Trojan Horse VB.VJE Infection


  • This topic is locked
12 replies to this topic

#1 JoeS28

JoeS28

  • Members
  • 12 posts

Posted 19 March 2010 - 07:22 AM

Hi there. I've been a lurker on this forum for a little while and never thought I'd be needing the help. Yesterday my AVG picked up 18 infected files out of the blue. It says it removed them. I then rebooted in safe mode and ran AVG again from there and it picked up another 18 files with the same virus in what appears to be a system restore point. It says that it also cleaned those files. Both of these scans found the infected files on my D: drive partition. Normally I might consider this good enough, but I am just about to install Quicken for the first time on this computer, which will involve typing in and signing into all of my very important financial information and associated web accounts. I need to know that this system is now clean. I'm also concerned about any possible infection spreading to my portable hard drive and reinfecting the computer after it's been cleaned. The portable hard drive was only attached to the system for the first time after both of these infections were cleaned by AVG.

It seems from the AVG forums that these may be false positives, yet to be confirmed, but I want to make sure given the sensitive nature of the program to be installed shortly.

Below and attached are the requested log files. I sincerely appreciate the time and effort that goes into helping people on this site. Thanks!

Joe
---------------------------------

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 22:07:18.65 on Thu 03/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.997 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\n52te\n52teHid.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\n52te\n52teTra.exe
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\lcdmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.emachines.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CHotkey] zHotkey.exe
mRun: [ShowWnd] ShowWnd.exe
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\distillr\Acrotray.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Jomantha] c:\program files\n52te\n52teHid.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Launch LgDeviceAgent] "c:\program files\logitech\gamepanel software\LgDevAgt.exe"
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0DE70C1A-5136-45F6-95DA-B81CCF0DA5B3} - hxxps://gosystemrs.fasttax.com/OCX/RIARSDocumentum.cab
DPF: {13F71666-05F2-11D2-B2F6-00A0C9A08B64} - hxxps://gosystemrs.fasttax.com/OCX/comconv.cab
DPF: {227F25BE-BCDC-11D0-BA80-0000F6181652} - hxxps://gosystemrs.fasttax.com/OCX/RSLoginModule.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {455182EE-8F93-11D2-BA3C-00C04F7F6533} - hxxps://gosystemrs.fasttax.com/OCX/RSTabbedList.cab
DPF: {4E330863-6A11-11D0-BFD8-006097237877} - hxxps://gosystemrs.fasttax.com/OCX/iftwclix.cab
DPF: {7B640A40-EEC1-11D2-B526-00C04F8DEE99} - hxxps://gosystemrs.fasttax.com/OCX/WebAttachments.cab
DPF: {82BFFC8C-B4BD-11D4-9908-000102053AFB} - hxxps://gosystemrs.fasttax.com/OCX/webnotifier.cab
DPF: {86B092BC-7ABA-11D4-98E7-000102053AFB} - hxxps://gosystemrs.fasttax.com/OCX/Downloader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {973EA5BE-9ED6-11D3-AB1D-00C04F7468E4} - hxxps://gosystemrs.fasttax.com/OCX/DCParse.cab
DPF: {97A90946-2984-11D3-AAE7-00C04F7468E4} - hxxps://gosystemrs.fasttax.com/OCX/frmsrc.cab
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D76D712E-4A96-11D3-BD95-D296DC2DD072} - hxxps://gosystemrs.fasttax.com/OCX/vsflex7.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\h3sw6sj0.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\h3sw6sj0.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvlc.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-11 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-10-11 29512]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-11 242696]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-14 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-14 308064]
R2 DbgMsg;Debug Message;c:\windows\system32\drivers\DbgMsg.sys [2009-3-12 18240]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2006-11-24 3712]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-10-14 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2005-9-7 9817]
R3 JmtFltr;n52te;c:\windows\system32\drivers\JmtFltr.sys [2008-11-18 48896]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-3-18 11520]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2005-9-7 137392]
S3 MosIrUsb;MosIrUsb.sys;c:\windows\system32\drivers\MosIrUsb.sys [2009-3-12 20736]
S3 NAVAP;NAVAP;\??\c:\program files\navnt\navap.sys --> c:\program files\navnt\NAVAP.sys [?]
S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20090819.034\naveng.sys --> c:\progra~1\common~1\symant~1\virusd~1\20090819.034\NAVENG.sys [?]
S3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20090819.034\navex15.sys --> c:\progra~1\common~1\symant~1\virusd~1\20090819.034\NAVEX15.sys [?]
S3 PciCon;PciCon;\??\f:\pcicon.sys --> f:\PciCon.sys [?]

=============== Created Last 30 ================

2010-03-19 03:03:57 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-03-18 21:19:53 0 d-----w- c:\docume~1\alluse~1\applic~1\WD_SmartWareCommon
2010-03-18 21:16:20 0 d-----w- c:\docume~1\owner\applic~1\Western Digital
2010-03-18 21:16:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Western Digital
2010-03-18 21:15:32 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2010-03-18 21:14:55 0 d-----w- c:\program files\Western Digital
2010-03-15 04:08:04 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-10 01:41:42 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-03-15 04:08:07 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-15 04:07:51 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2005-09-08 22:23:12 230641 ----a-w- c:\program files\INSTALL.LOG
2005-09-08 23:54:21 0 --sha-w- c:\windows\sminst\HPCD.sys
2008-09-06 18:35:25 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat

============= FINISH: 22:09:30.63 ===============



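As an added example (not part of Joe's post, and not code from DDS, AVG or any other tool named in this thread), here is a small Python triage pass over the kind of lines DDS prints in its Pseudo HJT and Services sections. It flags the entries a helper reads first: Run values whose executable carries no directory and is therefore resolved by a PATH search at logon (as `zHotkey.exe` is above), toolbar or BHO registrations with no backing file, drivers whose file is not present at the registered path (the `[?]` marker, here on the removable drive `f:`), and any Hosts override. The sample input is a constructed subset copied from the DDS log above; the category names and the `triage` / `categories` functions are my own.

```python
import re

# Constructed sample: a subset of lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
mRun: [CHotkey] zHotkey.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
Hosts: 127.0.0.1 www.spywareinfo.com
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-11 216200]
S3 PciCon;PciCon;\??\f:\pcicon.sys --> f:\PciCon.sys [?]
"""

# Line shapes as DDS prints them (patterns written for this example).
RUN_RE = re.compile(r'^[um]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
ADDON_RE = re.compile(r'^(?P<kind>TB|BHO|EB): (?P<rest>.+)$')
DRIVER_RE = re.compile(r'^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+)$')
HOSTS_RE = re.compile(r'^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$')
# A fully qualified command starts with a drive letter or an environment variable.
QUALIFIED_RE = re.compile(r'^(?:[a-z]:\\|%[^%]+%\\)', re.I)


def first_token(cmd):
    """Return the executable part of a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def triage(log_text):
    """Return a list of findings; each is a dict with category, item and the raw line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            # No directory in the executable: Windows locates it by PATH search.
            if not QUALIFIED_RE.match(first_token(m.group('cmd'))):
                findings.append({'category': 'unqualified_run', 'item': m.group('name'), 'line': line})
            continue
        m = ADDON_RE.match(line)
        if m:
            # Registration left behind with no DLL on disk.
            if m.group('rest').endswith('- No File'):
                findings.append({'category': 'orphaned_addon', 'item': m.group('kind'), 'line': line})
            continue
        m = DRIVER_RE.match(line)
        if m:
            path = m.group('path')
            # DDS appends [?] when the driver file is not at its registered path.
            if path.endswith('[?]'):
                drive = re.search(r'([a-z]):\\', path, re.I)
                findings.append({'category': 'driver_missing_file', 'item': m.group('name'),
                                 'drive': drive.group(1).lower() if drive else None, 'line': line})
            continue
        m = HOSTS_RE.match(line)
        if m:
            # DDS only prints non-default Hosts entries, so every one is worth a look.
            findings.append({'category': 'hosts_override', 'item': m.group('host'), 'line': line})
    return findings


def categories(findings):
    """Count findings per category, for a quick summary."""
    counts = {}
    for f in findings:
        counts[f['category']] = counts.get(f['category'], 0) + 1
    return counts


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['category']:<20} {f['item']:<12} {f['line']}")
    print(categories(triage(SAMPLE_LOG)))
```

A flagged line is a prompt to verify, not a verdict: unqualified entries such as `zHotkey.exe` and `SOUNDMAN.EXE` are commonly OEM tray utilities that live in the Windows directory, and the point of the flag is to confirm which file actually gets loaded. The driver registered on `f:` and the Hosts entry blocking a security site are the two items a helper would ask the user about first.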


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 21 March 2010 - 04:04 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 JoeS28

JoeS28
  • Topic Starter

  • Members
  • 12 posts

Posted 21 March 2010 - 04:11 PM

I'm here and awaiting your advice. Thanks for taking the time to reply.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 21 March 2010 - 04:33 PM

Plug in your portable hard drive and then run Combofix as below.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks
m0le is a proud member of UNITE

#5 JoeS28

JoeS28
  • Topic Starter

  • Members
  • 12 posts

Posted 21 March 2010 - 06:17 PM

Below is the combofix log. I also included a mbam log that was run after my initial post. Thanks!

ComboFix 10-03-21.01 - Owner 03/21/2010 17:30:28.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1117 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\comfix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\recycler\S-1-5-21-2626191610-1205389388-834698159-500
c:\recycler\S-1-5-21-3182237036-1388889847-2430597741-500
c:\recycler\S-1-5-21-3574691555-3905486512-2342171452-500
c:\windows\system32\ATHPRXY(2).DLL
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-02-21 to 2010-03-21 )))))))))))))))))))))))))))))))
.

2010-03-19 14:50 . 2010-03-19 14:50 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-19 14:50 . 2010-03-19 14:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-03-19 14:49 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-19 14:49 . 2010-03-19 14:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-19 14:49 . 2010-03-19 14:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-19 14:49 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-18 21:19 . 2010-03-18 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\WD_SmartWareCommon
2010-03-18 21:17 . 2010-03-18 21:17 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Western_Digital
2010-03-18 21:16 . 2010-03-18 21:16 -------- d-----w- c:\documents and settings\Owner\Application Data\Western Digital
2010-03-18 21:16 . 2010-03-18 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
2010-03-18 21:15 . 2010-03-18 21:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2010-03-18 21:15 . 2009-02-13 17:02 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2010-03-18 21:14 . 2010-03-18 21:14 -------- d-----w- c:\program files\Western Digital
2010-03-18 21:14 . 2010-03-18 21:14 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Western Digital
2010-03-18 00:51 . 2010-03-18 00:51 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-03-15 04:08 . 2010-03-15 04:08 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-03-15 04:08 . 2010-03-15 04:08 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-03-15 04:08 . 2010-03-15 04:08 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-03-15 04:08 . 2010-03-15 04:08 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-10 01:41 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-21 18:49 . 2009-12-24 01:21 0 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\prvlcl.dat
2010-03-18 21:14 . 2005-09-07 22:13 64784 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-15 04:08 . 2009-10-12 03:51 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-15 04:08 . 2009-10-12 03:51 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-15 04:07 . 2009-10-12 03:51 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-08 22:13 . 2008-08-31 23:46 -------- d-----w- c:\program files\SystemRequirementsLab
2010-02-08 22:13 . 2010-02-08 22:13 138240 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll
2010-02-08 22:13 . 2010-02-08 22:13 138240 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll
2010-02-08 22:13 . 2010-02-08 22:13 138240 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll
2010-02-08 22:13 . 2010-02-08 22:13 138240 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll
2010-02-08 22:13 . 2008-08-31 23:46 -------- d-----w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab
2010-02-03 05:32 . 2005-09-08 01:02 -------- d-----w- c:\program files\World of Warcraft
2010-01-06 23:55 . 2010-01-06 23:55 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{A155B349-F976-45A9-B2B3-ABDE9765875B}\ARPPRODUCTICON.exe
2010-01-06 23:54 . 2010-01-06 23:54 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-12-31 16:50 . 2005-04-13 16:56 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2005-09-08 23:54 . 2005-09-08 23:54 0 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-06 67128]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"CHotkey"="zHotkey.exe" [2004-05-18 543232]
"ShowWnd"="ShowWnd.exe" [2003-09-19 36864]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-18 339968]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"SoundMan"="SOUNDMAN.EXE" [2004-12-01 77824]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Distillr\Acrotray.exe" [2004-12-14 483328]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 94208]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2006-07-19 94208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"Jomantha"="c:\program files\n52te\n52teHid.exe" [2008-06-13 159744]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2009-05-04 354312]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2009-05-04 1572872]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2009-05-04 2817544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-3-6 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-11-24 671744]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-10-14 2049344]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-10-14 9085760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-15 04:08 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nortel Networks\\Extranet.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\My Downloads\\Naxxramas_English-downloader.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/11/2009 10:51 PM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/11/2009 10:51 PM 242696]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/14/2010 11:07 PM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/14/2010 11:07 PM 308064]
R2 DbgMsg;Debug Message;c:\windows\system32\drivers\DbgMsg.sys [3/12/2009 8:01 PM 18240]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [11/24/2006 7:14 PM 3712]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [10/14/2009 2:31 PM 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 9:58 AM 20480]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [9/7/2005 5:37 PM 9817]
R3 JmtFltr;n52te;c:\windows\system32\drivers\JmtFltr.sys [11/18/2008 5:54 PM 48896]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [3/18/2010 4:15 PM 11520]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [9/7/2005 5:37 PM 137392]
S3 MosIrUsb;MosIrUsb.sys;c:\windows\system32\drivers\MosIrUsb.sys [3/12/2009 8:04 PM 20736]
S3 PciCon;PciCon;\??\f:\pcicon.sys --> f:\PciCon.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.emachines.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {0DE70C1A-5136-45F6-95DA-B81CCF0DA5B3} - hxxps://gosystemrs.fasttax.com/OCX/RIARSDocumentum.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\h3sw6sj0.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\h3sw6sj0.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-21 17:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1188)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\NavLogon.dll
.
Completion time: 2010-03-21 18:08:55
ComboFix-quarantined-files.txt 2010-03-21 23:08

Pre-Run: 67,032,014,848 bytes free
Post-Run: 70,363,275,264 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - C6AB8462072C4A1FD7E79C64028FEF46


Malwarebytes' Anti-Malware 1.44
Database version: 3885
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/19/2010 11:07:09 AM
mbam-log-2010-03-19 (11-07-09).txt

Scan type: Quick Scan
Objects scanned: 146206
Time elapsed: 17 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\setup.player (Spyware.MarketScore) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\setup.player.2k2 (Spyware.MarketScore) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{35b7e48b-9d81-4c6c-9578-5fd4f620d886} (Spyware.MarketScore) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{35b7e48b-9d81-4c6c-9578-5fd4f620d886} (Spyware.MarketScore) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:03 AM

Posted 21 March 2010 - 06:49 PM

Looking good, but can you rerun MBAM on Full Scan, please?


Then

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found there will be no option to export the text file as no log will be produced. Let me know if this is the case.
Thanks
m0le is a proud member of UNITE

#7 JoeS28

JoeS28
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 22 March 2010 - 05:17 PM

Here is the mbam scan. The online scan appears to have gotten stuck. It is at 23% after 10 hours. I'll rerun it tonight.

Malwarebytes' Anti-Malware 1.44
Database version: 3885
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/22/2010 6:35:35 AM
mbam-log-2010-03-22 (06-35-35).txt

Scan type: Full Scan (C:\|D:\|L:\|)
Objects scanned: 309748
Time elapsed: 9 hour(s), 24 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#8 JoeS28

JoeS28
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 23 March 2010 - 07:23 AM

Well, ESET stalled out again at the same point overnight. Not sure how to proceed now.

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:03 AM

Posted 23 March 2010 - 12:10 PM

There isn't a huge problem on the PC so ESET stalling shouldn't concern you too much. We'll try another online scanner. Please use Internet Explorer here.

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.

m0le is a proud member of UNITE

#10 JoeS28

JoeS28
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 23 March 2010 - 06:51 PM

BitDefender Log:

BitDefender QuickScan Beta 32-bit v0.9.9.10
-------------------------------------------

Scan date: Tue Mar 23 18:34:20 2010
Machine ID: FCD9EF8B



No infection found.
---------------------


Processes
---------
<unsigned> AcroTray - Adobe Acrobat Distiller help 4084 C:\Program Files\Adobe\Distillr\Acrotray.exe
<unsigned> Apple Mobile Device Service 1172 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
<unsigned> hp coretech (COmponent REuse TECHnolog 220 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
<unsigned> Logitech Desktop Messenger 2168 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
<unsigned> Logitech SetPoint 3488 C:\Program Files\Logitech\SetPoint\SetPoint.exe
<unsigned> Multimedia Card Reader 3808 C:\Program Files\Digital Media Reader\shwiconem.exe
<unsigned> Multimedia Keyboard Driver 3760 C:\WINDOWS\zHotkey.exe
<unsigned> ntmulti.exe 1912 C:\Program Files\lotus\notes\ntmulti.exe
<unsigned> PowerDVD 3992 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
<unsigned> PrismXL Software Family 228 C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
<unsigned> razerhid Application 3408 C:\Program Files\n52te\n52teHid.exe
<unsigned> razertra Application 3972 C:\Program Files\n52te\n52teTra.exe
<unsigned> WD Drive Manager 1104 C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe

<verified> AVG Internet Security 532 C:\Program Files\AVG\AVG9\avgchsvx.exe
<verified> AVG Internet Security 920 C:\Program Files\AVG\AVG9\avgcsrvx.exe
<verified> AVG Internet Security 3856 C:\Program Files\AVG\AVG9\avgcsrvx.exe
<verified> AVG Internet Security 2732 C:\Program Files\AVG\AVG9\avgemc.exe
<verified> AVG Internet Security 2084 C:\Program Files\AVG\AVG9\avgnsx.exe
<verified> AVG Internet Security 592 C:\Program Files\AVG\AVG9\avgrsx.exe
<verified> AVG Internet Security 1184 C:\Program Files\AVG\AVG9\avgwdsvc.exe
<verified> Firefox 552 C:\Program Files\Mozilla Firefox\firefox.exe
<verified> iTunes 2972 C:\Program Files\iPod\bin\iPodService.exe
<verified> Java™ Platform SE 6 U17 1788 C:\Program Files\Java\jre6\bin\jqs.exe
<verified> Java™ Platform SE 6 U17 3580 C:\Program Files\Java\jre6\bin\jusched.exe
<verified> Logitech GamePanel Software 328 C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
<verified> Logitech GamePanel Software 3728 C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
<verified> Logitech SetPoint 2808 C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
<verified> Microsoft ActiveSync 3484 C:\Program Files\Microsoft ActiveSync\rapimgr.exe
<verified> Microsoft ActiveSync 1996 C:\Program Files\Microsoft ActiveSync\wcescomm.exe
<verified> Microsoft® Windows® Operating System 3056 C:\Program Files\Windows Media Player\WMPNetwk.exe
<verified> Microsoft® Windows® Operating System 3356 C:\Program Files\Windows Media Player\WMPNSCFG.exe
<verified> Microsoft® Windows® Operating System 3832 C:\WINDOWS\eHome\ehmsas.exe
<verified> Microsoft® Windows® Operating System 1296 C:\WINDOWS\eHome\ehRecvr.exe
<verified> Microsoft® Windows® Operating System 1336 C:\WINDOWS\eHome\ehSched.exe
<verified> Microsoft® Windows® Operating System 3744 C:\WINDOWS\ehome\ehtray.exe
<verified> Microsoft® Windows® Operating System 2768 C:\WINDOWS\ehome\mcrdsvc.exe
<verified> Microsoft® Windows® Operating System 2556 C:\WINDOWS\Explorer.EXE
<verified> Microsoft® Windows® Operating System 2688 C:\WINDOWS\System32\alg.exe
<verified> Microsoft® Windows® Operating System 1356 C:\WINDOWS\system32\csrss.exe
<verified> Microsoft® Windows® Operating System 456 C:\WINDOWS\system32\dllhost.exe
<verified> Microsoft® Windows® Operating System 1440 C:\WINDOWS\system32\lsass.exe
<verified> Microsoft® Windows® Operating System 2564 C:\WINDOWS\system32\RUNDLL32.EXE
<verified> Microsoft® Windows® Operating System 1428 C:\WINDOWS\system32\services.exe
<verified> Microsoft® Windows® Operating System 1196 C:\WINDOWS\System32\smss.exe
<verified> Microsoft® Windows® Operating System 868 C:\WINDOWS\system32\spoolsv.exe
<verified> Microsoft® Windows® Operating System 380 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 168 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1740 C:\WINDOWS\System32\svchost.exe
<verified> Microsoft® Windows® Operating System 2000 C:\WINDOWS\System32\svchost.exe
<verified> Microsoft® Windows® Operating System 1700 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1628 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 112 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 536 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 416 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 448 C:\WINDOWS\system32\taskmgr.exe
<verified> Microsoft® Windows® Operating System 1380 C:\WINDOWS\system32\winlogon.exe
<verified> NVIDIA Driver Helper Service, Version 1 1944 C:\WINDOWS\system32\nvsvc32.exe
<verified> Realtek Sound Manager 4068 C:\WINDOWS\SOUNDMAN.EXE


Network activity
----------------
Process firefox.exe (552) connected on port 80 (HTTP) - crl.verisign.com
Process firefox.exe (552) connected on port 80 (HTTP) - www.google
Process firefox.exe (552) connected on port 80 (HTTP) - crl.thawte.com
Process firefox.exe (552) connected on port 80 (HTTP) - crl.verisign.com
Process firefox.exe (552) connected on port 80 (HTTP) - crl.microsoft.com

Process svchost.exe (536) listens on ports: 2869 (SSDP event notification, UPNP)
Process svchost.exe (1700) listens on ports: 135 (RPC)
Process WMPNetwk.exe (3056) listens on ports: 10243


Autoruns and critical files
---------------------------
<unsigned> AcroTray - Adobe Acrobat Distiller help C:\Program Files\Adobe\Distillr\Acrotray.exe
<unsigned> Ahead Software Gmbh NeroCheck C:\WINDOWS\system32\NeroCheck.exe
<unsigned> Application Remind_XP C:\WINDOWS\Creator\Remind_XP.exe
<unsigned> ATI Desktop Component C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
<unsigned> hp coretech (COmponent REuse TECHnolog C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
<unsigned> Logitech Desktop Messenger C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
<unsigned> Multimedia Card Reader C:\Program Files\Digital Media Reader\shwiconem.exe
<unsigned> Multimedia Keyboard Driver C:\WINDOWS\zHotkey.exe
<unsigned> NavLogon.dll C:\WINDOWS\system32\NavLogon.dll
<unsigned> nwiz.exe C:\WINDOWS\system32\nwiz.exe
<unsigned> PowerDVD C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
<unsigned> QuickTime C:\Program Files\QuickTime\QTTask.exe
<unsigned> razerhid Application C:\Program Files\n52te\n52teHid.exe
<unsigned> Recguard Application C:\WINDOWS\SMINST\RECGUARD.EXE
<unsigned> ShowWnd.exe C:\WINDOWS\ShowWnd.exe

<verified> ATI External Event Utility for NT, W2K C:\WINDOWS\system32\ati2evxx.dll
<verified> AVG Internet Security C:\WINDOWS\system32\avgrsstx.dll
<verified> iTunes C:\Program Files\iTunes\iTunesHelper.exe
<verified> Java™ Platform SE 6 U17 C:\Program Files\Java\jre6\bin\jusched.exe
<verified> Logitech GamePanel Software C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
<verified> Logitech GamePanel Software C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
<verified> Logitech GamePanel Software C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
<verified> Logitech SetPoint C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
<verified> Logitech SetPoint C:\WINDOWS\KHALMNPR.EXE
<verified> Microsoft ActiveSync C:\Program Files\Microsoft ActiveSync\wcescomm.exe
<verified> Microsoft® Windows® Operating System C:\Program Files\Windows Media Player\WMPNSCFG.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\ehome\ehtray.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\browseui.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\crypt32.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\cscdll.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\dimsntfy.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\logonui.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\sclgntfy.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\shell32.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\stobject.dll
<verified> Microsoft® Windows® Operating System c:\windows\system32\userinit.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\wlnotify.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\WPDShServiceObj.dll
<verified> NVIDIA Compatible Windows 2000 Display C:\WINDOWS\system32\NvCpl.dll
<verified> NVIDIA Media Center Library C:\WINDOWS\system32\nvmctray.dll
<verified> Realtek Sound Manager C:\WINDOWS\SOUNDMAN.EXE
<verified> TeaTimer.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
<verified> Windows Genuine Advantage C:\WINDOWS\system32\WgaLogon.dll
<verified> Windows® Internet Explorer C:\WINDOWS\system32\webcheck.dll


Browser plugins
---------------
<unsigned> Adobe Acrobat C:\Program Files\Internet Explorer\plugins\nppdf32.dll
<unsigned> Adobe IE plugin c:\program files\adobe\acrobat\acroiefavclient.dll
<unsigned> FreeImage.dll C:\WINDOWS\Downloaded Program Files\FreeImage.dll
<unsigned> Fujifilm E-Systems Uploader Dynamic Lin C:\WINDOWS\Downloaded Program Files\FujifilmUploadClient.dll
<unsigned> IFTW OLE Control Module C:\WINDOWS\Downloaded Program Files\iftw.dll
<unsigned> InstallShield InstallFromTheWeb C:\WINDOWS\Downloaded Program Files\iftw.exe
<unsigned> ISiteLite Internet Commuications Layer C:\WINDOWS\Downloaded Program Files\IsiteLite.dll
<unsigned> Java™ Platform SE 6 U17 c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
<unsigned> libcurl.dll C:\WINDOWS\Downloaded Program Files\libcurl.dll
<unsigned> MetaStream 3 Plugin C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
<unsigned> npitunes.dll C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
<unsigned> QuickTime Plug-in 7.3.1 C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
<unsigned> QuickTime Plug-in 7.3.1 C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
<unsigned> QuickTime Plug-in 7.3.1 C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
<unsigned> QuickTime Plug-in 7.3.1 C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
<unsigned> QuickTime Plug-in 7.3.1 C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
<unsigned> QuickTime Plug-in 7.3.1 C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
<unsigned> QuickTime Plug-in 7.3.1 C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
<unsigned> QuickTime Plug-in 7.3.1 C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
<unsigned> QuickTime Plug-in 7.3.1 C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
<unsigned> QuickTime Plug-in 7.3.1 C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
<unsigned> QuickTime Plug-in 7.3.1 C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
<unsigned> QuickTime Plug-in 7.3.1 C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
<unsigned> QuickTime Plug-in 7.3.1 C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
<unsigned> QuickTime Plug-in 7.3.1 C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
<unsigned> RealJukebox NS Plugin C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll
<unsigned> RealJukebox NS Plugin C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
<unsigned> RealPlayer Version Plugin C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
<unsigned> RealPlayer Version Plugin C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
<unsigned> Snapfish Activia C:\WINDOWS\Downloaded Program Files\SnapfishActivia1000.ocx
<unsigned> Snapfish Plugin for Firefox C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll
<unsigned> VLC multimedia plugin C:\Program Files\Mozilla Firefox\plugins\npvlc.dll

<verified> AcroIEHelper Library c:\program files\adobe\activex\acroiehelper.dll
<verified> AVG Internet Security c:\program files\avg\avg9\avgssie.dll
<verified> BitDefender QuickScan C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles/h3sw6sj0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
<verified> BitDefender QuickScan C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles/h3sw6sj0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
<verified> Facebook Photo Uploader 5 C:\WINDOWS\Downloaded Program Files\ImageUploader5.ocx
<verified> FrmSrcCt ActiveX Control Module C:\WINDOWS\Downloaded Program Files\FrmSrcCt.ocx
<verified> getPlusPlus for Adobe 16244 C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles/h3sw6sj0.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
<verified> getPlusPlus for Adobe 16244 C:\Program Files\Mozilla Firefox\plugins\np_gp.dll
<verified> InstallShield ® C:\WINDOWS\Downloaded Program Files\setup.exe
<verified> Java Deployment Toolkit 6.0.170.4 C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
<verified> Java™ Platform SE 6 U17 c:\program files\java\jre6\bin\jp2ssv.dll
<verified> Messenger C:\Program Files\Messenger\msmsgs.exe
<verified> Microsoft® Windows Media Player Firefox C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\mswsock.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\winrnr.dll
<verified> Mozilla Default Plug-in C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
<verified> NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
<verified> Picasa C:\Program Files\Picasa2\npPicasa3.dll
<verified> RealPlayer™ G2 LiveConnect-Enabled P C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
<verified> RealPlayer™ G2 LiveConnect-Enabled P C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
<verified> RIA RS Products C:\WINDOWS\Downloaded Program Files\CLRMachineInfo.dll
<verified> sdhelper.dll c:\program files\spybot - search & destroy\sdhelper.dll
<verified> VSFlexGrid 7.0 Pro C:\WINDOWS\Downloaded Program Files\vsflex7.ocx
<verified> Windows Genuine Advantage C:\Program Files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
<verified> Windows Presentation Foundation c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
<verified> Windows® Internet Explorer C:\WINDOWS\system32\ieframe.dll
<verified> Yahoo! Toolbar c:\program files\yahoo!\companion\installs\cpn\yt.dll


Missing files
-------------
File not found: C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys
referenced in: HKLM\System\ControlSet001\services\catchme\Parameters\"ImagePath"

File not found: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090819.034\NAVENG.sys
referenced in: HKLM\System\ControlSet001\services\NAVENG\Parameters\"ImagePath"

File not found: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090819.034\NAVEX15.sys
referenced in: HKLM\System\ControlSet001\services\NAVEX15\Parameters\"ImagePath"

File not found: C:\Program Files\NavNT\NAVAP.sys
referenced in: HKLM\System\ControlSet001\services\NAVAP\Parameters\"ImagePath"

File not found: F:\PciCon.sys
referenced in: HKLM\System\ControlSet001\services\PciCon\Parameters\"ImagePath"

File not found: K:\smartware.exe
referenced in: K:\autorun.inf

File not found: WRLogonNTF.dll
referenced in: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier\"DllName"

File not found: system32\DRIVERS\wanatw4.sys
referenced in: HKLM\System\ControlSet001\services\wanatw\Parameters\"ImagePath"


Scan
----


No file uploaded.

Scan finished - communication took 4 sec
Total traffic - 0.07 MB sent, 3.04 KB recvd
Scanned 1189 files and modules - 601 seconds
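The "Missing files" section of the log above has a fixed two-line format (a "File not found:" line followed by a "referenced in:" line). As an added example, not part of the thread or of the scanner's own code, here is a small Python parser that pulls out each orphaned reference and classifies where it comes from (a service ImagePath, a Winlogon Notify DLL, or an autorun.inf), using sample lines constructed from the log quoted above.

```python
"""Parse the 'Missing files' block of a SystemLook-style scan log.

Added example; not part of the thread or of the scanner's own code.
A dangling ImagePath or Winlogon Notify entry usually means a driver or
security product was removed without cleaning up the registry, while an
autorun.inf on a removable drive pointing at a missing .exe is worth a look.
"""
import re
from dataclasses import dataclass

# Sample lines constructed from the log quoted in the thread.
SAMPLE_LOG = r"""Missing files
-------------
File not found: C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys
referenced in: HKLM\System\ControlSet001\services\catchme\Parameters\"ImagePath"

File not found: K:\smartware.exe
referenced in: K:\autorun.inf

File not found: WRLogonNTF.dll
referenced in: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier\"DllName"
"""

ENTRY_RE = re.compile(r"File not found: (?P<path>.+)\nreferenced in: (?P<ref>.+)")
SERVICE_RE = re.compile(r'\\services\\([^\\]+)\\Parameters\\"ImagePath"$', re.I)
NOTIFY_RE = re.compile(r'\\Winlogon\\Notify\\([^\\]+)\\"DllName"$', re.I)
AUTORUN_RE = re.compile(r"^([A-Z]):\\autorun\.inf$", re.I)


@dataclass
class Orphan:
    path: str       # the file the registry value or autorun.inf still points at
    reference: str  # where the dangling reference lives
    kind: str       # service_imagepath | winlogon_notify | autorun_inf | other
    name: str       # service name, notify package, drive letter, or ""


def classify(reference):
    """Map a 'referenced in:' value to (kind, name)."""
    m = SERVICE_RE.search(reference)
    if m:
        return "service_imagepath", m.group(1)
    m = NOTIFY_RE.search(reference)
    if m:
        return "winlogon_notify", m.group(1)
    m = AUTORUN_RE.match(reference)
    if m:
        return "autorun_inf", m.group(1).upper()
    return "other", ""


def parse_missing_files(log):
    """Return one Orphan per 'File not found' / 'referenced in' pair."""
    orphans = []
    for m in ENTRY_RE.finditer(log):
        kind, name = classify(m.group("ref"))
        orphans.append(Orphan(m.group("path"), m.group("ref"), kind, name))
    return orphans


def summarize(orphans):
    """Count orphans by kind, e.g. {'service_imagepath': 1, ...}."""
    counts = {}
    for o in orphans:
        counts[o.kind] = counts.get(o.kind, 0) + 1
    return counts
```

Feed it the full "Missing files" block from a log and the per-kind counts show at a glance whether the leftovers are stale driver services or something that deserves a closer look.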


#11 JoeS28

  • Topic Starter
  • Members
  • 12 posts

Posted 23 March 2010 - 10:40 PM

I'm not sure what these scans and logs are telling you and if the two are related, but over the last week or so my system has been getting almost unusable due to an incredibly slow response to any mouse movement or commands. My CPU seems to be pegged out at near 100% almost always. Possibly related? Or some other hardware issue?

#12 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 24 March 2010 - 02:06 PM

I'm now looking at a clean machine and leaning towards a hardware issue.

There's definitely nothing malicious in the PC now.

I do recommend that you read this tutorial on the site which explains what you can do to speed up your PC but with the CPU topping out so often this is probably beyond the list there.

What I can tell you is that your computer is clean of malware. We need to clean up and I suggest you take the issue to another forum on Bleeping Computer and link to this topic. I will keep the topic open for 5 days in case you want to return and if I close the topic then feel free to PM me.


You're clean. Good stuff!

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it JoeS28, good luck with the problem and happy surfing!

Cheers.

m0le
m0le is a proud member of UNITE

#13 m0le


Posted 28 March 2010 - 06:29 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.



