
I think I have a trojan/hijack


This topic is locked
32 replies to this topic

#1 JamieOne

  • Members
  • 16 posts

Posted 15 March 2010 - 02:27 PM

Hello friends.

I have been having a little trouble with my browsers. I typically run Firefox on the infected computer, but as of late it freezes and crashes often. I am able to use it for a small period of time, but then it breaks on me. The only way I am able to close it down is by ending the process in the Task Manager. I installed IE and it works a little better, but it also eventually crashes. Chrome does not let me do anything.

I have run updated versions of both Spybot S&D and Ad-Aware.

I will post here my hijackthis log. Please let me know if I should post anything else.

Thank you in advance for any help or guidance.

Jamie

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:19:49 PM, on 3/6/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\WINDOWS\Downlo~1\MyWebEx\319\raagtx.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Downlo~1\MyWebEx\319\atnthost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Downlo~1\MyWebEx\319\RAAGTAPP.EXE
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070309
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070309
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PTBM Startup.LNK = C:\PTBM2005\ptbm.exe
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O4 - Global Startup: QuickBooks Remote Access.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5C709EEC-DDE1-4738-8E57-7564E2637891} (QBMASSyncCom1_2009.UserControl1) - https://merchantaccount.quickbooks.com/sync...ncCom1_2009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175541787734
O16 - DPF: {788539E8-002D-4E59-9089-40B694A99C9A} (QBMASSyncCom2_2008.UserControl1) - https://merchantaccount.quickbooks.com/sync...ncCom2_2008.cab
O16 - DPF: {7DD82D6B-3553-470B-8D1E-D5C7086478A7} (QBMASSyncCom2_2005.UserControl1) - https://merchantaccount.quickbooks.com/sync...ncCom2_2005.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O16 - DPF: {F8A9F96F-8375-4596-BD89-EEAE2781D810} (QBMASSyncCom1.UserControl1) - https://merchantaccount.quickbooks.com/sync...MASSyncCom1.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: WebEx Remote Access Agent (atnthost) - WebEx Communications, Inc. - C:\WINDOWS\Downlo~1\MyWebEx\319\atnthost.exe
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10143 bytes


#2 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 17 March 2010 - 01:07 PM

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please post a fresh HiJackThis Log

MalWare Removal University Master

Member of ASAP


#3 JamieOne

  • Topic Starter
  • Members
  • 16 posts

Posted 17 March 2010 - 03:36 PM

Thank you for your help.

Let me know if you need anything else.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:28 PM, on 3/17/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\WINDOWS\Downlo~1\MyWebEx\319\raagtx.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Downlo~1\MyWebEx\319\atnthost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Downlo~1\MyWebEx\319\RAAGTAPP.EXE
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070309
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070309
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PTBM Startup.LNK = C:\PTBM2005\ptbm.exe
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O4 - Global Startup: QuickBooks Remote Access.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5C709EEC-DDE1-4738-8E57-7564E2637891} (QBMASSyncCom1_2009.UserControl1) - https://merchantaccount.quickbooks.com/sync...ncCom1_2009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175541787734
O16 - DPF: {788539E8-002D-4E59-9089-40B694A99C9A} (QBMASSyncCom2_2008.UserControl1) - https://merchantaccount.quickbooks.com/sync...ncCom2_2008.cab
O16 - DPF: {7DD82D6B-3553-470B-8D1E-D5C7086478A7} (QBMASSyncCom2_2005.UserControl1) - https://merchantaccount.quickbooks.com/sync...ncCom2_2005.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O16 - DPF: {F8A9F96F-8375-4596-BD89-EEAE2781D810} (QBMASSyncCom1.UserControl1) - https://merchantaccount.quickbooks.com/sync...MASSyncCom1.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: WebEx Remote Access Agent (atnthost) - WebEx Communications, Inc. - C:\WINDOWS\Downlo~1\MyWebEx\319\atnthost.exe
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9791 bytes
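A small triage script for HijackThis logs like the two posted above, added here as an example and not a tool from BleepingComputer, the helper, or the HijackThis project. It parses the R*/O* entries and flags what a helper looks at first: a registered file that is missing on disk, a service with no publisher string, an ActiveX (DPF) entry with no download URL, an AppInit_DLLs value, and a Run value that names an executable without a full path. The embedded sample log is constructed from a few lines of the posted logs, and the hint rules and function names are this example's own, not anything the thread defines.

```python
"""Triage helper for HijackThis v2.0.2 logs (added example, not a project tool).

It parses the R*/O* entries in the format shown in this thread and attaches
review hints to the ones a helper would check first. None of the hints is a
verdict; each is only a reason to look at that entry.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a handful of lines in the same format as the logs
# posted in this thread, not a complete log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:28 PM, on 3/17/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

--
End of file - 9791 bytes
"""

# "R1 - ..." / "O23 - ..." entry lines; everything after "Rn - " / "On - " is the body.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_CMD_RE = re.compile(r"\] (.+)$")  # command after the [name] of an O4 Run value


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def parse_header(text: str) -> Dict[str, str]:
    """Tool, scan time and platform from the lines above 'Running processes:'."""
    header: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("Logfile of "):
            header["tool"] = line[len("Logfile of "):]
        elif line.startswith("Scan saved at "):
            header["scanned"] = line[len("Scan saved at "):]
        elif line.startswith("Platform: "):
            header["platform"] = line[len("Platform: "):]
        elif line.startswith("Running processes:"):
            break
    return header


def parse_entries(text: str) -> List[Entry]:
    """All R*/O* entries in log order; process-list and footer lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body").strip()
        c = CLSID_RE.search(body)
        entries.append(Entry(m.group("section"), body, c.group(0) if c else None))
    return entries


def flag(e: Entry) -> List[str]:
    """Review hints for one entry (this example's own rules)."""
    hints: List[str] = []
    if e.body.endswith("(file missing)"):
        hints.append("registered file is missing on disk: leftover or removed component")
    if e.section == "O23" and " - Unknown owner - " in e.body:
        hints.append("service has no publisher string: verify the binary")
    if e.section == "O16" and e.body.endswith(" -"):
        hints.append("ActiveX (DPF) entry without a download URL")
    if e.section == "O20" and e.body.startswith("AppInit_DLLs:"):
        hints.append("AppInit_DLLs is loaded into every process that uses user32.dll")
    if e.section == "O4":
        m = RUN_CMD_RE.search(e.body)
        if m:
            cmd = m.group(1)
            exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
            if "\\" not in exe:
                hints.append("Run value names an executable without a full path")
    return hints


def triage(text: str) -> List[Entry]:
    """Entries that received at least one hint, in log order."""
    flagged: List[Entry] = []
    for e in parse_entries(text):
        e.flags = flag(e)
        if e.flags:
            flagged.append(e)
    return flagged


def section_counts(text: str) -> Dict[str, int]:
    """How many entries each section (R1, O2, O23, ...) contributes."""
    counts: Dict[str, int] = {}
    for e in parse_entries(text):
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


if __name__ == "__main__":
    print(parse_header(SAMPLE_LOG))
    for entry in triage(SAMPLE_LOG):
        print(entry.section, entry.clsid or "-", "; ".join(entry.flags))
```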


#4 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 17 March 2010 - 11:24 PM

Step # 1: Disable Teatimer

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

This is a two step process.
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have version 1.5 or 1.6, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident


Second step, for either version:
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • Then, also in the left panel, click Resident (it shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.



Step # 2 Download and run DDS

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.



Step # 3: Download and Run Gmer

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click No.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc!

Please post the results from the GMER scan in your reply.

In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS.txt and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post.

MalWare Removal University Master

Member of ASAP


#5 JamieOne

  • Topic Starter
  • Members
  • 16 posts

Posted 19 March 2010 - 03:22 PM

Again, thank you very much.

Still let me know if I need to provide more information.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Allied Training at 15:13:51.12 on Thu 03/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1412 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\WINDOWS\Downlo~1\MyWebEx\319\raagtx.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Downlo~1\MyWebEx\319\atnthost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Downlo~1\MyWebEx\319\RAAGTAPP.EXE
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Allied Training\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070309
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
StartupFolder: c:\docume~1\allied~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\allied~1\startm~1\programs\startup\ptbmst~1.lnk - c:\ptbm2005\ptbm.exe
StartupFolder: c:\docume~1\allied~1\startm~1\programs\startup\virtua~1.lnk - c:\windows\system32\virtualexpander\VirtualExpander.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\windows\downlo~1\mywebex\319\raagtx.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {5C709EEC-DDE1-4738-8E57-7564E2637891} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom1_2009.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175541787734
DPF: {788539E8-002D-4E59-9089-40B694A99C9A} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2008.cab
DPF: {7DD82D6B-3553-470B-8D1E-D5C7086478A7} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2005.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {F8A9F96F-8375-4596-BD89-EEAE2781D810} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom1.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
    Notify: avgrsstarter - avgrsstx.dll
    AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\allied~1\applic~1\mozilla\firefox\profiles\4p1g6p5c.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?&q=
    FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npwbe.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-3 335240]
    R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-3 27784]
    R2 atnthost;WebEx Remote Access Agent;c:\windows\downlo~1\mywebex\319\atnthost.exe [2008-5-13 16792]
    R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-3-9 1247600]
    S1 64y90w;64y90w;c:\windows\system32\drivers\64y90w.sys [2010-2-2 75264]
    S2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]

    =============== Created Last 30 ================

    2010-03-15 14:13:37 5088 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2010-03-10 10:58:11 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-06 17:16:51 0 d-----w- c:\program files\Trend Micro

    ==================== Find3M ====================

    2010-02-03 18:20:18 12464 ----a-w- c:\windows\system32\avgrsstx(2).dll
    2010-02-02 16:54:47 75264 ----a-w- c:\windows\system32\drivers\64y90w.sys
    2010-02-02 16:54:45 26624 ----a-w- C:\U.exe
    2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
    2009-12-22 05:21:02 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
    2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
    2008-08-02 17:56:03 336 ----a-w- c:\program files\temp995.bat

    ============= FINISH: 15:14:27.45 ===============



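The DDS log above carries three details a responder would pull out first: the driver `64y90w` whose display name is just its own name, the file `C:\U.exe` written two seconds before that driver, and the `avg8wd` service whose binary is listed as `[?]` (not found on disk) even though the service is still registered. ComboFix later deletes the first two and removes the `Legacy_64y90w`/`Service_64y90w` entries. As an added example (it is not a BleepingComputer, DDS or ComboFix tool), the Python below parses the `SERVICES / DRIVERS` and `Find3M` sections of a DDS log, applies two heuristics of my own (a machine-looking service name reused as its own description; a registered service with a missing binary), and correlates any flagged driver with other files created within a 60-second window. The sample lines are copied from the log in this thread; the heuristics, the window size and all function names are my assumptions.

```python
"""Triage helper for DDS-style logs (added example, not a BleepingComputer tool).

Parses the 'SERVICES / DRIVERS' and 'Find3M' sections and flags entries that
(a) reuse a short machine-looking service name as their only description, or
(b) are registered with a binary that DDS marks as missing ('[?]'), then lists
other files created within `window` of a flagged driver's own creation time.
All heuristics are the editor's assumptions, not DDS or ComboFix logic.
"""
import re
from datetime import datetime, timedelta

# Sample lines copied from the DDS log posted in this thread (constructed input).
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-3 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-3 27784]
R2 atnthost;WebEx Remote Access Agent;c:\windows\downlo~1\mywebex\319\atnthost.exe [2008-5-13 16792]
S1 64y90w;64y90w;c:\windows\system32\drivers\64y90w.sys [2010-2-2 75264]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]

==================== Find3M ====================

2010-02-03 18:20:18 12464 ----a-w- c:\windows\system32\avgrsstx(2).dll
2010-02-02 16:54:47 75264 ----a-w- c:\windows\system32\drivers\64y90w.sys
2010-02-02 16:54:45 26624 ----a-w- C:\U.exe
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2008-08-02 17:56:03 336 ----a-w- c:\program files\temp995.bat
"""

# "R1 name;description;path [date size]" or "... [?]" when the binary is missing.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")
# "YYYY-MM-DD HH:MM:SS size attrs path"
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+?)\s*$")
# 4-10 lowercase alphanumerics containing at least one digit and one letter.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{4,10}$")


def parse_dds(text):
    """Return (services, files) from the two DDS sections this helper understands."""
    services, files = [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("="):          # section header: pick the section or leave it
            if "SERVICES / DRIVERS" in line:
                section = "services"
            elif "Find3M" in line:
                section = "files"
            else:
                section = None
            continue
        if not line:
            continue
        if section == "services":
            m = SERVICE_RE.match(line)
            if m:
                state, name, desc, path, meta = m.groups()
                services.append({"state": state, "name": name, "desc": desc,
                                 "path": path, "missing": meta.strip() == "?"})
        elif section == "files":
            m = FILE_RE.match(line)
            if m:
                ts, size, attrs, path = m.groups()
                files.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                              "size": int(size), "attrs": attrs, "path": path})
    return services, files


def basename(path):
    """Lower-cased file name; DDS writes 'expected --> actual' for moved binaries."""
    return path.split(" --> ")[0].rsplit("\\", 1)[-1].lower()


def find_suspicious(text, window=timedelta(seconds=60)):
    """Flag services by the two heuristics and attach files created near them."""
    services, files = parse_dds(text)
    by_name = {basename(f["path"]): f for f in files}
    findings = []
    for svc in services:
        reasons = []
        if svc["missing"]:
            reasons.append("binary missing on disk but service still registered")
        name = svc["name"].lower()
        if name == svc["desc"].lower() and RANDOM_NAME_RE.match(name):
            reasons.append("machine-generated name with no vendor description")
        if not reasons:
            continue
        related = []
        entry = by_name.get(basename(svc["path"]))
        if entry:                          # other Find3M files written within `window`
            for other in files:
                if other is not entry and abs(other["time"] - entry["time"]) <= window:
                    related.append(other["path"])
        findings.append({"service": svc["name"], "path": svc["path"].split(" --> ")[0],
                         "reasons": reasons, "related_files": related})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f["service"], f["path"], "|", "; ".join(f["reasons"]), "|", f["related_files"])
```

Run against the sample it reports `64y90w` (random name, with `C:\U.exe` as a file created two seconds earlier) and `avg8wd` (registered but its binary is gone), which is the same pair of observations the thread goes on to act on: ComboFix removing the driver and its companion file, and the helper concluding that the AVG uninstall was incomplete. Point the script at a full DDS.txt by reading the file into `find_suspicious`.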

    #6 km2357

    km2357

    • Malware Response Team
    • 1,784 posts
    • Gender:Male
    • Location:California

    Posted 19 March 2010 - 07:44 PM

    From now on, just post any logs I ask for normally; do not attach them. Only attach them if I ask you to do so.

    Thanks.


    Step # 1: Download and Run ComboFix

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    * Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.

    MalWare Removal University Master

    Member of ASAP


    #7 JamieOne

    JamieOne
    • Topic Starter

    • Members
    • 16 posts

    Posted 20 March 2010 - 11:20 AM

    Hello,

    One of the problems that I have been having is that I can no longer open my AVG UI to shut it off. I noticed that I need to turn some things off to run the combofix. When my computer searches for the AVG it does not find it. But my computer's protection stays on. Do you have any input on how to fix this?

    Thank you.

    #8 km2357

    km2357

    • Malware Response Team
    • 1,784 posts
    • Gender:Male
    • Location:California

    Posted 20 March 2010 - 12:33 PM

    QUOTE
    Hello,

    One of the problems that I have been having is that I can no longer open my AVG UI to shut it off. I noticed that I need to turn some things off to run the combofix. When my computer searches for the AVG it does not find it. But my computer's protection stays on. Do you have any input on how to fix this?

    Thank you.


    Since you can't open up your AVG UI and your computer can't even find it (I noticed that I didn't see an AVG entry in your Add/Remove Programs list in the Attach.txt log), it seems that your AVG install may have been corrupted. Let's replace AVG with another (free) Anti-Virus.

    Let's do this. First, you'll download a setup file for the new AV. Then, I'll have you download and run a program that'll completely remove AVG from your computer. Then I'll have you install the new AV, then you'll disable it, then run ComboFix.

    ======================

    First step is to download the setup file for the new Anti-Virus:

    1)Antivir PersonalEdition Classic
    2)avast! 4 Home Edition

    Download only one!

    Once you've downloaded whichever one you want and saved the file to your Desktop, next download the following file and save it to your Desktop:

    AVGRemover


    Before you run avgremover.exe, disconnect your computer from the Internet. Once you've done that, run avgremover.exe and follow the instructions. It will ask you to reboot your computer when it's done; please let it do so. Once your computer boots back up, install the new Anti-Virus you downloaded and, once it's installed, reconnect your computer to the Internet and update your new AV.


    The final step before running ComboFix is to disable your new Anti-Virus.

    If you installed Avast, use the following instructions:

    Please disable avast! Antivirus as it may interfere with the fixes. Remember to re-enable it back before posting the logs.

    * Right click on avast! Antivirus icon near the clock and select Stop On-Access Protection.
    * Right click on this icon again and select Program Settings.
    * On the left, click on Troubleshooting.
    * Uncheck (untick) this box - Disable avast! self-defense module.
    * Click OK to apply the settings.

    If you installed Avira Antivir, use the following instructions:

    Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on a red background.
    • Right click it -> untick the option AntiVir Guard enable.
    • You should now see a closed, white umbrella on a red background.


    Once you've disabled your new Anti-Virus, run ComboFix.exe using the instructions I posted for it in my last post. Post the ComboFix Log in your next post/reply.



    #9 JamieOne

    JamieOne
    • Topic Starter

    • Members
    • 16 posts

    Posted 22 March 2010 - 01:45 PM

    Hello,

    Just a few things. With the version of avast that I have, when I right click on the icon I do not get the options mentioned above. I do however get a listing called shield control, in which I can disable protection. This is what I did.

    Upon starting the scan, again a pop up comes up saying AVG is still active. I ran the AVG remover prior. Might it not have worked? Nothing popped up to indicate any problem.

    I went through with the scan as there are really no options at that point, and it is still scanning today, 2 days later. It has completed through stage_10 but seems to have frozen there. If that helps.

    That is where I am at today.

    #10 km2357

    km2357

    • Malware Response Team
    • 1,784 posts
    • Gender:Male
    • Location:California

    Posted 22 March 2010 - 07:23 PM

    QUOTE
    Upon starting the scan, again a pop up comes up saying AVG is still active. I ran the AVG remover prior. Might it not have worked? Nothing popped up to indicate any problem.


    It's possible that AVG remover didn't remove everything AVG related. We may need to remove the rest of AVG manually. But first let's try the steps below to see if we can get ComboFix to work.


    Ok, let's try this and see if we can get ComboFix to run to completion.

    First, if ComboFix is still running its scan, close ComboFix to stop it.

    Next, delete ComboFix.exe from your computer and download the latest version from one of the links below:

    Link 1
    Link 2

    Make sure you save ComboFix.exe to your Desktop.

    Finally, I want you to shut down your computer and start it up in Safe Mode (you can get into Safe Mode by restarting your computer, then continually tapping F8 until a menu appears; use your up arrow key to highlight Safe Mode, then hit Enter). Once in Safe Mode, try running ComboFix. If it runs successfully to the end, post the ComboFix Log (C:\ComboFix.txt) in your next post/reply.



    #11 JamieOne

    JamieOne
    • Topic Starter

    • Members
    • 16 posts

    Posted 23 March 2010 - 04:09 PM

    Here's the combofix log.

    ComboFix 10-03-23.01 - Allied Training 03/23/2010 16:06:10.3.1 - x86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1697 [GMT -4:00]
    Running from: c:\documents and settings\Allied Training\Desktop\ComboFix.exe
    AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\LOG19C.tmp
    C:\LOG2BA.tmp
    C:\LOG30E.tmp
    C:\LOG34.tmp
    C:\LOG355.tmp
    C:\LOG3C0.tmp
    C:\LOG72.tmp
    C:\LOGBF.tmp
    C:\LOGC3.tmp
    C:\U.exe
    c:\windows\Downloaded Program Files\MyWebEx
    c:\windows\Downloaded Program Files\MyWebEx\319\aasetup.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\atagtctl.exe
    c:\windows\Downloaded Program Files\MyWebEx\319\atarm.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\atas32.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\ATAS9516.DLL
    c:\windows\Downloaded Program Files\MyWebEx\319\atas9532.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\atasanot.exe
    c:\windows\Downloaded Program Files\MyWebEx\319\atasctrl.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\ataudio.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\atauthor.exe
    c:\windows\Downloaded Program Files\MyWebEx\319\atcarmcl.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\atdl2006.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\Ateditor.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\atfsdos.vxd
    c:\windows\Downloaded Program Files\MyWebEx\319\atinet.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\atjpeg60.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\atkbctl.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\atmemmgr.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\atnetext.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\atnthost.exe
    c:\windows\Downloaded Program Files\MyWebEx\319\atpack.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\atpcap16.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\atpcap95.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\atpcapnt.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\ATPDRVNT.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\atplaykb.vxd
    c:\windows\Downloaded Program Files\MyWebEx\319\atpng12.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\atprint.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\atprint.gpd
    c:\windows\Downloaded Program Files\MyWebEx\319\atprtses.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\ATRA9516.DLL
    c:\windows\Downloaded Program Files\MyWebEx\319\atrares.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\Atrcp.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\atrecply.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\atres.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\atrpui.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\atscr.scr
    c:\windows\Downloaded Program Files\MyWebEx\319\atstmget.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\attp.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\atWbxUI5.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\Install.ini
    c:\windows\Downloaded Program Files\MyWebEx\319\mwpc.ini
    c:\windows\Downloaded Program Files\MyWebEx\319\raagt.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\raagtapp.exe
    c:\windows\Downloaded Program Files\MyWebEx\319\raagtx.exe
    c:\windows\Downloaded Program Files\MyWebEx\319\racfg.exe
    c:\windows\Downloaded Program Files\MyWebEx\319\rafilesp.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\ramtmgr.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\ratrace.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\raupdate.exe
    c:\windows\Downloaded Program Files\MyWebEx\319\raurl.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\stdnames.gpd
    c:\windows\Downloaded Program Files\MyWebEx\319\trace.txt
    c:\windows\Downloaded Program Files\MyWebEx\319\UILibRes.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\unidrv.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\unidrv.hlp
    c:\windows\Downloaded Program Files\MyWebEx\319\unidrvui.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\unires.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\wbxcrypt.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\WbxDLDrv.exe
    c:\windows\Downloaded Program Files\MyWebEx\319\WbxDLInst.exe
    c:\windows\Downloaded Program Files\MyWebEx\319\WbxDLMgr.dll
    c:\windows\Downloaded Program Files\MyWebEx\319\webex_ball_32.ico
    c:\windows\Downloaded Program Files\MyWebEx\319\xstatus.log
    c:\windows\system32\bszip.dll
    c:\windows\system32\drivers\64y90w.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_64y90w
    -------\Service_64y90w


    ((((((((((((((((((((((((( Files Created from 2010-02-23 to 2010-03-23 )))))))))))))))))))))))))))))))
    .

    2010-03-20 18:20 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-03-20 18:20 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-03-20 18:20 . 2010-03-09 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-03-20 18:20 . 2010-03-09 10:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-03-20 18:20 . 2010-03-09 10:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-03-20 18:20 . 2010-03-09 10:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-03-20 18:20 . 2010-03-09 10:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-03-20 18:20 . 2010-03-09 10:24 38848 ----a-w- c:\windows\system32\avastSS.scr
    2010-03-20 18:20 . 2010-03-09 10:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
    2010-03-20 18:20 . 2010-03-20 18:20 -------- d-----w- c:\program files\Alwil Software
    2010-03-20 18:20 . 2010-03-20 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-03-19 14:12 . 2010-03-19 14:12 -------- d-----w- c:\program files\iPod
    2010-03-19 14:12 . 2010-03-19 14:13 -------- d-----w- c:\program files\iTunes
    2010-03-19 10:52 . 2010-03-19 10:52 0 ----a-w- c:\windows\system32\drivers\.sys
    2010-03-10 22:11 . 2010-03-10 22:11 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
    2010-03-10 10:58 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-06 17:16 . 2010-03-06 17:16 -------- d-----w- c:\program files\Trend Micro

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-23 13:59 . 2008-12-30 15:42 4066 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
    2010-03-19 14:12 . 2007-08-16 19:02 -------- d-----w- c:\program files\Common Files\Apple
    2010-03-19 14:11 . 2008-01-23 18:24 -------- d-----w- c:\program files\QuickTime
    2010-03-19 14:09 . 2010-03-19 14:09 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
    2010-03-17 16:50 . 2007-03-13 20:04 -------- d-----w- c:\documents and settings\Allied Training\Application Data\U3
    2010-03-16 14:14 . 2007-06-26 21:10 -------- d-----w- c:\program files\FileZilla
    2010-03-15 14:13 . 2010-03-15 14:13 5088 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2010-03-10 22:15 . 2007-04-02 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-03-02 21:42 . 2007-03-09 14:14 -------- d-----w- c:\program files\Google
    2010-02-25 21:11 . 2008-07-03 17:58 -------- d-----w- c:\program files\AVG
    2010-02-25 21:10 . 2010-02-03 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-02-25 21:10 . 2010-02-12 13:19 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2010-02-19 02:00 . 2010-02-19 02:00 869664 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\qbpatch.exe
    2010-02-12 13:33 . 2010-02-12 13:33 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-02-12 13:19 . 2010-02-12 13:19 -------- d-----w- c:\documents and settings\Allied Training\Application Data\AVG8
    2010-02-12 13:17 . 2010-02-08 20:09 -------- d-----w- c:\program files\iPod(2)
    2010-02-12 13:17 . 2010-02-08 20:09 -------- d-----w- c:\program files\iTunes(2)
    2010-02-08 20:02 . 2007-05-18 17:01 -------- d-----w- c:\documents and settings\Allied Training\Application Data\Apple Computer
    2010-02-03 18:51 . 2007-05-22 20:46 -------- d-----w- c:\program files\Cakewalk
    2009-12-31 16:50 . 2004-08-11 22:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-28 22:39 . 2009-12-28 22:39 850736 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\dblgen11.dll
    2009-12-28 22:39 . 2009-12-28 22:39 2151728 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\iAnywhere.Data.SQLAnywhere.dll
    2009-12-28 22:39 . 2009-12-28 22:39 211720 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
    2009-12-28 22:39 . 2009-12-28 22:39 1092872 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
    2008-08-02 17:56 . 2008-08-02 17:55 336 ----a-w- c:\program files\temp995.bat
    2008-09-08 16:58 . 2008-09-08 16:58 44360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2008-09-08 16:58 . 2008-09-08 16:58 107928 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]
    @="{E4000AC4-5E5F-4956-807A-C5854405D64F}"
    [HKEY_CLASSES_ROOT\CLSID\{E4000AC4-5E5F-4956-807A-C5854405D64F}]
    2008-07-23 19:23 73728 ----a-w- c:\windows\system32\VirtualExpander\VEShellExt.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-04 7630848]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-04 86016]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-08-30 282624]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

    c:\documents and settings\Allied Training\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    PTBM Startup.LNK - c:\ptbm2005\ptbm.exe [2007-3-13 2850816]
    VirtualExpander.lnk - c:\windows\system32\VirtualExpander\VirtualExpander.exe [2008-7-23 474808]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-3-21 61440]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-02-15 22:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/20/2010 2:20 PM 162640]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/20/2010 2:20 PM 19024]
    S2 atnthost;WebEx Remote Access Agent;"c:\windows\Downlo~1\MyWebEx\319\atnthost.exe" --> c:\windows\Downlo~1\MyWebEx\319\atnthost.exe [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-19 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

    2010-03-23 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
    DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
    DPF: {5C709EEC-DDE1-4738-8E57-7564E2637891} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom1_2009.cab
    DPF: {788539E8-002D-4E59-9089-40B694A99C9A} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2008.cab
    DPF: {7DD82D6B-3553-470B-8D1E-D5C7086478A7} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2005.cab
    DPF: {F8A9F96F-8375-4596-BD89-EEAE2781D810} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom1.cab
    FF - ProfilePath - c:\documents and settings\Allied Training\Application Data\Mozilla\Firefox\Profiles\4p1g6p5c.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?&q=
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npwbe.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-nwiz - nwiz.exe
    Notify-avgrsstarter - avgrsstx.dll
    SafeBoot-64y90w
    MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
    AddRemove-CD - DVD Publishing Service - c:\documents and settings\Allied Training\My Documents\Downloads\Kunaki_CD-DVD_Publishing_Service(4).exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-23 16:16
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\.xaml\bootstrap]
    @DACL=(02 0000)
    @="bootstrap.xaml.1"

    [HKEY_LOCAL_MACHINE\software\Classes\.xbap\bootstrap]
    @DACL=(02 0000)
    @="bootstrap.xbap.1"

    [HKEY_LOCAL_MACHINE\software\Classes\.xps\bootstrap]
    @DACL=(02 0000)
    @="bootstrap.xps.1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3556)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\VirtualExpander\VEShellExt.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Flip Video\FlipShare\FlipShareService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\stsystra.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\wbem\unsecapp.exe
    .
    **************************************************************************
    .
    Completion time: 2010-03-23 16:20:41 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-23 20:20

    Pre-Run: 116,441,849,856 bytes free
    Post-Run: 114,751,426,560 bytes free

    - - End Of File - - 2B61F05141D5A5F4B7D7D32952A4D0C3


    #12 km2357

    km2357

    • Malware Response Team
    • 1,784 posts
    • Gender:Male
    • Location:California
    • Local time:04:24 PM

    Posted 23 March 2010 - 11:33 PM

    Do you recognize the following file?:

    c:\program files\temp995.bat



    Step # 1: Run CFScript
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      CODE
      KILLALL::

      SecCenter::

      AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

      Folder::

      c:\program files\AVG
      c:\documents and settings\All Users\Application Data\avg9
      c:\documents and settings\All Users\Application Data\avg8
      c:\documents and settings\Allied Training\Application Data\AVG8



    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.







      Note: This CFScript is for use on jamieone's computer only! Do not use it on your computer.


    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    In your next post/reply, I need to see the following:

    1. The ComboFix Log that appears after Step 1 has been completed.
    2. A fresh DDS Log taken after Step 1 has been completed.

    MalWare Removal University Master

    Member of ASAP

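The logs in this thread are read by eye, but the entries a responder stops on (a nameless zero-byte file in the drivers folder, a batch file sitting directly in Program Files, a service whose image lives under a download folder and shows [?] where ComboFix could not read its date and size, a Run value given as a bare filename) can be written down as rules and run over the log text. The script below is an added example for this page; it is not part of ComboFix and not part of the helper's instructions. The sample lines are copied from the ComboFix logs posted in this thread (section headers shortened), and the rule names, the list of suspicious folders and the treatment of [?] as "check by hand" are the example author's assumptions.

```python
"""Rule-based triage of ComboFix log lines (added example, not ComboFix code)."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Sample lines copied from the ComboFix logs posted in this thread.
# The file, Run key and service lines are verbatim; headers are shortened.
SAMPLE_LOG = r"""
((( Files Created from 2010-02-24 to 2010-03-24 )))
.
2010-03-20 18:20 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-19 10:52 . 2010-03-19 10:52 0 ----a-w- c:\windows\system32\drivers\.sys
2010-03-06 17:16 . 2010-03-06 17:16 -------- d-----w- c:\program files\Trend Micro
.
((( Find3M Report )))
.
2008-08-02 17:56 . 2008-08-02 17:55 336 ----a-w- c:\program files\temp995.bat
2009-12-31 16:50 . 2004-08-11 22:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-04 7630848]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-30 282624]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/20/2010 2:20 PM 162640]
S2 atnthost;WebEx Remote Access Agent;"c:\windows\Downlo~1\MyWebEx\319\atnthost.exe" --> c:\windows\Downlo~1\MyWebEx\319\atnthost.exe [?]
"""

# "Files Created" / "Find3M" rows: mtime . ctime size attrs path
FILE_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)
# Run key values: "Name"="image" [date size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<info>[^\]]*)\]\s*$')
# Service rows: R1/S2 name;display;image [date size]   ([?] = ComboFix could not stat it)
SVC_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+\[(?P<info>[^\]]*)\]\s*$"
)

# Assumed lists for this example; extend them for your own environment.
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "%windir%\\")
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".scr")
SUSPECT_DIRS = ("\\downlo~1\\", "\\downloaded program files\\", "\\temp\\")


@dataclass
class Finding:
    rule: str
    line: str


def triage_file(m: "re.Match") -> List[str]:
    path = m["path"].lower()
    name = path.rsplit("\\", 1)[-1]
    rules = []
    if "\\drivers\\" in path and name.endswith(".sys") and (m["size"] == "0" or name == ".sys"):
        rules.append("zero-byte or nameless kernel driver")
    # Exactly two backslashes means the file sits directly under c:\program files
    if path.startswith("c:\\program files\\") and path.count("\\") == 2 and name.endswith(SCRIPT_EXTS):
        rules.append("script file directly under Program Files")
    return rules


def triage_run(m: "re.Match") -> List[str]:
    path = m["path"].lower()
    rules = []
    # A bare filename is resolved through the search path; worth confirming where it lives
    if not path.startswith(SYSTEM_ROOTS):
        rules.append("autostart image not an absolute path under Windows or Program Files")
    if m["info"].strip() == "?":
        rules.append("date and size unreadable ([?])")
    return rules


def triage_service(m: "re.Match") -> List[str]:
    image = m["image"].lower()
    rules = []
    if any(d in image for d in SUSPECT_DIRS):
        rules.append("image in a download or temp folder")
    if m["info"].strip() == "?":
        rules.append("date and size unreadable ([?])")
    return rules


PARSERS: List[Tuple["re.Pattern", Callable]] = [
    (FILE_RE, triage_file), (RUN_RE, triage_run), (SVC_RE, triage_service)]


def triage_log(text: str) -> List[Finding]:
    """Return one Finding per (rule, line) pair; lines that match no rule are silent."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        for regex, handler in PARSERS:
            m = regex.match(line)
            if m:
                findings.extend(Finding(rule, line) for rule in handler(m))
                break
    return findings


def summarize(findings: List[Finding]) -> dict:
    counts: dict = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

The rules only flag entries for a person to look at; they say nothing about whether an entry is malicious. On the sample above they surface the nameless 0-byte .sys, temp995.bat, the bare `stsystra.exe` Run value and the WebEx agent under Downlo~1, and stay quiet on the avast! drivers and the Office and Apple entries.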

    #13 JamieOne

    JamieOne
    • Topic Starter

    • Members
    • 16 posts
    • Local time:07:24 PM

    Posted 24 March 2010 - 04:00 PM

    I do NOT recognize the file c:\program files\temp995.bat

    Here are those 2 logs you requested. Again, thanks for your patience.

    FYI computer already seems to be running better.

    ComboFix 10-03-23.01 - Allied Training 03/24/2010 16:41:45.4.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1493 [GMT -4:00]
    Running from: c:\documents and settings\Allied Training\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Allied Training\Desktop\CFScript.txt
    AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\avg8
    c:\documents and settings\All Users\Application Data\avg8\Cfg\erd.cfg
    c:\documents and settings\All Users\Application Data\avg8\Cfg\krnl.cfg
    c:\documents and settings\All Users\Application Data\avg8\Cfg\malrep.cfg
    c:\documents and settings\All Users\Application Data\avg8\Cfg\scan.cfg
    c:\documents and settings\All Users\Application Data\avg8\Cfg\sched.cfg
    c:\documents and settings\All Users\Application Data\avg8\Cfg\setup.cfg
    c:\documents and settings\All Users\Application Data\avg8\Cfg\update.cfg
    c:\documents and settings\All Users\Application Data\avg8\Cfg\updateall.cfg
    c:\documents and settings\All Users\Application Data\avg8\Cfg\updatecomps.cfg
    c:\documents and settings\All Users\Application Data\avg8\Cfg\user.cfg
    c:\documents and settings\All Users\Application Data\avg8\cfgall\changecfgreg.cfg
    c:\documents and settings\All Users\Application Data\avg8\cfgall\updateall.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\avgldr.log
    c:\documents and settings\All Users\Application Data\avg8\Log\avgldr.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\avguilog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\cfgexlog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\cfglog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\corelog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\ldrlog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\lnglog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\nslog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\privlog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\publog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\rslog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\scanlog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\schedlog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\srmlog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\updlog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\vaultlog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\wdlog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\wdsvclog.cfg
    c:\documents and settings\All Users\Application Data\avg9
    c:\documents and settings\All Users\Application Data\avg9\Cfg\setup.cfg
    c:\documents and settings\All Users\Application Data\avg9\Cfg\updatecomps.cfg
    c:\documents and settings\All Users\Application Data\avg9\Chjw\cm-0-p.dat
    c:\documents and settings\All Users\Application Data\avg9\Chjw\cm-1-p.dat
    c:\documents and settings\All Users\Application Data\avg9\Chjw\cm-2-i.dat
    c:\documents and settings\All Users\Application Data\avg9\Chjw\cm-2-p.dat
    c:\documents and settings\All Users\Application Data\avg9\Log\avgchjw.log
    c:\documents and settings\All Users\Application Data\avg9\Log\avgchjw.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\avgchjwsrv.log
    c:\documents and settings\All Users\Application Data\avg9\Log\avgchjwsrv.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\avgcore.log
    c:\documents and settings\All Users\Application Data\avg9\Log\avgcore.log.1
    c:\documents and settings\All Users\Application Data\avg9\Log\avgcore.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\avgfrw.log
    c:\documents and settings\All Users\Application Data\avg9\Log\avgfrw.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\avgldr.log
    c:\documents and settings\All Users\Application Data\avg9\Log\avgldr.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\avglng.log
    c:\documents and settings\All Users\Application Data\avg9\Log\avglng.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\avgrs.log
    c:\documents and settings\All Users\Application Data\avg9\Log\avgrs.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\avgscan.log
    c:\documents and settings\All Users\Application Data\avg9\Log\avgscan.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\avgsched.log
    c:\documents and settings\All Users\Application Data\avg9\Log\avgsched.log.1
    c:\documents and settings\All Users\Application Data\avg9\Log\avgsched.log.2
    c:\documents and settings\All Users\Application Data\avg9\Log\avgsched.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\avgsrm.log
    c:\documents and settings\All Users\Application Data\avg9\Log\avgsrm.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\avgsrmac.log
    c:\documents and settings\All Users\Application Data\avg9\Log\avgsrmac.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\avgui.log
    c:\documents and settings\All Users\Application Data\avg9\Log\avgui.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\avgupd.log
    c:\documents and settings\All Users\Application Data\avg9\Log\avgupd.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\avgwd.log
    c:\documents and settings\All Users\Application Data\avg9\Log\avgwd.log.1
    c:\documents and settings\All Users\Application Data\avg9\Log\avgwd.log.2
    c:\documents and settings\All Users\Application Data\avg9\Log\avgwd.log.3
    c:\documents and settings\All Users\Application Data\avg9\Log\avgwd.log.4
    c:\documents and settings\All Users\Application Data\avg9\Log\avgwd.log.5
    c:\documents and settings\All Users\Application Data\avg9\Log\avgwd.log.6
    c:\documents and settings\All Users\Application Data\avg9\Log\avgwd.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\avgwdsvc.log
    c:\documents and settings\All Users\Application Data\avg9\Log\avgwdsvc.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\fixcfg.log
    c:\documents and settings\All Users\Application Data\avg9\Log\fixcfg.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\history.xml
    c:\documents and settings\All Users\Application Data\avg9\Log\vault.log
    c:\documents and settings\All Users\Application Data\avg9\Log\vault.log.lock
    c:\documents and settings\All Users\Application Data\avg9\scanlogs\I_00000007.log
    c:\documents and settings\All Users\Application Data\avg9\scanlogs\I_00000008.log
    c:\documents and settings\All Users\Application Data\avg9\scanlogs\I_00000009.log
    c:\documents and settings\All Users\Application Data\avg9\scanlogs\srm.idx
    c:\documents and settings\All Users\Application Data\avg9\Temp\17e7926b-bde2-43d1-967b-9c7c861458f9-520-oopp.tmp
    c:\documents and settings\All Users\Application Data\avg9\Temp\18e226a0-d10e-492a-9001-b3b9c5f36353-4fc-oopp.tmp
    c:\documents and settings\All Users\Application Data\avg9\Temp\1c1559f0-34c3-44f8-9767-1fecd2ab2f66-514-oopp.tmp
    c:\documents and settings\All Users\Application Data\avg9\Temp\1cb5b9b4-5e7b-4829-9e28-7c98b208463b-520-oopp.tmp
    c:\documents and settings\All Users\Application Data\avg9\Temp\20ec60af-2e19-4036-914e-1a5d09576877-d00-oopp.tmp
    c:\documents and settings\All Users\Application Data\avg9\Temp\268a35e1-4595-4e46-b520-e9e36a22ff88-524-oopp.tmp
    c:\documents and settings\All Users\Application Data\avg9\Temp\2ebaabcc-7d5c-401c-badc-b2edf7de8a12-500-oopp.tmp
    c:\documents and settings\All Users\Application Data\avg9\Temp\52242f38-8f66-4ed3-ad82-c4eca02dfaea-544-oopp.tmp
    c:\documents and settings\All Users\Application Data\avg9\Temp\63d06097-ecf1-42dc-9641-27753cc1d711-520-oopp.tmp
    c:\documents and settings\All Users\Application Data\avg9\Temp\74c9d191-fa32-44ad-a6f1-5a716551e31d-508-oopp.tmp
    c:\documents and settings\All Users\Application Data\avg9\Temp\785f9270-e508-4800-a5bf-436a4d4f36ee-4f8-oopp.tmp
    c:\documents and settings\All Users\Application Data\avg9\Temp\87f34017-0eaa-4f72-b15b-9bcf06d83224-508-oopp.tmp
    c:\documents and settings\All Users\Application Data\avg9\Temp\889f27d9-d1f1-4ba0-89e1-0f9aa998e563-514-oopp.tmp
    c:\documents and settings\All Users\Application Data\avg9\Temp\aa1a768c-3dff-459e-a5ae-6b1cc34c2280-1f0-oopp.tmp
    c:\documents and settings\All Users\Application Data\avg9\Temp\b0dfab2a-36ea-435b-8bf3-c759a71e4712-520-oopp.tmp
    c:\documents and settings\All Users\Application Data\avg9\Temp\b88f2486-b228-461e-b28f-1a4607e803eb-4e8-oopp.tmp
    c:\documents and settings\All Users\Application Data\avg9\Temp\c67cd8b8-f1ae-4dba-aa04-e2333251d02d-500-oopp.tmp
    c:\documents and settings\All Users\Application Data\avg9\Temp\db7c9f95-4471-4050-8aff-a35ee807a644-518-oopp.tmp
    c:\documents and settings\All Users\Application Data\avg9\Temp\dcc9d856-47e5-4e9c-a5fb-542a74e78cd2-504-oopp.tmp
    c:\documents and settings\All Users\Application Data\avg9\Temp\e9d9e2ec-55b4-4585-8f32-fabd0f7a8822-51c-oopp.tmp
    c:\documents and settings\All Users\Application Data\avg9\Temp\file9514.tmp
    c:\documents and settings\All Users\Application Data\avg9\update\backup\incavi.avm
    c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.dat
    c:\documents and settings\All Users\Application Data\avg9\update\download\avg9infoavi.ctf
    c:\documents and settings\All Users\Application Data\avg9\update\download\avg9infowin.ctf
    c:\documents and settings\All Users\Application Data\avg9\update\download\f9setup733b727kg.bin
    c:\documents and settings\All Users\Application Data\avg9\update\download\f9ui733b730ri.bin
    c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi2667u2665ml.bin
    c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi2669u2667mj.bin
    c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi2671u2669km.bin
    c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi2675u2670ct.bin
    c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi2677u2675mk.bin
    c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi2681u2676zt.bin
    c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi2682u2681im.bin
    c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi2683u2682ts.bin
    c:\documents and settings\Allied Training\Application Data\AVG8
    c:\program files\AVG
    c:\program files\AVG\AVG8\Firefox\chrome.manifest
    c:\program files\AVG\AVG8\Firefox\Components\avgssff.dll
    c:\program files\AVG\AVG8\mail.cfg
    c:\program files\AVG\AVG8\update.cfg
    c:\program files\AVG\AVG9(2)\avg.snu
    c:\program files\AVG\AVG9(2)\avg9us.lng
    c:\program files\AVG\AVG9(2)\avgbat.bav
    c:\program files\AVG\AVG9(2)\avgcclix(2).dll
    c:\program files\AVG\AVG9(2)\avgcertx(2).dll
    c:\program files\AVG\AVG9(2)\avgchclx(2).dll
    c:\program files\AVG\AVG9(2)\avgchjwx(2).dll
    c:\program files\AVG\AVG9(2)\avgchsvx(2).exe
    c:\program files\AVG\AVG9(2)\avgclitx(2).dll
    c:\program files\AVG\AVG9(2)\avgcorex(2).dll
    c:\program files\AVG\AVG9(2)\avgcrlpx(2).dll
    c:\program files\AVG\AVG9(2)\avgcsrvx(2).exe
    c:\program files\AVG\AVG9(2)\avgf9us.chm
    c:\program files\AVG\AVG9(2)\avgfree_us.mht
    c:\program files\AVG\AVG9(2)\avglogx(2).dll
    c:\program files\AVG\AVG9(2)\avgmwdef_us.mht
    c:\program files\AVG\AVG9(2)\avgrsx(2).exe
    c:\program files\AVG\AVG9(2)\avgsbfree_us.mht
    c:\program files\AVG\AVG9(2)\contacts_us.html
    c:\program files\AVG\AVG9(2)\dfncfg.dat
    c:\program files\AVG\AVG9(2)\license_us.htm
    c:\program files\AVG\AVG9(2)\setup.dat
    c:\program files\AVG\AVG9(2)\setupus.lns
    c:\program files\AVG\AVG9(2)\updatecomps.bak

    .
    ((((((((((((((((((((((((( Files Created from 2010-02-24 to 2010-03-24 )))))))))))))))))))))))))))))))
    .

    2010-03-20 18:20 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-03-20 18:20 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-03-20 18:20 . 2010-03-09 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-03-20 18:20 . 2010-03-09 10:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-03-20 18:20 . 2010-03-09 10:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-03-20 18:20 . 2010-03-09 10:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-03-20 18:20 . 2010-03-09 10:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-03-20 18:20 . 2010-03-09 10:24 38848 ----a-w- c:\windows\system32\avastSS.scr
    2010-03-20 18:20 . 2010-03-09 10:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
    2010-03-20 18:20 . 2010-03-20 18:20 -------- d-----w- c:\program files\Alwil Software
    2010-03-20 18:20 . 2010-03-20 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-03-19 14:12 . 2010-03-19 14:12 -------- d-----w- c:\program files\iPod
    2010-03-19 14:12 . 2010-03-19 14:13 -------- d-----w- c:\program files\iTunes
    2010-03-19 10:52 . 2010-03-19 10:52 0 ----a-w- c:\windows\system32\drivers\.sys
    2010-03-10 22:11 . 2010-03-10 22:11 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
    2010-03-10 10:58 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-06 17:16 . 2010-03-06 17:16 -------- d-----w- c:\program files\Trend Micro

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-23 21:26 . 2008-12-30 15:42 4066 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
    2010-03-19 14:12 . 2007-08-16 19:02 -------- d-----w- c:\program files\Common Files\Apple
    2010-03-19 14:11 . 2008-01-23 18:24 -------- d-----w- c:\program files\QuickTime
    2010-03-19 14:09 . 2010-03-19 14:09 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
    2010-03-17 16:50 . 2007-03-13 20:04 -------- d-----w- c:\documents and settings\Allied Training\Application Data\U3
    2010-03-16 14:14 . 2007-06-26 21:10 -------- d-----w- c:\program files\FileZilla
    2010-03-15 14:13 . 2010-03-15 14:13 5088 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2010-03-10 22:15 . 2007-04-02 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-03-02 21:42 . 2007-03-09 14:14 -------- d-----w- c:\program files\Google
    2010-02-19 02:00 . 2010-02-19 02:00 869664 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\qbpatch.exe
    2010-02-12 13:33 . 2010-02-12 13:33 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-02-12 13:17 . 2010-02-08 20:09 -------- d-----w- c:\program files\iPod(2)
    2010-02-12 13:17 . 2010-02-08 20:09 -------- d-----w- c:\program files\iTunes(2)
    2010-02-08 20:02 . 2007-05-18 17:01 -------- d-----w- c:\documents and settings\Allied Training\Application Data\Apple Computer
    2010-02-03 18:51 . 2007-05-22 20:46 -------- d-----w- c:\program files\Cakewalk
    2009-12-31 16:50 . 2004-08-11 22:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-28 22:39 . 2009-12-28 22:39 850736 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\dblgen11.dll
    2009-12-28 22:39 . 2009-12-28 22:39 2151728 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\iAnywhere.Data.SQLAnywhere.dll
    2009-12-28 22:39 . 2009-12-28 22:39 211720 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
    2009-12-28 22:39 . 2009-12-28 22:39 1092872 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
    2008-08-02 17:56 . 2008-08-02 17:55 336 ----a-w- c:\program files\temp995.bat
    2008-09-08 16:58 . 2008-09-08 16:58 44360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2008-09-08 16:58 . 2008-09-08 16:58 107928 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-03-23_20.16.12 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-03-24 20:49 . 2010-03-24 20:49 16384 c:\windows\temp\Perflib_Perfdata_74.dat
    + 2010-03-24 20:49 . 2010-03-24 20:49 16384 c:\windows\temp\Perflib_Perfdata_218.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]
    @="{E4000AC4-5E5F-4956-807A-C5854405D64F}"
    [HKEY_CLASSES_ROOT\CLSID\{E4000AC4-5E5F-4956-807A-C5854405D64F}]
    2008-07-23 19:23 73728 ----a-w- c:\windows\system32\VirtualExpander\VEShellExt.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-04 7630848]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-04 86016]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-08-30 282624]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

    c:\documents and settings\Allied Training\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    PTBM Startup.LNK - c:\ptbm2005\ptbm.exe [2007-3-13 2850816]
    VirtualExpander.lnk - c:\windows\system32\VirtualExpander\VirtualExpander.exe [2008-7-23 474808]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-3-21 61440]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-02-15 22:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/20/2010 2:20 PM 162640]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/20/2010 2:20 PM 19024]
    S2 atnthost;WebEx Remote Access Agent;"c:\windows\Downlo~1\MyWebEx\319\atnthost.exe" --> c:\windows\Downlo~1\MyWebEx\319\atnthost.exe [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-19 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

    2010-03-24 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
    DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
    DPF: {5C709EEC-DDE1-4738-8E57-7564E2637891} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom1_2009.cab
    DPF: {788539E8-002D-4E59-9089-40B694A99C9A} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2008.cab
    DPF: {7DD82D6B-3553-470B-8D1E-D5C7086478A7} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2005.cab
    DPF: {F8A9F96F-8375-4596-BD89-EEAE2781D810} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom1.cab
    FF - ProfilePath - c:\documents and settings\Allied Training\Application Data\Mozilla\Firefox\Profiles\4p1g6p5c.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?&q=
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npwbe.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-24 16:49
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\.xaml\bootstrap]
    @DACL=(02 0000)
    @="bootstrap.xaml.1"

    [HKEY_LOCAL_MACHINE\software\Classes\.xbap\bootstrap]
    @DACL=(02 0000)
    @="bootstrap.xbap.1"

    [HKEY_LOCAL_MACHINE\software\Classes\.xps\bootstrap]
    @DACL=(02 0000)
    @="bootstrap.xps.1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2156)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\VirtualExpander\VEShellExt.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Flip Video\FlipShare\FlipShareService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\stsystra.exe
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\wbem\unsecapp.exe
    .
    **************************************************************************
    .
    Completion time: 2010-03-24 16:53:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-24 20:53
    ComboFix2.txt 2010-03-23 20:20

    Pre-Run: 114,654,838,784 bytes free
    Post-Run: 114,643,996,672 bytes free

    - - End Of File - - 12ADB056FA59B3727013E4D629057EE9

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Allied Training at 16:54:58.42 on Wed 03/24/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1450 [GMT -4:00]

    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\stsystra.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Allied Training\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    StartupFolder: c:\docume~1\allied~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\allied~1\startm~1\programs\startup\ptbmst~1.lnk - c:\ptbm2005\ptbm.exe
    StartupFolder: c:\docume~1\allied~1\startm~1\programs\startup\virtua~1.lnk - c:\windows\system32\virtualexpander\VirtualExpander.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\windows\downlo~1\mywebex\319\raagtx.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {5C709EEC-DDE1-4738-8E57-7564E2637891} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom1_2009.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175541787734
    DPF: {788539E8-002D-4E59-9089-40B694A99C9A} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2008.cab
    DPF: {7DD82D6B-3553-470B-8D1E-D5C7086478A7} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2005.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    DPF: {F8A9F96F-8375-4596-BD89-EEAE2781D810} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom1.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
    Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\allied~1\applic~1\mozilla\firefox\profiles\4p1g6p5c.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?&q=
    FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npwbe.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-20 162640]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-20 19024]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-20 40384]
    R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-3-9 1247600]
    S2 atnthost;WebEx Remote Access Agent;"c:\windows\downlo~1\mywebex\319\atnthost.exe" --> c:\windows\downlo~1\mywebex\319\atnthost.exe [?]
    S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-20 40384]
    S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-20 40384]

    =============== Created Last 30 ================

    2010-03-20 18:20:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
    2010-03-20 15:08:28 0 d-sha-r- C:\cmdcons
    2010-03-20 15:06:57 98816 ----a-w- c:\windows\sed.exe
    2010-03-20 15:06:57 77312 ----a-w- c:\windows\MBR.exe
    2010-03-20 15:06:57 261632 ----a-w- c:\windows\PEV.exe
    2010-03-20 15:06:57 161792 ----a-w- c:\windows\SWREG.exe
    2010-03-19 14:12:51 0 d-----w- c:\program files\iPod
    2010-03-19 14:12:46 0 d-----w- c:\program files\iTunes
    2010-03-19 10:52:58 0 ----a-w- c:\windows\system32\drivers\.sys
    2010-03-15 14:13:37 5088 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2010-03-10 10:58:11 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-06 17:16:51 0 d-----w- c:\program files\Trend Micro

    ==================== Find3M ====================

    2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
    2008-08-02 17:56:03 336 ----a-w- c:\program files\temp995.bat

    ============= FINISH: 16:55:08.57 ===============

    #14 km2357

    km2357

    • Malware Response Team
    • 1,784 posts
    • Gender:Male
    • Location:California
    • Local time:04:24 PM

    Posted 24 March 2010 - 09:53 PM

    QUOTE
    FYI computer already seems to be running better.


    That's good news.

    QUOTE
    I do NOT recognize the file c:\program files\temp995.bat


    Since you don't recognize it, I'll have you upload the file to be scanned to see if it's bad or not.


    Step # 1 Upload Files

    Go to Jotti
    Copy the following line into the white textbox:
    c:\program files\temp995.bat
    Click Submit.
    Please post the results of this scan to this thread.

    If Jotti is busy, Go to VirusTotal and scan the file(s) there.

    MalWare Removal University Master

    Member of ASAP


    #15 JamieOne

    JamieOne
    • Topic Starter

    • Members
    • 16 posts
    • Local time:07:24 PM

    Posted 25 March 2010 - 03:24 PM

    19 of the scanners found nothing.

    1 scanner Clam AV timed out.

    Did you need anything else? There wasn't really anything to copy and paste.



