
axwin svchost.exe application error


This topic is locked
23 replies to this topic

#1 footeswitch (Members, 12 posts)

Posted 15 February 2010 - 10:52 PM

It started with a hotfix update by Windows XP containing KB977165, and I deleted it through the recovery panel and in Control Panel. Then I keep getting all these axwin errors and my screen keeps going strange at the bottom bar. I also get a Generic Host Process for Win32 Services error. Please help. I have done all the preparation steps except for GMER, which I cannot get to complete.



#2 Elise, Bleepin' Blonde (Malware Study Hall Admin, 60,820 posts, Location: Romania)

Posted 16 February 2010 - 08:25 AM

As no logs have been posted, I am shifting this topic from the specialized Malware Removal forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.

Please describe the issues you are experiencing with your computer.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#3 footeswitch, Topic Starter (Members, 12 posts)

Posted 16 February 2010 - 08:44 AM

I thought I was supposed to post logs only after they were requested. I do have logs, I just could not get one from GMER. I cannot start my computer in Safe Mode. I get the blue screen that has a Stop: 0x0000007E (0x0000005, 0x80537009, 0xF7A83508, 0x7A83204) error. I get an axwin Frame svchost.exe Application Error, Instruction 0x036CF790 reference, and a Generic Host Process for Win32 Services DEP error.


#4 Elise, Bleepin' Blonde (Malware Study Hall Admin, 60,820 posts, Location: Romania)

Posted 16 February 2010 - 09:16 AM

I think this is a misunderstanding :)
Did you read the Preparation guide?

QUOTE: 9 - Create a new malware removal topic and post the DDS logs and the GMER log


You can try to run GMER with the "devices" box unchecked.

If you add the logs, I can move your topic back in the Malware Removal forum.

regards, Elise


#5 footeswitch, Topic Starter (Members, 12 posts)

Posted 16 February 2010 - 08:21 PM

These are my DDS and GMER logs:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Tim Foote at 23:03:31.58 on 2010-02-12
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.342 [GMT -3.5:30]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\brss01a.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\UMStor\Res.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Cobian Backup 8\Cobian.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Program Files\Click-N-Type\Click-N-Type.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Documents and Settings\Tim Foote\Desktop\Defogger.exe
C:\Documents and Settings\Tim Foote\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ipspy.metropipe.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {968631B6-4729-440D-9BF4-251F5593EC9A} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [LVCOMSX] "c:\program files\common files\logitech\lcommgr\LVComSX.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logitech\lcommgr\Communications_Helper.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [USB Storage Toolbox] c:\windows\umstor\Res.EXE
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRunOnce: [Shockwave Updater] c:\windows\system32\macromed\shockw~1\SWHELP~1.EXE -Update -1020023 -udxfytw.sys2.1
StartupFolder: c:\docume~1\timfoo~1\startm~1\programs\startup\pmbmed~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\embass~1.lnk - c:\program files\wave systems corp\services manager\secure update\AutoUpdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\moffice.lnk - c:\windows\system\sgcxcxxaspf080831.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: antimalwareguard.com
Trusted Zone: antimalwareguard.com
DPF: vdfdesigner - hxxp://www.printswift.com/staples/(rtlyqt55ewvhk0qfz2ofxz45)/VDFDesigner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 wvauth nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\timfoo~1\applic~1\mozilla\firefox\profiles\9c132sth.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\tim foote\application data\mozilla\firefox\profiles\9c132sth.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\tim foote\application data\mozilla\firefox\profiles\9c132sth.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\tim foote\application data\mozilla\firefox\profiles\9c132sth.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07061050.dll
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npsdc.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-1-16 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-1-16 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-16 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-16 28424]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-16 360584]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-11 14336]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-1-16 285392]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-1-16 2304192]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-1-16 5832712]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2006-7-10 70016]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-1-16 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-1-16 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-1-16 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-1-16 25736]
S0 siontgy;siontgy; [x]
S2 BroadCamService;BroadCam Service;"c:\program files\nch software\broadcam\broadcam.exe" -service --> c:\program files\nch software\broadcam\broadCam.exe [?]
S2 EyelineService;Eyeline Service;"c:\program files\nch software\eyeline\eyeline.exe" -service --> c:\program files\nch software\eyeline\eyeline.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S2 solewxte;solewxte Service;c:\windows\system32\solewxte.exe --> c:\windows\system32\SOLEWXTE.EXE [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-1-16 30104]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\timfoo~1\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\timfoo~1\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]
S3 RDID1003;EDIROL UM-2;c:\windows\system32\drivers\Rdwm1003.sys [2010-1-3 66530]
S3 RDID1029;Roland Digital Piano;c:\windows\system32\drivers\rdwm1029.sys [2003-8-28 60698]

=============== Created Last 30 ================

2010-02-13 02:31:57 0 ----a-w- c:\documents and settings\tim foote\defogger_reenable
2010-02-12 17:42:08 0 d-----w- c:\program files\Cobian Backup 8
2010-02-12 16:30:27 0 d--h--w- c:\windows\system32\GroupPolicy
2010-02-12 03:31:15 2189184 ----a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-12 03:31:15 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-12 03:31:15 2145280 ----a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-12 03:31:15 2066048 ----a-w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-12 03:31:15 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 03:31:15 2023936 ----a-w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-05 15:50:09 0 d-----w- c:\program files\common files\Akamai
2010-01-28 03:28:59 0 d-----w- c:\program files\Amazon
2010-01-19 17:59:34 0 d-----w- c:\docume~1\timfoo~1\applic~1\IBP
2010-01-19 04:24:44 0 d-----w- c:\docume~1\timfoo~1\applic~1\FreeFixer
2010-01-19 04:24:34 0 d-----w- c:\program files\FreeFixer
2010-01-16 23:51:38 0 d--h--w- C:\$AVG
2010-01-16 23:50:58 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-16 23:50:58 0 d-----w- c:\windows\system32\drivers\Avg
2010-01-16 23:50:55 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-01-16 23:50:32 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-01-16 23:50:31 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-16 23:50:31 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-01-16 23:50:30 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-16 23:49:58 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-01-16 23:49:58 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-01-16 23:49:58 0 d-----w- c:\program files\AVG
2010-01-16 23:49:54 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-01-16 18:56:28 61440 ----a-w- c:\windows\system32\drivers\cdwtu.sys
2010-01-16 18:33:03 901508 ----a-w- c:\windows\system32\xa.tmp

==================== Find3M ====================

2010-02-10 13:55:21 23317 ----a-w- c:\windows\system32\nvModes.dat
2010-01-16 18:56:28 168 ----a-w- c:\program files\uxymrzzj.txt
2010-01-07 19:37:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 19:37:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 22:24:36 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-31 15:33:06 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-18 13:05:43 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-12-18 13:04:09 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 17920 ------w- c:\windows\system32\dllcache\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11:44 1291776 ------w- c:\windows\system32\dllcache\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\dllcache\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:35 28672 ------w- c:\windows\system32\dllcache\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07:34 11264 ------w- c:\windows\system32\dllcache\msrle32.dll
2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll
2007-12-14 20:39:04 774144 -c--a-w- c:\program files\RngInterstitial.dll
2008-09-05 02:20:04 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat

============= FINISH: 23:06:51.36 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-16 20:12:46
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\TIMFOO~1\LOCALS~1\Temp\pxtdipob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwOpenProcess [0xF619B470]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateProcess [0xF619B520]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateThread [0xF619B5C0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwWriteVirtualMemory [0xF619B660]

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----
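
The log above is the kind of output the helpers in this forum read by eye. As an added triage example (not code from this thread, from BleepingComputer, or from DDS/GMER), the Python below runs a few line-level heuristics over DDS output and lists the entries that usually deserve a second look: a per-user IE proxy pointing at the loopback address (legitimate debugging proxies set this too, but so does interception malware), Trusted Zone entries, services whose image file DDS marks as missing ([x]) or unverifiable ([?]), a startup-folder shortcut launching an executable out of the legacy c:\windows\system directory, and files dropped loose into the root of Program Files or into system32 with a .tmp extension or a short all-lowercase name. The rule names, the 5-to-8-letter threshold and the directory list are my own assumptions; every hit is a review cue, not a verdict, and legitimate files can trip the name rule. The sample lines are copied from the DDS log posted above.

```python
import re
from collections import Counter

# Constructed sample: lines copied verbatim from the DDS log posted above.
# "hxxp" and the trailing [x] / [?] markers are DDS conventions, not typos.
SAMPLE_DDS = r"""
uStart Page = hxxp://ipspy.metropipe.net/
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = *.local
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\moffice.lnk - c:\windows\system\sgcxcxxaspf080831.exe
Trusted Zone: antimalwareguard.com
Trusted Zone: antimalwareguard.com
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-1-16 285392]
S0 siontgy;siontgy; [x]
S2 solewxte;solewxte Service;c:\windows\system32\solewxte.exe --> c:\windows\system32\SOLEWXTE.EXE [?]
2010-01-16 18:56:28 61440 ----a-w- c:\windows\system32\drivers\cdwtu.sys
2010-01-16 18:33:03 901508 ----a-w- c:\windows\system32\xa.tmp
2010-01-16 18:56:28 168 ----a-w- c:\program files\uxymrzzj.txt
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
"""

# "Created Last 30" / "Find3M" file lines: date time size attributes path
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} +\d+ +\S+ +(?P<path>.+)$")
# Services/drivers lines: Rn or Sn, then name;description;image [marker]
SVC_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$")
# Assumed threshold: a file stem of 5-8 lowercase letters and nothing else.
RANDOM_STEM = re.compile(r"^[a-z]{5,8}$")
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\system32\drivers")


def loopback_proxy(line):
    # Per-user IE proxy aimed at the local machine (interception point).
    return re.match(r"uInternet Settings,ProxyServer = (127\.0\.0\.1|localhost):\d+$",
                    line, re.I) is not None


def trusted_zone(line):
    # Hosts in IE's Trusted Zone run with relaxed security; list every one.
    return line.lower().startswith("trusted zone:")


def service_missing_or_unverified(line):
    # DDS appends [x] when the service image is absent, [?] when unverifiable.
    m = SVC_RE.match(line)
    return m is not None and m.group("rest").rstrip().endswith(("[x]", "[?]"))


def startup_from_legacy_system_dir(line):
    # Startup shortcut that launches an .exe from c:/windows/system (not system32),
    # a directory modern installers almost never write executables into.
    return re.match(r"startupfolder: .* - c:\\windows\\system\\[^\\]+\.exe$",
                    line, re.I) is not None


def odd_file_in_system_dirs(line):
    # Loose files at the root of Program Files, .tmp files in system32, or
    # short all-lowercase binary names in system32/drivers. Heuristic only.
    m = FILE_RE.match(line)
    if m is None:
        return False
    parent, _, fname = m.group("path").lower().rpartition("\\")
    stem, _, ext = fname.rpartition(".")
    if parent == r"c:\program files":
        return True
    if parent in SYSTEM_DIRS:
        return ext == "tmp" or (ext in ("sys", "exe", "dll")
                                and RANDOM_STEM.match(stem) is not None)
    return False


RULES = [
    ("loopback proxy", loopback_proxy),
    ("trusted zone", trusted_zone),
    ("service image missing/unverified", service_missing_or_unverified),
    ("startup from legacy system dir", startup_from_legacy_system_dir),
    ("odd file in system dirs", odd_file_in_system_dirs),
]


def triage(text):
    """Return (rule, line) pairs for every DDS line that trips a rule."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, check in RULES:
            if check(line):
                hits.append((name, line))
    return hits


def summarize(hits):
    """Count hits per rule so a reader sees what to chase first."""
    return Counter(name for name, _ in hits)


if __name__ == "__main__":
    found = triage(SAMPLE_DDS)
    for name, line in found:
        print(f"[{name}] {line}")
    print(dict(summarize(found)))
```

Feed it a whole DDS.txt instead of the embedded sample and the AVG, Intel and printer-driver entries in the log above pass through untouched, while the lines a helper would ask about (the loopback proxy, the two Trusted Zone entries, siontgy, solewxte, cdwtu.sys, xa.tmp and the stray file in Program Files) come out grouped by rule. It does not decide anything; it only shortens the list a human has to read.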



#6 Elise, Bleepin' Blonde (Malware Study Hall Admin, 60,820 posts, Location: Romania)

Posted 17 February 2010 - 06:41 AM

Hello, let's get started here. Please also post attach.txt (produced by DDS).

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


#7 footeswitch, Topic Starter (Members, 12 posts)

Posted 17 February 2010 - 08:12 AM

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 2006-07-05 8:03:40 PM
System Uptime: 2010-02-12 5:12:20 PM (6 hours ago)

Motherboard: Dell Inc. | | 0JF240
Processor: Genuine Intel® CPU T2300 @ 1.66GHz | Microprocessor | 1664/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 74 GiB total, 15.955 GiB free.
D: is CDROM ()
F: is FIXED (NTFS) - 466 GiB total, 419.515 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Acoustica Effects Pack
Acoustica Mixcraft
Adobe AIR
Adobe Anchor Service CS3
Adobe Anchor Service CS4
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge CS4
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS3
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe Linguistics CS3
Adobe Linguistics CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 7.0.8
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player
Adobe Stock Photos CS3
Adobe Type Support CS4
Adobe Update Manager CS3
Adobe Update Manager CS4
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Adobe XMP Panels CS4
Adobe® Photoshop® Album Starter Edition 3.0
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Akamai NetSession Interface
ALPS Touch Pad Driver
Amazon MP3 Downloader 1.0.9
AndreaMosaic 3.32.3
Apple Mobile Device Support
Apple Software Update
ArcSoft Collage Creator
ArcSoft PhotoStudio 5.5
ASIO4ALL
Audacity 1.3.2 (Unicode)
Audio Flash 1.2
AVG 9.0
Battleship SURFACE THUNDER
Blaze Media Pro
BoldChat v5.0
Bonjour
Broadcom Advanced Control Suite
Broadcom TPM Driver Installer
Brother MFL-Pro Suite
businesscardmonster
Byki
Byki Express
CamStudio
Camtasia Studio 5
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera WIA Driver
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon EOS-1D Mark II N WIA Driver
Canon EOS-1Ds Mark II WIA Driver
Canon EOS 5D WIA Driver
Canon EOS Kiss_N REBEL_XT 350D WIA Driver
Canon iP3500 series
Canon MX320 series MP Drivers
Canon My Printer
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 2.1
Canon Utilities Easy-PhotoPrint EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities Solution Menu
Canon Utilities ZoomBrowser EX
CCleaner
Click-N-Type
Cobian Backup 8
Collab
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Connect
Core FTP LE 2.1
Critical Update for Windows Media Player 11 (KB959772)
Debut Video Capture Software
Deckadance
Dell Embassy Trust Suite by Wave Systems
Digital Line Detect
DivX Content Uploader
DivX Web Player
Document Manager Lite
EMBASSY Security Center
EMBASSY Trust Suite by Wave Systems
eMusic Download Manager 4.1.2
ETS Launch Pad
Fast Estimate 5
Feedback Analyzer
FileZilla Client 3.3.1
FL Studio 7
Free Spanish CD-ROM
FreeFixer
GMF
Google Earth
Google SketchUp 6
Google Update Helper
Google Updater
GoToMeeting 4.1.0.366
Graboid Video 1.65
Handy Recovery 4.0
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Home Plan Pro 5.1.81
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
hp deskjet 3500
HP Photo and Imaging 2.0 - Deskjet Series
HP Photosmart Essential
hp print screen utility
IL Download Manager
Intel® PROSet/Wireless Software
iTunes
J2SE Runtime Environment 5.0 Update 11
Java™ 6 Update 17
KRISTAL Audio Engine
kuler
Line 6 Edit (remove only)
Line 6 Uninstaller
LinguaSaver_11
Live 7.0.16
Live 8.0.5
Logitech Audio Echo Cancellation Component
Logitech QuickCam
Logitech Video Enumerator
Logitech® Camera Driver
LogoEase
LogoSmartz 5.0 Trial
Malwarebytes' Anti-Malware
mCore
mDrWiFi
mHlpDell
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliType Pro 5.2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Primary Interop Assemblies
Microsoft Office Basic Edition 2003
Microsoft Office PowerPoint Viewer 2003
Microsoft Office Word Viewer 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual Studio 2005 Tools for Office Runtime
mIWA
MixPad
mLogView
mMHouse
MobileMe Control Panel
Modem Helper
Mozilla Firefox (3.0.17)
Mozilla Sunbird 0.3a2
Mozilla Thunderbird (1.5.0.13)
Mpeg2Decoder 1.3
mPfMgr
mPfWiz
mProSafe
MSN Music Assistant
mSSO
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Multimedia Card Reader
Musicnotes Player V1.23.2
mWlsSafe
mWMI
mXML
My Pictures 3D 1.1
My Pictures 3D Album 0.95
MyDSC2
mZConfig
NCH Toolbox Uninstall
Nero Suite
NetWaiting
NTRU Hybrid TSS v2.0.7
NVIDIA Drivers
Nvu 1.0
OpenAL
OpenOffice.org 2.0
PaperPort
PDF Settings CS4
Photoshop Camera Raw
PicsToCD
PowerDVD 5.7
Preboot Manager
Primo
Private Information Manager
QuickBooks
QuickBooks Pro 2010
QuickBooks Simple Start 2008
QuickSet
QuickTime
RealArcade
RealPlayer
RescuePRO 3.3
Roxio DLA
Roxio Express Labeler
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Runtime
SAMSUNG Mobile Composite Device Software
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Samsung PC Studio 3 USB Driver Installer
SC DVD Copier 3.2.0.0
Secure Update
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Security Wizards
SiteSpinner
Skype web features
Skype™ 4.1
SmartDraw 2009
SmartDraw PDF Filter
Sonic Update Manager
Sony Picture Utility
SopCast 3.0.3
SpellingBee
Suite Shared Configuration CS4
SupportSoft Assisted Service
Switch
Synthesia (remove only)
t@b ZS4 Video Editor v0.958-686
TVUPlayer 2.4.7.2
UMVPLStandalone
Universal Document Converter
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
URGE
USB Disk Win98 Driver
VideoLAN VLC media player 0.8.6d
Visual Studio 2005 Tools for Office Second Edition Runtime
Wave Infrastructure Installer
Wave Support Software
WavePad Uninstall
WebFldrs XP
Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

2010-02-12 12:23:13 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Intuit QuickBooks FCS service to connect.
2010-02-12 12:23:13 AM, error: Service Control Manager [7000] - The Intuit QuickBooks FCS service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2010-02-12 12:23:13 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service QBFCService with arguments "" in order to run the server: {E2F551B5-D7E4-351C-A975-2E8EEE4D1917}
2010-02-12 1:44:02 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
2010-02-12 1:44:02 PM, error: Service Control Manager [7034] - The NTRU Hybrid TSS v2.0.7 TCS service terminated unexpectedly. It has done this 1 time(s).
2010-02-11 7:40:34 PM, error: Print [6161] - The document Microsoft Word - From The Inside Out.doc owned by Tim Foote failed to print on printer Canon iP3500 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 131072. Number of bytes printed: 125036. Total number of pages in the document: 2. Number of pages printed: 0. Client machine: \\TDF. Win32 error code returned by the print processor: 13 (0xd).
2010-02-11 4:11:05 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
2010-02-11 4:10:51 PM, error: SRService [104] - The System Restore initialization process failed.
2010-02-11 3:57:03 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
2010-02-11 3:41:32 AM, error: Dhcp [1002] - The IP address lease 192.168.0.104 for the Network Card with network address 001302A0A53A has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
2010-02-11 2:57:37 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 8 for Windows XP.
2010-02-11 10:48:41 AM, error: RemoteAccess [20106] - Unable to add the interface {0333C76F-1D44-4D45-AFFD-51600DE3D910} with the Router Manager for the IP protocol. The following error occurred: Cannot complete this function.
2010-02-11 1:33:28 PM, error: Service Control Manager [7000] - The solewxte Service service failed to start due to the following error: The system cannot find the file specified.
2010-02-11 1:32:05 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
2010-02-11 1:32:05 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
2010-02-09 9:44:46 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer TMAN-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F777C2E7-9CFF-4FE1-8. The master browser is stopping or an election is being forced.
2010-02-09 3:49:50 AM, error: Dhcp [1002] - The IP address lease 192.168.0.100 for the Network Card with network address 001302A0A53A has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).


#8 Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • Gender:Female
  • Location:Romania
  • Local time:04:48 AM

Posted 17 February 2010 - 09:41 AM

Please continue with the Combofix steps.

regards, Elise



#9 footeswitch
  • Topic Starter

  • Members
  • 12 posts
  • Local time:08:48 PM

Posted 17 February 2010 - 07:59 PM

ComboFix log


ComboFix 10-02-16.02 - Tim Foote 02/17/2010 20:59:58.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.565 [GMT -3.5:30]
Running from: c:\documents and settings\Tim Foote\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\mx
c:\windows\system32\skinboxer43.dll
c:\windows\system32\twain_32.dll
c:\windows\system32\xa.tmp

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS


((((((((((((((((((((((((( Files Created from 2010-01-18 to 2010-02-18 )))))))))))))))))))))))))))))))
.

2010-02-14 16:59 . 2009-08-04 23:14 2189184 ----a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-14 16:59 . 2009-08-04 15:13 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-14 16:59 . 2009-08-04 15:13 2145280 ----a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-14 16:59 . 2009-08-04 14:20 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-14 16:59 . 2009-08-04 14:20 2023936 ----a-w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-14 16:59 . 2009-08-04 14:20 2066048 ----a-w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-12 17:42 . 2010-02-12 17:42 -------- d-----w- c:\program files\Cobian Backup 8
2010-02-12 16:30 . 2010-02-12 16:30 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-02-05 17:02 . 2010-02-05 17:02 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-05 15:50 . 2010-02-18 00:44 -------- d-----w- c:\program files\Common Files\Akamai
2010-02-04 22:47 . 2010-02-04 23:00 -------- d-----w- c:\documents and settings\Tim Foote\Local Settings\Application Data\Deployment
2010-01-28 03:28 . 2010-01-28 03:28 -------- d-----w- c:\program files\Amazon
2010-01-23 23:32 . 2010-01-23 23:32 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AdobeUM
2010-01-23 21:35 . 2010-02-03 20:27 -------- d-----w- c:\documents and settings\Tim Foote\Application Data\FileZilla
2010-01-23 21:35 . 2010-01-23 21:35 -------- d-----w- c:\program files\FileZilla FTP Client
2010-01-19 17:59 . 2010-01-19 18:08 -------- d-----w- c:\documents and settings\Tim Foote\Application Data\IBP
2010-01-19 04:24 . 2010-01-19 04:24 -------- d-----w- c:\documents and settings\Tim Foote\Local Settings\Application Data\FreeFixer
2010-01-19 04:24 . 2010-01-19 04:24 -------- d-----w- c:\documents and settings\Tim Foote\Application Data\FreeFixer
2010-01-19 04:24 . 2010-01-19 04:24 -------- d-----w- c:\program files\FreeFixer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-18 00:29 . 2008-12-31 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-17 12:45 . 2006-06-23 12:57 23317 ----a-w- c:\windows\system32\nvModes.dat
2010-02-13 03:34 . 2004-08-04 03:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-13 02:44 . 2009-01-06 01:16 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-12 15:22 . 2006-06-23 13:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-12 15:18 . 2007-11-13 02:38 -------- d-----w- c:\program files\AudioLabel
2010-02-12 15:16 . 2007-12-25 16:47 -------- d-----w- c:\program files\NCH Software
2010-02-12 14:30 . 2008-02-09 05:07 -------- d-----w- c:\program files\Line6
2010-02-12 14:21 . 2006-07-19 13:17 -------- d-----w- c:\documents and settings\Tim Foote\Application Data\OpenOffice.org2
2010-02-11 14:56 . 2007-02-09 15:14 -------- d-----w- c:\documents and settings\Tim Foote\Application Data\Skype
2010-02-11 14:41 . 2008-11-11 22:06 -------- d-----w- c:\documents and settings\Tim Foote\Application Data\skypePM
2010-02-11 07:13 . 2010-01-16 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-06 08:51 . 2008-08-11 18:46 -------- d-----w- c:\program files\Google
2010-02-05 17:54 . 2006-07-10 16:24 43384 -c----w- c:\documents and settings\Tim Foote\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-05 17:09 . 2006-07-12 19:51 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-18 16:45 . 2010-01-18 16:45 2272 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-18 16:08 . 2010-01-03 21:24 -------- d-----w- c:\program files\Jusched Removal Tool
2010-01-16 23:50 . 2010-01-16 23:50 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-16 23:50 . 2010-01-16 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-01-16 23:50 . 2010-01-16 23:50 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-01-16 23:50 . 2010-01-16 23:50 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-16 23:50 . 2010-01-16 23:50 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-01-16 23:50 . 2010-01-16 23:50 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-16 23:50 . 2010-01-16 23:50 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-16 23:49 . 2010-01-16 23:49 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-01-16 23:49 . 2010-01-16 23:49 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-01-16 23:49 . 2010-01-16 23:49 -------- d-----w- c:\program files\AVG
2010-01-16 19:14 . 2009-01-10 22:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-16 18:56 . 2010-01-16 18:56 61440 ----a-w- c:\windows\system32\drivers\cdwtu.sys
2010-01-16 18:56 . 2010-01-16 18:56 168 ----a-w- c:\program files\uxymrzzj.txt
2010-01-11 00:28 . 2010-01-11 00:28 -------- d-----w- c:\program files\Samsung
2010-01-07 19:37 . 2009-01-10 22:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 19:37 . 2009-01-10 22:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2004-08-11 22:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-11 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-11 22:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-04 00:27 . 2006-06-23 13:08 -------- d-----w- c:\program files\Java
2010-01-04 00:26 . 2010-01-04 00:26 -------- d-----w- c:\program files\Common Files\Java
2010-01-03 22:24 . 2008-12-26 19:06 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-03 20:46 . 2010-01-03 20:46 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-03 19:59 . 2010-01-03 19:59 -------- d-----w- c:\program files\RdDrv001
2010-01-02 16:15 . 2010-01-02 16:14 -------- d-----w- c:\program files\LogoSmartzTrial
2009-12-31 22:10 . 2009-12-31 22:10 -------- d-----w- c:\documents and settings\Tim Foote\Application Data\Virtual Mechanics
2009-12-31 22:10 . 2009-12-31 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Virtual Mechanics
2009-12-31 21:57 . 2009-12-31 21:57 -------- d-----w- c:\program files\Virtual Mechanics
2009-12-31 16:50 . 2004-08-11 22:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:07 . 2009-12-31 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 10
2009-12-31 15:58 . 2007-11-15 18:15 -------- d-----w- c:\program files\Common Files\Intuit
2009-12-31 15:57 . 2007-11-15 18:14 -------- d-----w- c:\program files\Intuit
2009-12-31 15:57 . 2007-11-15 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2009-12-26 01:41 . 2009-12-26 01:41 -------- d-----w- c:\program files\USB Disk Win98 Driver
2009-12-16 18:43 . 2004-08-11 22:11 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-11 22:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 2004-08-11 22:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-11 22:00 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 05:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-11 22:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-11 22:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-11 22:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 05:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-21 15:51 . 2004-08-11 22:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2007-12-14 20:39 . 2007-12-14 20:39 774144 -c--a-w- c:\program files\RngInterstitial.dll
1601-01-01 00:12 . 1601-01-01 00:12 69737 --sha-w- c:\windows\system32\yubihimo.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 16:32 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-12-10 139264]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"nwiz"="nwiz.exe" [2006-01-19 1519616]
"NVHotkey"="nvHotkey.dll" [2006-01-19 73728]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"LVCOMSX"="c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 243248]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2006-06-26 614960]
"LogitechCommunicationsManager"="c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-06-26 497200]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 172032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 40960]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-07-13 933888]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-01 185896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
"USB Storage Toolbox"="c:\windows\UMStor\Res.EXE" [2005-09-15 65536]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

c:\documents and settings\Tim Foote\Start Menu\Programs\Startup\
PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-7-18 333088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-23 24576]
EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2005-11-30 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-16 23:50 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=rddv1029.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Tim Foote^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Tim Foote\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2010-01-16 23:50 2033432 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Document Manager]
2006-03-09 17:26 98304 ----a-w- c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-07-30 13:17 289064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-03 22:24 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\iFrmewrk.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\EvtEng.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"=
"c:\\Program Files\\Apoint\\Apoint.exe"=
"c:\\Program Files\\Canon\\MyPrinter\\BJMYPRT.EXE"=
"c:\\Program Files\\Digital Line Detect\\DLG.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=
"c:\\Program Files\\Apoint\\hidfind.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\WINDOWS\\system32\\DLA\\DLACTRLW.EXE"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Common Files\\Logitech\\LComMgr\\LVComSX.exe"=
"c:\\Program Files\\Common Files\\Logitech\\LComMgr\\Communications_Helper.exe"=
"c:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe"=
"c:\\Program Files\\Wave Systems Corp\\Services Manager\\Secure Update\\AutoUpdate.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"86:TCP"= 86:TCP:BroadCam Web Server
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [1/16/2010 8:20 PM 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [1/16/2010 8:20 PM 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/16/2010 8:20 PM 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/16/2010 8:20 PM 360584]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/11/2004 6:30 PM 14336]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/16/2010 8:20 PM 285392]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [1/16/2010 8:20 PM 2304192]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [7/10/2006 3:52 PM 70016]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [1/16/2010 8:19 PM 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [1/16/2010 8:20 PM 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [1/16/2010 8:20 PM 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [1/16/2010 8:20 PM 25736]
S0 siontgy;siontgy; [x]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [1/16/2010 8:20 PM 5832712]
S2 BroadCamService;BroadCam Service;"c:\program files\NCH Software\BroadCam\broadCam.exe" -service --> c:\program files\NCH Software\BroadCam\broadCam.exe [?]
S2 EyelineService;Eyeline Service;"c:\program files\NCH Software\Eyeline\eyeline.exe" -service --> c:\program files\NCH Software\Eyeline\eyeline.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 9:13 PM 135664]
S2 solewxte;solewxte Service;c:\windows\SYSTEM32\SOLEWXTE.EXE --> c:\windows\SYSTEM32\SOLEWXTE.EXE [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [1/16/2010 8:19 PM 30104]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\TIMFOO~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\TIMFOO~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
S3 RDID1003;EDIROL UM-2;c:\windows\system32\drivers\Rdwm1003.sys [1/3/2010 4:29 PM 66530]
S3 RDID1029;Roland Digital Piano;c:\windows\system32\drivers\rdwm1029.sys [8/28/2003 60698]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-02-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:04]

2010-02-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-31 00:41]

2010-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 00:43]

2010-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 00:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ipspy.metropipe.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
DPF: vdfdesigner - hxxp://www.printswift.com/staples/(rtlyqt55ewvhk0qfz2ofxz45)/VDFDesigner.cab
FF - ProfilePath - c:\documents and settings\Tim Foote\Application Data\Mozilla\Firefox\Profiles\9c132sth.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\Tim Foote\Application Data\Mozilla\Firefox\Profiles\9c132sth.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Tim Foote\Application Data\Mozilla\Firefox\Profiles\9c132sth.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\Tim Foote\Application Data\Mozilla\Firefox\Profiles\9c132sth.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07061050.dll
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsdc.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-17 21:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3647.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3647.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1376)
c:\windows\system32\rddv1029.dll
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(7236)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll
c:\windows\system32\nview.dll
c:\windows\system32\ieframe.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\PENUSA.DLL
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\brsvc01a.exe
c:\windows\system32\brss01a.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
c:\windows\System32\SCardSvr.exe
c:\windows\stsystra.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Wave Systems Corp\Common\DataServer.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\LxrSII1s.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Logitech\QuickCam10\COCIManager.exe
c:\progra~1\COMMON~1\MICROS~1\DW\DW20.EXE
.
**************************************************************************
.
Completion time: 2010-02-17 21:24:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-18 00:54
ComboFix2.txt 2009-05-05 21:18

Pre-Run: 16,515,129,344 bytes free
Post-Run: 17,367,814,144 bytes free

- - End Of File - - 8CF3E819BEB7555C05F16DC9C670AC61


#10 Elise (Bleepin' Blonde, Malware Study Hall Admin, Romania)

Posted 18 February 2010 - 06:10 AM

Hello, that took care of quite some stuff! However, you had a nasty rootkit, please consider the following first...

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


Open notepad and copy/paste the text in the quotebox below into it:

CODE

Collect::
c:\windows\system32\yubihimo.dll.tmp

Save this as CFScript.txt


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


UPDATE JAVA
------------------
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 18.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Edited by elise025, 18 February 2010 - 06:10 AM.

regards, Elise



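An added example, editor's code rather than ComboFix's own logic or anything from either poster: a small Python triage script that pulls the service, svchost-group, firewall, proxy, LSA and open-port lines out of a ComboFix log like the one posted above and flags the entries a responder would look at first. The sample log is a trimmed excerpt constructed from lines in this thread. The list of default XP svchost groups and the reading of ComboFix's trailing [x] (no resolvable image path) and [?] (image could not be stat'ed) markers are assumptions; every flag is a heuristic for a human to confirm, and benign hits are expected (the F-Secure online-scanner driver left in Temp is one such).

```python
import re
from dataclasses import dataclass

# Constructed sample: a trimmed excerpt of the ComboFix log posted above.
SAMPLE_LOG = """\
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = *.local
[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth nwprovau
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"86:TCP"= 86:TCP:BroadCam Web Server
R2 Akamai;Akamai NetSession Interface;c:\\windows\\System32\\svchost.exe -k Akamai [8/11/2004 6:30 PM 14336]
S0 siontgy;siontgy; [x]
S2 gupdate;Google Update Service (gupdate);c:\\program files\\Google\\Update\\GoogleUpdate.exe [1/6/2010 9:13 PM 135664]
S2 solewxte;solewxte Service;c:\\windows\\SYSTEM32\\SOLEWXTE.EXE --> c:\\windows\\SYSTEM32\\SOLEWXTE.EXE [?]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\\??\\c:\\docume~1\\TIMFOO~1\\LOCALS~1\\Temp\\OnlineScanner\\Anti-Virus\\fsgk.sys --> c:\\docume~1\\TIMFOO~1\\LOCALS~1\\Temp\\OnlineScanner\\Anti-Virus\\fsgk.sys [?]
"""

@dataclass
class Service:
    state: str    # ComboFix's R0..R3 (running) / S0..S4 (not running) prefix
    name: str
    display: str
    image: str    # everything ComboFix printed after the display name

@dataclass
class Finding:
    severity: str  # "high" or "review"
    item: str
    reason: str

SERVICE_RE = re.compile(r'^([RS]\d) ([^;]+);([^;]*);(.*)$')
SVCHOST_RE = re.compile(r'svchost\.exe\s+-k\s+(\S+)', re.I)
PROXY_RE = re.compile(r'ProxyServer\s*=\s*(\S+)')
FW_RE = re.compile(r'"EnableFirewall"=\s*(\d)')
LSA_RE = re.compile(r'Authentication Packages REG_MULTI_SZ\s+(.*)')
PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"=\s*[^:]+:(?:TCP|UDP):(.*)$')

# Assumption: svchost groups present on a stock XP SP3 install.
DEFAULT_SVCHOST_GROUPS = {"dcomlaunch", "rpcss", "netsvcs", "networkservice",
                          "localservice", "imgsvc", "httpfilter", "termsvcs"}
LOOPBACK = ("127.", "localhost", "[::1]")


def parse_services(log):
    """Collect the service/driver lines ComboFix prints in its R*/S* section."""
    return [Service(*m.groups())
            for m in (SERVICE_RE.match(l.strip()) for l in log.splitlines()) if m]


def check_services(services):
    findings = []
    for s in services:
        img = s.image.strip()
        if img.endswith("[x]"):
            findings.append(Finding("high", s.name,
                                    "service has no resolvable image path ([x]); orphaned loader entry"))
        elif img.endswith("[?]"):
            findings.append(Finding("review", s.name,
                                    "image could not be stat'ed ([?]); confirm the file exists and is signed"))
        g = SVCHOST_RE.search(img)
        if g and g.group(1).lower() not in DEFAULT_SVCHOST_GROUPS:
            findings.append(Finding("review", s.name,
                                    f"non-default svchost group '-k {g.group(1)}'; inspect its ServiceDll"))
    return findings


def check_settings(log):
    findings = []
    m = PROXY_RE.search(log)
    if m and m.group(1).lower().startswith(LOOPBACK):
        findings.append(Finding("high", "ProxyServer",
                                f"browser traffic routed through {m.group(1)}; identify the listening process"))
    m = FW_RE.search(log)
    if m and m.group(1) == "0":
        findings.append(Finding("high", "EnableFirewall",
                                "Windows Firewall disabled for the standard profile"))
    m = LSA_RE.search(log)
    if m:
        extras = [p for p in m.group(1).split() if p.lower() != "msv1_0"]
        if extras:  # anything beyond msv1_0 runs inside lsass.exe and sees credentials
            findings.append(Finding("review", "LSA Authentication Packages",
                                    f"non-default packages {extras}; verify vendor and signature"))
    for line in log.splitlines():
        p = PORT_RE.match(line.strip())
        # Windows' own VPN/IPsec exceptions carry an xpsp2res.dll string; anything else is third-party
        if p and not p.group(2).startswith("@xpsp2res.dll"):
            findings.append(Finding("review", p.group(1),
                                    f"inbound port opened globally for '{p.group(2)}'"))
    return findings


def triage(log):
    """Run every check over one ComboFix log and return the findings in order."""
    return check_services(parse_services(log)) + check_settings(log)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.item}: {f.reason}")
```

On the log above this would surface siontgy ([x]) as the first thing to explain, put solewxte, the Akamai svchost group, the extra LSA packages and port 86 into the review pile, and call out the disabled firewall and the 127.0.0.1:8080 browser proxy; it deliberately stays silent about entries with a dated, sized image such as gupdate.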

#11 footeswitch (Topic Starter, Members)

Posted 18 February 2010 - 08:29 AM

I use click and type keyboard to enter any passwords. I believe that helps my security, not completely sure though.


ComboFix 10-02-17.01 - Tim Foote 02/18/2010 9:44.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.219 [GMT -3.5:30]
Running from: c:\documents and settings\Tim Foote\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tim Foote\Desktop\CFScript.txt
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}

file zipped: c:\windows\system32\yubihimo.dll.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\yubihimo.dll.tmp

.
((((((((((((((((((((((((( Files Created from 2010-01-18 to 2010-02-18 )))))))))))))))))))))))))))))))
.

2010-02-14 16:59 . 2009-08-04 23:14 2189184 ----a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-14 16:59 . 2009-08-04 15:13 2145280 ----a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-14 16:59 . 2009-08-04 15:13 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-14 16:59 . 2009-08-04 14:20 2023936 ----a-w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-14 16:59 . 2009-08-04 14:20 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-14 16:59 . 2009-08-04 14:20 2066048 ----a-w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-12 17:42 . 2010-02-12 17:42 -------- d-----w- c:\program files\Cobian Backup 8
2010-02-12 16:30 . 2010-02-12 16:30 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-02-05 17:02 . 2010-02-05 17:02 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-05 15:50 . 2010-02-18 13:24 -------- d-----w- c:\program files\Common Files\Akamai
2010-02-04 22:47 . 2010-02-04 23:00 -------- d-----w- c:\documents and settings\Tim Foote\Local Settings\Application Data\Deployment
2010-02-02 04:56 . 2010-02-02 04:55 869720 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB19\Patch\qbpatch.exe
2010-01-28 03:28 . 2010-01-28 03:28 -------- d-----w- c:\program files\Amazon
2010-01-23 21:35 . 2010-02-03 20:27 -------- d-----w- c:\documents and settings\Tim Foote\Application Data\FileZilla
2010-01-23 21:35 . 2010-01-23 21:35 -------- d-----w- c:\program files\FileZilla FTP Client
2010-01-19 17:59 . 2010-01-19 18:08 -------- d-----w- c:\documents and settings\Tim Foote\Application Data\IBP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-18 13:06 . 2006-06-23 12:57 23317 ----a-w- c:\windows\system32\nvModes.dat
2010-02-18 00:29 . 2008-12-31 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-18 00:25 . 2007-11-15 19:34 3631 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2008\qbbackup.sys
2010-02-13 03:34 . 2004-08-04 03:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-02-13 02:44 . 2009-01-06 01:16 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-12 15:22 . 2006-06-23 13:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-12 15:18 . 2007-11-13 02:38 -------- d-----w- c:\program files\AudioLabel
2010-02-12 15:16 . 2007-12-25 16:47 -------- d-----w- c:\program files\NCH Software
2010-02-12 14:30 . 2008-02-09 05:07 -------- d-----w- c:\program files\Line6
2010-02-12 14:21 . 2006-07-19 13:17 -------- d-----w- c:\documents and settings\Tim Foote\Application Data\OpenOffice.org2
2010-02-11 14:56 . 2007-02-09 15:14 -------- d-----w- c:\documents and settings\Tim Foote\Application Data\Skype
2010-02-11 14:41 . 2008-11-11 22:06 -------- d-----w- c:\documents and settings\Tim Foote\Application Data\skypePM
2010-02-11 07:13 . 2010-01-16 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-10 04:08 . 2010-01-01 01:24 3070 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\qbbackup.sys
2010-02-06 08:51 . 2008-08-11 18:46 -------- d-----w- c:\program files\Google
2010-02-05 17:54 . 2006-07-10 16:24 43384 -c----w- c:\documents and settings\Tim Foote\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-05 17:09 . 2006-07-12 19:51 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-19 04:24 . 2010-01-19 04:24 -------- d-----w- c:\documents and settings\Tim Foote\Application Data\FreeFixer
2010-01-19 04:24 . 2010-01-19 04:24 -------- d-----w- c:\program files\FreeFixer
2010-01-19 03:56 . 2010-01-19 03:57 499712 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB19\Patch\msvcp71.dll
2010-01-19 03:56 . 2010-01-19 03:57 348160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB19\Patch\msvcr71.dll
2010-01-18 16:45 . 2010-01-18 16:45 2272 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-18 16:08 . 2010-01-03 21:24 -------- d-----w- c:\program files\Jusched Removal Tool
2010-01-16 23:50 . 2010-01-16 23:50 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-16 23:50 . 2010-01-16 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-01-16 23:50 . 2010-01-16 23:50 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-01-16 23:50 . 2010-01-16 23:50 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-16 23:50 . 2010-01-16 23:50 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-01-16 23:50 . 2010-01-16 23:50 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-16 23:50 . 2010-01-16 23:50 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-16 23:49 . 2010-01-16 23:49 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-01-16 23:49 . 2010-01-16 23:49 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-01-16 23:49 . 2010-01-16 23:49 -------- d-----w- c:\program files\AVG
2010-01-16 19:14 . 2009-01-10 22:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-16 19:14 . 2009-01-18 01:52 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-16 18:56 . 2010-01-16 18:56 61440 ----a-w- c:\windows\system32\drivers\cdwtu.sys
2010-01-16 18:56 . 2010-01-16 18:56 168 ----a-w- c:\program files\uxymrzzj.txt
2010-01-11 00:28 . 2010-01-11 00:28 -------- d-----w- c:\program files\Samsung
2010-01-07 19:37 . 2009-01-10 22:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 19:37 . 2009-01-10 22:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2004-08-11 22:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-11 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-11 22:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-04 00:27 . 2006-06-23 13:08 -------- d-----w- c:\program files\Java
2010-01-04 00:26 . 2010-01-04 00:26 -------- d-----w- c:\program files\Common Files\Java
2010-01-03 22:28 . 2010-01-03 20:44 152576 ------w- c:\documents and settings\Tim Foote\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-03 22:24 . 2008-12-26 19:06 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-03 22:23 . 2009-11-13 00:15 79488 ------w- c:\documents and settings\Tim Foote\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-03 20:46 . 2010-01-03 20:46 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-03 19:59 . 2010-01-03 19:59 -------- d-----w- c:\program files\RdDrv001
2010-01-02 16:15 . 2010-01-02 16:14 -------- d-----w- c:\program files\LogoSmartzTrial
2009-12-31 22:10 . 2009-12-31 22:10 -------- d-----w- c:\documents and settings\Tim Foote\Application Data\Virtual Mechanics
2009-12-31 22:10 . 2009-12-31 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Virtual Mechanics
2009-12-31 21:57 . 2009-12-31 21:57 -------- d-----w- c:\program files\Virtual Mechanics
2009-12-31 16:50 . 2004-08-11 22:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:07 . 2009-12-31 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 10
2009-12-31 15:58 . 2007-11-15 18:15 -------- d-----w- c:\program files\Common Files\Intuit
2009-12-31 15:57 . 2007-11-15 18:14 -------- d-----w- c:\program files\Intuit
2009-12-31 15:57 . 2007-11-15 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2009-12-26 01:41 . 2009-12-26 01:41 -------- d-----w- c:\program files\USB Disk Win98 Driver
2009-12-16 18:43 . 2004-08-11 22:11 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:12 . 2009-12-23 22:22 872960 ------w- c:\documents and settings\Tim Foote\Application Data\Mozilla\Firefox\Profiles\9c132sth.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-16 18:12 . 2009-12-23 22:22 43008 ------w- c:\documents and settings\Tim Foote\Application Data\Mozilla\Firefox\Profiles\9c132sth.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-16 18:12 . 2009-12-23 22:22 340480 ------w- c:\documents and settings\Tim Foote\Application Data\Mozilla\Firefox\Profiles\9c132sth.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-16 18:11 . 2009-12-23 22:22 346624 ------w- c:\documents and settings\Tim Foote\Application Data\Mozilla\Firefox\Profiles\9c132sth.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-14 07:08 . 2004-08-11 22:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 2004-08-11 22:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-11 22:00 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 05:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-11 22:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-11 22:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-11 22:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 05:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-25 16:32 . 2010-01-18 16:08 1230080 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-11-21 15:51 . 2004-08-11 22:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2007-12-14 20:39 . 2007-12-14 20:39 774144 -c--a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 16:32 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-12-10 139264]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"nwiz"="nwiz.exe" [2006-01-19 1519616]
"NVHotkey"="nvHotkey.dll" [2006-01-19 73728]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"LVCOMSX"="c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 243248]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2006-06-26 614960]
"LogitechCommunicationsManager"="c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-06-26 497200]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 172032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 40960]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-07-13 933888]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-01 185896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
"USB Storage Toolbox"="c:\windows\UMStor\Res.EXE" [2005-09-15 65536]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

c:\documents and settings\Tim Foote\Start Menu\Programs\Startup\
PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-7-18 333088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-23 24576]
EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2005-11-30 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-16 23:50 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=rddv1029.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Tim Foote^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Tim Foote\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2010-01-16 23:50 2033432 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Document Manager]
2006-03-09 17:26 98304 ----a-w- c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-07-30 13:17 289064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-03 22:24 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\iFrmewrk.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\EvtEng.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"=
"c:\\Program Files\\Apoint\\Apoint.exe"=
"c:\\Program Files\\Canon\\MyPrinter\\BJMYPRT.EXE"=
"c:\\Program Files\\Digital Line Detect\\DLG.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=
"c:\\Program Files\\Apoint\\hidfind.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\WINDOWS\\system32\\DLA\\DLACTRLW.EXE"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Common Files\\Logitech\\LComMgr\\LVComSX.exe"=
"c:\\Program Files\\Common Files\\Logitech\\LComMgr\\Communications_Helper.exe"=
"c:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe"=
"c:\\Program Files\\Wave Systems Corp\\Services Manager\\Secure Update\\AutoUpdate.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"86:TCP"= 86:TCP:BroadCam Web Server
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [1/16/2010 8:20 PM 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [1/16/2010 8:20 PM 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/16/2010 8:20 PM 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/16/2010 8:20 PM 360584]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/11/2004 6:30 PM 14336]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/16/2010 8:20 PM 285392]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [1/16/2010 8:20 PM 2304192]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [7/10/2006 3:52 PM 70016]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [1/16/2010 8:19 PM 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [1/16/2010 8:20 PM 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [1/16/2010 8:20 PM 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [1/16/2010 8:20 PM 25736]
S0 siontgy;siontgy; [x]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [1/16/2010 8:20 PM 5832712]
S2 BroadCamService;BroadCam Service;"c:\program files\NCH Software\BroadCam\broadCam.exe" -service --> c:\program files\NCH Software\BroadCam\broadCam.exe [?]
S2 EyelineService;Eyeline Service;"c:\program files\NCH Software\Eyeline\eyeline.exe" -service --> c:\program files\NCH Software\Eyeline\eyeline.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 9:13 PM 135664]
S2 solewxte;solewxte Service;c:\windows\SYSTEM32\SOLEWXTE.EXE --> c:\windows\SYSTEM32\SOLEWXTE.EXE [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [1/16/2010 8:19 PM 30104]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\TIMFOO~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\TIMFOO~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
S3 RDID1003;EDIROL UM-2;c:\windows\system32\drivers\Rdwm1003.sys [1/3/2010 4:29 PM 66530]
S3 RDID1029;Roland Digital Piano;c:\windows\system32\drivers\rdwm1029.sys [8/28/2003 60698]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-02-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:04]

2010-02-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-31 00:41]

2010-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 00:43]

2010-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 00:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ipspy.metropipe.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
DPF: vdfdesigner - hxxp://www.printswift.com/staples/(rtlyqt55ewvhk0qfz2ofxz45)/VDFDesigner.cab
FF - ProfilePath - c:\documents and settings\Tim Foote\Application Data\Mozilla\Firefox\Profiles\9c132sth.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\Tim Foote\Application Data\Mozilla\Firefox\Profiles\9c132sth.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Tim Foote\Application Data\Mozilla\Firefox\Profiles\9c132sth.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\Tim Foote\Application Data\Mozilla\Firefox\Profiles\9c132sth.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07061050.dll
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsdc.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3647.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3647.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1376)
c:\windows\system32\rddv1029.dll
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
Completion time: 2010-02-18 09:55:45
ComboFix-quarantined-files.txt 2010-02-18 13:25
ComboFix2.txt 2010-02-18 00:54
ComboFix3.txt 2009-05-05 21:18

Pre-Run: 17,337,491,456 bytes free
Post-Run: 17,286,139,904 bytes free

- - End Of File - - 591DE47CFC64FB2FEBB0EDC0B5F605F6
Upload was successful


#12 Elise


Posted 18 February 2010 - 09:05 AM

Hello, that's looking a lot better.

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please launch MBAM and update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

regards, Elise




#13 footeswitch


Posted 18 February 2010 - 07:19 PM

Malwarebytes' Anti-Malware 1.44
Database version: 3758
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

2/18/2010 8:49:10 PM
mbam-log-2010-02-18 (20-49-10).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 327713
Time elapsed: 1 hour(s), 36 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\xa.tmp.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\cdwtu.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


#14 Elise


Posted 19 February 2010 - 04:30 AM

Hello, that's looking good. Can you please let me know if there are any problems left?

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  12. Push the button.
  13. Push

regards, Elise




#15 footeswitch


Posted 19 February 2010 - 06:24 PM

C:\Documents and Settings\Tim Foote\Desktop\Desktop folders\Internet_TV_Setup.exe a variant of Win32/Adware.ADON application deleted - quarantined
C:\Documents and Settings\Tim Foote\Desktop\Setups\SetupFe5988.exe probably a variant of Win32/TrojanDownloader.Agent trojan cleaned by deleting - quarantined
C:\Documents and Settings\Tim Foote\My Documents\FrostWire\Saved\i want you to want me cheap tr (new album).mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Qoobox\Quarantine\[4]-Submit_2010-02-18_09.44.03.zip a variant of Win32/Adware.Virtumonde.NDN application deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\_hundnbw_.ltu.zip a variant of Win32/Daonol.C trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\amesujaj.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\anomisen.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\awimalup.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\awugurip.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\ehuvayad.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\emudobes.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\eralokuk.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\etanubup.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\ikigawer.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\ikuwoser.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\iyebemer.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\ogivadul.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\ozavagok.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp0_29869375957.bk.vir a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\usajedis.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\uyerapoy.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\uyihuyag.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.SJ virus deleted - quarantined
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000215.exe a variant of Win32/Adware.ADON application deleted - quarantined
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000216.exe probably a variant of Win32/TrojanDownloader.Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\tmp0_129096224673.bk.old a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmp0_137483641556.bk.old a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmp0_211273875700.bk.old a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmp0_337670275625.bk.old Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmp0_452702705434.bk.old Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmp0_586012238528.bk.old a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmp0_596965408309.bk.old a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmp0_642878740356.bk.old a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmp0_670041505047.bk.old a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmp0_671423183601.bk.old Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmp0_721473504443.bk.old a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmp0_72815328590.bk.old a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmp0_795833299725.bk.old a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmp0_868434755489.bk.old a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmp0_891068601248.bk.old a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_100325588504.bk Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_100758875701.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_104550215513.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_114554204267.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_118079794238.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_119598256248.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_120071517306.bk Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_120567235090.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_122713596310.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_130890280559.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_139807531761.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_141655858990.bk Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_146491527198.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_148783863498.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_149689465095.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_15466881869.bk Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_15512376165.bk Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_159736140336.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_16477571794.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_168981787980.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_175454577553.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_176906379330.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_185441888890.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_189007511908.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_193769184972.bk Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_196060234572.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_198303244305.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_198689650691.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_200243874545.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_202672750945.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_20650315090.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_207327256949.bk Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_208251369545.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_213812830068.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_214816881667.bk Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_216635590812.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_220067237955.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_223544536977.bk Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_23727861104.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_238612651645.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_246169186582.bk Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_249575758041.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_25303832830.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_26899396646.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_276449170718.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_27781641304.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_279646785076.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_283826532860.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_284102685392.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_284639540001.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_285336284301.bk Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_2915249763.bk Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_293831225813.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_295693312470.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_300166188588.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_30159149049.bk Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_301955592403.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_302040782751.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_309178160566.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_31166488638.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_312532726219.bk Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_316183208166.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_321218813285.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_323401748327.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_327836357660.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_329974103112.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_33083132995.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_33168323343.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_335875500517.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_336449870409.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_337528621351.bk Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_339446261157.bk Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_344065869799.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_349439528038.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_356715632652.bk Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_359484403828.bk Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_363539741586.bk Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_36501190175.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_367148111667.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_369630435109.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_37461969558.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_376106255748.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_378562306413.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_378846174711.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_380531268234.bk Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_383426663675.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_389439694498.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_390974852846.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_39434370889.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_395670245885.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_40306601158.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_403898420605.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_407935240581.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_409963572895.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_410527418398.bk Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_430311113760.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_43660266811.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_438161588267.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_443281483734.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined
C:\WINDOWS\system32\tmpxr_447909362356.bk a variant of Win32/Adware.Coolezweb application cleaned by deleting - quarantined