
Browser redirect and various fake antivirus programs popping up


  • This topic is locked
22 replies to this topic

#1 motley

motley

  • Members
  • 17 posts
  • OFFLINE
  • Local time:07:32 PM

Posted 13 January 2010 - 06:34 PM

Hi,

I'm not sure what I'm infected with, but it started when I was getting redirected. I would enter something in the Google search bar and it would bring up the Google search page, but when I clicked on a link, it would take me to a page with a bunch of links on it. Then Desktop Defender 2010 popped up and I had to fight through it to run Mal Aware to get rid of it. I thought everything was fine and then searched again and got redirected. Then another phony antivirus program popped up on my Windows. I have d/led Spybot but it can't connect to finish installing, and also installed Avira but it's unable to connect in order to update. I appreciate any and all help. Thanks ahead of time!


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 19:03:40.37 on Tue 01/12/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.222.32 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox 3.1 Beta 3\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_02\bin\ssv.dll
BHO: My Web Search Bar BHO: {8eab99c1-f9ec-4b64-a4ba-d9bcae8779c2} - c:\program files\mywebsearchwb\bar\1.bin\W6BAR.DLL
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: MSN Search Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0001.1119\en-us\msntb.dll
TB: MSN Search Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0001.1119\en-us\msntb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
dRun: [cnegeykl] c:\windows\system32\config\systemprofile\local settings\application data\vokhdf\jjotsysguard.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\msn toolbar suite\ds\02.05.0001.1119\en-us\bin\WindowsSearch.exe
IE: Open in new background tab - c:\program files\msn toolbar suite\tab\02.05.0000.1110\en-us\msntabres.dll/229?13711ee343474db69a8a182aa9f1c986
IE: Open in new foreground tab - c:\program files\msn toolbar suite\tab\02.05.0000.1110\en-us\msntabres.dll/230?13711ee343474db69a8a182aa9f1c986
IE: {13C1DBF6-7535-495c-91F6-8C13714ED485} - c:\documents and settings\owner\start menu\programs\absolute poker\Absolute Poker.lnk
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {EFFF8D47-D060-4108-B761-E8EC86622E56} - c:\documents and settings\all users\start menu\programs\absolute poker\Absolute Poker.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\bi2hgpcs.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=18&tid={A17AED3F-C748-F557-195F-2904919865D6}&q=
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox 3.1 beta 3\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.1 beta 3\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-21 200192]
S2 pciinfo;HP Pci Information;\??\c:\docume~1\owner\locals~1\temp\hpispz\hpdom\pciinfo.sys --> c:\docume~1\owner\locals~1\temp\hpispz\hpdom\pciinfo.sys [?]
S3 fd_dbus;FutureDial USB Composite Device driver (WDM);c:\windows\system32\drivers\fd_dbus.sys [2007-3-28 44816]
S3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\drivers\lgatmdm.sys [2007-3-28 77104]
S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);c:\windows\system32\drivers\lgatserd.sys [2007-3-28 60816]

=============== Created Last 30 ================

2010-01-13 01:48:11 0 d-----w- c:\program files\Trend Micro
2010-01-13 00:23:37 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-05 23:42:07 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-01-05 23:41:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-05 23:40:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-05 23:40:55 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 23:40:54 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-03 22:59:16 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-01-02 19:23:49 2450 --sh--w- c:\docume~1\owner\applic~1\pacman.exe
2010-01-01 08:37:54 0 d-----w- c:\docume~1\alluse~1\applic~1\BigFishGamesCache
2009-12-25 03:57:45 0 d-----w- c:\docume~1\owner\applic~1\Coby Media Manager
2009-12-25 03:56:12 0 d-----w- c:\program files\Coby

==================== Find3M ====================

2009-12-13 03:54:30 11270 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-12-12 22:31:23 87608 ----a-w- c:\docume~1\owner\applic~1\inst.exe
2009-12-12 22:31:23 47360 ----a-w- c:\docume~1\owner\applic~1\pcouffin.sys
2009-12-06 17:29:56 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-12-04 17:02:05 1422 -c--a-w- c:\docume~1\owner\applic~1\wklnhst.dat

============= FINISH: 19:05:42.12 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 8/21/2005 4:24:19 PM
System Uptime: 1/12/2010 6:44:48 PM (1 hours ago)

Motherboard: Quanta | | 3096
Processor: Mobile AMD Sempron™ Processor 2800+ | U23 | 1591/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 37 GiB total, 18.709 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP367: 1/6/2010 4:10:37 PM - System Checkpoint
RP368: 1/10/2010 3:02:14 PM - System Checkpoint
RP369: 1/12/2010 4:49:25 PM - Removed AVG Free 9.0
RP370: 1/12/2010 4:53:23 PM - Installed AVG Free 9.0
RP371: 1/12/2010 5:19:48 PM - Avira AntiVir Personal - 1/12/2010 17:19
RP372: 1/12/2010 6:41:39 PM - Avira AntiVir Personal - 1/12/2010 18:41

==== Installed Programs ======================

Absolute Poker
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe ExtendScript Toolkit CS4
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Linguistics CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 9.1
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player 11
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Apple Software Update
ATI - Software Uninstall Utility
ATI Display Driver
AutoUpdate
BitPim 0.9.12
Broadcom 802.11 Wireless LAN Adapter
BufferChm
Coby Media Manager
Conexant AC-Link Audio
Connect
CustomerResearchQFolder
Data Fax SoftModem with SmartCP
Desktop Weather by The Weather Channel
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
DIGOpt
DIGReqEx
DivX
DivX Player
DivX User Guide
eSupportQFolder
Garmin c320 City Navigator North America NT v8
Garmin Communicator Plugin
Garmin USB Drivers
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
HP Deskjet 3900 series
HP Extended Capabilities 5.0
HP Help and Support
HP Image Zone Express
HP Imaging Device Functions 5.0
HP Software Update
HP Solution Center & Imaging Support Tools 5.0
HP User Guides 0002
HP Wireless Assistant 1.01 A2
HPDeskjet3900Series
HPProductAssistant
InterVideo WinDVD
iTunes
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
K-Lite Codec Pack 5.4.4 (Basic)
kuler
LG PC Sync
LG USB Drivers
LG USB Modem driver
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft ActiveSync 4.0
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel Viewer 2003
Microsoft Picture It! Express 9
Microsoft Picture It! Library 9
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
Mozilla Firefox (3.0.7)
Mozilla Firefox (3.5.7)
MP3 Cutter Plus 1.0
MSN
MSN Encarta Plus Support Files
MSN Search Toolbar
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 4.0 - SE
Nero 7 Premium
neroxml
OpenMG AAC Add-on Module 1.0.00
OpenMG Limited Patch 4.5-06-05-12-01
OpenMG Secure Module 4.5.01
Paint Shop Pro 6.02 CD
PC Sync
PDF Manual NW-S200 Series
PDF Settings CS4
PeerGuardian 2.0
Photoshop Camera Raw
PokerStars
Quick Launch Buttons 5.10 B2
QuickLink Mobile
QuickTime
RarZilla Free Unrar 2.52
RealPlayer
REALTEK Gigabit and Fast Ethernet NIC Driver
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SolutionCenter
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
SonicStage 4.0
Status
Suite Shared Configuration CS4
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
TextTwist Deluxe
Tiger Woods PGA TOUR 2002
TIxx21
TrayApp
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
V CAST Music with Rhapsody
VideoCam Suite
VideoCam Suite 1.0
Viewpoint Media Player
WeatherBug Browser Bar - powered by MyWebSearch
WebFldrs XP
WebReg
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB894476
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Install Manager

==== Event Viewer Messages From Past Week ========

1/7/2010 8:24:38 PM, error: SideBySide [58] - Syntax error in manifest or policy file "C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83.Manifest" on line 0.
1/7/2010 8:24:37 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.Windows.Common-Controls. Reference error message: Error Message is unavailable .
1/7/2010 8:24:37 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\system32\WININET.dll. Reference error message: Error Message is unavailable .
1/7/2010 8:24:36 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.Windows.Common-Controls. Reference error message: Not enough storage is available to complete this operation. .
1/7/2010 8:24:35 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\WindowsShell.Manifest. Reference error message: The operation completed successfully. .
1/7/2010 8:24:35 PM, error: SideBySide [58] - Syntax error in manifest or policy file "C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy" on line 9.
1/7/2010 8:24:35 PM, error: SideBySide [58] - Syntax error in manifest or policy file "C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy" on line 0.
1/7/2010 8:24:35 PM, error: SideBySide [58] - Syntax error in manifest or policy file "C:\WINDOWS\system32\SHELL32.dll" on line 20.
1/7/2010 8:03:36 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\system32\WININET.dll. Reference error message: The operation completed successfully. .
1/7/2010 8:03:35 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\system32\SHELL32.dll. Reference error message: The operation completed successfully. .
1/7/2010 5:27:31 PM, error: Service Control Manager [7034] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s).
1/7/2010 5:27:31 PM, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
1/6/2010 8:01:28 PM, error: Service Control Manager [7031] - The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
1/6/2010 5:11:37 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
1/6/2010 3:59:43 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avg9wd service.
1/6/2010 3:45:58 PM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.
1/6/2010 3:45:58 PM, error: Service Control Manager [7000] - The HP Pci Information service failed to start due to the following error: The system cannot find the file specified.
1/6/2010 3:43:36 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
1/6/2010 3:43:36 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
1/5/2010 3:59:44 PM, error: Service Control Manager [7023] - The SSHNAS service terminated with the following error: The specified module could not be found.
1/5/2010 3:57:49 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'avgcorex.dll.old' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
1/12/2010 4:18:53 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

==== End Of File ===========================
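Reading the DDS output above, a few lines carry most of the signal: the per-user proxy `uInternet Settings,ProxyServer = http=127.0.0.1:5555`, which routes Internet Explorer traffic through a listener on the machine itself and is consistent with both the search redirects and the failed Spybot/Avira update connections described in the post; the `dRun` entry that auto-starts a randomly named `jjotsysguard.exe` from the LocalSystem profile's Application Data; the Firefox `keyword.URL` pointing address-bar searches at fastbrowsersearch.com; and the hidden+system executables `pacman.exe` and `KGyGaAvL.sys`. The script below is an added example by the editor, not part of this thread and not the DDS tool's own code. It re-implements those checks as heuristics over a constructed subset of the log lines posted in this thread; the list of profile/temp directories and the set of "expected" search hosts are the editor's assumptions, and a hit is a lead for the helper to review, not a verdict.

```python
"""Triage a DDS log for the browser-hijack indicators discussed above.

Added example: not part of the BleepingComputer thread and not DDS's own
code. Heuristics and sample lines are the editor's; a hit is a lead, not a
verdict.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the two DDS logs posted in this thread.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: My Web Search Bar BHO: {8eab99c1-f9ec-4b64-a4ba-d9bcae8779c2} - c:\program files\mywebsearchwb\bar\1.bin\W6BAR.DLL
dRun: [cnegeykl] c:\windows\system32\config\systemprofile\local settings\application data\vokhdf\jjotsysguard.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=18&tid={A17AED3F-C748-F557-195F-2904919865D6}&q=
S2 pciinfo;HP Pci Information;\??\c:\docume~1\owner\locals~1\temp\hpispz\hpdom\pciinfo.sys --> c:\docume~1\owner\locals~1\temp\hpispz\hpdom\pciinfo.sys [?]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-21 200192]
2010-01-02 19:23:49 2450 --sh--w- c:\docume~1\owner\applic~1\pacman.exe
2009-12-13 03:54:30 11270 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-01-13 00:23:37 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
"""


@dataclass
class Finding:
    kind: str    # proxy | autorun | search-hijack | service | file
    detail: str
    line: str


# Assumption (editor's): installed software on XP does not auto-start or load
# drivers from these locations. DDS prints 8.3 and long forms, so list both.
PROFILE_DIRS = (
    "\\docume~1\\", "\\documents and settings\\",
    "\\applic~1\\", "\\application data\\",
    "\\locals~1\\", "\\local settings\\",
    "\\temp\\", "\\systemprofile\\",
)

# Assumption (editor's): homepage and selectedEngine in the log are Yahoo, so a
# search keyword resolving outside the major engines is a hijack lead.
EXPECTED_SEARCH_HOSTS = ("yahoo.com", "google.com", "bing.com", "live.com")

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S.*)$")
RUN_RE = re.compile(r"^(?P<hive>[umd]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
PREF_RE = re.compile(r"^FF - prefs\.js:\s*(?P<pref>\S+)\s*-\s*(?P<url>\S+)$")
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<svc>[^;]+);[^;]*;(?P<path>.+)$")
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$")


def _under_profile(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in PROFILE_DIRS)


def _host(url: str) -> str:
    # DDS defangs URLs as hxxp://; accept both spellings.
    m = re.match(r"h[xt]{2}ps?://([^/?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def _expected_search_host(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in EXPECTED_SEARCH_HOSTS)


def triage(log: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.search(line)
        if m:
            # Value is "host:port" or "proto=host:port;proto=host:port".
            for entry in m.group("value").split(";"):
                hostport = entry.split("=", 1)[-1].strip()
                host = hostport.rsplit(":", 1)[0].strip("[]")
                if host in ("127.0.0.1", "localhost", "::1"):
                    findings.append(Finding("proxy", f"loopback proxy {hostport}: "
                                            "browser traffic passes through a local listener", line))
                elif hostport:
                    findings.append(Finding("proxy", f"explicit proxy {hostport}: "
                                            "confirm the user configured it", line))
            continue
        m = RUN_RE.match(line)
        if m:
            if _under_profile(m.group("cmd")):
                findings.append(Finding("autorun", f"{m.group('hive')} [{m.group('name')}] "
                                        "starts an executable from a profile/temp directory", line))
            continue
        m = PREF_RE.match(line)
        if m:
            if m.group("pref") in ("keyword.URL", "browser.search.defaulturl"):
                host = _host(m.group("url"))
                if host and not _expected_search_host(host):
                    findings.append(Finding("search-hijack",
                                            f"{m.group('pref')} sends searches to {host}", line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            if _under_profile(m.group("path")):
                findings.append(Finding("service", f"service {m.group('svc')} loads its image "
                                        "from a profile/temp directory", line))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            ext = path.lower().rsplit(".", 1)[-1] if "." in path else ""
            if ext not in ("exe", "sys", "dll"):
                continue
            if "s" in attrs and "h" in attrs:
                findings.append(Finding("file", f"{path} is hidden+system", line))
            elif _under_profile(path):
                findings.append(Finding("file", f"{ext} dropped under a profile directory: {path}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}\n    {f.line}")
```

Run against the sample it reports six leads: the loopback proxy, the `dRun` autostart, the `keyword.URL` hijack, the `pciinfo` service and the two hidden+system files. The `pciinfo` hit shows why a lead is not a verdict: it is an HP diagnostic driver left in %TEMP%, and the event-log section of the same post shows that service simply fails to start. The proxy value DDS prints as `uInternet Settings` is the per-user one under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings`; re-checking it after cleanup confirms the interception is gone.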


#2 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:32 PM

Posted 20 January 2010 - 02:18 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

*If you have since resolved the original problem you were having, we would appreciate you letting us know.

*If not please perform the following steps below so we can have a look at the current condition of your machine.

*If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

**If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks, and again sorry for the delay.


You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.
In order to be notified via email when your topic has a reply you need to enable topic notifications. To enable topic notifications you should do the following:

1. Click on the My Controls link at the top of the page to enter your control panel.

2. Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.

3. Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.

4. Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.

The topics you are tracking are shown Here.
Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.
----------------------------*-------------------------------

We need to see some information about what is happening in your machine.

Please perform the following scan:


  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Kind regards
Net_Surfer


#3 motley

motley
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:07:32 PM

Posted 20 January 2010 - 06:31 PM


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 16:22:54.67 on Wed 01/20/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.222.31 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox 3.1 Beta 3\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - SSVHelper Class
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: {8eab99c1-f9ec-4b64-a4ba-d9bcae8779c2} - My Web Search Bar BHO
BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - Google Toolbar Notifier BHO
BHO: MSN Search Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0001.1119\en-us\msntb.dll
TB: MSN Search Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0001.1119\en-us\msntb.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
dRun: [cnegeykl] c:\windows\system32\config\systemprofile\local settings\application data\vokhdf\jjotsysguard.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\msn toolbar suite\ds\02.05.0001.1119\en-us\bin\WindowsSearch.exe
IE: Open in new background tab - c:\program files\msn toolbar suite\tab\02.05.0000.1110\en-us\msntabres.dll/229?13711ee343474db69a8a182aa9f1c986
IE: Open in new foreground tab - c:\program files\msn toolbar suite\tab\02.05.0000.1110\en-us\msntabres.dll/230?13711ee343474db69a8a182aa9f1c986
IE: {13C1DBF6-7535-495c-91F6-8C13714ED485} - c:\documents and settings\owner\start menu\programs\absolute poker\Absolute Poker.lnk
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {EFFF8D47-D060-4108-B761-E8EC86622E56} - c:\documents and settings\all users\start menu\programs\absolute poker\Absolute Poker.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\bi2hgpcs.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=18&tid={A17AED3F-C748-F557-195F-2904919865D6}&q=
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox 3.1 beta 3\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.1 beta 3\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-12 11608]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-1-17 486280]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-12 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-12 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-12 55656]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 476528]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-21 200192]
S2 pciinfo;HP Pci Information;\??\c:\docume~1\owner\locals~1\temp\hpispz\hpdom\pciinfo.sys --> c:\docume~1\owner\locals~1\temp\hpispz\hpdom\pciinfo.sys [?]
S3 fd_dbus;FutureDial USB Composite Device driver (WDM);c:\windows\system32\drivers\fd_dbus.sys [2007-3-28 44816]
S3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\drivers\lgatmdm.sys [2007-3-28 77104]
S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);c:\windows\system32\drivers\lgatserd.sys [2007-3-28 60816]

=============== Created Last 30 ================

2010-01-17 18:29:48 0 d-----w- c:\docume~1\owner\applic~1\IObit
2010-01-17 18:29:46 0 d-----w- c:\program files\IObit
2010-01-17 17:06:35 0 d-----w- c:\docume~1\owner\applic~1\CheckPoint
2010-01-17 17:05:49 0 d-----w- c:\program files\CheckPoint
2010-01-17 17:05:43 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-01-17 17:05:00 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-01-17 17:04:59 0 d-----w- c:\windows\system32\ZoneLabs
2010-01-17 17:04:55 422437 ----a-w- c:\windows\system32\vsconfig.xml
2010-01-17 17:04:52 0 d-----w- c:\program files\Zone Labs
2010-01-17 17:04:14 0 d-----w- c:\windows\Internet Logs
2010-01-13 02:25:07 0 d-----w- c:\program files\Avira
2010-01-13 02:25:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-01-13 01:48:11 0 d-----w- c:\program files\Trend Micro
2010-01-13 00:23:37 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-05 23:42:07 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-01-05 23:41:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-05 23:40:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-05 23:40:55 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 23:40:54 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-03 22:59:16 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-01-02 19:23:49 2450 --sh--w- c:\docume~1\owner\applic~1\pacman.exe
2010-01-01 08:37:54 0 d-----w- c:\docume~1\alluse~1\applic~1\BigFishGamesCache
2009-12-25 03:57:45 0 d-----w- c:\docume~1\owner\applic~1\Coby Media Manager
2009-12-25 03:56:12 0 d-----w- c:\program files\Coby

==================== Find3M ====================

2009-12-13 03:54:30 11270 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-12-12 22:31:23 87608 ----a-w- c:\docume~1\owner\applic~1\inst.exe
2009-12-12 22:31:23 47360 ----a-w- c:\docume~1\owner\applic~1\pcouffin.sys
2009-12-06 17:29:56 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-12-04 17:02:05 1422 -c--a-w- c:\docume~1\owner\applic~1\wklnhst.dat

============= FINISH: 16:28:01.02 ===============
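The DDS log above is what the forum helpers read first. As an added example (not a tool from this thread and not DDS's own code), the script below pulls out the three kinds of lines a responder checks in such a log: the Firefox search prefs, the SERVICES / DRIVERS entries and the dated file entries, and flags the patterns visible in this post: keyword.URL pointing at a third-party search host, a service whose image sits under a Temp folder with its file unreadable ([?]), and executables carrying hidden+system attributes or dropped straight into the Application Data root. The sample lines are copied from the log above; the allowlist of search hosts, the severity labels and the function names are assumptions.

```python
"""Triage a DDS log (the format posted above): flag the lines a malware
responder looks at first. Added example; not a tool from the thread."""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample, trimmed from the DDS output in the first post
# (Firefox prefs, SERVICES / DRIVERS, and dated file entries).
SAMPLE_DDS = r"""
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=18&tid={A17AED3F-C748-F557-195F-2904919865D6}&q=
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-1-17 486280]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-12 185089]
S2 pciinfo;HP Pci Information;\??\c:\docume~1\owner\locals~1\temp\hpispz\hpdom\pciinfo.sys --> c:\docume~1\owner\locals~1\temp\hpispz\hpdom\pciinfo.sys [?]
S3 fd_dbus;FutureDial USB Composite Device driver (WDM);c:\windows\system32\drivers\fd_dbus.sys [2007-3-28 44816]
2010-01-17 17:05:43 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-01-02 19:23:49 2450 --sh--w- c:\docume~1\owner\applic~1\pacman.exe
2009-12-13 03:54:30 11270 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-12-12 22:31:23 87608 ----a-w- c:\docume~1\owner\applic~1\inst.exe
2009-12-04 17:02:05 1422 -c--a-w- c:\docume~1\owner\applic~1\wklnhst.dat
"""

PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (\S+)$")
# "R1 name;display;image [date size]" or "... [?]" when DDS could not read the file
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]$")
# "YYYY-MM-DD HH:MM:SS size attrs path"; attrs is an 8-char field such as --sh--w-
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+([-a-z]{8})\s+(.+)$")

EXEC_EXT = (".exe", ".sys", ".dll", ".scr", ".com")
# Assumption: hosts a home user's search prefs are expected to point at.
KNOWN_SEARCH_HOSTS = ("google.com", "yahoo.com", "bing.com", "mozilla.com")
# DDS prints 8.3 paths; this matches a file sitting directly in
# <profile>\Application Data instead of inside a vendor subfolder.
APPDATA_ROOT_RE = re.compile(r"\\docume~1\\[^\\]+\\applic~1\\[^\\]+$", re.IGNORECASE)


def _known_host(host: str) -> bool:
    return any(host == k or host.endswith("." + k) for k in KNOWN_SEARCH_HOSTS)


def _finding(severity: str, reason: str, subject: str, line: str) -> Dict[str, str]:
    return {"severity": severity, "reason": reason, "subject": subject, "line": line}


def triage_dds(text: str) -> List[Dict[str, str]]:
    """Return one finding per (line, check) that fires; empty list if none does."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = PREF_RE.match(line)
        if m:
            pref, url = m.groups()
            host = urlsplit(url.replace("hxxp", "http", 1)).hostname or ""
            if pref == "keyword.URL" and not _known_host(host):
                findings.append(_finding("medium", "address-bar search (keyword.URL) redirected to third-party host", host, line))
            continue

        m = SERVICE_RE.match(line)
        if m:
            _state, _name, _display, image, meta = m.groups()
            if "\\temp\\" in image.lower():
                findings.append(_finding("high", "service/driver image lives in a Temp directory", image, line))
            if meta.strip() == "?":
                findings.append(_finding("high", "service/driver image missing or unreadable ([?])", image, line))
            continue

        m = FILE_RE.match(line)
        if m:
            attrs, path = m.groups()
            if not path.lower().endswith(EXEC_EXT):
                continue
            if "s" in attrs and "h" in attrs:
                findings.append(_finding("medium", "hidden+system attributes on an executable or driver", path, line))
            if APPDATA_ROOT_RE.search(path):
                findings.append(_finding("low", "executable dropped directly in a user's Application Data root", path, line))
    return findings


def format_report(findings: List[Dict[str, str]]) -> str:
    """One line per finding, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = sorted(findings, key=lambda f: order[f["severity"]])
    return "\n".join(f"[{f['severity']}] {f['reason']}: {f['subject']}" for f in rows)


if __name__ == "__main__":
    print(format_report(triage_dds(SAMPLE_DDS)))
```

Hits are leads, not verdicts: a hidden+system .sys in system32 can be a software-licensing component, and a driver under Temp can be a vendor diagnostic that was never cleaned up, so verify a flagged file by hashing it before deciding anything. The value of the script is that it makes the same handful of lines jump out of a 600-line log every time.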


#4 Farbar
    Just Curious
  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 22 January 2010 - 05:19 AM

Hi motley,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum and apologies for the delay. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  1. Please go to Add/Remove programs and uninstall the following adware/spyware program:

    WeatherBug Browser Bar - powered by MyWebSearch

  2. Download the GMER Rootkit Scanner exe file from here and save it to your desktop.
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
    • Click on this link to see a list of programs that should be disabled.
    • Disconnect from the Internet and close all running programs.
    • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
      • Sections
      • IAT/EAT
      • Drives/Partition other than C:\ drive (C:\ drive should remain checked)
      • Show All (this one also should be unchecked)
    • Then click the Scan button & wait for it to begin. (Please be patient as it can take some time to complete).
    • When the scan is finished, you will see the Scan button appear again. Click Save to save the scan results to your Desktop.
    • Save the file as gmer.log and copy/paste the contents in your next reply.


#5 motley
  • Topic Starter
  • Members
  • 17 posts

Posted 22 January 2010 - 07:05 PM

OK, I tried to uninstall WeatherBug but got this message:

ERROR LOADING

C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\W6BAR.DLL


I didn't want to go any further before knowing if this is a big problem.


Thanks for your help, btw.

#6 Farbar
    Just Curious
  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 23 January 2010 - 01:00 AM

This is not a big problem. We will take care of it later on after we have got rid of the major issue. Please proceed.

#7 motley
  • Topic Starter
  • Members
  • 17 posts

Posted 23 January 2010 - 11:26 AM

I've noticed that since I posted the first post and ran malware and anti-virus programs, the Google redirect doesn't seem to be happening (so far). But now I can't hibernate my laptop or update any virus software. I can't even install some because they seem to be blocked, i.e. Spybot and HouseCall. Avira is unable to connect to update its software. Is this a symptom? Anyway, the GMER log is posted below. Just wanted to keep you updated. Thanks.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-23 09:19:41
Windows 5.1.2600 Service Pack 3
Running: 73rh11id.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kwxdrfod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xF61D8630]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xF61D1D80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xF61F6070]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xF61D8E40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xF61EFD30]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xF61F0150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xF61FA240]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xF61D8FB0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xF61D2C60]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xF61F7780]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xF61F7160]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xF61EEE70]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xF61F8080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xF61F82B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xF61D2750]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xF61F2450]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xF61F2020]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xF61F9430]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xF61F8A40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xF61D8180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xF61F90D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xF61D8910]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xF61D3080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xF61F98E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xF61F6970]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xF61F0D20]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xF61F0A50]

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device -> \Driver\atapi \Device\Harddisk0\DR0 81A78841

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
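Reading a GMER log means separating expected hooks from the ones that matter. As an added example (not GMER's own code and not a tool from this thread), the script below parses the four line types in the log above: SSDT hooks, Device and AttachedDevice entries, and File verdicts. SSDT hooks by a module that GMER labels with a vendor description, such as the vsdatant.sys (ZoneAlarm TrueVector) entries here, are counted but not flagged, because a firewall/HIPS driver is expected to hook those services. What gets flagged is a hook from a module GMER could not name, a device object whose owner is reported only as a bare kernel address, and a driver file reported as modified; the last two are exactly the atapi lines in this log, which ComboFix goes on to confirm later in the thread. Sample lines are copied from the log above; the severity labels and function names are assumptions.

```python
"""Triage a GMER rootkit-scan log (the format posted above). Added example;
not GMER's own code and not a tool from the thread."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample, trimmed from the GMER log in the post above.
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xF61D1D80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xF61F2450]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xF61F0A50]

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device -> \Driver\atapi \Device\Harddisk0\DR0 81A78841

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

# "SSDT <module> (<vendor description>) Zw... [0xADDR]"; the description and
# address are absent when GMER cannot map the hook to a file on disk.
SSDT_RE = re.compile(r"^SSDT\s+(\S+)(?:\s+\((.*?)\))?\s+(Zw\w+)(?:\s+\[0x[0-9A-Fa-f]+\])?$")
# "Device [->] \Driver\x \Device\y <owner>"; "->" marks a redirected device object.
DEVICE_RE = re.compile(r"^Device\s+(->\s+)?(\\Driver\\\S+)\s+(\S+)\s*(.*)$")
ATTACHED_RE = re.compile(r"^AttachedDevice\s+(\\Driver\\\S+)\s+(\S+)\s+(\S+)(?:\s+\((.*?)\))?$")
HEX_ONLY = re.compile(r"^[0-9A-Fa-f]{8}$")
FILE_VERDICT = "suspicious modification"


def _finding(severity: str, reason: str, subject: str, line: str) -> Dict[str, str]:
    return {"severity": severity, "reason": reason, "subject": subject, "line": line}


def triage_gmer(text: str) -> Dict[str, object]:
    """Return {'findings': [...], 'ssdt_by_module': {basename: hook count}}."""
    findings: List[Dict[str, str]] = []
    ssdt_by_module: Counter = Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue

        m = SSDT_RE.match(line)
        if m:
            module, desc, func = m.groups()
            ssdt_by_module[module.rsplit("\\", 1)[-1]] += 1
            if desc is None:  # hook owner not resolved to a named module
                findings.append(_finding("high", f"SSDT hook on {func} by a module GMER could not identify", module, line))
            continue

        m = DEVICE_RE.match(line)
        if m:
            redirected, driver, device, owner = m.groups()
            if redirected or not owner or HEX_ONLY.match(owner):
                # Disk device objects serviced by unmapped code are the classic
                # bootkit/rootkit sign; anything else gets a lower severity.
                sev = "high" if device.lower().startswith("\\device\\harddisk") else "medium"
                findings.append(_finding(sev, f"{driver} device object serviced by unmapped code at {owner or '?'}", device, line))
            continue

        m = ATTACHED_RE.match(line)
        if m:
            _driver, device, module, desc = m.groups()
            if desc is None:
                findings.append(_finding("medium", f"filter driver {module} attached to {device} without a recognised vendor", module, line))
            continue

        if line.startswith("File ") and line.endswith(FILE_VERDICT):
            path = line[len("File "):-len(FILE_VERDICT)].strip()
            findings.append(_finding("high", "on-disk driver flagged as modified", path, line))
    return {"findings": findings, "ssdt_by_module": dict(ssdt_by_module)}


if __name__ == "__main__":
    result = triage_gmer(SAMPLE_GMER)
    for mod, n in result["ssdt_by_module"].items():
        print(f"SSDT hooks by {mod}: {n}")
    for f in result["findings"]:
        print(f"[{f['severity']}] {f['reason']}: {f['subject']}")
```

Run over the sample, the three ZoneAlarm hooks collapse into one count and only the two atapi lines come out as findings, which is the reading a helper would give this log by hand. The per-module count is still worth printing: a long list of hooks from one security product is normal, while hooks spread across a module nobody can name is not.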


#8 Farbar
    Just Curious
  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 24 January 2010 - 05:58 AM

Thanks for the log and the update. However, the redirecting should not have stopped as the infection is not removed.

QUOTE
But, now I can't hibernate my laptop or update any virus software. I can't even install some because they seem to be blocked.


From my first post:

QUOTE
Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Did you install or uninstall anything, remove anything, or run any scan since I replied?

Edited by farbar, 24 January 2010 - 05:59 AM.
Spelling


#9 motley
  • Topic Starter
  • Members
  • 17 posts

Posted 24 January 2010 - 10:47 AM

No. Just tried to uninstall that weatherbug program. I ran all those programs when I was waiting for someone to respond to my first post.

#10 Farbar
    Just Curious
  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 24 January 2010 - 12:13 PM

Good.

Note: In case ComboFix does not run, rename it to far.exe and run it.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message (screenshot omitted):

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

Edited by farbar, 25 January 2010 - 05:06 AM.
Removed the warning about the bug


#11 Farbar
    Just Curious
  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 24 January 2010 - 05:56 PM

Please hold off running ComboFix until I tell you to. There is a possible bug, and we are waiting for it to be addressed soon.

#12 Farbar
    Just Curious
  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 25 January 2010 - 05:08 AM

The bug is fixed and you may run ComboFix now.

#13 motley
  • Topic Starter
  • Members
  • 17 posts

Posted 25 January 2010 - 09:38 PM

ComboFix 10-01-25.02 - Owner 01/25/2010 18:56:20.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.222.27 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\MSN6
c:\documents and settings\All Users\Application Data\MSN6\au.ini
c:\documents and settings\Amy\Application Data\MSN6
c:\documents and settings\Amy\Application Data\MSN6\au.ini
c:\documents and settings\Amy\Application Data\MSN6\OLTS.dat
c:\documents and settings\Amy\Application Data\MSN6\UserData\{288D5B2A-55B0-01C6-1400-0000B6524EDE}\localfastsettings.dat
c:\documents and settings\Amy\Application Data\MSN6\UserData\{288D5B2A-55B0-01C6-1400-0000B6524EDE}\roamingfastsettings.dat
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\adrsps.xml
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\allowblock.txc
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\apinfo.xml
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\buddies\tiles\2040240737.bmp
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\CategoryCache.txc
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\emailallow.txc
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\favcache.xml
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\favorites.xml
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\favthumb.dbx
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\localfastsettings.dat
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\localSettings.xml
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\Mail\autocomplete0x1.txt
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\Mail\mfreq0x1.2
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\msnmenufeed.xml
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\msnuser.dat
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\myParentalControls.xml
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\pcs.txc
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\relationships.txc
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\roamingfastsettings.dat
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\usertile.bmp
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\adrsps.xml
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\allowblock.txc
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\apinfo.xml
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\CategoryCache.txc
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\downloads.xml
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\emailallow.txc
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\favcache.xml
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\favorites.xml
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\favthumb.dbx
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\localfastsettings.dat
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\localSettings.xml
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\msnmenufeed.xml
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\pcs.txc
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\relationships.txc
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\roamingfastsettings.dat
c:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\usertile.bmp
c:\documents and settings\Amy\Application Data\MSN6\UserData\sound\Amy_afternoon.wav
c:\documents and settings\Amy\Application Data\MSN6\UserData\sound\Amy_evening.wav
c:\documents and settings\Amy\Application Data\MSN6\UserData\sound\Amy_morning.wav
c:\documents and settings\Amy\Application Data\MSN6\UserData\sound\Eddie_afternoon.wav
c:\documents and settings\Amy\Application Data\MSN6\UserData\sound\Eddie_evening.wav
c:\documents and settings\Amy\Application Data\MSN6\UserData\sound\Eddie_morning.wav
c:\documents and settings\Owner\Application Data\inst.exe
c:\documents and settings\Owner\Application Data\MSN6
c:\documents and settings\Owner\Application Data\MSN6\au.ini
c:\documents and settings\Owner\Application Data\MSN6\MSNCoreFiles.NEW.{9D6EAA4F-27B2-4407-AC72-4BBD2FCB6ED1}\manifest.xml
c:\documents and settings\Owner\Application Data\MSN6\msndata.dat
c:\documents and settings\Owner\Application Data\MSN6\msnplog.xml
c:\documents and settings\Owner\Application Data\MSN6\OLTS.dat
c:\documents and settings\Owner\Application Data\MSN6\QOSLog.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\adrsps.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\allowblock.txc
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\apinfo.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\buddies\tiles\2040240737.bmp
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\CategoryCache.txc
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\downloadhist.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\downloads.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\emailallow.txc
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\favcache.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\favorites.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\favthumb.dbx
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\localfastsettings.dat
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\localSettings.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\Mail\autocomplete0x1.txt
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\Mail\mfreq0x1.2
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\MSNConfig.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\msnmenufeed.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\myParentalControls.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\pcs.txc
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\relationships.txc
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\roamingfastsettings.dat
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\usertile.bmp
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\adrsps.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\allowblock.txc
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\apinfo.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\buddies\tiles\2040240737.bmp
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\buddies\tiles\3827224586.bmp
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\CategoryCache.txc
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\downloadhist.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\downloads.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\emailallow.txc
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\favcache.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\favorites.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\favthumb.dbx
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\localfastsettings.dat
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\localSettings.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\Mail\autocomplete0x1.txt
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\Mail\mfreq0x1.2
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\Mail\mfreq0x1.3
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\MSNConfig.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\msnmenufeed.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\msnuser.dat
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\myParentalControls.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\pcs.txc
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\relationships.txc
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\roamingfastsettings.dat
c:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\usertile.bmp
c:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\adrsps.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\allowblock.txc
c:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\apinfo.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\CategoryCache.txc
c:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\emailallow.txc
c:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\favbac.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\favcache.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\favorites.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\favthumb.dbx
c:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\localfastsettings.dat
c:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\localSettings.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\Mail\autocomplete0x1.txt
c:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\Mail\mfreq0x1.2
c:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\Mail\mfreq0x1.3
c:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\MSNConfig.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\msnmenufeed.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\myParentalControls.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\pcs.txc
c:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\relationships.txc
c:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\roamingfastsettings.dat
c:\documents and settings\Owner\Application Data\MSN6\UserData\downloadlinks.xml
c:\documents and settings\Owner\Application Data\MSN6\UserData\sound\Amy_afternoon.wav
c:\documents and settings\Owner\Application Data\MSN6\UserData\sound\Amy_evening.wav
c:\documents and settings\Owner\Application Data\MSN6\UserData\sound\Amy_morning.wav
c:\documents and settings\Owner\Application Data\MSN6\UserData\sound\Eddie_afternoon.wav
c:\documents and settings\Owner\Application Data\MSN6\UserData\sound\Eddie_evening.wav
c:\documents and settings\Owner\Application Data\MSN6\UserData\sound\Eddie_morning.wav
c:\documents and settings\Owner\Application Data\MSN6\WatsonReporting\msniasvc.xml
c:\documents and settings\Owner\Application Data\MSN6\WatsonReporting\QOSLog.xml
c:\documents and settings\Owner\Application Data\MSN6\WatsonReporting\user.txt
c:\windows\Fonts\MyriadPro-Regular.otf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :P
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS


((((((((((((((((((((((((( Files Created from 2009-12-26 to 2010-01-26 )))))))))))))))))))))))))))))))
.

2010-01-17 18:29 . 2010-01-17 18:29 -------- d-----w- c:\documents and settings\Owner\Application Data\IObit
2010-01-17 18:29 . 2010-01-17 18:29 -------- d-----w- c:\program files\IObit
2010-01-17 17:06 . 2010-01-17 17:06 -------- d-----w- c:\documents and settings\Owner\Application Data\CheckPoint
2010-01-17 17:05 . 2010-01-17 17:05 -------- d-----w- c:\program files\CheckPoint
2010-01-17 17:05 . 2010-01-17 17:05 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-01-17 17:05 . 2009-11-22 22:42 69000 ----a-w- c:\windows\system32\zlcomm.dll
2010-01-17 17:05 . 2009-11-22 22:42 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2010-01-17 17:05 . 2009-11-22 22:42 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-01-17 17:04 . 2010-01-17 17:05 -------- d-----w- c:\windows\system32\ZoneLabs
2010-01-17 17:04 . 2010-01-17 17:04 -------- d-----w- c:\program files\Zone Labs
2010-01-17 17:04 . 2010-01-26 02:15 -------- d-----w- c:\windows\Internet Logs
2010-01-13 01:48 . 2010-01-13 01:48 -------- d-----w- c:\program files\Trend Micro
2010-01-13 00:23 . 2009-07-28 22:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-05 23:42 . 2010-01-05 23:42 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-01-05 23:41 . 2009-12-30 21:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-05 23:40 . 2010-01-05 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-05 23:40 . 2009-12-30 21:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 23:40 . 2010-01-05 23:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-05 23:24 . 2010-01-12 23:23 0 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\prvlcl.dat
2010-01-03 22:59 . 2010-01-12 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-03 17:06 . 2010-01-03 17:06 -------- d-----w- c:\program files\Alwil Software
2010-01-02 21:23 . 2010-01-02 21:30 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-01-02 20:17 . 2010-01-03 22:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-02 20:11 . 2010-01-03 16:13 -------- d-----w- c:\program files\Google
2010-01-01 08:37 . 2010-01-01 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-26 01:54 . 2010-01-17 19:57 284670 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-01-26 01:22 . 2009-03-28 06:32 -------- d-----w- c:\program files\Mozilla Firefox 3.1 Beta 3
2010-01-23 22:07 . 2006-07-16 04:36 -------- d-----w- c:\program files\PeerGuardian2
2010-01-23 22:07 . 2007-04-21 06:44 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2010-01-23 22:06 . 2010-01-23 22:06 138689 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_01_23_15_00_43_small.dmp.zip
2010-01-03 22:59 . 2008-09-22 22:24 -------- d-----w- c:\program files\AVG
2010-01-02 21:27 . 2005-09-10 19:48 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-02 19:23 . 2010-01-02 19:23 2450 --sh--w- c:\documents and settings\Owner\Application Data\pacman.exe
2010-01-02 19:23 . 2010-01-02 19:23 2450 --sh--w- c:\documents and settings\Owner\Application Data\pacman.exe
2010-01-01 08:38 . 2010-01-01 08:38 2605832 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe
2009-12-28 11:34 . 2005-09-10 21:20 -------- d-----w- c:\program files\Yahoo!
2009-12-25 04:40 . 2009-12-25 03:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Coby Media Manager
2009-12-25 03:57 . 2009-12-25 03:57 50098 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{3643EF5F-D28D-4B25-9FA1-8859FC303710}\controlPanelIcon.exe
2009-12-25 03:57 . 2009-12-25 03:57 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{3643EF5F-D28D-4B25-9FA1-8859FC303710}\SystemFolder_msiexec.exe
2009-12-25 03:56 . 2009-12-25 03:56 -------- d-----w- c:\program files\Coby
2009-12-13 15:07 . 2009-12-08 00:34 -------- d-----w- c:\documents and settings\Owner\Application Data\Ahead
2009-12-13 03:54 . 2009-12-13 03:54 11270 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-12-13 03:35 . 2009-12-13 03:25 -------- d-----w- c:\program files\DivX
2009-12-12 23:28 . 2009-12-12 23:28 -------- d-----w- c:\documents and settings\Owner\Application Data\AnvSoft
2009-12-12 23:14 . 2009-12-12 22:40 -------- d-----w- c:\program files\WinAVI Video Converter
2009-12-12 22:31 . 2009-12-06 17:29 -------- d-----w- c:\program files\VSO
2009-12-12 22:31 . 2009-12-06 17:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Vso
2009-12-12 22:31 . 2009-12-06 17:17 47360 ----a-w- c:\documents and settings\Owner\Application Data\pcouffin.sys
2009-12-12 22:31 . 2009-12-06 17:17 47360 ----a-w- c:\documents and settings\Owner\Application Data\pcouffin.sys
2009-12-12 22:26 . 2009-12-12 22:26 -------- d-----w- c:\program files\Cucusoft
2009-12-12 04:46 . 2009-12-12 04:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Nero
2009-12-08 00:34 . 2009-12-08 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2009-12-08 00:32 . 2009-12-08 00:27 -------- d-----w- c:\program files\Common Files\Ahead
2009-12-08 00:27 . 2009-12-08 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-12-08 00:27 . 2009-12-08 00:27 -------- d-----w- c:\program files\Nero
2009-12-06 17:29 . 2009-12-06 17:17 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-12-06 17:01 . 2009-12-06 16:59 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-12-04 17:02 . 2006-05-25 23:16 1422 -c--a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2009-10-14 730480]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-9-20 238080]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Auto run of VideoCam Suite 1.0.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Auto run of VideoCam Suite 1.0.lnk
backup=c:\windows\pss\Auto run of VideoCam Suite 1.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 00:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 14:58 611712 -c--a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2005-02-17 21:01 233534 -c--a-w- c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
2004-12-03 20:24 290816 -c--a-w- c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2005-11-16 02:44 1200128 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 06:12 49152 -c--a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2005-04-01 22:11 794624 -c--a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 12:00 208952 -c--a-w- c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2004-10-13 23:04 278528 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2003-09-14 04:36 50688 -c--a-w- c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 22:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
2005-09-19 01:40 1421824 ----a-w- c:\program files\PeerGuardian2\pg2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 12:00 455168 -c--a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 12:00 455168 -c--a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 22:09 413696 -c--a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
2006-05-08 12:17 81920 -c--a-w- c:\progra~1\Sony\SONICS~1\SSAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-03-04 10:36 36975 -c--a-w- c:\program files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-02-02 12:11 692316 -c--a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2005-02-02 12:12 102492 -c--a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-01-28 00:28 180269 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MpfService"=2 (0x2)
"MCVSRte"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"iPodService"=3 (0x3)
"hpqwmi"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"bgsvcgen"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"SSScsiSV"=3 (0x3)
"SPTISRV"=3 (0x3)
"PACSPTISVR"=3 (0x3)
"MSCSPTISRV"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitPim\\bitpim.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Mozilla Firefox 3.1 Beta 3\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [10/14/2009 6:30 AM 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [10/14/2009 6:30 AM 476528]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/21/2005 5:00 PM 200192]
S2 pciinfo;HP Pci Information;\??\c:\docume~1\Owner\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\Owner\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?]
S3 fd_dbus;FutureDial USB Composite Device driver (WDM);c:\windows\system32\drivers\fd_dbus.sys [3/28/2007 6:40 PM 44816]
S3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\drivers\lgatmdm.sys [3/28/2007 7:24 PM 77104]
S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);c:\windows\system32\drivers\lgatserd.sys [3/28/2007 7:14 PM 60816]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/26/2009 7:04 AM 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Open in new background tab - c:\program files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/229?13711ee343474db69a8a182aa9f1c986
IE: Open in new foreground tab - c:\program files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/230?13711ee343474db69a8a182aa9f1c986
IE: {{EFFF8D47-D060-4108-B761-E8EC86622E56} - c:\documents and settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\bi2hgpcs.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=18&tid={A17AED3F-C748-F557-195F-2904919865D6}&q=
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox 3.1 Beta 3\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-svcWRSSSDK
MSConfigStartUp-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
MSConfigStartUp-ATIPTA - c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-Desktop Defender 2010 - c:\program files\Desktop Defender 2010\Desktop Defender 2010.exe
MSConfigStartUp-Google Updater - c:\program files\Google\Google Updater\GoogleUpdater.exe
MSConfigStartUp-ISTray - c:\program files\Spyware Doctor\pctsTray.exe
MSConfigStartUp-k1hoslmwefwf - c:\windows\system32\k1hosllwefff.exe
MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\McUpdate.exe
MSConfigStartUp-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
MSConfigStartUp-MSSE - c:\program files\Microsoft Security Essentials\msseces.exe
MSConfigStartUp-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe
MSConfigStartUp-PUT2VIDQLG - c:\docume~1\Owner\LOCALS~1\Temp\c.exe
MSConfigStartUp-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-VirusScan Online - c:\progra~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\mcafee.com\vso\mcmnhdlr.exe
MSConfigStartUp-Weather - c:\progra~1\AWS\WEATHE~1\Weather.exe
MSConfigStartUp-WinsysMon - c:\docume~1\Owner\LOCALS~1\Temp\nsd8.tmp\googletoolbarupdate.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-25 19:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(732)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(320)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2010-01-25 19:30:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-26 02:30

Pre-Run: 19,542,351,872 bytes free
Post-Run: 19,492,204,544 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 7503ABE22BFE071AE6FC37F5FCADC80D


#14 Farbar
  • Security Developer
  • Location:The Netherlands

Posted 26 January 2010 - 03:58 AM

Well done.
  1. Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    CODE
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    "BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\
    00,00
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    DeQuarantine::
    C:\Qoobox\Quarantine\c\documents and settings\All Users\Application Data\MSN6
    C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6
    C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6
    SkipFix::


    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce two logs for you ("C:\ComboFix.txt" and "C:\DeQuarantine_log.txt"). Please copy and paste both the logs to your reply.

  2. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
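The CFScript above fixes two things the ComboFix log exposed: a BootExecute value carrying an extra entry ("SsiEfr.e") after the Windows default "autocheck autochk *", and an Internet Explorer proxy pointing at 127.0.0.1:5555, which is how a local process sits between the browser and the network to rewrite search results. The script below is an added example written for this page; it is not code from the thread, from Farbar or from ComboFix. It pulls those two indicators (plus autostarts launched from a Temp folder) out of a ComboFix report, and decodes the hex(7) value in the CFScript to confirm it really restores the clean default. The log excerpt is constructed from lines quoted in the thread, and the function names are the example's own.

```python
"""Added example (not from the BleepingComputer thread, Farbar or ComboFix):
triage a ComboFix report for the redirect/persistence indicators the CFScript
above targets, and decode the hex(7) BootExecute value that script writes."""
import re

# Windows default for HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
CLEAN_BOOTEXECUTE = ["autocheck autochk *"]

# Constructed excerpt: lines copied from the ComboFix output posted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

uStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>

MSConfigStartUp-PUT2VIDQLG - c:\docume~1\Owner\LOCALS~1\Temp\c.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"""

# The Registry:: line from Farbar's CFScript, continuation backslash included.
CFSCRIPT_BOOTEXECUTE = (
    '"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\\\n'
    '00,00'
)


def decode_reg_hex7(reg_line):
    """Decode a .reg-style hex(7) (REG_MULTI_SZ) value into its list of strings.

    regedit exports write UTF-16LE bytes; the CFScript above uses one byte per
    character. Both are handled: if every odd byte is NUL the blob is UTF-16LE.
    """
    body = reg_line.split("hex(7):", 1)[1]
    raw = bytes(int(h, 16) for h in re.findall(r"[0-9a-fA-F]{2}", body))
    if len(raw) >= 2 and not any(raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    # A REG_MULTI_SZ is NUL-separated and double-NUL terminated.
    return [s for s in text.split("\0") if s]


def bootexecute_extras(log_text):
    """Return BootExecute entries beyond the Windows default.

    ComboFix prints the REG_MULTI_SZ separators as the two characters '\\0'.
    Anything listed after 'autocheck autochk *' runs as SYSTEM during boot,
    before most drivers and any anti-virus, which is why it is abused.
    """
    m = re.search(r"^BootExecute\s+REG_MULTI_SZ\s+(.*)$", log_text, re.M)
    if not m:
        return []
    entries = [e for e in m.group(1).split("\\0") if e]
    return [e for e in entries if e not in CLEAN_BOOTEXECUTE]


def loopback_proxies(log_text):
    """Return ProxyServer entries that point at the local host.

    The value may be 'host:port' or 'scheme=host:port;scheme=host:port'.
    A browser proxy on 127.0.0.1 means a local process intercepts traffic.
    """
    found = []
    for m in re.finditer(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$", log_text, re.M):
        for entry in m.group(1).strip().split(";"):
            hostport = entry.rpartition("=")[2]
            host = hostport.rsplit(":", 1)[0].strip("[]").lower()
            if host in ("localhost", "::1") or host.startswith("127."):
                found.append(entry.strip())
    return found


def temp_autostarts(log_text):
    """Return autostart lines whose executable lives under a Temp directory.

    Installed software lives in Program Files; an autostart pointing into a
    Temp folder (short or long name) is a strong dropper indicator.
    """
    return [
        line.strip()
        for line in log_text.splitlines()
        if re.search(r"\\(temp|tmp)\\", line, re.I) and re.search(r"\.exe\b", line, re.I)
    ]


def triage(log_text):
    """Collect all three indicator lists for a report."""
    return {
        "bootexecute_extras": bootexecute_extras(log_text),
        "loopback_proxies": loopback_proxies(log_text),
        "temp_autostarts": temp_autostarts(log_text),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(f"{key}: {val}")
    print("CFScript restores BootExecute to:", decode_reg_hex7(CFSCRIPT_BOOTEXECUTE))
```

Run against the constructed excerpt it reports "SsiEfr.e" as the foreign BootExecute entry, "http=127.0.0.1:5555" as the loopback proxy, the Temp\c.exe autostart, and confirms the CFScript's hex(7) bytes decode to exactly ["autocheck autochk *"]. One caveat for reuse: ComboFix leaves the ProxyOverride value (<local>) alone, and the BootExecute fix only removes the launcher; the SsiEfr.e file itself still has to be quarantined, which is why the MBAM scan follows.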


#15 motley
  • Topic Starter
  • Members

Posted 26 January 2010 - 07:24 PM

ComboFix 10-01-26.02 - Owner 01/26/2010 16:31:33.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.222.57 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-12-26 to 2010-01-26 )))))))))))))))))))))))))))))))
.

2010-01-26 23:31 . 2010-01-26 23:31 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6
2010-01-26 23:31 . 2010-01-26 23:31 -------- d-----w- c:\documents and settings\Amy\Application Data\MSN6
2010-01-26 23:31 . 2010-01-26 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2010-01-17 18:29 . 2010-01-17 18:29 -------- d-----w- c:\documents and settings\Owner\Application Data\IObit
2010-01-17 18:29 . 2010-01-17 18:29 -------- d-----w- c:\program files\IObit
2010-01-17 17:06 . 2010-01-17 17:06 -------- d-----w- c:\documents and settings\Owner\Application Data\CheckPoint
2010-01-17 17:05 . 2010-01-17 17:05 -------- d-----w- c:\program files\CheckPoint
2010-01-17 17:05 . 2010-01-17 17:05 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-01-17 17:05 . 2009-11-22 22:42 69000 ----a-w- c:\windows\system32\zlcomm.dll
2010-01-17 17:05 . 2009-11-22 22:42 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2010-01-17 17:05 . 2009-11-22 22:42 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-01-17 17:04 . 2010-01-17 17:05 -------- d-----w- c:\windows\system32\ZoneLabs
2010-01-17 17:04 . 2010-01-17 17:04 -------- d-----w- c:\program files\Zone Labs
2010-01-17 17:04 . 2010-01-26 23:31 -------- d-----w- c:\windows\Internet Logs
2010-01-13 01:48 . 2010-01-13 01:48 -------- d-----w- c:\program files\Trend Micro
2010-01-13 00:23 . 2009-07-28 22:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-05 23:42 . 2010-01-05 23:42 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-01-05 23:41 . 2009-12-30 21:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-05 23:40 . 2010-01-05 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-05 23:40 . 2009-12-30 21:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 23:40 . 2010-01-05 23:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-05 23:24 . 2010-01-12 23:23 0 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\prvlcl.dat
2010-01-03 22:59 . 2010-01-12 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-03 17:06 . 2010-01-03 17:06 -------- d-----w- c:\program files\Alwil Software
2010-01-02 21:23 . 2010-01-02 21:30 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-01-02 20:17 . 2010-01-03 22:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-02 20:11 . 2010-01-03 16:13 -------- d-----w- c:\program files\Google
2010-01-01 08:37 . 2010-01-01 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-26 23:17 . 2009-03-28 06:32 -------- d-----w- c:\program files\Mozilla Firefox 3.1 Beta 3
2010-01-26 01:54 . 2010-01-17 19:57 284670 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-01-23 22:07 . 2006-07-16 04:36 -------- d-----w- c:\program files\PeerGuardian2
2010-01-23 22:07 . 2007-04-21 06:44 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2010-01-23 22:06 . 2010-01-23 22:06 138689 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_01_23_15_00_43_small.dmp.zip
2010-01-03 22:59 . 2008-09-22 22:24 -------- d-----w- c:\program files\AVG
2010-01-02 21:27 . 2005-09-10 19:48 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-02 19:23 . 2010-01-02 19:23 2450 --sh--w- c:\documents and settings\Owner\Application Data\pacman.exe
2010-01-02 19:23 . 2010-01-02 19:23 2450 --sh--w- c:\documents and settings\Owner\Application Data\pacman.exe
2010-01-01 08:38 . 2010-01-01 08:38 2605832 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe
2009-12-28 11:34 . 2005-09-10 21:20 -------- d-----w- c:\program files\Yahoo!
2009-12-25 04:40 . 2009-12-25 03:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Coby Media Manager
2009-12-25 03:57 . 2009-12-25 03:57 50098 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{3643EF5F-D28D-4B25-9FA1-8859FC303710}\controlPanelIcon.exe
2009-12-25 03:57 . 2009-12-25 03:57 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{3643EF5F-D28D-4B25-9FA1-8859FC303710}\SystemFolder_msiexec.exe
2009-12-25 03:56 . 2009-12-25 03:56 -------- d-----w- c:\program files\Coby
2009-12-13 15:07 . 2009-12-08 00:34 -------- d-----w- c:\documents and settings\Owner\Application Data\Ahead
2009-12-13 03:54 . 2009-12-13 03:54 11270 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-12-13 03:35 . 2009-12-13 03:25 -------- d-----w- c:\program files\DivX
2009-12-12 23:28 . 2009-12-12 23:28 -------- d-----w- c:\documents and settings\Owner\Application Data\AnvSoft
2009-12-12 23:14 . 2009-12-12 22:40 -------- d-----w- c:\program files\WinAVI Video Converter
2009-12-12 22:31 . 2009-12-06 17:29 -------- d-----w- c:\program files\VSO
2009-12-12 22:31 . 2009-12-06 17:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Vso
2009-12-12 22:31 . 2009-12-06 17:17 47360 ----a-w- c:\documents and settings\Owner\Application Data\pcouffin.sys
2009-12-12 22:31 . 2009-12-06 17:17 47360 ----a-w- c:\documents and settings\Owner\Application Data\pcouffin.sys
2009-12-12 22:26 . 2009-12-12 22:26 -------- d-----w- c:\program files\Cucusoft
2009-12-12 04:46 . 2009-12-12 04:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Nero
2009-12-08 00:34 . 2009-12-08 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2009-12-08 00:32 . 2009-12-08 00:27 -------- d-----w- c:\program files\Common Files\Ahead
2009-12-08 00:27 . 2009-12-08 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-12-08 00:27 . 2009-12-08 00:27 -------- d-----w- c:\program files\Nero
2009-12-06 17:29 . 2009-12-06 17:17 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-12-06 17:01 . 2009-12-06 16:59 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-12-04 17:02 . 2006-05-25 23:16 1422 -c--a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2009-10-14 730480]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-9-20 238080]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Auto run of VideoCam Suite 1.0.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Auto run of VideoCam Suite 1.0.lnk
backup=c:\windows\pss\Auto run of VideoCam Suite 1.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 00:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 14:58 611712 -c--a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2005-02-17 21:01 233534 -c--a-w- c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
2004-12-03 20:24 290816 -c--a-w- c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2005-11-16 02:44 1200128 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 06:12 49152 -c--a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2005-04-01 22:11 794624 -c--a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 12:00 208952 -c--a-w- c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2004-10-13 23:04 278528 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2003-09-14 04:36 50688 -c--a-w- c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 22:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
2005-09-19 01:40 1421824 ----a-w- c:\program files\PeerGuardian2\pg2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 12:00 455168 -c--a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 12:00 455168 -c--a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 22:09 413696 -c--a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
2006-05-08 12:17 81920 -c--a-w- c:\progra~1\Sony\SONICS~1\SSAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-03-04 10:36 36975 -c--a-w- c:\program files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-02-02 12:11 692316 -c--a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2005-02-02 12:12 102492 -c--a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-01-28 00:28 180269 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MpfService"=2 (0x2)
"MCVSRte"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"iPodService"=3 (0x3)
"hpqwmi"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"bgsvcgen"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"SSScsiSV"=3 (0x3)
"SPTISRV"=3 (0x3)
"PACSPTISVR"=3 (0x3)
"MSCSPTISRV"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitPim\\bitpim.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Mozilla Firefox 3.1 Beta 3\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 pciinfo;HP Pci Information;c:\docume~1\Owner\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [x]
R3 fd_dbus;FutureDial USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\fd_dbus.sys [2005-01-18 44816]
R3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\DRIVERS\lgatmdm.sys [2005-01-18 77104]
R3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);c:\windows\system32\DRIVERS\lgatserd.sys [2005-01-18 60816]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2009-10-14 25208]
S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2009-10-14 476528]
S3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2004-12-15 200192]

.
Contents of the 'Scheduled Tasks' folder

2009-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Open in new background tab - c:\program files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/229?13711ee343474db69a8a182aa9f1c986
IE: Open in new foreground tab - c:\program files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/230?13711ee343474db69a8a182aa9f1c986
IE: {{EFFF8D47-D060-4108-B761-E8EC86622E56} - c:\documents and settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\bi2hgpcs.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=18&tid={A17AED3F-C748-F557-195F-2904919865D6}&q=
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox 3.1 Beta 3\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-26 16:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(732)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(2820)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-26 16:46:50
ComboFix-quarantined-files.txt 2010-01-26 23:46
ComboFix2.txt 2010-01-26 02:30
C:\DeQuarantine.txt

Pre-Run: 19,340,615,680 bytes free
Post-Run: 19,282,173,952 bytes free

- - End Of File - - 269ECD7C04E75735AC2333990BB078BB


C:\Qoobox\Quarantine\c\documents and settings\All Users\Application Data\MSN6\au.ini -> C:\documents and settings\All Users\Application Data\MSN6\au.ini
1 File(s) copied
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\au.ini -> C:\documents and settings\Amy\Application Data\MSN6\au.ini
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\OLTS.dat -> C:\documents and settings\Amy\Application Data\MSN6\OLTS.dat
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\sound\Amy_afternoon.wav -> C:\documents and settings\Amy\Application Data\MSN6\UserData\sound\Amy_afternoon.wav
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\sound\Amy_evening.wav -> C:\documents and settings\Amy\Application Data\MSN6\UserData\sound\Amy_evening.wav
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\sound\Amy_morning.wav -> C:\documents and settings\Amy\Application Data\MSN6\UserData\sound\Amy_morning.wav
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\sound\Eddie_afternoon.wav -> C:\documents and settings\Amy\Application Data\MSN6\UserData\sound\Eddie_afternoon.wav
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\sound\Eddie_evening.wav -> C:\documents and settings\Amy\Application Data\MSN6\UserData\sound\Eddie_evening.wav
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\sound\Eddie_morning.wav -> C:\documents and settings\Amy\Application Data\MSN6\UserData\sound\Eddie_morning.wav
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{288D5B2A-55B0-01C6-1400-0000B6524EDE}\localfastsettings.dat -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{288D5B2A-55B0-01C6-1400-0000B6524EDE}\localfastsettings.dat
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{288D5B2A-55B0-01C6-1400-0000B6524EDE}\roamingfastsettings.dat -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{288D5B2A-55B0-01C6-1400-0000B6524EDE}\roamingfastsettings.dat
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\adrsps.xml -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\adrsps.xml
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\allowblock.txc -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\allowblock.txc
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\apinfo.xml -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\apinfo.xml
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\CategoryCache.txc -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\CategoryCache.txc
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\emailallow.txc -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\emailallow.txc
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\favcache.xml -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\favcache.xml
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\favorites.xml -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\favorites.xml
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\favthumb.dbx -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\favthumb.dbx
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\localfastsettings.dat -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\localfastsettings.dat
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\localSettings.xml -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\localSettings.xml
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\msnmenufeed.xml -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\msnmenufeed.xml
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\msnuser.dat -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\msnuser.dat
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\myParentalControls.xml -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\myParentalControls.xml
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\pcs.txc -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\pcs.txc
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\relationships.txc -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\relationships.txc
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\roamingfastsettings.dat -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\roamingfastsettings.dat
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\usertile.bmp -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\usertile.bmp
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\buddies\tiles\2040240737.bmp -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\buddies\tiles\2040240737.bmp
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\Mail\autocomplete0x1.txt -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\Mail\autocomplete0x1.txt
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\Mail\mfreq0x1.2 -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51A3970-C76B-01C5-0100-00002CBFC056}\Mail\mfreq0x1.2
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\adrsps.xml -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\adrsps.xml
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\allowblock.txc -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\allowblock.txc
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\apinfo.xml -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\apinfo.xml
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\CategoryCache.txc -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\CategoryCache.txc
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\downloads.xml -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\downloads.xml
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\emailallow.txc -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\emailallow.txc
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\favcache.xml -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\favcache.xml
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\favorites.xml -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\favorites.xml
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\favthumb.dbx -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\favthumb.dbx
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\localfastsettings.dat -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\localfastsettings.dat
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\localSettings.xml -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\localSettings.xml
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\msnmenufeed.xml -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\msnmenufeed.xml
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\pcs.txc -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\pcs.txc
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\relationships.txc -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\relationships.txc
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\roamingfastsettings.dat -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\roamingfastsettings.dat
C:\Qoobox\Quarantine\c\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\usertile.bmp -> C:\documents and settings\Amy\Application Data\MSN6\UserData\{B51EFE24-C76B-01C5-0200-0000EC8D839A}\usertile.bmp
46 File(s) copied
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\au.ini -> C:\documents and settings\Owner\Application Data\MSN6\au.ini
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\msndata.dat -> C:\documents and settings\Owner\Application Data\MSN6\msndata.dat
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\msnplog.xml -> C:\documents and settings\Owner\Application Data\MSN6\msnplog.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\OLTS.dat -> C:\documents and settings\Owner\Application Data\MSN6\OLTS.dat
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\QOSLog.xml -> C:\documents and settings\Owner\Application Data\MSN6\QOSLog.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\MSNCoreFiles.NEW.{9D6EAA4F-27B2-4407-AC72-4BBD2FCB6ED1}\manifest.xml -> C:\documents and settings\Owner\Application Data\MSN6\MSNCoreFiles.NEW.{9D6EAA4F-27B2-4407-AC72-4BBD2FCB6ED1}\manifest.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\downloadlinks.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\downloadlinks.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\sound\Amy_afternoon.wav -> C:\documents and settings\Owner\Application Data\MSN6\UserData\sound\Amy_afternoon.wav
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\sound\Amy_evening.wav -> C:\documents and settings\Owner\Application Data\MSN6\UserData\sound\Amy_evening.wav
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\sound\Amy_morning.wav -> C:\documents and settings\Owner\Application Data\MSN6\UserData\sound\Amy_morning.wav
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\sound\Eddie_afternoon.wav -> C:\documents and settings\Owner\Application Data\MSN6\UserData\sound\Eddie_afternoon.wav
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\sound\Eddie_evening.wav -> C:\documents and settings\Owner\Application Data\MSN6\UserData\sound\Eddie_evening.wav
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\sound\Eddie_morning.wav -> C:\documents and settings\Owner\Application Data\MSN6\UserData\sound\Eddie_morning.wav
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\adrsps.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\adrsps.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\allowblock.txc -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\allowblock.txc
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\apinfo.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\apinfo.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\CategoryCache.txc -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\CategoryCache.txc
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\downloadhist.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\downloadhist.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\downloads.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\downloads.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\emailallow.txc -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\emailallow.txc
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\favcache.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\favcache.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\favorites.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\favorites.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\favthumb.dbx -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\favthumb.dbx
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\localfastsettings.dat -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\localfastsettings.dat
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\localSettings.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\localSettings.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\MSNConfig.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\MSNConfig.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\msnmenufeed.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\msnmenufeed.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\myParentalControls.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\myParentalControls.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\pcs.txc -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\pcs.txc
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\relationships.txc -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\relationships.txc
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\roamingfastsettings.dat -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\roamingfastsettings.dat
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\usertile.bmp -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\usertile.bmp
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\buddies\tiles\2040240737.bmp -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\buddies\tiles\2040240737.bmp
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\Mail\autocomplete0x1.txt -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\Mail\autocomplete0x1.txt
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\Mail\mfreq0x1.2 -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA19C1AC-ABFF-01C5-0200-0000C2267450}\Mail\mfreq0x1.2
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\adrsps.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\adrsps.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\allowblock.txc -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\allowblock.txc
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\apinfo.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\apinfo.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\CategoryCache.txc -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\CategoryCache.txc
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\downloadhist.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\downloadhist.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\downloads.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\downloads.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\emailallow.txc -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\emailallow.txc
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\favcache.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\favcache.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\favorites.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\favorites.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\favthumb.dbx -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\favthumb.dbx
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\localfastsettings.dat -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\localfastsettings.dat
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\localSettings.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\localSettings.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\MSNConfig.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\MSNConfig.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\msnmenufeed.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\msnmenufeed.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\msnuser.dat -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\msnuser.dat
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\myParentalControls.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\myParentalControls.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\pcs.txc -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\pcs.txc
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\relationships.txc -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\relationships.txc
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\roamingfastsettings.dat -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\roamingfastsettings.dat
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\usertile.bmp -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\usertile.bmp
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\buddies\tiles\2040240737.bmp -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\buddies\tiles\2040240737.bmp
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\buddies\tiles\3827224586.bmp -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\buddies\tiles\3827224586.bmp
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\Mail\autocomplete0x1.txt -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\Mail\autocomplete0x1.txt
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\Mail\mfreq0x1.2 -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\Mail\mfreq0x1.2
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\Mail\mfreq0x1.3 -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{BA1C2406-ABFF-01C5-0300-00009A1A677D}\Mail\mfreq0x1.3
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\adrsps.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\adrsps.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\allowblock.txc -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\allowblock.txc
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\apinfo.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\apinfo.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\CategoryCache.txc -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\CategoryCache.txc
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\emailallow.txc -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\emailallow.txc
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\favbac.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\favbac.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\favcache.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\favcache.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\favorites.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\favorites.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\favthumb.dbx -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\favthumb.dbx
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\localfastsettings.dat -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\localfastsettings.dat
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\localSettings.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\localSettings.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\MSNConfig.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\MSNConfig.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\msnmenufeed.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\msnmenufeed.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\myParentalControls.xml -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\myParentalControls.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\pcs.txc -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\pcs.txc
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\relationships.txc -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\relationships.txc
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\roamingfastsettings.dat -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\roamingfastsettings.dat
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\Mail\autocomplete0x1.txt -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\Mail\autocomplete0x1.txt
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\Mail\mfreq0x1.2 -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\Mail\mfreq0x1.2
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\Mail\mfreq0x1.3 -> C:\documents and settings\Owner\Application Data\MSN6\UserData\{D4B4E55A-4083-01C6-2100-000021C42FFB}\Mail\mfreq0x1.3
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\WatsonReporting\msniasvc.xml -> C:\documents and settings\Owner\Application Data\MSN6\WatsonReporting\msniasvc.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\WatsonReporting\QOSLog.xml -> C:\documents and settings\Owner\Application Data\MSN6\WatsonReporting\QOSLog.xml
C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\WatsonReporting\user.txt -> C:\documents and settings\Owner\Application Data\MSN6\WatsonReporting\user.txt
83 File(s) copied


Malwarebytes' Anti-Malware 1.44
Database version: 3642
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/26/2010 5:18:48 PM
mbam-log-2010-01-26 (17-18-48).txt

Scan type: Quick Scan
Objects scanned: 119131
Time elapsed: 8 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

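The two logs above are the kind of thing a helper reads by eye: each Qoobox line should put a file back exactly where ComboFix took it from, and every "Infected" count in the Malwarebytes summary should be zero. The script below is an added example for this page, not the poster's own code and not part of ComboFix or Malwarebytes; it re-does both checks mechanically. The sample lines, the `example.dll` name and the `SENSITIVE_PREFIXES` list are constructed for the example.

```python
import re

# Added example: re-checks a ComboFix/Qoobox restore list and a Malwarebytes
# summary. Not the original poster's code and not part of either tool.

QUARANTINE_ROOT = r"C:\Qoobox\Quarantine"
# Assumed list of locations where a restored file deserves a second look.
SENSITIVE_PREFIXES = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\documents and settings\all users\start menu\programs\startup",
)

_RESTORE_RE = re.compile(r"^(?P<src>.+?) -> (?P<dst>.+)$")
_MBAM_COUNT_RE = re.compile(r"^(?P<kind>[A-Za-z ]+? Infected): (?P<n>\d+)$")


def expected_destination(quarantine_path):
    """Map C:\\Qoobox\\Quarantine\\<drive>\\<rest> back to <DRIVE>:\\<rest>.
    Returns None when the path is not under the quarantine root."""
    prefix = QUARANTINE_ROOT + "\\"
    if not quarantine_path.lower().startswith(prefix.lower()):
        return None
    drive, sep, tail = quarantine_path[len(prefix):].partition("\\")
    if len(drive) != 1 or not sep:
        return None
    return f"{drive.upper()}:\\{tail}"


def check_restore_log(lines):
    """Return (restored_count, findings) for a Qoobox restore list.
    Findings are (line_no, reason) tuples; lines that are not 'src -> dst'
    pairs (e.g. '83 File(s) copied') are skipped. Windows paths are compared
    case-insensitively."""
    findings = []
    restored = 0
    for no, line in enumerate(lines, 1):
        m = _RESTORE_RE.match(line.strip())
        if not m:
            continue
        restored += 1
        src, dst = m.group("src"), m.group("dst")
        want = expected_destination(src)
        if want is None:
            findings.append((no, f"source not under {QUARANTINE_ROOT}: {src}"))
        elif want.lower() != dst.lower():
            findings.append((no, f"destination mismatch: expected {want}, got {dst}"))
        if dst.lower().startswith(SENSITIVE_PREFIXES):
            findings.append((no, f"restored into a sensitive location: {dst}"))
    return restored, findings


def parse_mbam_summary(lines):
    """Extract the '<category> Infected: N' counts from a Malwarebytes log.
    The later '<category> Infected:' section headers carry no number and are ignored."""
    counts = {}
    for line in lines:
        m = _MBAM_COUNT_RE.match(line.strip())
        if m:
            counts[m.group("kind")] = int(m.group("n"))
    return counts


def mbam_is_clean(counts):
    """Clean only if every summary category is present and reports zero."""
    expected = {"Memory Processes Infected", "Memory Modules Infected",
                "Registry Keys Infected", "Registry Values Infected",
                "Registry Data Items Infected", "Folders Infected", "Files Infected"}
    return expected.issubset(counts) and all(counts[k] == 0 for k in expected)


# Constructed sample lines modelled on the logs above, plus one deliberately
# wrong mapping and one restore into system32 to show what gets flagged.
SAMPLE_RESTORE = [
    r"C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\WatsonReporting\user.txt -> C:\documents and settings\Owner\Application Data\MSN6\WatsonReporting\user.txt",
    r"C:\Qoobox\Quarantine\c\documents and settings\Owner\Application Data\MSN6\UserData\Mail\mfreq0x1.2 -> C:\documents and settings\Owner\Desktop\mfreq0x1.2",
    r"C:\Qoobox\Quarantine\c\windows\system32\example.dll -> C:\windows\system32\example.dll",
    "83 File(s) copied",
]
SAMPLE_MBAM = [
    "Malwarebytes' Anti-Malware 1.44",
    "Scan type: Quick Scan",
    "Memory Processes Infected: 0",
    "Memory Modules Infected: 0",
    "Registry Keys Infected: 0",
    "Registry Values Infected: 0",
    "Registry Data Items Infected: 0",
    "Folders Infected: 0",
    "Files Infected: 0",
    "",
    "Files Infected:",
    "(No malicious items detected)",
]

if __name__ == "__main__":
    n, problems = check_restore_log(SAMPLE_RESTORE)
    print(f"{n} restore line(s) checked, {len(problems)} finding(s)")
    for line_no, reason in problems:
        print(f"  line {line_no}: {reason}")
    print("MBAM clean:", mbam_is_clean(parse_mbam_summary(SAMPLE_MBAM)))
```

Feed it the real restore list and Malwarebytes log as lists of lines; a mismatch finding means a file did not go back to its original path, and a "sensitive location" finding is a restored file worth inspecting before trusting the machine again.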