
Redirecting and shutting down after the NT warning msg


  • This topic is locked
19 replies to this topic

#1 balti gorom

  • Members
  • 10 posts

Posted 31 January 2010 - 06:32 AM

After opening a supposed scanned attachment in my Yahoo mail, my computer almost instantly went crazy: the background changed, with a red box in the centre stating that my computer was infected. I was suspicious of this immediately and went about trying to get around it without clicking on any of the pop-ups. After running AVG a few times the problem seemed to go away; however, after going back online another window popped up saying NT AUTHORITY/WINDOWS and a countdown started, after which my computer restarted. After reading some forums I managed to get around this by running CMD shutdown -a. This wasn't a huge problem, but then whilst surfing I am constantly redirected to random websites and search engines. I suspect it is quite a serious but common problem and I would be grateful for any help please. I have done the DDS and RootRepeal and have posted them with this message, thanks again. 'HERE IS THE LOG'!


DDS (Ver_09-12-01.01) - NTFSx86
Run by Rebecca Bayfield at 10:21:34.64 on 28/01/2010
Internet Explorer: 7.0.5730.11
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://google.co.uk/
uSearch Page = hxxp://www.google.com
uWindow Title = Microsoft Internet Explorer provided by Orange UK
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Wanadoo: {8b68564d-53fd-4293-b80c-993a9f3988ee} -
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6.3; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.dressupgames88.com/play/403/Talladega-Nights.htm"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [nwiz] nwiz.exe /install
mRun: [lxdimon.exe] "c:\program files\lexmark 3500-4500 series\lxdimon.exe"
mRun: [lxdiamon] "c:\program files\lexmark 3500-4500 series\lxdiamon.exe"
mRun: [FaxCenterServer] "c:\program files\\lexmark fax solutions\fm3032.exe" /s
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\rebecc~1\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Search with Wanadoo - c:\progra~1\wanadoo\wsbar\WSBar.dll/VSearch.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} - hxxp://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {3527C5BD-4A46-4362-94B6-12341D087A4B} - hxxp://echospin.com/wizard/files/esWizard.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177795821218
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-01-22 18:10:32 0 d-----w- C:\SOPHTEMP
2010-01-20 18:01:56 0 d-----w- c:\docume~1\rebecc~1\applic~1\Registry Mechanic
2010-01-19 22:29:16 0 d--h--w- C:\$AVG
2010-01-19 22:29:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-19 22:29:01 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-19 22:28:50 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-19 22:28:42 0 d-----w- c:\windows\system32\drivers\Avg
2010-01-19 22:28:26 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-01-19 21:58:54 0 d-----w- c:\windows\system32\wbem\Repository
2010-01-19 21:58:31 0 d-----w- C:\ComboFix
2010-01-19 21:10:03 0 d-----w- C:\RECYCLER(2)
2010-01-19 20:51:57 0 d-----w- c:\windows\system32\lowsec
2010-01-19 20:24:03 0 d-sha-r- C:\cmdcons
2010-01-19 20:20:27 98816 ----a-w- c:\windows\sed.exe
2010-01-19 20:20:27 77312 ----a-w- c:\windows\MBR.exe
2010-01-19 20:20:27 261632 ----a-w- c:\windows\PEV.exe
2010-01-19 20:20:27 161792 ----a-w- c:\windows\SWREG.exe
2010-01-19 20:06:31 0 d-----w- C:\AVGTemp
2010-01-18 21:11:08 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2010-01-18 20:49:10 69168 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2010-01-18 20:49:10 13360 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2010-01-18 17:54:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Sunbelt
2010-01-18 17:54:08 0 d-----w- c:\docume~1\rebecc~1\applic~1\Sunbelt
2010-01-18 17:44:47 202928 ----a-w- c:\windows\system32\drivers\sbtis.sys
2010-01-18 17:44:21 0 d-----w- c:\program files\Sunbelt Software
2010-01-18 17:01:44 0 d-----w- c:\docume~1\rebecc~1\applic~1\AdwareBot
2010-01-16 19:21:04 0 d-----w- c:\docume~1\rebecc~1\applic~1\Malwarebytes
2010-01-16 19:20:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-15 15:45:27 0 d-----w- C:\spoolerlogs
2010-01-13 21:03:07 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-01-28 09:46:30 99584 ----a-w- c:\windows\system32\drivers\nvata.sys
2009-12-31 15:33:06 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-18 13:04:09 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2007-01-28 10:29:32 278528 ----a-w- c:\program files\common files\FDEUnInstaller.exe
2008-09-18 21:10:55 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091820080919\index.dat

============= FINISH: 10:23:37.06 ===============

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/30 12:31
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB8622000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\I386\85F874.FO_
Status: Could not get file information (Error 0xc0000008)

Path: C:\SWSetup\MISC2\setup.exe
Status: Could not get file information (Error 0xc0000008)

Stealth Objects
-------------------
Object: Hidden Module [Name: msls50.dll]
Process: HPQWA_UI.EXE (PID: 3856) Address: 0x016c0000 Size: 102400

==EOF==





#2 Blind Faith

  • Malware Response Team
  • 4,101 posts

Posted 07 February 2010 - 04:30 PM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle

#3 balti gorom

  • Topic Starter
  • Members
  • 10 posts

Posted 10 February 2010 - 04:51 AM

Thanks for your response, I'll post as soon as I can.

#4 balti gorom

  • Topic Starter
  • Members
  • 10 posts

Posted 12 February 2010 - 04:03 AM

I ran the DDS and I've also attached the necessary files. In addition to the redirection and shutting down, new windows have begun opening by themselves, please hellllllp! Thinking about a format, but worried that the virus or whatever the nasty thing is will get on to my portable drive. Anything you can assist me with, I would be very grateful.

Thanks Mark


DDS (Ver_09-12-01.01) - NTFSx86
Run by Rebecca Bayfield at 23:54:15.53 on 11/02/2010
Internet Explorer: 7.0.5730.11
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://google.co.uk/
uSearch Page = hxxp://www.google.com
uWindow Title = Microsoft Internet Explorer provided by Orange UK
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Wanadoo: {8b68564d-53fd-4293-b80c-993a9f3988ee} -
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6.3; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.dressupgames88.com/play/403/Talladega-Nights.htm"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [nwiz] nwiz.exe /install
mRun: [lxdimon.exe] "c:\program files\lexmark 3500-4500 series\lxdimon.exe"
mRun: [lxdiamon] "c:\program files\lexmark 3500-4500 series\lxdiamon.exe"
mRun: [FaxCenterServer] "c:\program files\\lexmark fax solutions\fm3032.exe" /s
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [GroupManager] c:\windows\msiUpdate.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Search with Wanadoo - c:\progra~1\wanadoo\wsbar\WSBar.dll/VSearch.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} - hxxp://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {3527C5BD-4A46-4362-94B6-12341D087A4B} - hxxp://echospin.com/wizard/files/esWizard.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177795821218
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-02-07 18:41:29 54156 ---ha-w- c:\windows\QTFont.qfn
2010-02-07 18:41:29 1409 ----a-w- c:\windows\QTFont.for
2010-02-05 17:13:20 94720 ----a-w- c:\temp\MsiZap.exe
2010-02-05 17:13:20 6338 ----a-w- c:\temp\VClean1.vbs
2010-02-05 17:13:20 2539 ----a-w- c:\temp\VClean2.vbs
2010-02-05 17:13:20 10569 ----a-w- c:\temp\uninst-vipre3.reg
2010-02-05 17:13:20 0 d-----w- C:\Temp
2010-01-22 18:10:32 0 d-----w- C:\SOPHTEMP
2010-01-20 18:01:56 0 d-----w- c:\docume~1\rebecc~1\applic~1\Registry Mechanic
2010-01-19 22:29:16 0 d--h--w- C:\$AVG
2010-01-19 22:29:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-19 22:29:01 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-19 22:28:50 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-19 22:28:42 0 d-----w- c:\windows\system32\drivers\Avg
2010-01-19 22:28:26 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-01-19 21:58:54 0 d-----w- c:\windows\system32\wbem\Repository
2010-01-19 21:58:31 0 d-----w- C:\ComboFix
2010-01-19 21:10:03 0 d-----w- C:\RECYCLER(2)
2010-01-19 20:24:03 0 d-sha-r- C:\cmdcons
2010-01-19 20:20:27 98816 ----a-w- c:\windows\sed.exe
2010-01-19 20:20:27 77312 ----a-w- c:\windows\MBR.exe
2010-01-19 20:20:27 261632 ----a-w- c:\windows\PEV.exe
2010-01-19 20:20:27 161792 ----a-w- c:\windows\SWREG.exe
2010-01-19 20:06:31 0 d-----w- C:\AVGTemp
2010-01-18 21:11:08 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2010-01-18 20:49:10 69168 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2010-01-18 20:49:10 13360 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2010-01-18 17:54:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Sunbelt
2010-01-18 17:54:08 0 d-----w- c:\docume~1\rebecc~1\applic~1\Sunbelt
2010-01-18 17:44:47 202928 ----a-w- c:\windows\system32\drivers\sbtis.sys
2010-01-18 17:44:21 0 d-----w- c:\program files\Sunbelt Software
2010-01-18 17:01:44 0 d-----w- c:\docume~1\rebecc~1\applic~1\AdwareBot
2010-01-16 19:21:04 0 d-----w- c:\docume~1\rebecc~1\applic~1\Malwarebytes
2010-01-16 19:20:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-15 15:45:27 0 d-----w- C:\spoolerlogs
2010-01-13 21:03:07 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-02-11 23:33:31 99584 ----a-w- c:\windows\system32\drivers\nvata.sys
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-31 15:33:06 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-18 13:04:09 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 17920 ------w- c:\windows\system32\dllcache\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11:44 1291776 ------w- c:\windows\system32\dllcache\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\dllcache\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:35 28672 ------w- c:\windows\system32\dllcache\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07:34 11264 ------w- c:\windows\system32\dllcache\msrle32.dll
2007-01-28 10:29:32 278528 ----a-w- c:\program files\common files\FDEUnInstaller.exe
2008-09-18 21:10:55 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091820080919\index.dat

============= FINISH: 23:56:23.76 ===============


#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:48 AM

Posted 12 February 2010 - 07:27 AM

Hi balti gorom,

Welcome to the Virus/Trojan/Spyware/Malware Removal (VTSMR) forum, and apologies for the delay. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files with each other, as the name suggests. In today's world cyber crime has reached an enormous scale, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should thus be used with great care. Some further reading on this subject, along with the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  1. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  2. Disable AVG Resident Shield:
    • Double click AVG system tray icon to open AVG.
    • In Overview section double click Resident Shield.
    • Uncheck Resident Shield Active.
    • Press Save Changes.

      Note: It is important to activate the resident shield again immediately after ComboFix has produced its log.

  3. You seem to have run Combofix. Delete your copy and download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot into a special recovery/repair mode that will let us more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#6 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:48 AM

Posted 12 February 2010 - 11:58 AM

I removed the reply that was accidentally posted here.

Please disregard this post and perform the steps outlined in my previous post.

Regards,

farbar

Edited by farbar, 14 February 2010 - 09:21 AM.

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#7 balti gorom

balti gorom
  • Topic Starter

  • Members
  • 10 posts
  • Local time:07:48 AM

Posted 14 February 2010 - 08:21 AM

Hi, thanks for your help. I have not installed any new programs or changed any settings.
Here are the ComboFix results, and I have attached the Malwarebytes results too.


Malwarebytes' Anti-Malware 1.44
Database version: 3737
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

14/02/2010 12:30:10
mbam-log-2010-02-14 (12-29-59).txt

Scan type: Quick Scan
Objects scanned: 134186
Time elapsed: 8 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{50d5107a-d278-4871-8989-f4ceaaf59cfc} (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\groupmanager (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Rebecca Bayfield\Application Data\AdwareBot (Rogue.AdwareBot) -> No action taken.
C:\Documents and Settings\Rebecca Bayfield\Application Data\AdwareBot\Log (Rogue.AdwareBot) -> No action taken.
C:\Documents and Settings\Rebecca Bayfield\Application Data\AdwareBot\Settings (Rogue.AdwareBot) -> No action taken.

Files Infected:
C:\Documents and Settings\Rebecca Bayfield\Application Data\AdwareBot\rs.dat (Rogue.AdwareBot) -> No action taken.
C:\Documents and Settings\Rebecca Bayfield\Application Data\AdwareBot\Log\2010 Jan 18 - 05_01_44 PM_234.log (Rogue.AdwareBot) -> No action taken.
C:\Documents and Settings\Rebecca Bayfield\Application Data\AdwareBot\Log\2010 Jan 18 - 05_04_44 PM_265.log (Rogue.AdwareBot) -> No action taken.
C:\Documents and Settings\Rebecca Bayfield\Application Data\AdwareBot\Log\2010 Jan 18 - 05_07_24 PM_203.log (Rogue.AdwareBot) -> No action taken.
C:\Documents and Settings\Rebecca Bayfield\Application Data\AdwareBot\Settings\ScanResults.pie (Rogue.AdwareBot) -> No action taken.
C:\WINDOWS\system32\msls50.dll (Trojan.Agent) -> No action taken.


ComboFix 10-02-12.01 - Rebecca Bayfield 14/02/2010 12:44:57.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.959.515 [GMT 0:00]
Running from: c:\documents and settings\Rebecca Bayfield\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Rebecca Bayfield\Application Data\rbap550.dll

Infected copy of c:\windows\system32\DRIVERS\nvata.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-01-14 to 2010-02-14 )))))))))))))))))))))))))))))))
.

2010-02-14 12:18 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-14 12:18 . 2010-02-14 12:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-14 12:18 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-05 17:13 . 2010-02-05 17:13 -------- d-----w- C:\Temp
2010-02-05 17:13 . 2008-08-29 13:23 2539 ----a-w- c:\temp\VClean2.vbs
2010-02-05 17:13 . 2008-08-29 13:22 6338 ----a-w- c:\temp\VClean1.vbs
2010-02-05 17:13 . 2008-08-29 10:22 10569 ----a-w- c:\temp\uninst-vipre3.reg
2010-02-05 17:13 . 2006-06-16 03:21 94720 ----a-w- c:\temp\MsiZap.exe
2010-01-22 18:10 . 2010-01-22 18:11 -------- d-----w- C:\SOPHTEMP
2010-01-20 18:01 . 2010-01-20 18:01 -------- d-----w- c:\documents and settings\Rebecca Bayfield\Application Data\Registry Mechanic
2010-01-19 22:29 . 2010-01-19 22:29 -------- d-----w- C:\$AVG
2010-01-19 22:29 . 2010-01-19 22:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-19 22:29 . 2010-01-19 22:29 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-19 22:28 . 2010-01-19 22:28 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-19 22:28 . 2010-01-19 22:28 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-19 22:28 . 2010-02-14 12:08 -------- d-----w- c:\windows\system32\drivers\Avg
2010-01-19 22:28 . 2010-02-11 09:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-19 21:58 . 2010-01-19 21:58 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-19 21:10 . 2010-01-19 21:58 -------- d-----w- C:\RECYCLER(2)
2010-01-19 20:06 . 2010-01-19 20:06 -------- d-----w- C:\AVGTemp
2010-01-18 21:11 . 2009-12-18 13:05 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2010-01-18 20:49 . 2008-09-12 11:12 69168 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2010-01-18 20:49 . 2008-09-12 11:12 13360 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2010-01-18 20:37 . 2010-01-18 20:37 -------- d-sh--w- c:\documents and settings\NetworkService\Temporary Internet Files
2010-01-18 20:37 . 2010-01-18 20:37 -------- d-sh--w- c:\documents and settings\NetworkService\History
2010-01-18 17:54 . 2010-01-18 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2010-01-18 17:54 . 2010-01-18 17:54 -------- d-----w- c:\documents and settings\Rebecca Bayfield\Application Data\Sunbelt
2010-01-18 17:44 . 2008-10-09 10:21 202928 ----a-w- c:\windows\system32\drivers\sbtis.sys
2010-01-18 17:44 . 2010-01-18 17:46 -------- d-----w- c:\program files\Sunbelt Software
2010-01-17 11:29 . 2010-01-17 11:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-16 19:21 . 2010-01-16 19:21 -------- d-----w- c:\documents and settings\Rebecca Bayfield\Application Data\Malwarebytes
2010-01-16 19:20 . 2010-01-16 19:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-15 15:45 . 2010-01-15 15:45 -------- d-----w- C:\spoolerlogs
2010-01-15 15:30 . 2010-01-15 15:30 -------- d-----w- c:\documents and settings\Rebecca Bayfield\Local Settings\Application Data\Threat Expert

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-14 12:03 . 2006-10-20 12:53 99584 ----a-w- c:\windows\system32\drivers\nvata.sys
2010-02-11 10:29 . 2007-03-15 23:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-10 08:41 . 2008-11-23 17:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-07 18:20 . 2007-05-05 15:56 -------- d-----w- c:\documents and settings\Rebecca Bayfield\Application Data\Azureus
2010-02-05 08:31 . 2006-10-20 06:47 -------- d-----w- c:\program files\Google
2010-01-20 09:14 . 2009-03-05 21:06 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-19 22:28 . 2010-01-27 14:44 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-01-19 22:28 . 2010-01-27 14:44 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-01-19 22:28 . 2008-08-11 18:58 -------- d-----w- c:\program files\AVG
2010-01-18 16:50 . 2007-10-29 19:46 -------- d-----w- c:\program files\btbb_wcm
2010-01-18 16:49 . 2008-12-25 09:26 -------- d-----w- c:\program files\ArcSoft
2010-01-17 12:48 . 2007-11-18 14:25 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-12 14:26 . 2006-10-20 06:00 114336 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-12 14:04 . 2006-10-20 06:38 -------- d-----w- c:\program files\Microsoft Works
2010-01-09 23:14 . 2006-10-20 12:52 -------- d-----w- c:\program files\Java
2010-01-09 23:12 . 2010-01-09 23:12 152576 ----a-w- c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-09 23:12 . 2010-01-09 23:12 79488 ----a-w- c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-07 18:56 . 2007-05-05 15:56 -------- d-----w- c:\program files\Azureus
2010-01-05 10:00 . 2006-03-16 04:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2006-03-16 04:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2006-03-16 04:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-01 08:36 . 2007-06-04 14:55 -------- d-----w- c:\program files\Fantastic 4 Print Studio
2009-12-31 16:50 . 2005-05-10 08:17 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-19 15:02 . 2009-12-19 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe
2009-12-19 15:01 . 2009-12-19 15:01 -------- d-----w- c:\documents and settings\Rebecca Bayfield\Application Data\Nero
2009-12-19 14:53 . 2009-12-19 14:53 -------- d-----w- c:\program files\NeroInstall.bak
2009-12-19 14:49 . 2009-12-19 14:46 -------- d-----w- c:\program files\Common Files\Nero
2009-12-19 14:46 . 2009-12-19 14:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-12-19 14:46 . 2009-12-19 14:46 -------- d-----w- c:\program files\Nero
2009-12-19 12:53 . 2006-10-20 12:52 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-12-19 12:52 . 2006-10-20 12:52 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-19 12:42 . 2006-10-20 12:52 -------- d-----w- c:\program files\Sonic
2009-12-16 18:43 . 2006-03-16 04:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2006-03-16 04:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 2005-01-19 12:26 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2006-03-16 04:00 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11 . 2005-08-30 12:13 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07 . 2006-03-16 04:00 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2006-03-16 04:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2006-03-16 04:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2006-03-16 04:00 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07 . 2006-03-16 04:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2007-01-28 10:29 . 2007-01-28 10:29 278528 ----a-w- c:\program files\Common Files\FDEUnInstaller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-07 68856]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-24 7569408]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-11 102400]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-01-26 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"nwiz"="nwiz.exe" [2006-08-24 1617920]
"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-07-16 434864]
"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-07-16 25264]
"FaxCenterServer"="c:\program files\\Lexmark Fax Solutions\fm3032.exe" [2007-07-16 311984]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-19 198160]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-03-25 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-19 22:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati6irxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7dnxx.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Pavilion Webcam Tray Icon.lnk]
backup=c:\windows\pss\HP Pavilion Webcam Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rebecca Bayfield^Start Menu^Programs^StartUp^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\lxdicoms.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"c:\\WINDOWS\\system32\\lxdicfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=
"c:\\WINDOWS\\system32\\lxdiih.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [27/06/2007 20:42 15172]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [19/01/2010 22:28 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [19/01/2010 22:29 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [19/01/2010 22:28 285392]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
S0 ati6irxx;ati6irxx;c:\windows\system32\Drivers\ati6irxx.sys --> c:\windows\system32\Drivers\ati6irxx.sys [?]
S0 ati7dnxx;ati7dnxx;c:\windows\system32\Drivers\ati7dnxx.sys --> c:\windows\system32\Drivers\ati7dnxx.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 08:31 135664]
S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [29/09/2008 16:53 99248]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [21/11/2007 22:12 1527900]
S3 rootrepeal1;rootrepeal1;\??\c:\windows\system32\drivers\rootrepeal1.sys --> c:\windows\system32\drivers\rootrepeal1.sys [?]
S3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [21/11/2007 22:11 544768]
.
Contents of the 'Scheduled Tasks' folder

2010-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 08:31]

2010-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Search with Wanadoo - c:\progra~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {3527C5BD-4A46-4362-94B6-12341D087A4B} - hxxp://echospin.com/wizard/files/esWizard.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-14 12:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ?????????????@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(1252)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\NVWRSENG.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdicoms.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\HPZipm12.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\rundll32.exe
c:\program files\Microsoft ActiveSync\Wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2010-02-14 13:09:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-14 13:09

Pre-Run: 43,804,291,072 bytes free
Post-Run: 44,160,835,584 bytes free

- - End Of File - - 5E15AF72B9CCF4A7F8D39F23768068FD

Edited by farbar, 14 February 2010 - 09:23 AM.

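The ComboFix log above ends its "Reg Loading Points" section with the Run keys that start programs at logon, which is exactly where MBAM had flagged the "groupmanager" value. The script below is an added example for this thread, not part of ComboFix or of any post: it parses those REGEDIT4-style lines and flags any entry whose program, or the DLL handed to rundll32, lives in a user-writable location such as Application Data or Temp, where this machine's droppers (rbap550.dll, the AdwareBot folder) sat. The sample section is constructed; its "groupmanager" line is a hypothetical stand-in, since the posted logs never show that value's real data.

```python
r"""Triage the autostart (Run key) entries of a ComboFix "Reg Loading Points"
section.

Added example for this thread; not part of ComboFix or of any post. It parses
the REGEDIT4-style lines ComboFix prints, e.g.
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-07 68856]
and flags entries whose program, or the DLL handed to rundll32, lives in a
user-writable directory. SAMPLE_SECTION is constructed; the "groupmanager"
value in it is hypothetical (the real data was not in the posted logs).
"""
import re

# "[HKEY_LOCAL_MACHINE\SOFTWARE\...\Run]" style key headers (any bracketed key).
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="data" followed by ComboFix's optional "[date size]" annotation.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"(?: \[(?P<meta>[^\]]*)\])?$')
# Every drive-letter path to a loadable file inside the value data.
PATH_RE = re.compile(r'[a-zA-Z]:\\[^"\[\]]*?\.(?:exe|dll|scr|bat|cmd|com|pif|vbs|js)\b', re.I)

# Directories a legitimate machine-wide autostart should not point into.
USER_WRITABLE = (
    "\\application data\\",
    "\\local settings\\temp\\",
    "\\local settings\\application data\\",
    "\\windows\\temp\\",
    "\\recycler\\",
)


def parse_run_entries(text):
    """Return the value entries found under any key whose name ends in \\Run."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None or not key.lower().endswith("\\run"):
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append({"key": key, **m.groupdict()})
    return entries


def classify(data):
    """Return (level, reasons) for one Run value's data string."""
    paths = [p.lower() for p in PATH_RE.findall(data)]
    reasons = []
    if not paths:
        # Bare "nwiz.exe" style values are resolved through the search path;
        # legitimate here, but worth confirming which file actually runs.
        reasons.append("unqualified file name, resolved via search path")
    for p in paths:
        if any(frag in p for frag in USER_WRITABLE):
            reasons.append("user-writable location: " + p)
    if len(paths) > 1 and "rundll32" in paths[0]:
        reasons.append("rundll32 loading " + paths[1])
    if any(r.startswith("user-writable") for r in reasons):
        level = "suspicious"
    elif reasons:
        level = "check"
    else:
        level = "ok"
    return level, reasons


def triage(text):
    """Map each Run value name to its (level, reasons)."""
    return {e["name"]: classify(e["data"]) for e in parse_run_entries(text)}


# Constructed sample in ComboFix's layout; "groupmanager" is hypothetical.
SAMPLE_SECTION = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-07 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-24 7569408]
"nwiz"="nwiz.exe" [2006-08-24 1617920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"groupmanager"="c:\windows\system32\rundll32.exe c:\documents and settings\User\Application Data\example.dll,Start"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-19 22:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll
"""

if __name__ == "__main__":
    for name, (level, reasons) in triage(SAMPLE_SECTION).items():
        print(f"{level:10} {name}" + "".join("\n    - " + r for r in reasons))
```

Paste a real ComboFix log into the script in place of SAMPLE_SECTION to get the same report; "ok" only means the file is in a normal program directory, so entries still deserve a look at their date and size annotation.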

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:48 AM

Posted 14 February 2010 - 09:25 AM

From malwarebytes log:
QUOTE
HKEY_CLASSES_ROOT\CLSID\{50d5107a-d278-4871-8989-f4ceaaf59cfc} (Trojan.Agent) -> No action taken.

This doesn't remove the malware. Please run malwarebytes again as instructed and copy and paste the log.

Edited by farbar, 14 February 2010 - 09:34 AM.
Spelling

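The point Farbar makes above is easy to miss when reading an MBAM log by eye: every line ended in "No action taken", so the scan only recorded the infection. The following is an added example for this thread, not a tool from any post or from Malwarebytes: it parses an MBAM 1.x log into its detections and reports how many were left in place, so a helper can tell a recording-only run from a real removal before asking for a re-scan. The sample log text is constructed in the same layout as the logs posted here; its paths and CLSID are placeholders.

```python
r"""Check whether a Malwarebytes' Anti-Malware (MBAM 1.x) log shows that the
detections were actually removed.

Added example for this thread, not a tool from any post or from Malwarebytes.
It relies only on the log layout visible in the thread: a header block,
per-category counts, then sections such as "Files Infected:" listing
    <item> (<ThreatName>) -> <Action>.
where the action is e.g. "No action taken." (nothing was removed; the log
merely records the scan) or "Quarantined and deleted successfully.".
SAMPLE_LOG_NOT_REMOVED is constructed for the example.
"""
import re
from collections import Counter

# Section headers under which individual detections are listed.
SECTIONS = (
    "Memory Processes Infected:",
    "Memory Modules Infected:",
    "Registry Keys Infected:",
    "Registry Values Infected:",
    "Registry Data Items Infected:",
    "Folders Infected:",
    "Files Infected:",
)

# "<item> (<threat>) -> <action>."  The threat name is the parenthesised
# token directly before the arrow; the trailing full stop is optional.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return one dict {section, item, threat, action} per detection line."""
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:  # exact header, not the "...Infected: 3" count line
            section = line.rstrip(":")
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append({"section": section, **m.groupdict()})
    return detections


def not_removed(detections):
    """Detections whose recorded action means the object is still present."""
    return [d for d in detections if d["action"].lower().startswith("no action taken")]


def summarize(text):
    """The counts a helper wants before deciding whether to ask for a re-run."""
    dets = parse_mbam_log(text)
    left = not_removed(dets)
    return {
        "detections": len(dets),
        "not_removed": len(left),
        "by_threat": Counter(d["threat"] for d in dets),
        "cleaned": bool(dets) and not left,
    }


# Constructed sample in MBAM 1.44 layout; paths and CLSID are placeholders.
SAMPLE_LOG_NOT_REMOVED = r"""
Malwarebytes' Anti-Malware 1.44
Database version: 3737
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 134186
Time elapsed: 8 minute(s), 31 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000} (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\groupmanager (Backdoor.Bot) -> No action taken.

Files Infected:
C:\Documents and Settings\User\Application Data\Example\Log\2010 Jan 18 - 05_01_44 PM_234.log (Rogue.AdwareBot) -> No action taken.
C:\WINDOWS\system32\example.dll (Trojan.Agent) -> No action taken.
"""
# The same scan as it should look after "Remove Selected" was clicked.
SAMPLE_LOG_REMOVED = SAMPLE_LOG_NOT_REMOVED.replace(
    "No action taken.", "Quarantined and deleted successfully.")

if __name__ == "__main__":
    for label, log in (("first run", SAMPLE_LOG_NOT_REMOVED), ("re-run", SAMPLE_LOG_REMOVED)):
        s = summarize(log)
        print(f"{label}: {s['detections']} detections, "
              f"{s['not_removed']} not removed, cleaned={s['cleaned']}")
```

A log with zero detections is reported as not cleaned on purpose: an empty second scan, like the one posted below, says nothing about what happened to the objects found earlier, so the first log's actions still have to be checked.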

#9 balti gorom

balti gorom
  • Topic Starter

  • Members
  • 10 posts
  • Local time:07:48 AM

Posted 14 February 2010 - 11:42 AM

Thanks for your swift response. I ran the scan again; this time it does not appear to have found anything!

Malwarebytes' Anti-Malware 1.44
Database version: 3739
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

14/02/2010 16:36:46
mbam-log-2010-02-14 (16-36-46).txt

Scan type: Quick Scan
Objects scanned: 132098
Time elapsed: 8 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:48 AM

Posted 14 February 2010 - 11:57 AM

Both Malwarebytes and ComboFix cleaned all the active malware. There should be no errors or redirects any more.

But we want to look for any inactive ones.

  1. You have Java 6 Update 17, which is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components:
    Click "Start" and then the "Control Panel" icon.
    Double-click the "Add or Remove Programs" icon.
    A list of installed programs will be "populated"; this may take a bit of time.
    Uninstall the following by clicking on the following entries and selecting "Remove":

    J2SE Runtime Environment 5.0 Update 11
    Java™ 6 Update 2
    Java™ 6 Update 3
    Java™ 6 Update 5
    Java™ 6 Update 7
    Java™ SE Runtime Environment 6 Update 1


  2. Please do a scan with Kaspersky Online Scanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, click on View scan report
    • Now, click on the Save Report as button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.



#11 balti gorom

balti gorom
  • Topic Starter

  • Members
  • 10 posts
  • Local time:07:48 AM

Posted 15 February 2010 - 12:11 AM

Hello, sorry for the delayed reply, I ran the scan and here are the results.


KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, February 15, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, February 14, 2010 18:21:40
Records in database: 3502382


Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes

Scan area My Computer
C:\
D:\
E:\

Scan statistics
Objects scanned 141058
Threats found 8
Infected objects found 14
Suspicious objects found 0
Scan duration 06:05:44

File name Threat Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\67A46114.dll Infected: Trojan-Downloader.Win32.Agent.bfj 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\69BC46C7.dll Infected: Trojan-Downloader.Win32.Agent.bfj 1

C:\Documents and Settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\25\575b3459-713ba0ee Infected: Trojan.Java.ClassLoader.as 3

C:\Documents and Settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\32\50c2ce60-67a7637e Infected: Trojan.Java.ClassLoader.as 3

C:\Documents and Settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\45\51b521ed-5a8f4e19 Infected: Trojan-Downloader.Java.OpenConnection.ar 1

C:\Documents and Settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\51\52c741f3-11d4aa45 Infected: Exploit.Java.Gimsh.a 1

C:\Documents and Settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-781592d1 Infected: Trojan-Downloader.Java.OpenConnection.at 1

C:\Program Files\EasyBits\KidsReady\Setup.exe Infected: Trojan.Win32.KillWin.iy 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\nvata.sys.vir Infected: Rootkit.Win32.TDSS.y 1

C:\WINDOWS\system32\msls50.dll~RFb0051b8.TMP Infected: Trojan.Win32.FraudPack.ajyl 1

Selected area has been scanned.
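As an added example, not part of this thread or of any tool named in it, the following Python script parses a report in the format above and sorts each hit by where it sits, because the location rather than the detection name decides the next step: hits inside another product's quarantine store are already neutralised and the store can be deleted whole, hits under C:\Qoobox belong to ComboFix's own quarantine, Java Deployment cache entries are cleared as a block, an executable under Program Files deserves a second opinion before anything is deleted, and whatever is left in a live location is listed for removal. From those buckets it also renders the File:: and Folder:: sections of a ComboFix CFScript. The sample report is constructed from the lines posted above with the profile name replaced by a placeholder, and the function and bucket names (`triage`, `classify`, `cfscript`, `verify` and so on) are this example's own.

```python
"""Triage a Kaspersky Online Scanner 7 report (added example, not from the thread).

Each "File name  Threat  Threats count" line is parsed and placed in a bucket
that decides the next step, following the reasoning applied in this thread:

  quarantine           another product's quarantine store: delete the store
  combofix_quarantine  C:\\Qoobox: ComboFix's own store, left for ComboFix
  java_cache           Java Deployment cache entries: clear the cache
  verify               an .exe under Program Files: get a second opinion
                       (e.g. VirusTotal) before deleting, may be a false positive
  live                 anything else in a live location: remove it
"""
import re
from collections import defaultdict

HIT_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Constructed sample based on the report posted above; the profile name is a placeholder.
SAMPLE_REPORT = r"""
File name Threat Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\67A46114.dll Infected: Trojan-Downloader.Win32.Agent.bfj 1
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\51\52c741f3-11d4aa45 Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-781592d1 Infected: Trojan-Downloader.Java.OpenConnection.at 1
C:\Program Files\EasyBits\KidsReady\Setup.exe Infected: Trojan.Win32.KillWin.iy 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\nvata.sys.vir Infected: Rootkit.Win32.TDSS.y 1
C:\WINDOWS\system32\msls50.dll~RFb0051b8.TMP Infected: Trojan.Win32.FraudPack.ajyl 1
Selected area has been scanned.
"""


def classify(path: str) -> str:
    """Bucket a hit by location; the location, not the detection name, drives the action."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\"):
        return "combofix_quarantine"
    if "\\quarantine\\" in p:
        return "quarantine"
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java_cache"
    if p.startswith("c:\\program files\\") and p.endswith(".exe"):
        return "verify"
    return "live"


def triage(report: str) -> dict:
    """Parse the report text into {bucket: [{"path", "threat", "count"}, ...]}."""
    buckets = defaultdict(list)
    for line in report.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            buckets[classify(m["path"])].append(
                {"path": m["path"], "threat": m["threat"], "count": int(m["count"])})
    return dict(buckets)


def cfscript(buckets: dict) -> str:
    """Render File::/Folder:: sections for ComboFix: live files individually,
    quarantine stores and the Java cache version directory as whole folders."""
    files = [h["path"] for h in buckets.get("live", [])]
    folders = []
    for h in buckets.get("quarantine", []):
        m = re.match(r"(?i)(.*\\quarantine)\\", h["path"])
        if m and m.group(1) not in folders:
            folders.append(m.group(1))
    for h in buckets.get("java_cache", []):
        m = re.match(r"(?i)(.*\\deployment\\cache\\[^\\]+)\\", h["path"])
        if m and m.group(1) not in folders:
            folders.append(m.group(1))
    lines = []
    if files:
        lines += ["File::", *files]
    if folders:
        lines += ["Folder::", *folders]
    return "\n".join(lines)


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket, hits in result.items():
        print(f"[{bucket}]")
        for h in hits:
            print(f"  {h['threat']:45} {h['path']}")
    print("\n--- CFScript ---")
    print(cfscript(result))
```

Run it and the Setup.exe hit lands in `verify` rather than in the CFScript, while the two Java cache hits collapse to the single `cache\6.0` folder; the Qoobox entry is reported but never scripted, since it is ComboFix's own quarantine.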



#12 Farbar


    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 15 February 2010 - 02:25 AM

No worries about the delay.
  1. To Clear the Java Runtime Environment (JRE) cache, do this:
    • Click Start > Settings > Control Panel.
    • Double-click the Java icon.
      -The Java Control Panel appears.
    • Click "Settings" under Temporary Internet Files.
      -The Temporary Files Settings dialog box appears.
    • Click "Delete Files".
      -The Delete Temporary Files dialog box appears.
      -There are three options on this window to clear the cache.
      • Delete Files
      • View Applications
      • View Applets
    • Click "OK" on Delete Temporary Files window.
      -Note: This deletes all the Downloaded Applications and Applets from the cache.
    • Click "OK" on Temporary Files Settings window.
    • Close the Java Control Panel.
    You can also view these instructions along with screenshots here.

  2. You still have some leftovers from an incompletely uninstalled Norton Antivirus on your computer.

    To remove the leftovers please download and run the Norton Removal Tool.

    Note: the Norton Removal Tool is one and the same for all versions named below; it doesn't matter which version you have.

    Warning: The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer. If you use ACT! or WinFAX, back up those databases before you proceed.

  3. Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    CODE
    File::
    C:\WINDOWS\system32\msls50.dll~RFb0051b8.TMP
    Folder::
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine
    C:\Documents and Settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0
    skip fix::


    Save this as CFScript.txt, in the same location as ComboFix.exe




    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


  4. Click on this link--> virustotal

    Click the browse button. Copy and paste the line in bold in the open box, then click Send File.

    "C:\Program Files\EasyBits\KidsReady\Setup.exe"

    If the file has been analysed before, click the Reanalyse File Now button.
    Please copy and paste the results of the scan in your next post.

  5. Please tell me how your computer is running.
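Step 1 above deletes the Java cache, which also destroys the record of what the exploit kit delivered. As an added example, not part of Farbar's instructions or of any tool mentioned here, this Python script inspects a cache\6.0 tree before it is wiped: it types each payload by magic bytes (a jar is a zip archive, a loose class file starts with 0xCAFEBABE), lists the class names inside a jar, hashes each payload for a VirusTotal lookup, and pulls the first URL-looking string out of the sibling .idx file as a best-effort origin. The layout assumptions (payload files with no extension under numbered directories, a companion .idx per payload, .hst files under host\) are taken from the paths in the scan report above; the .idx scan is a heuristic regex, not a parser for the real index format; the sample tree is constructed in a temporary directory with placeholder content and a reserved .invalid hostname; and `inspect_cache`, `build_sample_cache` and `run_demo` are this example's own names.

```python
"""Inspect a Java Deployment cache before clearing it (added example, not from the thread).

Entries under ...\\Sun\\Java\\Deployment\\cache\\6.0\\<n>\\ are stored without an
extension; a sibling .idx file holds the download metadata and host\\*.hst files
are per-site indexes. This walks the tree, types each payload by magic bytes (a
jar is a zip archive, a loose class file starts with 0xCAFEBABE), hashes it for a
VirusTotal lookup and pulls the first URL-looking string out of the .idx as a
best-effort origin. The .idx scan is a heuristic, not a parser for the real format.
"""
import hashlib
import re
import tempfile
import zipfile
from pathlib import Path

URL_RE = re.compile(rb"https?://[\x21-\x7e]+")
SKIP_SUFFIXES = {".idx", ".hst"}


def kind_of(data: bytes) -> str:
    """Type a payload by its leading bytes."""
    if data.startswith(b"PK\x03\x04"):
        return "jar"
    if data.startswith(b"\xca\xfe\xba\xbe"):
        return "class"
    return "other"


def jar_classes(path: Path) -> list:
    """Class entries inside a cached jar, without extracting anything to disk."""
    with zipfile.ZipFile(path) as z:
        return [n for n in z.namelist() if n.endswith(".class")]


def inspect_cache(root: Path) -> list:
    """Return one record per cached payload, in path order."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix in SKIP_SUFFIXES or p.name == "lastAccessed":
            continue
        data = p.read_bytes()
        kind = kind_of(data)
        idx = p.with_name(p.name + ".idx")   # companion metadata file, if present
        origin = None
        if idx.exists():
            m = URL_RE.search(idx.read_bytes())
            if m:
                origin = m.group(0).decode("ascii", "replace")
        entry = {
            "file": p.relative_to(root).as_posix(),
            "kind": kind,
            "sha256": hashlib.sha256(data).hexdigest(),
            "origin": origin,
        }
        if kind == "jar":
            entry["classes"] = jar_classes(p)
        findings.append(entry)
    return findings


def build_sample_cache(base: Path) -> Path:
    """Constructed stand-in for a cache\\6.0 tree: one jar, one loose class, one host index."""
    root = base / "cache" / "6.0"
    (root / "51").mkdir(parents=True)
    (root / "host").mkdir()
    with zipfile.ZipFile(root / "51" / "52c741f3-11d4aa45", "w") as z:
        z.writestr("Loader.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x32" + b"\x00" * 16)
    (root / "51" / "52c741f3-11d4aa45.idx").write_bytes(
        b"\x00\x00\x00\x01" + b"\x00" * 8 + b"http://exploit.invalid/app.jar" + b"\x00")
    (root / "51" / "1ba054ad-32aa4f56").write_bytes(b"\xca\xfe\xba\xbe\x00\x00\x00\x31")
    (root / "host" / "126b9b42-1be1543a.hst").write_bytes(b"\x00")
    (root / "lastAccessed").write_bytes(b"")
    return root


def run_demo() -> list:
    """Build the sample tree in a temporary directory and inspect it."""
    with tempfile.TemporaryDirectory() as d:
        return inspect_cache(build_sample_cache(Path(d)))


if __name__ == "__main__":
    for e in run_demo():
        print(e)
```

Point `inspect_cache` at the real `Deployment\cache\6.0` directory on an infected profile and the output is a list of hashes to look up and, where the .idx still holds it, the site that served each payload, which is worth saving before the cache is cleared.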




#13 balti gorom

  • Topic Starter

  • Members
  • 10 posts

Posted 15 February 2010 - 11:28 AM

Hi again, many thanks for your continuing assistance. My computer appears to be working almost perfectly, with no redirects or shutdown warnings to report. Here are the scan results you requested.

ComboFix 10-02-12.01 - Rebecca Bayfield 15/02/2010 15:58:18.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.959.373 [GMT 0:00]
Running from: c:\documents and settings\Rebecca Bayfield\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rebecca Bayfield\Desktop\CFScript.txt.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\msls50.dll~RFb0051b8.TMP"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\0\4b9c5340-363e842c
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\1\747db6c1-316b81c3
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\10\1773430a-6935492d
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\10\323bf7ca-509dc7d8
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\11\3842bfcb-119d3204
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-11e74d0e
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-172fa3bf
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-179c49ed
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-181c0bc2
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-1a70981e
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-1ebdc942
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-1fd6a355
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-22effb82
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-251f6f93
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-25b040ca
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-26eac239
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-26eeb804
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-326aefdc
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-32f309fd
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-3320ee64
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-338b2734
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-375e24de
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-37e58c2d
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-3c2d1d32
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-3ebd5a34
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-421665cd
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-44b222ff
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-48ffb757
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-4c0f7f05
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-4c6b3489
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-4f6a6d17
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-52896f83
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-531c00f5
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-6339da98
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-659613f7
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-664eb0d2
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-6e1f531d
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-70122e8b
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\168bdd8c-7b9bfaed
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\12\7db9170c-55a753a8
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\13\245443cd-199df123
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\13\245443cd-65837a89
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\13\245443cd-7a5ea242
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\13\4fd0144d-2e957d6a
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\13\4fd0144d-3abaaa0d
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\13\7abc814d-2b8a6093
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\13\7eece84d-5da473d7
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\15\63a1068f-5beff87e
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\17\119ef3d1-13a98358
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\17\1b82add1-37d0cb46
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\18\52cfa8d2-496fb647
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\19\24f1b213-7205b76a
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\19\758fd913-77a5f670
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\2\24284442-63d774db
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\2\3e674902-73194ec7
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\20\45974f54-5173f923
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\20\53f94914-53f5bc38
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\22\28d246d6-66d77d93
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\22\ea9b596-38f0aba3
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\23\22b21bd7-58191615
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\24\cf6ac98-11a99384
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\25\39c2919-14902993
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\25\6745b119-4c710c32
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\26\239be35a-3431f531
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\26\2ba2de5a-7865ce38
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\26\6be5aa5a-108c93de
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\26\6be5aa5a-35b482e8
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\26\6be5aa5a-3dd0514f
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\27\14ce8ddb-5e16f233
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\27\21cd059b-6a8ccf0d
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\28\62a66c1c-40906d70
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\28\67ce5b1c-42fe405d
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\29\5076731d-46c7d59e
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\29\76d32d1d-341fb365
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\3\14f7b5c3-6a71199d
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\30\176448de-2e8b350c
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\30\3d48dd5e-71ea4f00
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\30\7cd60d9e-1d4f08fc
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\31\2e69a21f-1a66adea
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\31\6c02d25f-2c249489
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\32\1c547720-57ccf279
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\32\36c184a0-127c7dfa
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\32\36c184a0-5a61fa9f
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\33\3205da21-18912b1b
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\33\5e11d0a1-6eed1cf0
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\34\36c00a22-634c1625
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\34\6acc0922-25268ee3
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\34\6b10a122-1825b71e
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\35\2d88ed23-4dd5cdf5
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\35\46d8f3e3-14123a1a
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\37\1ecc065-3db4363c
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\37\2e18f6a5-2e811d9a
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\37\2e18f6a5-72f41fef
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\37\55386165-5b26bda6
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\37\6053c825-341103e9
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\37\616fc765-261a8ecd
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\37\616fc765-6aa9d389
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\37\715f86e5-2f864598
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\38\390f7b26-1049f58f
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\38\758a7426-60a06dd6
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\4\14296744-3aaf8434
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\4\2e8cf5c4-55973f24
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\4\601a84c4-1a5d12e0
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\40\2f652de8-4dfd5809
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\40\36e43de8-62fc5aa4
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\41\151d1d29-5ff6c2dd
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\41\46748a9-2c442698
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\42\107a3daa-6db16901
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\42\29dd78aa-4e178b9b
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\42\dde436a-614e0d2e
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\44\e0305ac-4c62289a
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\45\1ba054ad-32aa4f56
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\47\1ee4a5af-57ed671e
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\48\5b0515f0-797a6d95
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\48\6b57a9f0-40c0b8ea
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\49\77add9b1-75e31f3a
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\5\1f47c45-5cfae813
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\5\7a4a3cc5-5ce6e3b5
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\50\3343a7f2-2d89021f
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\50\33dd7db2-25a9b6ca
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\51\42e93e73-456e4241
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\52\58d768b4-7452d34b
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\52\6d6d9734-50887491
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\53\6756f075-53f8cf83
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\54\24096076-1af7210c
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\55\239011b7-71280376
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\55\fb99937-29886f04
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-781592d1
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\57\53305d39-53af7320
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\57\5c582ef9-17d9bf99
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\57\5c582ef9-18ab5774
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\57\5c582ef9-1d991401
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\6\282cfa46-3d4fb4a2
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\6\5895bf46-54fc22ae
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\6\5de72246-3c453514
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\6\7be59f86-1475c6e2
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\6\7be59f86-1c0bc6aa
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\6\7be59f86-4d9f9f36
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\61\3942c47d-30201ff1
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\61\45c1a23d-31e81ff6
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\61\5093bc3d-7dece77e
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\61\725cd1bd-4c0ac63a
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\62\3f3b793e-46461d39
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\62\5a9e8dbe-27660f49
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\62\5a9e8dbe-286b2716
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\63\7882d37f-58841ddc
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\7\35c83c07-17968af7
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\7\6c0b4b07-31a761f5
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\7\6c0b4b07-7a6381e4
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\8\13a0e9c8-346872cf
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\8\7300ab88-7912cab7
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\9\1c7215c9-74f12e7a
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\126b9b42-1be1543a.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\16837643-3421e1e8.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\16bef960-53c21703.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\21deecfa-22cb76d8.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\22a7bf8b-6dfc2aae.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\260722f0-72b08cf7.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\28a70bbb-5f2bc749.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\28f3214b-1e566b63.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\2a48f359-6dd45221.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\2ceaa963-2f94b5b3.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\3082f5c3-550c17c7.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\32c495ee-68b4b4d2.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\332b19df-30f05ea8.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\35b77c4f-51689d27.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\363b9c63-11c8941f.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\363b9c63-156d5dcd.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\363b9c63-2f30d68d.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\363b9c63-64f4493c.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\363b9c63-71973590.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\363b9c63-754ca796.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\39386ebd-2edc4562.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\3969fbf2-2ecd0576.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\3969fbf2-7773356a.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\39c3e011-4ee26b57.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\39d1ab27-20093cf0.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\3af1b00b-171afd11.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\3c265fcb-2d79e9a4.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\3de996f5-70bf87f5.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\3df9e146-1fca7885.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\3e3e2459-40b46b1e.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\3e3e2459-5e7e3784.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\3e3e2459-64f1bfae.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\3f3a7504-2b530bc7.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\458b658c-3f32a0f6.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\46b2c7a6-1333404f.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\5311debd-6abb7133.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\53f43ad2-292ff1bd.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\55bc3720-67d1fc79.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\57b6901e-77e48f24.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\5fc105ac-2a89ca65.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\60202257-4b8bae12.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\6678f9dd-53c092c4.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\69b8b09e-1ca2f9d1.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\6aeee419-43b3397e.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\6b15c871-66ec8113.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\715a3682-4c430e2c.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\71df5684-554d3d2f.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\7631e531-33ed311c.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\7850456a-7d2c3668.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\7c1abffe-21885075.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\7de4f897-429129bf.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\7ecac31-252b1ae2.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\7ecac31-4db207a1.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\7ecac31-59ab7c97.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\9b0a5a2-104b0f00.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\9dfa0c4-79b312c4.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\host\b8992b7-73263797.hst
c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\Deployment\cache\6.0\lastAccessed
c:\windows\system32\msls50.dll~RFb0051b8.TMP

.
((((((((((((((((((((((((( Files Created from 2010-01-15 to 2010-02-15 )))))))))))))))))))))))))))))))
.

2010-02-14 12:18 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-14 12:18 . 2010-02-14 12:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-14 12:18 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-05 17:13 . 2010-02-05 17:13 -------- d-----w- C:\Temp
2010-02-05 17:13 . 2008-08-29 13:23 2539 ----a-w- c:\temp\VClean2.vbs
2010-02-05 17:13 . 2008-08-29 13:22 6338 ----a-w- c:\temp\VClean1.vbs
2010-02-05 17:13 . 2008-08-29 10:22 10569 ----a-w- c:\temp\uninst-vipre3.reg
2010-02-05 17:13 . 2006-06-16 03:21 94720 ----a-w- c:\temp\MsiZap.exe
2010-01-27 14:44 . 2010-01-19 22:28 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-01-27 14:44 . 2010-01-19 22:28 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-01-22 18:10 . 2010-01-22 18:11 -------- d-----w- C:\SOPHTEMP
2010-01-20 18:01 . 2010-01-20 18:01 -------- d-----w- c:\documents and settings\Rebecca Bayfield\Application Data\Registry Mechanic
2010-01-19 22:29 . 2010-01-19 22:29 -------- d-----w- C:\$AVG
2010-01-19 22:29 . 2010-01-19 22:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-19 22:29 . 2010-01-19 22:29 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-19 22:28 . 2010-01-19 22:28 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-19 22:28 . 2010-01-19 22:28 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-19 22:28 . 2010-02-15 08:30 -------- d-----w- c:\windows\system32\drivers\Avg
2010-01-19 22:28 . 2010-02-11 09:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-19 21:58 . 2010-01-19 21:58 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-19 21:10 . 2010-01-19 21:58 -------- d-----w- C:\RECYCLER(2)
2010-01-19 20:06 . 2010-01-19 20:06 -------- d-----w- C:\AVGTemp
2010-01-18 21:11 . 2009-12-18 13:05 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2010-01-18 20:49 . 2008-09-12 11:12 69168 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2010-01-18 20:49 . 2008-09-12 11:12 13360 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2010-01-18 20:37 . 2010-01-18 20:37 -------- d-sh--w- c:\documents and settings\NetworkService\Temporary Internet Files
2010-01-18 20:37 . 2010-01-18 20:37 -------- d-sh--w- c:\documents and settings\NetworkService\History
2010-01-18 17:54 . 2010-01-18 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2010-01-18 17:54 . 2010-01-18 17:54 -------- d-----w- c:\documents and settings\Rebecca Bayfield\Application Data\Sunbelt
2010-01-18 17:44 . 2008-10-09 10:21 202928 ----a-w- c:\windows\system32\drivers\sbtis.sys
2010-01-18 17:44 . 2010-01-18 17:46 -------- d-----w- c:\program files\Sunbelt Software
2010-01-17 11:29 . 2010-01-17 11:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-16 19:21 . 2010-01-16 19:21 -------- d-----w- c:\documents and settings\Rebecca Bayfield\Application Data\Malwarebytes
2010-01-16 19:20 . 2010-01-16 19:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-14 18:00 . 2006-10-20 12:52 -------- d-----w- c:\program files\Java
2010-02-14 12:03 . 2006-10-20 12:53 99584 ----a-w- c:\windows\system32\drivers\nvata.sys
2010-02-11 10:29 . 2007-03-15 23:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-10 08:41 . 2008-11-23 17:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-07 18:20 . 2007-05-05 15:56 -------- d-----w- c:\documents and settings\Rebecca Bayfield\Application Data\Azureus
2010-02-05 08:31 . 2006-10-20 06:47 -------- d-----w- c:\program files\Google
2010-01-20 09:14 . 2009-03-05 21:06 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-19 22:28 . 2008-08-11 18:58 -------- d-----w- c:\program files\AVG
2010-01-18 16:50 . 2007-10-29 19:46 -------- d-----w- c:\program files\btbb_wcm
2010-01-18 16:49 . 2008-12-25 09:26 -------- d-----w- c:\program files\ArcSoft
2010-01-17 12:48 . 2007-11-18 14:25 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-12 14:26 . 2006-10-20 06:00 114336 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-12 14:04 . 2006-10-20 06:38 -------- d-----w- c:\program files\Microsoft Works
2010-01-09 23:12 . 2010-01-09 23:12 152576 ----a-w- c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-09 23:12 . 2010-01-09 23:12 79488 ----a-w- c:\documents and settings\Rebecca Bayfield\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-07 18:56 . 2007-05-05 15:56 -------- d-----w- c:\program files\Azureus
2010-01-05 10:00 . 2006-03-16 04:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2006-03-16 04:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2006-03-16 04:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-01 08:36 . 2007-06-04 14:55 -------- d-----w- c:\program files\Fantastic 4 Print Studio
2009-12-31 16:50 . 2005-05-10 08:17 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-19 15:02 . 2009-12-19 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe
2009-12-19 15:01 . 2009-12-19 15:01 -------- d-----w- c:\documents and settings\Rebecca Bayfield\Application Data\Nero
2009-12-19 14:53 . 2009-12-19 14:53 -------- d-----w- c:\program files\NeroInstall.bak
2009-12-19 14:49 . 2009-12-19 14:46 -------- d-----w- c:\program files\Common Files\Nero
2009-12-19 14:46 . 2009-12-19 14:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-12-19 14:46 . 2009-12-19 14:46 -------- d-----w- c:\program files\Nero
2009-12-19 12:53 . 2006-10-20 12:52 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-12-19 12:52 . 2006-10-20 12:52 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-19 12:42 . 2006-10-20 12:52 -------- d-----w- c:\program files\Sonic
2009-12-16 18:43 . 2006-03-16 04:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2006-03-16 04:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 2005-01-19 12:26 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2006-03-16 04:00 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11 . 2005-08-30 12:13 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07 . 2006-03-16 04:00 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2006-03-16 04:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2006-03-16 04:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2006-03-16 04:00 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07 . 2006-03-16 04:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-21 15:51 . 2006-03-16 04:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2007-01-28 10:29 . 2007-01-28 10:29 278528 ----a-w- c:\program files\Common Files\FDEUnInstaller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-07 68856]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-24 7569408]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-11 102400]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-01-26 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"nwiz"="nwiz.exe" [2006-08-24 1617920]
"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-07-16 434864]
"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-07-16 25264]
"FaxCenterServer"="c:\program files\\Lexmark Fax Solutions\fm3032.exe" [2007-07-16 311984]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-19 198160]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-03-25 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-19 22:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati6irxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7dnxx.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Pavilion Webcam Tray Icon.lnk]
backup=c:\windows\pss\HP Pavilion Webcam Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rebecca Bayfield^Start Menu^Programs^StartUp^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\lxdicoms.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"c:\\WINDOWS\\system32\\lxdicfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=
"c:\\WINDOWS\\system32\\lxdiih.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [27/06/2007 20:42 15172]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [19/01/2010 22:28 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [19/01/2010 22:29 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [19/01/2010 22:28 285392]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
S0 ati6irxx;ati6irxx;c:\windows\system32\Drivers\ati6irxx.sys --> c:\windows\system32\Drivers\ati6irxx.sys [?]
S0 ati7dnxx;ati7dnxx;c:\windows\system32\Drivers\ati7dnxx.sys --> c:\windows\system32\Drivers\ati7dnxx.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 08:31 135664]
S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [29/09/2008 16:53 99248]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [21/11/2007 22:12 1527900]
S3 rootrepeal1;rootrepeal1;\??\c:\windows\system32\drivers\rootrepeal1.sys --> c:\windows\system32\drivers\rootrepeal1.sys [?]
S3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [21/11/2007 22:11 544768]
.
Contents of the 'Scheduled Tasks' folder

2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 08:31]

2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Search with Wanadoo - c:\progra~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {3527C5BD-4A46-4362-94B6-12341D087A4B} - hxxp://echospin.com/wizard/files/esWizard.cab
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ?????????????@???????@

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2010-02-15 16:09:44
ComboFix-quarantined-files.txt 2010-02-15 16:09
ComboFix2.txt 2010-02-14 13:09

Pre-Run: 44,344,864,768 bytes free
Post-Run: 44,461,608,960 bytes free

- - End Of File - - 55804879BC2EB4FFADF6CCE73D4691CD


a-squared 4.5.0.50 2010.02.15 Trojan.Win32.KillWin!IK
AhnLab-V3 5.0.0.2 2010.02.15 Win-Trojan/Killwin.1263616
AntiVir 7.9.1.170 2010.02.15 TR/Killwin.IY
Antiy-AVL 2.0.3.7 2010.02.15 -
Authentium 5.2.0.5 2010.02.15 -
Avast 4.8.1351.0 2010.02.15 -
AVG 9.0.0.730 2010.02.15 -
BitDefender 7.2 2010.02.15 Trojan.Generic.1239606
CAT-QuickHeal 10.00 2010.02.15 -
ClamAV 0.96.0.0-git 2010.02.15 -
Comodo 3945 2010.02.15 TrojWare.Win32.KillWin.iy
DrWeb 5.0.1.12222 2010.02.15 -
eSafe 7.0.17.0 2010.02.15 -
eTrust-Vet 35.2.7303 2010.02.15 -
F-Prot 4.5.1.85 2010.02.15 -
F-Secure 9.0.15370.0 2010.02.15 Trojan.Generic.1239606
Fortinet 4.0.14.0 2010.02.15 W32/KillWin.IY!tr
GData 19 2010.02.15 Trojan.Generic.1239606
Ikarus T3.1.1.80.0 2010.02.15 Trojan.Win32.KillWin
Jiangmin 13.0.900 2010.02.15 -
K7AntiVirus 7.10.972 2010.02.12 Trojan.Win32.KillWin.iy
Kaspersky 7.0.0.125 2010.02.15 Trojan.Win32.KillWin.iy
McAfee 5892 2010.02.14 -
McAfee+Artemis 5892 2010.02.14 Artemis!75FA3000CE72
McAfee-GW-Edition 6.8.5 2010.02.15 Trojan.Killwin.IY
Microsoft 1.5406 2010.02.15 -
NOD32 4868 2010.02.15 -
Norman 6.04.08 2010.02.15 -
nProtect 2009.1.8.0 2010.02.15 Trojan/W32.Agent.1263616.B
Panda 10.0.2.2 2010.02.14 Trj/Killwin.S
PCTools 7.0.3.5 2010.02.15 -
Prevx 3.0 2010.02.15 High Risk Cloaked Malware
Rising 22.34.01.03 2010.02.11 -
Sophos 4.50.0 2010.02.15 Mal/Generic-A
Sunbelt 5678 2010.02.15 Trojan.Win32.Generic!BT
Symantec 20091.2.0.41 2010.02.15 -
TheHacker 6.5.1.4.194 2010.02.15 Trojan/KillWin.iy
TrendMicro 9.120.0.1004 2010.02.15 -
VBA32 3.12.12.2 2010.02.15 Trojan.Win32.KillWin.iy
ViRobot 2010.2.13.2186 2010.02.13 -
VirusBuster 5.0.21.0 2010.02.15 Trojan.KillWin.FU
Additional information
File size: 1263616 bytes
MD5...: 75fa3000ce72a748c81af16d54bd6a84
SHA1..: 20aa102127bad15791a7d021c953b8009a3678a7
SHA256: 66aba73f7fd0e2535c0dfe792eb3ec761192c38f7d9e2610036834088f1ded9d
ssdeep: 24576:Uskn+dkikSOIsfH9v1QgLVPVG789a6HFPNQN7Vk3VQTeO:3kncqfUCFVG789a+8Bk3aTe

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x82674
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x816fc 0x81800 6.55 51e0e83470aff693fa98b06399638e00
DATA 0x83000 0x2110 0x2200 4.72 afa98d32c465d284923b693fcc847400
BSS 0x86000 0x26c9 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x89000 0x255e 0x2600 4.99 c7deeefa4dbadabbd8235168c452dd61
.tls 0x8c000 0x24 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x8d000 0x18 0x200 0.20 c3019f0e3de179fd2397f3fe4c95a273
.reloc 0x8e000 0x7900 0x7a00 6.66 99c9cd0cb5f963379fab03f42ef41946
.rsrc 0x96000 0xa6800 0xa6800 7.74 1a6cd055327d64565be4e2c78bcc381c

( 14 imports )
> kernel32.dll: GetCurrentThreadId, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, lstrcpyA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, CreateDirectoryA, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
> user32.dll: GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> oleaut32.dll: VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysFreeString, SysReAllocStringLen, SysAllocStringLen
> kernel32.dll: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA, GetModuleFileNameA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
> kernel32.dll: lstrcpyA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, TerminateProcess, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetFileAttributesA, SetEvent, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetWindowsDirectoryA, GetVersionExA, GetVersion, GetUserDefaultLCID, GetTickCount, GetThreadLocale, GetTempPathA, GetSystemInfo, GetSystemDirectoryA, GetProcAddress, GetPrivateProfileStringA, GetOEMCP, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoW, GetLocaleInfoA, GetLocalTime, GetLastError, GetExitCodeProcess, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentDirectoryA, GetComputerNameA, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumSystemLocalesA, EnumCalendarInfoA, EnterCriticalSection, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreateFileA, CreateEventA, ConvertDefaultLocale, CompareStringA, CloseHandle
> version.dll: VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
> gdi32.dll: UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePolygonRgn, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateEnhMetaFileA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CombineRgn, CloseEnhMetaFile, BitBlt
> msimg32.dll: AlphaBlend
> user32.dll: WindowFromPoint, WinHelpA, WaitMessage, WaitForInputIdle, UpdateWindow, UnregisterClassA, UnionRect, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowRgn, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, 
DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, ClipCursor, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharLowerBuffA, CharLowerA, AdjustWindowRectEx, ActivateKeyboardLayout
> ole32.dll: CreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, CoTaskMemFree, CoTaskMemAlloc, ProgIDFromCLSID, StringFromCLSID, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
> oleaut32.dll: GetErrorInfo, GetActiveObject, SysFreeString
> comctl32.dll: ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Borland Delphi 5 (93.9%)
Win32 Executable Delphi generic (3.0%)
Win32 Executable Generic (1.7%)
Win16/32 Executable Delphi generic (0.4%)
Generic Win/DOS Executable (0.4%)
http://info.prevx.com/aboutprogramtext.asp?PX5=72F47FE60083EC6648C81384DF7AEC00B26C0225
sigcheck:
publisher....: EasyBits Software Corp.
copyright....: EasyBits Software Corp.
product......:
description..: EasyBits Magic Desktop Setup
original name:
internal name:
file version.: 2.0.0.85
comments.....:
signers......: -
signing date.: -
verified.....: Unsigned





#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:48 AM

Posted 15 February 2010 - 12:08 PM

Very well done.

The file you just uploaded to be scanned is a known Trojan downloader. It is inside the Program Files directory, but there is no reference to it on the installed programs list. Before we remove it, please tell me if you know the program. I'm going to remove the whole EasyBits directory and everything in it after I get feedback from you:

C:\Program Files\EasyBits\KidsReady\Setup.exe <==== Trojan

**********

Go to start > Run copy/paste the following line in the run box and click OK.

cmd /c dir /a /b /s /oe "C:\Program Files\EasyBits" > log.txt&start log.txt

A text file (log.txt) will be open. Please post its content to your reply.
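The listing requested above can also be produced with a short script that records, for every file under a suspect directory (hidden files included), its size, hidden attribute and MD5, and flags any file whose hash matches the one reported for the uploaded sample earlier in this thread. This is an added example for readers, not Farbar's or ComboFix's code; it assumes Python 3, and the sample files built by `run_demo()` are constructed here purely to exercise the inventory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 of the flagged sample as reported by the multi-engine scan above.
KNOWN_BAD_MD5 = {"75fa3000ce72a748c81af16d54bd6a84"}

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit; see FILE_ATTRIBUTE_HIDDEN


def md5_of(path, chunk=1 << 16):
    """Stream the file through MD5 so large binaries do not land in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_hidden(path):
    """Use the Windows hidden attribute when the platform exposes it;
    elsewhere fall back to the dotfile convention."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", None)  # only present on Windows
    if attrs is not None:
        return bool(attrs & FILE_ATTRIBUTE_HIDDEN)
    return Path(path).name.startswith(".")


def inventory(root):
    """Recursive listing of every file under root, sorted by extension the
    way `dir /oe` sorts, with size, hidden flag, MD5 and a known-bad marker."""
    rows = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            digest = md5_of(p)
            rows.append({
                "path": str(p),
                "size": p.stat().st_size,
                "hidden": is_hidden(p),
                "md5": digest,
                "known_bad": digest in KNOWN_BAD_MD5,
            })
    rows.sort(key=lambda r: (Path(r["path"]).suffix.lower(), r["path"].lower()))
    return rows


def write_report(root, out_path):
    """Write one line per file (hidden flag, size, MD5, path) and return the count."""
    rows = inventory(root)
    with open(out_path, "w", encoding="utf-8") as out:
        for r in rows:
            flag = " <==== known bad hash" if r["known_bad"] else ""
            hidden = "H" if r["hidden"] else "-"
            out.write(f"{hidden} {r['size']:>10} {r['md5']} {r['path']}{flag}\n")
    return len(rows)


def run_demo():
    """Build a constructed two-file tree in a temp directory (hypothetical
    content, not the thread's files), inventory it, and write log.txt."""
    base = tempfile.mkdtemp(prefix="easybits_demo_")
    os.makedirs(os.path.join(base, "sub"))
    with open(os.path.join(base, "Setup.exe"), "wb") as f:
        f.write(b"")            # empty file: MD5 d41d8cd98f00b204e9800998ecf8427e
    with open(os.path.join(base, "sub", "readme.txt"), "wb") as f:
        f.write(b"abc")         # MD5 900150983cd24fb0d6963f7d28e17f72
    rows = inventory(base)
    count = write_report(base, os.path.join(base, "log.txt"))
    return rows, count


if __name__ == "__main__":
    # Real use: python inventory.py "C:\Program Files\EasyBits" log.txt
    import sys
    if len(sys.argv) == 3:
        print(write_report(sys.argv[1], sys.argv[2]), "files listed")
    else:
        for r in run_demo()[0]:
            print(r)
```

Because the report goes through Python's own file handling rather than shell redirection, a path containing spaces cannot silently produce an empty log, and the hash column lets the file named in the thread be recognised even if it has been renamed or copied elsewhere.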

#15 balti gorom

balti gorom
  • Topic Starter

  • Members
  • 10 posts
  • Local time:07:48 AM

Posted 16 February 2010 - 12:47 AM

Hi,

Hope you are well today.

I know the program; it is of no use. Also, the kids ready program is in the program files. I have run the command and saved the log; however, the note appears to be blank! I've attached it instead, as there appears to be nothing to copy and paste.
I am working today now, so I will be back in touch later.

Thanks for all the time you're spending helping.





