A1E8
Device \Driver\Ftdisk \Device\HarddiskVolume3 82B6A1E8
Device \Driver\atapi \Device\Ide\IdePort0 [F8244B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F8244B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [F8244B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-1b [F8244B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-3 [F8244B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e [F8244B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Ftdisk \Device\HarddiskVolume4 82B6A1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 823BC790
Device \Driver\NetBT \Device\NetbiosSmb 823BC790
Device \Driver\NetBT \Device\NetBT_Tcpip_{8525B93A-5BCD-4BFE-8C05-1DA9D718201A} 823BC790
Device \Driver\usbuhci \Device\USBFDO-0 8295F1E8
Device \Driver\usbuhci \Device\USBFDO-1 8295F1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82357790
Device \Driver\usbuhci \Device\USBFDO-2 8295F1E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 82357790
Device \Driver\usbuhci \Device\USBFDO-3 8295F1E8
Device \Driver\usbehci \Device\USBFDO-4 829481E8
Device \Driver\Ftdisk \Device\FtControl 82B6A1E8
Device \Driver\a7ejfw6b \Device\Scsi\a7ejfw6b1 829B8728
Device \Driver\a7ejfw6b \Device\Scsi\a7ejfw6b1Port3Path0Target1Lun0 829B8728
Device \FileSystem\Fastfat \Fat 827EE790

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs 82304698

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\H8SRTcdjoowpuwm.sys (*** hidden *** ) AA213000-AA22F000 (114688 bytes)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\H8SRTcdjoowpuwm.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTcdjoowpuwm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTcdjoowpuwm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTecbldbbhda.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTpqpaswvbqe.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTrxlyxmyvse.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3A 0x94 0x7D 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xC1 0x8A 0x2C 0x88 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xFE 0x5A 0x04 0x32 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xD5 0x67 0xF9 0xCD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0xBB 0xE2 0xA5 0xFD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0xFE 0x5A 0x04 0x32 ...
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTcdjoowpuwm.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTcdjoowpuwm.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTecbldbbhda.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTpqpaswvbqe.dat
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTrxlyxmyvse.dll
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3A 0x94 0x7D 0x0E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xC1 0x8A 0x2C 0x88 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xFE 0x5A 0x04 0x32 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xD5 0x67 0xF9 0xCD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0xBB 0xE2 0xA5 0xFD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0xFE 0x5A 0x04 0x32 ...

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Finesse\Local Settings\Temp\H8SRT2528.tmp 343040 bytes executable
File C:\WINDOWS\system32\drivers\H8SRTcdjoowpuwm.sys 39936 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\H8SRTecbldbbhda.dll 23040 bytes executable
File C:\WINDOWS\system32\H8SRTpqpaswvbqe.dat 205 bytes

---- EOF - GMER 1.0.15 ----

#4 Farbar

    Just Curious

  • Security Developer
  • 21,717 posts
  • Gender: Male
  • Location: The Netherlands
  • Local time: 08:09 AM

Posted 31 December 2009 - 10:25 PM

You did a good job and we have what we need to start to deal with this nasty rootkit.
  • We need to restore some file associations. Please go to Start => Run, copy and paste the following command in the run box and click OK:

    cmd /c ftype regfile=regedit.exe "%1" & ftype scrfile="%1" /S

    A window flashes briefly; that is normal.

  • This time we want to run ComboFix. This is a major step. Please be precise: make sure you rename it and save it on your desktop, and let it download and install the Recovery Console.

    Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3

    --------------------------------------------------------------------
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)

    Double click on Combo-Fix.exe & follow the prompts. If ComboFix needs to reboot, please allow it. When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



#5 Darkumas

  • Topic Starter
  • Members
  • 112 posts
  • Local time: 01:09 AM

Posted 01 January 2010 - 10:43 AM

Ok, I had to run it twice, as after the first run it got stuck trying to create the log for quite some time. Before running it a 2nd time I went to the C drive and noticed a ComboFix folder with half of a log report. I had every intention of posting it here, but after running it the 2nd time that folder is no longer present on the drive, just the current log report. During the 1st run it found some rootkits and asked me to write them down, but I noticed they are in the 2nd run's log.

ComboFix 09-12-31.08 - Finesse 01/01/2010 10:08:15.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.35 [GMT -5:00]
Running from: c:\documents and settings\Finesse\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\EventSystem.log
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\drivers\H8SRTcdjoowpuwm.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\H8SRTecbldbbhda.dll
c:\windows\system32\H8SRTpqpaswvbqe.dat
c:\windows\system32\H8SRTrxlyxmyvse.dll
c:\windows\system32\krl32mainweq.dll
c:\windows\system32\Packet.dll
c:\windows\system32\srcr.dat
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-12-01 to 2010-01-01 )))))))))))))))))))))))))))))))
.

2009-12-29 10:52 . 2009-12-29 13:17 54 ----a-w- c:\windows\system32\rp_stats.dat
2009-12-29 10:52 . 2009-12-29 13:17 39 ----a-w- c:\windows\system32\rp_rules.dat
2009-12-29 10:52 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-29 06:20 . 2009-12-29 06:21 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-29 06:17 . 2009-12-29 06:17 -------- d-----w- c:\program files\Lavasoft
2009-12-29 05:41 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-12-29 05:40 . 2009-12-29 05:40 -------- d-----w- c:\program files\Panda Security
2009-12-29 04:56 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-28 21:22 . 2009-12-28 21:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-28 15:19 . 2009-12-28 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-12-28 05:13 . 2009-12-28 15:17 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-12-28 05:13 . 2009-12-28 05:13 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-12-28 05:13 . 2009-12-28 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-12-28 05:04 . 2009-12-28 05:04 -------- d-----w- c:\documents and settings\Finesse\Application Data\AVG8
2009-12-28 04:44 . 2009-12-28 04:44 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-21 00:05 . 2009-12-21 00:05 -------- d-----w- c:\documents and settings\Finesse\Local Settings\Application Data\STARGAZE_IMAGE_CACHE
2009-12-21 00:05 . 2009-12-21 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Alawar Stargaze
2009-12-21 00:02 . 2009-12-21 00:03 -------- d-----w- c:\program files\TheTreasuresOfMontezuma2
2009-12-21 00:02 . 2009-12-21 00:02 -------- d-----w- c:\windows\TheTreasuresOfMontezuma2
2009-12-07 21:25 . 2009-12-07 21:26 -------- d-----w- c:\documents and settings\Finesse\Application Data\Inbox Toolbar
2009-12-07 21:25 . 2009-12-07 21:25 -------- d-----w- c:\program files\Inbox Toolbar
2009-12-07 03:25 . 2009-12-17 00:54 -------- d-----w- c:\program files\4 Elements
2009-12-07 03:25 . 2009-12-07 03:25 -------- d-----w- c:\windows\4 Elements
2009-12-07 01:34 . 2009-12-07 01:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Playrix Entertainment
2009-12-07 01:24 . 2009-12-07 02:47 -------- d-----w- c:\program files\Playrix Games
2009-12-06 22:05 . 2009-12-06 22:05 -------- d-----w- c:\program files\CardRecovery
2009-12-06 21:49 . 2009-06-19 08:20 67208 ----a-w- c:\windows\UnDeploy.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-01 15:17 . 2009-07-10 12:26 -------- d-----w- c:\documents and settings\Finesse\Application Data\uTorrent
2010-01-01 14:37 . 2008-02-15 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-29 06:17 . 2008-01-21 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-29 05:57 . 2008-02-15 18:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-28 12:59 . 2008-07-28 21:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-28 05:13 . 2008-07-03 14:22 -------- d-----w- c:\program files\AVG
2009-12-19 18:46 . 2007-12-25 06:14 -------- d-----w- c:\documents and settings\Finesse\Application Data\Big Fish Games
2009-12-19 13:08 . 2006-12-30 16:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-09 03:23 . 2009-11-29 18:43 -------- d-----w- c:\program files\HelperBot
2009-12-09 03:20 . 2008-01-26 20:49 -------- d-----w- c:\program files\Dl_cats
2009-12-03 21:14 . 2008-07-28 21:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2008-07-28 21:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-02 01:40 . 2009-12-01 21:38 -------- d-----w- c:\program files\ABC Amber Palm Converter
2009-12-01 21:49 . 2009-12-01 21:49 -------- d-----w- c:\documents and settings\Finesse\Application Data\iSilo
2009-12-01 21:49 . 2009-12-01 21:49 -------- d-----w- c:\program files\iSilo
2009-11-29 22:18 . 2009-10-02 23:18 -------- d-----w- c:\documents and settings\Finesse\Application Data\vlc
2009-11-27 16:49 . 2006-12-03 22:23 79200 ----a-w- c:\documents and settings\Finesse\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-27 12:59 . 2007-08-23 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-27 12:49 . 2006-09-13 19:32 -------- d-----w- c:\program files\Microsoft Works
2009-11-19 09:59 . 2009-09-25 03:54 -------- d-----w- c:\program files\bpo5000
2009-11-13 19:36 . 2009-11-08 14:18 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-11-10 18:17 . 2006-09-13 19:38 -------- d-----w- c:\program files\Microsoft SQL Server
2009-11-08 19:14 . 2009-11-08 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Act
2009-11-08 19:10 . 2009-11-08 14:18 88 --sh--r- c:\documents and settings\All Users\Application Data\51A3A397F4.sys
2009-11-08 14:18 . 2009-11-08 14:16 -------- d-----w- c:\documents and settings\Finesse\Application Data\IsolatedStorage
2009-11-08 14:15 . 2006-09-13 19:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-08 13:52 . 2007-08-23 23:54 -------- d-----w- c:\program files\Microsoft.NET
2009-11-08 13:50 . 2009-11-08 13:50 -------- d-----w- c:\program files\MSXML 6.0
2009-11-08 13:40 . 2009-11-08 13:40 -------- d-----w- c:\documents and settings\Finesse\Application Data\ACT
2009-11-08 13:39 . 2009-11-08 13:39 -------- d-----w- c:\program files\ACT
2009-11-08 05:17 . 2009-11-08 05:07 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-11-08 05:15 . 2009-11-08 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-11-08 05:14 . 2009-11-08 05:13 -------- d-----w- c:\documents and settings\Finesse\Application Data\DAEMON Tools Pro
2009-11-08 04:59 . 2009-11-08 04:59 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-11-08 03:01 . 2008-10-30 18:23 -------- d-----w- c:\program files\SpywareBlaster
2009-11-04 17:31 . 2007-12-27 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-11-04 13:12 . 2006-09-13 19:30 -------- d-----w- c:\program files\Google
2007-10-22 02:42 . 2006-12-08 15:08 88 --sh--r- c:\windows\system32\51A3A397F4.sys
2007-10-22 02:42 . 2006-12-08 15:08 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:02 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F28D74EC-B064-4402-926D-E00687233421}]
2008-10-23 09:55 61728 ----a-w- c:\program files\Me.dium\Browser Add-ons\MediumIEStatusbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9516EB1C-AC77-492D-8FD6-A05AFAC9EA6E}"= "c:\program files\Me.dium\Browser Add-ons\MediumIEToolbar.dll" [2008-10-23 66336]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{9516eb1c-ac77-492d-8fd6-a05afac9ea6e}]
[HKEY_CLASSES_ROOT\TypeLib\{A7A86710-D3B4-42A1-8350-217072343052}]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{9516EB1C-AC77-492D-8FD6-A05AFAC9EA6E}"= "c:\program files\Me.dium\Browser Add-ons\MediumIEToolbar.dll" [2008-10-23 66336]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{9516eb1c-ac77-492d-8fd6-a05afac9ea6e}]
[HKEY_CLASSES_ROOT\TypeLib\{A7A86710-D3B4-42A1-8350-217072343052}]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-07-10 160592]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-10-09 289072]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"DLCQCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll" [2006-10-16 106496]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-01-12 249904]
"Logical Volume"="slvhost.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-01-12 21:45 10800 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 01:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.2.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax 4.2.lnk
backup=c:\windows\pss\eFax 4.2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Finesse^Start Menu^Programs^Startup^Sprint media monitor.lnk]
path=c:\documents and settings\Finesse\Start Menu\Programs\Startup\Sprint media monitor.lnk
backup=c:\windows\pss\Sprint media monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-01-11 23:54 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act! Preloader]
c:\program files\ACT\Act for Windows\ActSage.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act.Outlook.Service]
c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 02:16 39792 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-10-23 19:18 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2005-12-19 13:08 1347584 ----a-w- c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
c:\program files\Common Files\Symantec Shared\ccApp.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2006-02-09 22:34 106496 ----a-w- c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
2007-09-06 13:08 136136 ----a-w- c:\program files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2005-05-15 07:04 332800 ----a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 06:05 127035 -c--a-w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlcqmon.exe]
2007-06-29 16:47 292080 ----a-w- c:\program files\Dell Photo AIO Printer 966\dlcqmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
c:\program files\CyberLink\PowerDVD\DVDLauncher.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.2]
2006-07-14 20:36 107008 ----a-w- c:\program files\eFax Messenger 4.2\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-02-06 18:09 133104 ----atw- c:\documents and settings\Finesse\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-12-13 21:41 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-12-13 21:45 118784 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-12-13 21:44 98304 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2008-09-09 06:21 623880 ----a-w- c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 15:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 15:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
c:\program files\iTunes\iTunesHelper.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
c:\program files\LogMeIn\x86\LogMeInSystray.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2008-10-17 01:57 4347120 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2006-11-07 19:49 1121280 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-10-18 15:34 5724184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-12 01:15 290816 ------w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-02-16 15:54 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2007-07-20 13:42 214560 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-24 21:30 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-11-28 17:48 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-03-08 16:48 761947 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-07-20 13:42 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2009-10-09 22:48 289072 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\SpacialAudio\\SAMBC\\SAMBC.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Documents and Settings\\Finesse\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Finesse\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:TCP"= 8000:TCP:Sam Broadcaster

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/29/2009 5:52 AM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [12/29/2009 12:41 AM 28552]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2/25/2009 8:44 PM 47640]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [5/27/2009 3:27 AM 29262680]
S0 llrvya;llrvya;c:\windows\system32\drivers\wdgnq.sys --> c:\windows\system32\drivers\wdgnq.sys [?]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/7/2009 11:59 PM 685816]
S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe -s DefaultInstance --> c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe -s DefaultInstance [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/28/2009 12:46 PM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 8:19 AM 1181328]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [12/28/2009 12:13 AM 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [12/28/2009 12:13 AM 30104]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe -s DefaultInstance --> c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe -s DefaultInstance [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-01-01 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 06:26]

2010-01-01 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 06:26]

2010-01-01 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 06:26]

2010-01-01 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 06:26]

2010-01-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 06:26]

2009-12-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 20:42]

2010-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-28 17:46]

2010-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-28 17:46]

2009-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-871554862-3987393492-1306162655-1007Core.job
- c:\documents and settings\Finesse\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-06 18:09]

2010-01-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-871554862-3987393492-1306162655-1007UA.job
- c:\documents and settings\Finesse\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-06 18:09]

2006-12-03 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

2010-01-01 c:\windows\Tasks\User_Feed_Synchronization-{9792E8EC-873A-40E2-85EE-939397C650B4}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.zipform.com/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: exitrealty.com\citrix
Trusted Zone: intuit.com\community
Trusted Zone: msn.com\zone
Trusted Zone: rexplorer.net
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: PUFLITE - hxxp://www.hinesville-homes.com/Office/ColpaControls/Photo/Control/PUFLITE.CAB
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} - hxxp://sav.mlxchange.com/Control/MultiSelectComboBox.cab
DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} - hxxp://sav.mlxchange.com/Control/MLXClientUtils.cab
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://sav.mlxchange.com/4.2.07.27/Control/IRCSharc.cab
FF - ProfilePath - c:\documents and settings\Finesse\Application Data\Mozilla\Firefox\Profiles\fckjgmj9.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://my.msn.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\documents and settings\Finesse\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Finesse\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft Silverlight\3.0.40818.0\npctrl.1.0.20806.0.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
MSConfigStartUp-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe
MSConfigStartUp-Norton Ghost 10 - c:\program files\Norton Ghost\Agent\GhostTray.exe
MSConfigStartUp-OneCareUI - c:\program files\Microsoft Windows OneCare Live\winssnotify.exe
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe
MSConfigStartUp-Windows Defender - c:\program files\Windows Defender\MSASCui.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Finesse\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-01 10:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(2924)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2010-01-01 10:35:58
ComboFix-quarantined-files.txt 2010-01-01 15:35

Pre-Run: 853,090,304 bytes free
Post-Run: 839,319,552 bytes free

- - End Of File - - E10810885D2C07961EB0091C55C2038B

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,717 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:09 AM

Posted 01 January 2010 - 11:05 AM

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files between each other, as the name suggests. In today's world cyber crime has reached an enormous scale, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with great care. Some further reading on this subject, via the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • Empty all p2p download folders. They might contain infected files. Please avoid using these p2p applications until the system is clean. Using these applications at this stage might lead to reinfection or infecting other users.

  • You are missing one important program on that computer: An antivirus. I see traces of McAfee and AVG on the log but no Antivirus protection.
    This is somewhat suicidal in today's digital world.
    You need to install an antivirus program as soon as you can. Besides the paid antivirus programs there are also some free antivirus programs. Tell me if you have a paid antivirus to install or have preference for any free AV.


#7 Darkumas

Darkumas
  • Topic Starter

  • Members
  • 112 posts
  • OFFLINE
  • Local time:01:09 AM

Posted 01 January 2010 - 11:48 AM

I have emptied the download folders. I would like your recommendation on a free AV.

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,717 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:09 AM

Posted 01 January 2010 - 12:04 PM

  • You still have some leftovers from an incompletely uninstalled McAfee AntiVirus on your computer.
    To remove McAfee AntiVirus I recommend you use the McAfee Consumer Product Removal tool (MCPR.exe).

    For the download and instructions on using the McAfee Consumer Product Removal tool, click on majorgeeks.com

  • Download and run the AVG Uninstaller.

  • I recommend this good free antivirus:

    Avira
  • Download the installer from softpedia.com link as it has a secure download mirror. Install and update it.
  • In the left pane click Status. In the right pane click Scan system now.
  • After the scan has finished, let it remove what it finds and then click Report.
  • You can get the last report also by clicking on Reports on the left pane.
  • In the right window under Action double-click on the last Scan listed (you also see the corresponding Date/Time).
  • A window opens, click on Report file.
  • Copy and paste the content of the report to your reply.


#9 Darkumas

Darkumas
  • Topic Starter

  • Members
  • 112 posts
  • OFFLINE
  • Local time:01:09 AM

Posted 01 January 2010 - 06:53 PM

I let the AV clean what it found though I don't know if it did or not.




Avira AntiVir Personal
Report file date: Friday, January 01, 2010 14:02

Scanning for 1493594 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : D3MSHRB1

Version information:
BUILD.DAT : 9.0.0.418 21723 Bytes 12/2/2009 16:28:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 16:26:33
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 12:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 19:00:51
VBASE002.VDF : 7.10.1.1 2048 Bytes 11/19/2009 19:00:51
VBASE003.VDF : 7.10.1.2 2048 Bytes 11/19/2009 19:00:52
VBASE004.VDF : 7.10.1.3 2048 Bytes 11/19/2009 19:00:52
VBASE005.VDF : 7.10.1.4 2048 Bytes 11/19/2009 19:00:52
VBASE006.VDF : 7.10.1.5 2048 Bytes 11/19/2009 19:00:52
VBASE007.VDF : 7.10.1.6 2048 Bytes 11/19/2009 19:00:52
VBASE008.VDF : 7.10.1.7 2048 Bytes 11/19/2009 19:00:52
VBASE009.VDF : 7.10.1.8 2048 Bytes 11/19/2009 19:00:52
VBASE010.VDF : 7.10.1.9 2048 Bytes 11/19/2009 19:00:53
VBASE011.VDF : 7.10.1.10 2048 Bytes 11/19/2009 19:00:53
VBASE012.VDF : 7.10.1.11 2048 Bytes 11/19/2009 19:00:53
VBASE013.VDF : 7.10.1.79 209920 Bytes 11/25/2009 19:00:55
VBASE014.VDF : 7.10.1.128 197632 Bytes 11/30/2009 19:00:56
VBASE015.VDF : 7.10.1.178 195584 Bytes 12/7/2009 19:00:58
VBASE016.VDF : 7.10.1.224 183296 Bytes 12/14/2009 19:01:00
VBASE017.VDF : 7.10.1.247 182272 Bytes 12/15/2009 19:01:02
VBASE018.VDF : 7.10.2.30 198144 Bytes 12/21/2009 19:01:03
VBASE019.VDF : 7.10.2.63 187392 Bytes 12/24/2009 19:01:05
VBASE020.VDF : 7.10.2.93 195072 Bytes 12/29/2009 19:01:07
VBASE021.VDF : 7.10.2.94 2048 Bytes 12/29/2009 19:01:07
VBASE022.VDF : 7.10.2.95 2048 Bytes 12/29/2009 19:01:07
VBASE023.VDF : 7.10.2.96 2048 Bytes 12/29/2009 19:01:07
VBASE024.VDF : 7.10.2.97 2048 Bytes 12/29/2009 19:01:07
VBASE025.VDF : 7.10.2.98 2048 Bytes 12/29/2009 19:01:08
VBASE026.VDF : 7.10.2.99 2048 Bytes 12/29/2009 19:01:08
VBASE027.VDF : 7.10.2.100 2048 Bytes 12/29/2009 19:01:08
VBASE028.VDF : 7.10.2.101 2048 Bytes 12/29/2009 19:01:08
VBASE029.VDF : 7.10.2.102 2048 Bytes 12/29/2009 19:01:08
VBASE030.VDF : 7.10.2.103 2048 Bytes 12/29/2009 19:01:08
VBASE031.VDF : 7.10.2.111 90624 Bytes 1/1/2010 19:01:09
Engineversion : 8.2.1.122
AEVDF.DLL : 8.1.1.2 106867 Bytes 11/8/2009 12:38:52
AESCRIPT.DLL : 8.1.3.4 586105 Bytes 1/1/2010 19:01:26
AESCN.DLL : 8.1.3.0 127348 Bytes 1/1/2010 19:01:24
AESBX.DLL : 8.1.1.1 246132 Bytes 11/8/2009 12:38:44
AERDL.DLL : 8.1.3.4 479605 Bytes 1/1/2010 19:01:24
AEPACK.DLL : 8.2.0.3 422261 Bytes 11/8/2009 12:38:40
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 11/8/2009 12:38:38
AEHEUR.DLL : 8.1.0.189 2195833 Bytes 1/1/2010 19:01:21
AEHELP.DLL : 8.1.9.0 237943 Bytes 1/1/2010 19:01:13
AEGEN.DLL : 8.1.1.82 369014 Bytes 1/1/2010 19:01:12
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 12:38:26
AECORE.DLL : 8.1.9.1 180598 Bytes 1/1/2010 19:01:10
AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 12:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 20:14:02
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 17:25:47

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: Friday, January 01, 2010 14:03

Starting search for hidden objects.
'74352' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'AxCrypt.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'AAWTray.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'uTorrent.exe' - '1' Module(s) have been scanned
Scan process 'robotaskbaricon.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'unsecapp.exe' - '1' Module(s) have been scanned
Scan process 'fbserver.exe' - '1' Module(s) have been scanned
Scan process 'g2tray.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sqlwriter.exe' - '1' Module(s) have been scanned
Scan process 'sqlbrowser.exe' - '1' Module(s) have been scanned
Scan process 'QBCFMonitorService.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'NicConfigSvc.exe' - '1' Module(s) have been scanned
Scan process 'g2pre.exe' - '1' Module(s) have been scanned
Scan process 'GoogleCrashHandler.exe' - '1' Module(s) have been scanned
Scan process 'NBService.exe' - '1' Module(s) have been scanned
Scan process 'sqlservr.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'g2comm.exe' - '1' Module(s) have been scanned
Scan process 'g2svc.exe' - '1' Module(s) have been scanned
Scan process 'fbguard.exe' - '1' Module(s) have been scanned
Scan process 'dlcqcoms.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'AAWService.exe' - '1' Module(s) have been scanned
Scan process 'BCMWLTRY.EXE' - '1' Module(s) have been scanned
Scan process 'WLTRYSVC.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
52 processes with 52 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '61' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\.update\.target\.intuit\125205
[0] Archive type: CAB (Microsoft)
--> AboutPatch.htm
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\Quarantine\{0000372F-0000-0000-75EF-22C43CA43A2A}\DATA.CAB
[0] Archive type: CAB (Microsoft)
--> RESOURCE1
[1] Archive type: HIDDEN
--> MEM\AV000005eb.AV$
[DETECTION] Contains recognition pattern of the DR/WebHancer.390.4 dropper
--> license.txt
[DETECTION] Contains recognition pattern of the ADSPY/Agent.7938.A adware or spyware
--> whAgent.exe
[DETECTION] Contains recognition pattern of the ADSPY/Webhancer.J adware or spyware
--> whiehlpr.dll
[DETECTION] Contains recognition pattern of the ADSPY/Webhancer.2 adware or spyware
[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTecbldbbhda.dll.vir
[DETECTION] Is the TR/PCK.Tdss.AA.2862 Trojan
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'D:\' <Backup>

Beginning disinfection:
C:\Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\Quarantine\{0000372F-0000-0000-75EF-22C43CA43A2A}\DATA.CAB
[NOTE] The file was moved to '4b928a00.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTecbldbbhda.dll.vir
[DETECTION] Is the TR/PCK.Tdss.AA.2862 Trojan
[NOTE] The file was moved to '4b9189f7.qua'!


End of the scan: Friday, January 01, 2010 18:48
Used time: 1:48:53 Hour(s)

The scan has been done completely.

11387 Scanned directories
404598 Files were scanned
6 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
2 Files were moved to quarantine
0 Files were renamed
3 Files cannot be scanned
404589 Files not concerned
5343 Archives were scanned
5 Warnings
4 Notes
74352 Objects were scanned with rootkit scan
0 Hidden objects were found

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,717 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:09 AM

Posted 01 January 2010 - 07:01 PM

  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Download and run JavaRa for the Java update. Use the tool to remove old and redundant versions of the Java Runtime Environment. The latest version is Java 6 update 17. Please uninstall any remaining versions if the tool could not uninstall them.

  • I see traces of URL Assistant on the log. This is usually preinstalled on Dell computers without the consent of the user. You may uninstall it via Add/Remove Programs. If you decide to uninstall it, also remove the following folder: C:\Program Files\BAE

  • Go to Start > Run, copy/paste the following line into the Run box and click OK.

    cmd /c dir /a c:\slvhost.* > log.txt&start log.txt

    A text file (log.txt) will open. Please post its content in your reply.

  • Open your Malwarebytes' Anti-Malware.
  • First update it, to do that under the Update tab press "Check for Updates".
  • Under Scanner tab select "Perform Quick Scan", then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



#11 Darkumas

Darkumas
  • Topic Starter

  • Members
  • 112 posts
  • OFFLINE
  • Local time:01:09 AM

Posted 01 January 2010 - 09:47 PM

I updated the Java and uninstalled the url assistant.

First Log

Volume in drive C has no label.
Volume Serial Number is 98F8-7CB5

Directory of c:\


MBAM Log

Malwarebytes' Anti-Malware 1.43
Database version: 3472
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/1/2010 9:43:15 PM
mbam-log-2010-01-01 (21-43-15).txt

Scan type: Quick Scan
Objects scanned: 133246
Time elapsed: 13 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\jgaw400.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,717 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:09 AM

Posted 02 January 2010 - 06:55 AM

  • Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    driver::
    llrvya
    LMIRfsClientNP
    Registry:
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    [-HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
    [-HKEY_CLASSES_ROOT\clsid\{9516eb1c-ac77-492d-8fd6-a05afac9ea6e}]
    [-HKEY_CLASSES_ROOT\TypeLib\{A7A86710-D3B4-42A1-8350-217072343052}]
    [-HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
    [-HKEY_CLASSES_ROOT\clsid\{9516eb1c-ac77-492d-8fd6-a05afac9ea6e}]
    [-HKEY_CLASSES_ROOT\TypeLib\{A7A86710-D3B4-42A1-8350-217072343052}]
    [-HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Logical Volume"=-
    "UserFaultCheck"=-
    "KernelFaultCheck"=-
    "ccApp"=-
    dds::
    Trusted Zone: exitrealty.com\citrix
    Trusted Zone: intuit.com\community
    Trusted Zone: msn.com\zone
    Trusted Zone: rexplorer.net

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


  • Tell me how the computer is running.


#13 Darkumas

Darkumas
  • Topic Starter

  • Members
  • 112 posts
  • OFFLINE
  • Local time:01:09 AM

Posted 02 January 2010 - 10:43 AM

The computer is running fine so far. Also, about 2-3 weeks ago I noticed my Notepad icon was missing from my Accessories menu. Is there a way to get it back, as I use it often? I am forced to open an old one and go to File-->New and open one that way.

ComboFix 09-12-31.08 - Finesse 01/02/2010 9:59.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.177 [GMT -5:00]
Running from: c:\documents and settings\Finesse\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Finesse\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\EventSystem.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LMIRFSCLIENTNP
-------\Service_llrvya
-------\Service_LMIRfsClientNP


((((((((((((((((((((((((( Files Created from 2009-12-02 to 2010-01-02 )))))))))))))))))))))))))))))))
.

2010-01-01 18:52 . 2010-01-01 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-12-29 06:20 . 2009-12-29 06:21 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-28 21:22 . 2009-12-28 21:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-28 21:17 . 2006-09-13 19:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Gtek
2009-12-28 21:17 . 2006-09-13 19:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Symantec
2009-12-28 05:13 . 2009-12-28 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-12-28 05:04 . 2009-12-28 05:04 -------- d-----w- c:\documents and settings\Finesse\Application Data\AVG8
2009-12-21 00:05 . 2009-12-21 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Alawar Stargaze
2009-12-07 21:25 . 2009-12-07 21:26 -------- d-----w- c:\documents and settings\Finesse\Application Data\Inbox Toolbar
2009-12-07 01:34 . 2009-12-07 01:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Playrix Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-02 15:20 . 2009-07-10 12:26 -------- d-----w- c:\documents and settings\Finesse\Application Data\uTorrent
2010-01-02 03:10 . 2008-02-16 17:07 -------- d-----w- c:\program files\Java
2010-01-02 01:14 . 2008-07-28 21:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-01 18:52 . 2010-01-01 18:52 -------- d-----w- c:\program files\Avira
2010-01-01 14:37 . 2008-02-15 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-30 19:55 . 2008-07-28 21:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 19:54 . 2008-07-28 21:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-29 13:17 . 2009-12-29 10:52 54 ----a-w- c:\windows\system32\rp_stats.dat
2009-12-29 13:17 . 2009-12-29 10:52 39 ----a-w- c:\windows\system32\rp_rules.dat
2009-12-29 06:17 . 2009-12-29 06:17 -------- d-----w- c:\program files\Lavasoft
2009-12-29 06:17 . 2008-01-21 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-29 05:57 . 2008-02-15 18:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-29 05:40 . 2009-12-29 05:40 -------- d-----w- c:\program files\Panda Security
2009-12-28 15:17 . 2009-12-28 05:13 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-12-28 05:13 . 2009-12-28 05:13 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-12-28 05:13 . 2008-07-03 14:22 -------- d-----w- c:\program files\AVG
2009-12-21 00:03 . 2009-12-21 00:02 -------- d-----w- c:\program files\TheTreasuresOfMontezuma2
2009-12-19 18:46 . 2007-12-25 06:14 -------- d-----w- c:\documents and settings\Finesse\Application Data\Big Fish Games
2009-12-19 13:08 . 2006-12-30 16:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-17 00:54 . 2009-12-07 03:25 -------- d-----w- c:\program files\4 Elements
2009-12-09 03:23 . 2009-11-29 18:43 -------- d-----w- c:\program files\HelperBot
2009-12-09 03:20 . 2008-01-26 20:49 -------- d-----w- c:\program files\Dl_cats
2009-12-07 21:25 . 2009-12-07 21:25 -------- d-----w- c:\program files\Inbox Toolbar
2009-12-07 02:47 . 2009-12-07 01:24 -------- d-----w- c:\program files\Playrix Games
2009-12-06 22:05 . 2009-12-06 22:05 -------- d-----w- c:\program files\CardRecovery
2009-12-02 13:19 . 2009-12-29 10:52 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-02 01:40 . 2009-12-01 21:38 -------- d-----w- c:\program files\ABC Amber Palm Converter
2009-12-01 21:49 . 2009-12-01 21:49 -------- d-----w- c:\documents and settings\Finesse\Application Data\iSilo
2009-12-01 21:49 . 2009-12-01 21:49 -------- d-----w- c:\program files\iSilo
2009-11-29 22:18 . 2009-10-02 23:18 -------- d-----w- c:\documents and settings\Finesse\Application Data\vlc
2009-11-27 16:49 . 2006-12-03 22:23 79200 ----a-w- c:\documents and settings\Finesse\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-27 12:59 . 2007-08-23 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-27 12:49 . 2006-09-13 19:32 -------- d-----w- c:\program files\Microsoft Works
2009-11-25 16:19 . 2010-01-01 18:52 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-19 09:59 . 2009-09-25 03:54 -------- d-----w- c:\program files\bpo5000
2009-11-13 19:36 . 2009-11-08 14:18 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-11-10 18:17 . 2006-09-13 19:38 -------- d-----w- c:\program files\Microsoft SQL Server
2009-11-08 19:14 . 2009-11-08 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Act
2009-11-08 19:10 . 2009-11-08 14:18 88 --sh--r- c:\documents and settings\All Users\Application Data\51A3A397F4.sys
2009-11-08 14:18 . 2009-11-08 14:16 -------- d-----w- c:\documents and settings\Finesse\Application Data\IsolatedStorage
2009-11-08 14:15 . 2006-09-13 19:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-08 13:52 . 2007-08-23 23:54 -------- d-----w- c:\program files\Microsoft.NET
2009-11-08 13:50 . 2009-11-08 13:50 -------- d-----w- c:\program files\MSXML 6.0
2009-11-08 13:40 . 2009-11-08 13:40 -------- d-----w- c:\documents and settings\Finesse\Application Data\ACT
2009-11-08 13:39 . 2009-11-08 13:39 -------- d-----w- c:\program files\ACT
2009-11-08 05:17 . 2009-11-08 05:07 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-11-08 05:15 . 2009-11-08 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-11-08 05:14 . 2009-11-08 05:13 -------- d-----w- c:\documents and settings\Finesse\Application Data\DAEMON Tools Pro
2009-11-08 04:59 . 2009-11-08 04:59 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-11-08 03:01 . 2008-10-30 18:23 -------- d-----w- c:\program files\SpywareBlaster
2009-11-04 17:31 . 2007-12-27 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-11-04 13:12 . 2006-09-13 19:30 -------- d-----w- c:\program files\Google
2009-10-11 09:17 . 2008-11-28 17:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2007-10-22 02:42 . 2006-12-08 15:08 88 --sh--r- c:\windows\system32\51A3A397F4.sys
2007-10-22 02:42 . 2006-12-08 15:08 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F28D74EC-B064-4402-926D-E00687233421}]
2008-10-23 09:55 61728 ----a-w- c:\program files\Me.dium\Browser Add-ons\MediumIEStatusbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9516EB1C-AC77-492D-8FD6-A05AFAC9EA6E}"= "c:\program files\Me.dium\Browser Add-ons\MediumIEToolbar.dll" [2008-10-23 66336]

[HKEY_CLASSES_ROOT\clsid\{9516eb1c-ac77-492d-8fd6-a05afac9ea6e}]
[HKEY_CLASSES_ROOT\TypeLib\{A7A86710-D3B4-42A1-8350-217072343052}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{9516EB1C-AC77-492D-8FD6-A05AFAC9EA6E}"= "c:\program files\Me.dium\Browser Add-ons\MediumIEToolbar.dll" [2008-10-23 66336]

[HKEY_CLASSES_ROOT\clsid\{9516eb1c-ac77-492d-8fd6-a05afac9ea6e}]
[HKEY_CLASSES_ROOT\TypeLib\{A7A86710-D3B4-42A1-8350-217072343052}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-07-10 160592]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-10-09 289072]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"DLCQCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll" [2006-10-16 106496]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-01-12 249904]
"Logical Volume"="slvhost.exe" [BU]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-01-12 21:45 10800 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 01:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.2.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax 4.2.lnk
backup=c:\windows\pss\eFax 4.2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Finesse^Start Menu^Programs^Startup^Sprint media monitor.lnk]
path=c:\documents and settings\Finesse\Start Menu\Programs\Startup\Sprint media monitor.lnk
backup=c:\windows\pss\Sprint media monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-01-11 23:54 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act! Preloader]
c:\program files\ACT\Act for Windows\ActSage.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act.Outlook.Service]
c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 02:16 39792 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-10-23 19:18 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2005-12-19 13:08 1347584 ----a-w- c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
c:\program files\Common Files\Symantec Shared\ccApp.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2006-02-09 22:34 106496 ----a-w- c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
2007-09-06 13:08 136136 ----a-w- c:\program files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2005-05-15 07:04 332800 ----a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 06:05 127035 -c--a-w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlcqmon.exe]
2007-06-29 16:47 292080 ----a-w- c:\program files\Dell Photo AIO Printer 966\dlcqmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
c:\program files\CyberLink\PowerDVD\DVDLauncher.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.2]
2006-07-14 20:36 107008 ----a-w- c:\program files\eFax Messenger 4.2\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-02-06 18:09 133104 ----atw- c:\documents and settings\Finesse\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-12-13 21:41 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-12-13 21:45 118784 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-12-13 21:44 98304 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2008-09-09 06:21 623880 ----a-w- c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 15:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 15:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
c:\program files\iTunes\iTunesHelper.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
c:\program files\LogMeIn\x86\LogMeInSystray.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2008-10-17 01:57 4347120 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-10-18 15:34 5724184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-12 01:15 290816 ------w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-02-16 15:54 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2007-07-20 13:42 214560 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-24 21:30 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-03-08 16:48 761947 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-07-20 13:42 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2009-10-09 22:48 289072 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\SpacialAudio\\SAMBC\\SAMBC.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Documents and Settings\\Finesse\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Finesse\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:TCP"= 8000:TCP:Sam Broadcaster

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/29/2009 5:52 AM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [12/29/2009 12:41 AM 28552]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/7/2009 11:59 PM 685816]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/1/2010 1:52 PM 108289]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe -s DefaultInstance --> c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe -s DefaultInstance [?]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2/25/2009 8:44 PM 47640]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [5/27/2009 3:27 AM 29262680]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe -s DefaultInstance --> c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe -s DefaultInstance [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/28/2009 12:46 PM 133104]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [12/28/2009 12:13 AM 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [12/28/2009 12:13 AM 30104]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 8:19 AM 1181328]
.
Contents of the 'Scheduled Tasks' folder

2010-01-02 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 06:26]

2010-01-02 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 06:26]

2010-01-02 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 06:26]

2010-01-02 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 06:26]

2010-01-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 06:26]

2009-12-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 20:42]

2010-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-28 17:46]

2010-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-28 17:46]

2010-01-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-871554862-3987393492-1306162655-1007Core.job
- c:\documents and settings\Finesse\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-06 18:09]

2010-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-871554862-3987393492-1306162655-1007UA.job
- c:\documents and settings\Finesse\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-06 18:09]

2006-12-03 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

2010-01-02 c:\windows\Tasks\User_Feed_Synchronization-{9792E8EC-873A-40E2-85EE-939397C650B4}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.zipform.com/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: PUFLITE - hxxp://www.hinesville-homes.com/Office/ColpaControls/Photo/Control/PUFLITE.CAB
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} - hxxp://sav.mlxchange.com/Control/MultiSelectComboBox.cab
DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} - hxxp://sav.mlxchange.com/Control/MLXClientUtils.cab
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://sav.mlxchange.com/4.2.07.27/Control/IRCSharc.cab
FF - ProfilePath - c:\documents and settings\Finesse\Application Data\Mozilla\Firefox\Profiles\fckjgmj9.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://my.msn.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\documents and settings\Finesse\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Finesse\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft Silverlight\3.0.40818.0\npctrl.1.0.20806.0.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-02 10:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys sptd.sys hal.dll >>UNKNOWN [0x82B888AC]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf84f9f28
\Driver\ACPI -> ACPI.sys @ 0xf828acb8
\Driver\atapi -> atapi.sys @ 0xf8245b40
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Dell Wireless 1390 WLAN Mini-Card -> SendCompleteHandler -> NDIS.sys @ 0xf8139bb0
PacketIndicateHandler -> NDIS.sys @ 0xf8146a21
SendHandler -> NDIS.sys @ 0xf812487b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(1224)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\dlcqcoms.exe
c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-02 10:36:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-02 15:36
ComboFix2.txt 2010-01-01 15:36

Pre-Run: 865,898,496 bytes free
Post-Run: 881,119,232 bytes free

- - End Of File - - 98A14E9AE80A0D57ED9231B08E595FF1

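The "Reg Loading Points" section of the ComboFix log above is where a helper looks first, and two kinds of line stand out in it: a Run entry whose command is a bare filename rather than a full path (`"Logical Volume"="slvhost.exe" [BU]`, which Windows would have to resolve through the search path), and the Security Center / firewall values that switch monitoring and notifications off (`"DisableMonitoring"=dword:00000001`, `"DisableNotifications"= 1 (0x1)`). The script below is an added example written for this page, not code from the thread, from ComboFix or from its author; it triages a ComboFix-style excerpt offline and returns those lines as findings. The excerpt it parses is constructed from the log lines posted above, and the reading of ComboFix's short bracketed tags ([X], [BU]) as "file not verified, in contrast to the date-and-size stamp printed for files it found" is an assumption about the log format, not ComboFix documentation.

```python
import re
from dataclasses import dataclass

# Constructed excerpt: lines copied from the ComboFix "Reg Loading Points"
# section posted in this thread, trimmed to the keys the triage cares about.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-07-10 160592]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-10-09 289072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-01-12 249904]
"Logical Volume"="slvhost.exe" [BU]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Run values are printed as  "Name"="command" [stamp].  Assumption about the
# format: a stamp of "YYYY-MM-DD size" means ComboFix found the file; a short
# tag such as [X] or [BU] means it could not verify it.
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')
GENERIC_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
VERIFIED_STAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d+$")
# A command anchored to a drive letter, a UNC share or an environment variable.
ABSOLUTE_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|%[^%]+%)")
DWORD_ONE_RE = re.compile(r"^dword:0*1$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    key: str     # registry key the value lives under
    name: str    # value name
    reason: str  # short reason code for the analyst
    detail: str  # the raw right-hand side that triggered the finding


def triage_reg_loading_points(text: str) -> list[Finding]:
    """Walk a ComboFix 'Reg Loading Points' excerpt and flag the lines worth a look."""
    findings: list[Finding] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        key_lc = current_key.lower()

        if key_lc.endswith("\\run"):
            m = RUN_VALUE_RE.match(line)
            if not m:
                continue
            name, cmd, stamp = m.group("name", "cmd", "stamp")
            # Bare filename: resolved through the search path, so the binary that
            # actually runs depends on where Windows finds it first.
            if not ABSOLUTE_PATH_RE.match(cmd):
                findings.append(Finding(current_key, name, "bare-filename", cmd))
            if not VERIFIED_STAMP_RE.match(stamp):
                findings.append(Finding(current_key, name, "unverified-file", f"[{stamp}]"))

        elif "security center\\monitoring" in key_lc:
            m = GENERIC_VALUE_RE.match(line)
            if m and m.group("name") == "DisableMonitoring" and DWORD_ONE_RE.match(m.group("value")):
                findings.append(Finding(current_key, m.group("name"),
                                        "security-center-monitoring-off", m.group("value")))

        elif "firewallpolicy" in key_lc:
            m = GENERIC_VALUE_RE.match(line)
            if m and m.group("name") == "DisableNotifications" and m.group("value").startswith("1"):
                findings.append(Finding(current_key, m.group("name"),
                                        "firewall-notifications-off", m.group("value")))
    return findings


if __name__ == "__main__":
    for f in triage_reg_loading_points(SAMPLE_LOG):
        print(f"{f.reason:32} {f.name!r:20} {f.detail}")
```

Run against the excerpt, the only Run entries reported are "Logical Volume" (both a bare filename and an unverified file) and "UserFaultCheck" (unverified only; its command is a full path), plus the two policy values. The fully pathed, date-stamped entries such as RoboForm, GoToMyPC and avgnt produce nothing, which is the point of the check: it narrows a long autostart list down to the handful of lines a helper has to reason about by hand.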
#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,717 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:09 AM

Posted 02 January 2010 - 12:04 PM

Let's run Combofix once more.
  • To repair the notepad shortcut:

    Go to C:\Windows\System32\notepad.exe. Right-click notepad.exe and select "Pin to Start menu" from the context menu.
    Then go to Start => Select and hold down the notepad.exe and drag it to All Programs => Accessories and put it somewhere there.
    There should now be a Shortcut to Notepad under Accessories. Right-click it and rename it to Notepad.
    You may now remove notepad.exe from start menu by right-clicking it and selecting "Remove from this list".
    If you use notepad more often you can put a shortcut on your Quick Launch menu, or on your desktop or on start menu. Just right-click the shortcut you just made in Accessories and you can select "Pin to Start menu" or "Send to" => Desktop.

  • Close any open browsers.

    Open notepad and copy/paste the text in the code box below into it:

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    [-HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
    [-HKEY_CLASSES_ROOT\clsid\{9516eb1c-ac77-492d-8fd6-a05afac9ea6e}]
    [-HKEY_CLASSES_ROOT\TypeLib\{A7A86710-D3B4-42A1-8350-217072343052}]
    [-HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
    [-HKEY_CLASSES_ROOT\clsid\{9516eb1c-ac77-492d-8fd6-a05afac9ea6e}]
    [-HKEY_CLASSES_ROOT\TypeLib\{A7A86710-D3B4-42A1-8350-217072343052}]
    [-HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Logical Volume"=-
    "UserFaultCheck"=-
    "KernelFaultCheck"=-
    "ccApp"=-
    Skipfix::

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ("C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


#15 Darkumas

Darkumas
  • Topic Starter

  • Members
  • 112 posts
  • Local time:01:09 AM

Posted 02 January 2010 - 02:10 PM

Did what you said about notepad, got it to the start menu, but no matter how many times I try to drag it to accessories it won't go there. Also, while I was going to run combofix it said there was a newer version available and asked if I wanted to update it; I chose no, not sure what I should have done there. There is a noticeable slowdown on the computer, longer lag times if I try to open a folder, not sure why. Below is the log. Thanks again Farbar.

ComboFix 09-12-31.08 - Finesse 01/02/2010 13:48:36.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.206 [GMT -5:00]
Running from: c:\documents and settings\Finesse\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Finesse\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\EventSystem.log

.
((((((((((((((((((((((((( Files Created from 2009-12-02 to 2010-01-02 )))))))))))))))))))))))))))))))
.

2010-01-01 18:52 . 2009-11-25 16:19 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-01 18:52 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-01-01 18:52 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-01-01 18:52 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-01-01 18:52 . 2010-01-01 18:52 -------- d-----w- c:\program files\Avira
2010-01-01 18:52 . 2010-01-01 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-12-29 10:52 . 2009-12-29 13:17 54 ----a-w- c:\windows\system32\rp_stats.dat
2009-12-29 10:52 . 2009-12-29 13:17 39 ----a-w- c:\windows\system32\rp_rules.dat
2009-12-29 10:52 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-29 06:20 . 2009-12-29 06:21 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-29 06:17 . 2009-12-29 06:17 -------- d-----w- c:\program files\Lavasoft
2009-12-29 05:41 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-12-29 05:40 . 2009-12-29 05:40 -------- d-----w- c:\program files\Panda Security
2009-12-29 04:56 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-28 21:22 . 2009-12-28 21:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-28 05:13 . 2009-12-28 15:17 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-12-28 05:13 . 2009-12-28 05:13 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-12-28 05:13 . 2009-12-28 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-12-28 05:04 . 2009-12-28 05:04 -------- d-----w- c:\documents and settings\Finesse\Application Data\AVG8
2009-12-28 04:44 . 2009-12-28 04:44 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-21 00:05 . 2009-12-21 00:05 -------- d-----w- c:\documents and settings\Finesse\Local Settings\Application Data\STARGAZE_IMAGE_CACHE
2009-12-21 00:05 . 2009-12-21 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Alawar Stargaze
2009-12-21 00:02 . 2009-12-21 00:03 -------- d-----w- c:\program files\TheTreasuresOfMontezuma2
2009-12-21 00:02 . 2009-12-21 00:02 -------- d-----w- c:\windows\TheTreasuresOfMontezuma2
2009-12-07 21:25 . 2009-12-07 21:26 -------- d-----w- c:\documents and settings\Finesse\Application Data\Inbox Toolbar
2009-12-07 21:25 . 2009-12-07 21:25 -------- d-----w- c:\program files\Inbox Toolbar
2009-12-07 03:25 . 2009-12-17 00:54 -------- d-----w- c:\program files\4 Elements
2009-12-07 03:25 . 2009-12-07 03:25 -------- d-----w- c:\windows\4 Elements
2009-12-07 01:34 . 2009-12-07 01:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Playrix Entertainment
2009-12-07 01:24 . 2009-12-07 02:47 -------- d-----w- c:\program files\Playrix Games
2009-12-06 22:05 . 2009-12-06 22:05 -------- d-----w- c:\program files\CardRecovery
2009-12-06 21:49 . 2009-06-19 08:20 67208 ----a-w- c:\windows\UnDeploy.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-02 18:26 . 2009-07-10 12:26 -------- d-----w- c:\documents and settings\Finesse\Application Data\uTorrent
2010-01-02 03:10 . 2008-02-16 17:07 -------- d-----w- c:\program files\Java
2010-01-02 02:59 . 2010-01-02 02:59 152576 ----a-w- c:\documents and settings\Finesse\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-02 02:58 . 2010-01-02 02:58 79488 ----a-w- c:\documents and settings\Finesse\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-02 01:14 . 2008-07-28 21:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-02 01:14 . 2008-07-31 04:32 5061520 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-01 14:37 . 2008-02-15 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-30 19:55 . 2008-07-28 21:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 19:54 . 2008-07-28 21:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-29 06:27 . 2009-12-29 06:27 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-12-29 06:27 . 2009-12-29 06:27 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-12-29 06:27 . 2009-12-29 06:27 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-12-29 06:27 . 2009-12-29 06:27 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-12-29 06:27 . 2009-12-29 06:27 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-12-29 06:27 . 2009-12-29 06:27 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-12-29 06:26 . 2009-12-29 06:26 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-12-29 06:26 . 2009-12-29 06:26 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-12-29 06:26 . 2009-12-29 06:26 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-12-29 06:26 . 2009-12-29 06:26 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-12-29 06:26 . 2009-12-29 06:26 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-12-29 06:26 . 2009-12-29 06:26 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-12-29 06:26 . 2009-12-29 06:26 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-12-29 06:17 . 2008-01-21 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-29 05:57 . 2008-02-15 18:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-28 05:13 . 2008-07-03 14:22 -------- d-----w- c:\program files\AVG
2009-12-19 18:46 . 2007-12-25 06:14 -------- d-----w- c:\documents and settings\Finesse\Application Data\Big Fish Games
2009-12-19 13:08 . 2006-12-30 16:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-09 03:23 . 2009-11-29 18:43 -------- d-----w- c:\program files\HelperBot
2009-12-09 03:20 . 2008-01-26 20:49 -------- d-----w- c:\program files\Dl_cats
2009-12-07 14:10 . 2009-12-29 06:20 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2009-12-04 15:03 . 2009-12-04 15:03 251376 ----a-w- c:\documents and settings\Finesse\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-12-02 01:40 . 2009-12-01 21:38 -------- d-----w- c:\program files\ABC Amber Palm Converter
2009-12-01 21:49 . 2009-12-01 21:49 -------- d-----w- c:\documents and settings\Finesse\Application Data\iSilo
2009-12-01 21:49 . 2009-12-01 21:49 -------- d-----w- c:\program files\iSilo
2009-11-29 22:18 . 2009-10-02 23:18 -------- d-----w- c:\documents and settings\Finesse\Application Data\vlc
2009-11-29 18:43 . 2009-11-29 18:43 22486 ----a-r- c:\documents and settings\Finesse\Application Data\Microsoft\Installer\{A0B6DD4E-5FA8-4BE3-817D-5D98FA9C6310}\_e205790.exe
2009-11-29 18:43 . 2009-11-29 18:43 22486 ----a-r- c:\documents and settings\Finesse\Application Data\Microsoft\Installer\{A0B6DD4E-5FA8-4BE3-817D-5D98FA9C6310}\_2b052989.exe
2009-11-27 16:49 . 2006-12-03 22:23 79200 ----a-w- c:\documents and settings\Finesse\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-27 12:59 . 2007-08-23 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-27 12:49 . 2006-09-13 19:32 -------- d-----w- c:\program files\Microsoft Works
2009-11-19 09:59 . 2009-09-25 03:54 -------- d-----w- c:\program files\bpo5000
2009-11-13 19:36 . 2009-11-08 14:18 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-11-13 19:36 . 2009-11-08 14:18 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-11-10 18:17 . 2006-09-13 19:38 -------- d-----w- c:\program files\Microsoft SQL Server
2009-11-08 19:14 . 2009-11-08 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Act
2009-11-08 19:10 . 2009-11-08 14:18 88 --sh--r- c:\documents and settings\All Users\Application Data\51A3A397F4.sys
2009-11-08 19:10 . 2009-11-08 14:18 88 --sh--r- c:\documents and settings\All Users\Application Data\51A3A397F4.sys
2009-11-08 14:18 . 2009-11-08 14:16 -------- d-----w- c:\documents and settings\Finesse\Application Data\IsolatedStorage
2009-11-08 14:15 . 2006-09-13 19:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-08 13:52 . 2007-08-23 23:54 -------- d-----w- c:\program files\Microsoft.NET
2009-11-08 13:50 . 2009-11-08 13:50 -------- d-----w- c:\program files\MSXML 6.0
2009-11-08 13:40 . 2009-11-08 13:40 -------- d-----w- c:\documents and settings\Finesse\Application Data\ACT
2009-11-08 13:39 . 2009-11-08 13:39 -------- d-----w- c:\program files\ACT
2009-11-08 05:17 . 2009-11-08 05:07 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-11-08 05:15 . 2009-11-08 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-11-08 05:14 . 2009-11-08 05:13 -------- d-----w- c:\documents and settings\Finesse\Application Data\DAEMON Tools Pro
2009-11-08 04:59 . 2009-11-08 04:59 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-11-08 03:01 . 2008-10-30 18:23 -------- d-----w- c:\program files\SpywareBlaster
2009-11-04 17:31 . 2007-12-27 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-11-04 13:12 . 2006-09-13 19:30 -------- d-----w- c:\program files\Google
2009-10-13 03:12 . 2008-12-29 03:15 2320 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2009-10-11 09:17 . 2008-11-28 17:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2007-10-22 02:42 . 2006-12-08 15:08 88 --sh--r- c:\windows\system32\51A3A397F4.sys
2007-10-22 02:42 . 2006-12-08 15:08 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F28D74EC-B064-4402-926D-E00687233421}]
2008-10-23 09:55 61728 ----a-w- c:\program files\Me.dium\Browser Add-ons\MediumIEStatusbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-07-10 160592]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-10-09 289072]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLCQCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll" [2006-10-16 106496]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-01-12 249904]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-01-12 21:45 10800 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 01:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.2.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax 4.2.lnk
backup=c:\windows\pss\eFax 4.2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Finesse^Start Menu^Programs^Startup^Sprint media monitor.lnk]
path=c:\documents and settings\Finesse\Start Menu\Programs\Startup\Sprint media monitor.lnk
backup=c:\windows\pss\Sprint media monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-01-11 23:54 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act! Preloader]
c:\program files\ACT\Act for Windows\ActSage.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act.Outlook.Service]
c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 02:16 39792 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-10-23 19:18 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2005-12-19 13:08 1347584 ----a-w- c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2006-02-09 22:34 106496 ----a-w- c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
2007-09-06 13:08 136136 ----a-w- c:\program files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2005-05-15 07:04 332800 ----a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 06:05 127035 -c--a-w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlcqmon.exe]
2007-06-29 16:47 292080 ----a-w- c:\program files\Dell Photo AIO Printer 966\dlcqmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
c:\program files\CyberLink\PowerDVD\DVDLauncher.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.2]
2006-07-14 20:36 107008 ----a-w- c:\program files\eFax Messenger 4.2\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-02-06 18:09 133104 ----atw- c:\documents and settings\Finesse\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-12-13 21:41 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-12-13 21:45 118784 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-12-13 21:44 98304 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2008-09-09 06:21 623880 ----a-w- c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 15:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 15:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
c:\program files\iTunes\iTunesHelper.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
c:\program files\LogMeIn\x86\LogMeInSystray.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2008-10-17 01:57 4347120 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-10-18 15:34 5724184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-12 01:15 290816 ------w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-02-16 15:54 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2007-07-20 13:42 214560 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-24 21:30 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-03-08 16:48 761947 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-07-20 13:42 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2009-10-09 22:48 289072 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\SpacialAudio\\SAMBC\\SAMBC.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Documents and Settings\\Finesse\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Finesse\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:TCP"= 8000:TCP:Sam Broadcaster

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/29/2009 5:52 AM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [12/29/2009 12:41 AM 28552]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/1/2010 1:52 PM 108289]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2/25/2009 8:44 PM 47640]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [5/27/2009 3:27 AM 29262680]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/7/2009 11:59 PM 685816]
S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe -s DefaultInstance --> c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe -s DefaultInstance [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/28/2009 12:46 PM 133104]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [12/28/2009 12:13 AM 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [12/28/2009 12:13 AM 30104]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe -s DefaultInstance --> c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe -s DefaultInstance [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 8:19 AM 1181328]
.
Contents of the 'Scheduled Tasks' folder

2010-01-02 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 06:26]

2010-01-02 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 06:26]

2010-01-02 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 06:26]

2010-01-02 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 06:26]

2010-01-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 06:26]

2009-12-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 20:42]

2010-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-28 17:46]

2010-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-28 17:46]

2010-01-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-871554862-3987393492-1306162655-1007Core.job
- c:\documents and settings\Finesse\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-06 18:09]

2010-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-871554862-3987393492-1306162655-1007UA.job
- c:\documents and settings\Finesse\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-06 18:09]

2006-12-03 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

2010-01-02 c:\windows\Tasks\User_Feed_Synchronization-{9792E8EC-873A-40E2-85EE-939397C650B4}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.zipform.com/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: PUFLITE - hxxp://www.hinesville-homes.com/Office/ColpaControls/Photo/Control/PUFLITE.CAB
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} - hxxp://sav.mlxchange.com/Control/MultiSelectComboBox.cab
DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} - hxxp://sav.mlxchange.com/Control/MLXClientUtils.cab
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://sav.mlxchange.com/4.2.07.27/Control/IRCSharc.cab
FF - ProfilePath - c:\documents and settings\Finesse\Application Data\Mozilla\Firefox\Profiles\fckjgmj9.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://my.msn.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\documents and settings\Finesse\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Finesse\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft Silverlight\3.0.40818.0\npctrl.1.0.20806.0.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{9516EB1C-AC77-492D-8FD6-A05AFAC9EA6E} - (no file)
WebBrowser-{9516EB1C-AC77-492D-8FD6-A05AFAC9EA6E} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-02 13:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
c:\windows\system32\LMIinit.dll
.
Completion time: 2010-01-02 14:00:15
ComboFix-quarantined-files.txt 2010-01-02 19:00
ComboFix2.txt 2010-01-02 15:36
ComboFix3.txt 2010-01-01 15:36

Pre-Run: 889,729,024 bytes free
Post-Run: 879,763,456 bytes free

- - End Of File - - DC5228A27DAF3A3035C7C58D69DDD7CF
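Added example, not part of the post above and not ComboFix's own code: a small triage script of the kind a helper would run over a pasted ComboFix log to pull out the entries worth a second look, namely files carrying both the system and hidden attributes, Security Center monitoring switched off, Windows Firewall notifications disabled, globally open ports, and Run-key autoruns. The sample log is a constructed excerpt modelled on the sections of the log above; the attribute-column layout it assumes (one letter per flag, `d` for directory, `s` system, `h` hidden) matches what the log shows. The flags are leads, not verdicts: third-party security suites that register with Security Center routinely set DisableMonitoring, and some licensing components also drop hidden system files under Application Data, so each hit still has to be checked by hand.

```python
import re

# Constructed excerpt modelled on the ComboFix log above (not the full log).
SAMPLE_LOG = r"""
2009-11-13 19:36 . 2009-11-08 14:18 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-11-08 19:10 . 2009-11-08 14:18 88 --sh--r- c:\documents and settings\All Users\Application Data\51A3A397F4.sys
2009-11-08 04:59 . 2009-11-08 04:59 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-11-08 14:15 . 2006-09-13 19:14 -------- d--h--w- c:\program files\InstallShield Installation Information

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:TCP"= 8000:TCP:Sam Broadcaster

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-10-09 289072]
"""

# File-list line: mtime . ctime size attrs path (size is "--------" for directories).
FILE_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<ctime>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
REG_KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
REG_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')


def parse_file_entries(text):
    """Return the file-list lines as dicts (mtime, ctime, size, attrs, path)."""
    return [m.groupdict() for line in text.splitlines()
            if (m := FILE_RE.match(line.strip()))]


def parse_reg_sections(text):
    """Map each [key] header to the "name"=value lines that follow it."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := REG_KEY_RE.match(line):
            current = m.group("key")
            sections.setdefault(current, {})
        elif (m := REG_VAL_RE.match(line)) and current is not None:
            sections[current][m.group("name")] = m.group("value").strip()
    return sections


def hidden_system_files(entries):
    """Files (not directories) with both the system and hidden attribute set."""
    return [e["path"] for e in entries
            if "d" not in e["attrs"] and "s" in e["attrs"] and "h" in e["attrs"]]


def security_center_monitoring_disabled(sections):
    """Security Center keys where DisableMonitoring is set to 1."""
    return [key for key, values in sections.items()
            if "security center\\monitoring" in key.lower()
            and values.get("DisableMonitoring", "").lower() == "dword:00000001"]


def firewall_findings(sections):
    """(notifications disabled?, list of globally open ports) from the firewall policy."""
    notifications_off, open_ports = False, []
    for key, values in sections.items():
        k = key.lower()
        if "firewallpolicy" not in k:
            continue
        if k.endswith("globallyopenports\\list"):
            open_ports.extend(values.keys())
        elif values.get("DisableNotifications", "").startswith("1"):
            notifications_off = True
    return notifications_off, open_ports


def autoruns(sections):
    """(name, command) pairs from every ...\\CurrentVersion\\Run key."""
    return [(name, cmd) for key, values in sections.items()
            if key.lower().endswith("\\currentversion\\run")
            for name, cmd in values.items()]


def triage(text):
    """Collect every indicator worth a manual look from one ComboFix log."""
    sections = parse_reg_sections(text)
    notifications_off, open_ports = firewall_findings(sections)
    return {
        "hidden_system_files": hidden_system_files(parse_file_entries(text)),
        "security_center_monitoring_disabled": security_center_monitoring_disabled(sections),
        "firewall_notifications_disabled": notifications_off,
        "globally_open_ports": open_ports,
        "autoruns": autoruns(sections),
    }


if __name__ == "__main__":
    for heading, items in triage(SAMPLE_LOG).items():
        print(f"== {heading}")
        for item in (items if isinstance(items, list) else [items]):
            print("  ", item)
```

Feed it the full log instead of SAMPLE_LOG to reproduce the review a helper does by eye; on the log above it would surface the two hidden system files under All Users\Application Data, the three Security Center monitoring overrides, the silenced firewall notifications and the open TCP/8000 rule for Sam Broadcaster, every one of which the poster should be able to explain before it is treated as clean.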