
Infected with Security Tools Malware


This topic is locked
102 replies to this topic

#1 upp (Members, 60 posts)

Posted 25 March 2010 - 02:21 PM


Problem:Security Tools Malware
1. Unable to fix according to instructions posted by Grinler on September 25, 2009, despite several attempts
2. Run Vista on half the computer & Ubuntu 9.1 on the other half so after reading I got the bright idea of going into my computer from the Ubuntu side & "move to trash" the file identified as the Security Tools file.
3. After moving the security tools file to the trash I reopened Vista and:
-could see my desktop
-could open some programs (didn't try them all)
-no longer saw any "Warning" messages pop up
-saw only one short cut on my desktop for Security tools which I moved to trash
4. I opened Opera & tried to:
-back up my data--failed, got error message: "The filename, directory name, or volume label syntax is incorrect. (0x8007007B)"
-re-follow Grinler's instructions--failed when trying to save the GMER log--no message, the whole computer just froze--no ctrl+alt+del, no clicking on anything, so I killed the power to re-access the internet & you on my Ubuntu side
5. Got instructions to follow Preparation Guide do steps 6 - 9, did that by accessing the necessary files from the Ubuntu side & here they are DDS logs attached--GMER failed to run

Sorry I goofed sending the log the first time & thanks for your speedy replies. Hope I got it right this time :-)

DDS (Ver_10-03-17.01) - NTFSx86

Run by admin at 11:22:45.62 on Thu 03/25/2010

Internet Explorer: 8.0.6001.18882

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2037.853 [GMT 2:00]



SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}



============== Running Processes ===============



C:\Windows\system32\wininit.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Windows\system32\lsm.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\WLTRYSVC.EXE

C:\Windows\system32\WLANExt.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\aestsrv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Windows\system32\STacSV.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\DRIVERS\xaudio.exe

C:\Program Files\Xobni\XobniService.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\taskeng.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Windows\System32\WLTRAY.EXE

C:\Program Files\DellTPad\Apoint.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\AVG\AVG9\avgtray.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\uTorrent\uTorrent.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

C:\Windows\ehome\ehmsas.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\System32\bcmwltry.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Opera\opera.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Users\admin\Desktop\dds.scr

C:\Windows\system32\conime.exe

C:\Windows\system32\wbem\wmiprvse.exe



============== Pseudo HJT Report ===============



uStart Page = hxxp://www.google.com.ua/

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

uURLSearchHooks: H - No File

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"

uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"

uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"

uRun: [61963631] c:\programdata\61963631\61963631.exe

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [IgfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe

mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide

mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [NWEReboot]

mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: avgrsstx.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll



============= SERVICES / DRIVERS ===============



R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-26 216200]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-26 29512]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-26 242696]

R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2009-2-7 73728]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-15 308064]

R2 XobniService;XobniService;c:\program files\xobni\XobniService.exe [2009-8-12 39424]

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-2-27 179712]

R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2009-11-24 27632]

S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-3-3 89256]

S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-3-3 15016]

S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-3-3 120744]

S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2009-3-3 114216]

S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2009-3-3 25512]

S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2009-3-3 110632]

S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2009-3-3 115752]

S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [2009-3-3 86824]

S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [2009-3-3 15016]

S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [2009-3-3 114600]

S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [2009-3-3 108328]

S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [2009-3-3 26024]

S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [2009-3-3 104616]

S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [2009-3-3 109736]

S3 tj2kunic;Terayon Cable Modem (WDM);c:\windows\system32\drivers\tj2kunic.sys [2009-2-25 69680]



=============== Created Last 30 ================



2010-03-25 09:10:32 20 ----a-w- c:\users\admin\defogger_reenable

2010-03-24 23:06:50 0 d-----w- c:\users\admin\appdata\roaming\Malwarebytes

2010-03-24 23:06:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-24 23:06:26 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-24 23:06:26 0 d-----w- c:\programdata\Malwarebytes

2010-03-24 23:06:26 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-18 15:24:51 0 d-----w- c:\users\admin\appdata\roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

2010-03-15 07:26:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-09 18:52:38 0 d--h--w- C:\$AVG

2010-03-09 18:51:25 0 d-----w- c:\programdata\avg9

2010-02-26 12:01:37 31744 ----a-w- c:\windows\system32\msvidc32.dll

2010-02-26 12:01:37 22528 ----a-w- c:\windows\system32\msyuv.dll

2010-02-26 12:01:37 13312 ----a-w- c:\windows\system32\msrle32.dll

2010-02-26 12:01:37 1314816 ----a-w- c:\windows\system32\quartz.dll

2010-02-26 12:01:36 91136 ----a-w- c:\windows\system32\avifil32.dll

2010-02-26 12:01:36 82944 ----a-w- c:\windows\system32\mciavi32.dll

2010-02-26 12:01:36 65024 ----a-w- c:\windows\system32\avicap32.dll

2010-02-26 12:01:36 50176 ----a-w- c:\windows\system32\iyuv_32.dll

2010-02-26 12:01:36 123904 ----a-w- c:\windows\system32\msvfw32.dll

2010-02-26 12:01:36 11776 ----a-w- c:\windows\system32\tsbyuv.dll

2010-02-26 12:00:09 105472 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-26 12:00:08 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2010-02-26 12:00:06 351232 ----a-w- c:\windows\system32\WSDApi.dll

2010-02-26 12:00:04 897624 ----a-w- c:\windows\system32\drivers\tcpip.sys

2010-02-26 11:59:34 281600 ----a-w- c:\windows\system32\raschap.dll

2010-02-26 11:59:34 244224 ----a-w- c:\windows\system32\rastls.dll

2010-02-24 20:12:08 0 d-----w- c:\program files\iPod

2010-02-24 20:12:02 0 d-----w- c:\program files\iTunes



==================== Find3M ====================



2010-03-25 09:13:51 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2010-03-15 07:26:05 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-15 07:24:46 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-02-24 07:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll

2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll

2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll

2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe

2009-11-25 22:02:33 86016 ----a-w- c:\windows\inf\infpub.dat

2009-11-25 22:02:33 143360 ----a-w- c:\windows\inf\infstrng.dat

2009-11-25 22:02:33 143360 ----a-w- c:\windows\inf\infstor.dat

2009-03-31 21:18:52 174 --sha-w- c:\program files\desktop.ini

2009-03-31 21:10:24 665600 ----a-w- c:\windows\inf\drvindex.dat

2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat

2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat

2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat

2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat

2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat

2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat

2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat

2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

2007-02-21 19:49:52 8192 --sha-w- c:\windows\users\default\NTUSER.DAT



============= FINISH: 11:24:44.62 ===============


#2 upp (Topic Starter, Members, 60 posts)

Posted 26 March 2010 - 05:50 AM

Hi there!
Sorry for any confusion, I'm new to these forums, hope I didn't cause any problems. This is a new topic that I was instructed to open with a log by boopme. I just kind of assumed boopme would continue to help me; if I'm wrong then I am giving you an update on what occurred while I was trying to get the DDS & GMER logs to you--my computer totally froze, I couldn't ctrl+alt+del, I couldn't click on anything--in order to get back in touch with you I powered down & restarted the computer in Ubuntu 9.1. From Ubuntu I accessed my DDS log & posted it to this new topic. I then posted to the original topic asking what I should do about getting back into the Vista part of my computer, and boopme gave me this reply:

Ok let's try this Safe mode scan with SAS.. Do you also have normal mode?
Next run ATF and SAS: If you cannot access Safe Mode,run in normal ,but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

I saved to desktop (in safe mode) the 2 files (ATF & Super AntiSpyware) but have done nothing else and have NOT accessed the computer in regular mode.

I then saw the post by Orange Blossom telling me I was a bad girl for having 2 help topics going--sorry, again I assumed I would continue to receive assistance from boopme. You guys have been great & speedy, so believe me when I say this confusion occurred because of unclarity on my part. My sincerest apologies if this makes anything more difficult & again my many thanks for helping me out!

At this time I will close the infected computer & access you through Ubuntu until further instructed. Thanks again!

#3 Ltangelic (Angel Annihilator of Malware, Members, 348 posts)

Posted 29 March 2010 - 09:02 PM

Hey upp,

Welcome to Bleepingcomputer! I'm Ltangelic and I'll be helping you fix your computer problem.

Before we proceed, here are some things that you can take note of so that the cleaning-up process will be smoother and more efficient. Do not worry, the points below are not any form of rules, they're just a few pointers that can ensure that you will get the best help from me. smile.gif
  • To ensure that you are informed of the latest replies to your thread, you may like to right click on Options at the top right hand corner of this page and select "Subscribe to this forum". That way, you will be notified via email when a reply was posted to your thread.
  • If you have any doubts or uncertainty about any part of my instructions, feel free to post on here and ask me about them.
  • Please do NOT attempt to run any tools or do any fixing on your own unless I tell you to, this will avoid any confusion that can occur during the cleaning process. Furthermore, fixing malware problems without sufficient knowledge can be dangerous at times and you can mess up your own computer without knowing.
  • Please do not PM me for malware removal assistance; any request for malware removal assistance should be posted in this thread only. The only time you can and should PM me is when I have not been replying to you for several days (usually around 4 days) and you need an explanation. If that's the case, just send me a message on here. ;)
  • Please do not start multiple topics (especially when you are already being assisted by an authorised staff). All staff are volunteers on here, starting multiple topics will waste the limited resource of manpower we have here at Bleepingcomputer and this can further hinder our ability to assist other users. Please be considerate and stick to one thread.

I'm looking at your log now and will be back with a fix soon. Thanks for your patience and understanding. smile.gif

Bleepingcomputer Malware Response Team


Please do NOT PM anyone with HJT logs, read this and post your logs here.


#4 upp (Topic Starter, Members, 60 posts)

Posted 30 March 2010 - 08:43 AM

Hi there Ltangelic!
Thank you thank you thank you!!!!!

Waiting patiently for your help :-)
upp

#5 Ltangelic (Angel Annihilator of Malware, Members, 348 posts)

Posted 30 March 2010 - 10:01 AM

Hey upp,

I don't see much in your logs, we'll do some preliminary scanning as a start. smile.gif

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (AVG anti-virus and Windows Defender) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

2) Run OTS

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under custom scans copy and paste the following
      netsvcs
      %SYSTEMDRIVE%\*.exe
      %SYSTEMDRIVE%\*.*
      %ProgramFiles%\Movie Maker\*.dll
      %ALLUSERSAPPDATA%\*.dll
      %SYSTEMROOT%\*.tmp
      %PROGRAMFILES%\Internet Explorer\*.dll
      %DriveLetter%\RECYCLER\*S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d*.
      %systemroot%\system32\*.dll /lockedfiles
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      c:\$recycle.bin\*.* /s
      CREATERESTOREPOINT
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post

Next reply (please include in your post):

OTS.txt (attached)
ComboFix.txt



#6 upp (Topic Starter, Members, 60 posts)

Posted 30 March 2010 - 11:48 AM

Hello there!
Attaching and including the requested information below.
FYI--I had SUPER Anti-spyware on the computer, I tried to disable it per ComboFix instructions & was only able to open it if I clicked "run as administrator". I ended up uninstalling it as I don't think I had disabled it. In order to get into Opera to send you this message I also had to open Opera "run as administrator"--that's new for me so I thought I'd mention it. OK, that was just an FYI in case it means something.

This error recurred when I tried to open the ComboFix.txt to cut & paste into the text of this document. When I double click on C:\ComboFix.txt I get the following error message: C:\ComboFix.txt Illegal operation attempted on a registry key that has been marked for deletion

Naturally I hit OK as that was my only option. Will now attempt to send as an attachment along with the OTS attachment

OK, that seemed to work. I know that you asked me to cut & paste the ComboFix log into the text. Let me know if this is not a good substitute & how I should proceed.

Thanks again! :-)


#7 Ltangelic (Angel Annihilator of Malware, Members, 348 posts)

Posted 31 March 2010 - 04:20 AM

Hey upp,

No worries about the ComboFix log. Either posting or uploading is fine. smile.gif Though, it seems that malware is trying to wreak havoc on CF. We need to do deeper scans.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (AVG anti-virus and Windows Defender) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run CFScript

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
DDS::
uRun: [61963631] c:\programdata\61963631\61963631.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt.

2) Run GMER

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

Next reply (please include in your post):

New OTS log (run quick scan with OTS)
ComboFix.txt
GMER.txt

Bleepingcomputer Malware Response Team


Please do NOT PM anyone with HJT logs, read this and post your logs here.
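The OTS log Ltangelic asks for is a plain-text report in which every process, service, Run value and file line ends in a timestamp, size, attribute flags and a company name, and an analyst reads it for entries that point at missing files, lack a publisher, or run from user-writable folders. The Python below is an added example, not OTS code and not part of this thread: it parses that line format and flags such entries for review, using lines copied from the OTS log posted later in the thread plus one constructed Run value (made-up timestamp and size) shaped like the uRun entry the CFScript removes.

```python
"""Triage helper for OTS (OldTimer Scan) log lines; added example, not OTS's own code."""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Section headers such as "[Win32 Services - Safe List]".
SECTION = re.compile(r"^\[(.+)\]$")
# File info OTS appends to each entry, e.g.
#   [2010/03/15 10:26:03 | 000,508,184 | ---- | M] (AVG Technologies CZ, s.r.o.)
# Directory entries carry no "(Company)" part, so it is optional.
FILE_INFO = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| (?P<kind>[MC])\]\s*(?:\((?P<company>[^)]*)\))?\s*$"
)
# A trailing "[command line]" or "[ NTFS ]" that OTS appends after a path.
TRAILING_BRACKET = re.compile(r"(\S)\s+\[.*\]$")
# Folders a standard user can write to; legitimate autostarts rarely live there.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
# All-digit folder and file name, the shape of the uRun entry
# (c:\programdata\61963631\61963631.exe) that the CFScript in this thread removes.
DIGIT_NAME = re.compile(r"\\\d+\\\d+\.exe$", re.IGNORECASE)


@dataclass
class Entry:
    section: str
    name: str
    path: str
    found: bool                    # False when OTS reports "File not found"
    size: Optional[int] = None
    attrs: str = ""
    company: Optional[str] = None  # "" means OTS printed an empty "()" company
    reasons: List[str] = field(default_factory=list)


def parse_entry(section: str, line: str) -> Optional[Entry]:
    """Split one 'name -> path -> file info' line; None for lines that are not entries."""
    parts = [p.strip() for p in line.split(" -> ")]
    if len(parts) < 3:
        return None
    name = parts[0].strip('"')
    path = TRAILING_BRACKET.sub(r"\1", parts[1])
    tail = " -> ".join(parts[2:])
    if tail == "File not found":
        return Entry(section, name, path, found=False)
    info = FILE_INFO.match(tail)
    if not info:
        return None
    return Entry(section, name, path, found=True,
                 size=int(info["size"].replace(",", "")),
                 attrs=info["attrs"], company=info["company"])


def assess(entry: Entry) -> Entry:
    """Attach review reasons; these are prompts for an analyst, not verdicts."""
    lower = entry.path.lower()
    if not entry.found:
        # Policy values such as \\"NoDrives" -> [0] carry data, not a file; skip them.
        if not entry.path.startswith("["):
            entry.reasons.append("autostart or service points at a missing file (orphan)")
        return entry
    if "D" in entry.attrs:         # directories have no publisher to check
        return entry
    if (entry.company == "" and lower.endswith(EXEC_EXT)
            and any(w in lower for w in USER_WRITABLE)):
        entry.reasons.append("no company name and runs from a user-writable folder")
    if DIGIT_NAME.search(entry.path):
        entry.reasons.append("all-digit folder and file name (same shape as the uRun entry)")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that need review, in log order."""
    section, flagged = "", []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        if line.startswith("<"):   # registry sub-heading, e.g. < Run [HKEY_CURRENT_USER\] > -> ...
            section = line.split(">")[0].lstrip("< ").strip()
            continue
        entry = parse_entry(section, line)
        if entry and assess(entry).reasons:
            flagged.append(entry)
    return flagged


# Constructed sample: lines copied from the OTS log in this thread plus one made-up
# "61963631" Run value modelled on the uRun entry the CFScript removes.
SAMPLE_LOG = r"""
[Win32 Services - Safe List]
(CLTNetCnService) Symantec Lic NetConnect service [Auto | Stopped] ->  -> File not found
(avg9wd) AVG Free WatchDog [Auto | Running] -> C:\Program Files\AVG\AVG9\avgwdsvc.exe -> [2010/03/15 10:25:59 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.)

[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"Apoint" -> C:\Program Files\DellTPad\Apoint.exe [C:\Program Files\DellTPad\Apoint.exe] -> [2007/07/03 00:29:22 | 000,159,744 | ---- | M] (Alps Electric Co., Ltd.)
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"61963631" -> c:\programdata\61963631\61963631.exe [c:\programdata\61963631\61963631.exe] -> [2010/03/25 01:58:10 | 000,312,832 | ---- | M] ()
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
\\"NoDrives" ->  [0] -> File not found
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
"""

if __name__ == "__main__":
    # Pass a saved OTS.txt as the first argument, or run on the sample above.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for e in triage(text):
        print(f"[{e.section}] {e.name} -> {e.path or '(no path)'}")
        for r in e.reasons:
            print(f"    - {r}")
```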


#8 upp

upp
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Local time:11:00 PM

Posted 31 March 2010 - 05:25 AM

Hi there!

Can't complete step 1.
I clicked on the start menu then on run got the regular box that says:
Type the name of a program, folder, document or Internet resource, and Windows will open it for you.

I typed in: notepad.exe and hit ok

The only thing it does is open a blank notepad window...no codebox. For fun I tried the same as above with notepad already open & got the same result--a new blank notepad window--& then tried to type in "type notepad.exe", with & without a space between type & notepad (it gave me the following error message: Windows cannot find 'type'. Make sure you typed the name correctly, and then try again.)

Did I miss something? I checked & double-checked your instructions but ????



#9 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Somewhere
  • Local time:04:00 AM

Posted 31 March 2010 - 06:27 AM

Hi,

You are supposed to get a blank notepad window, just copy the following text into the notepad window:

CODE
DDS::
uRun: [61963631] c:\programdata\61963631\61963631.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000


Save the notepad file as CFScript.txt.

Follow the instructions from there.

Edited by Ltangelic, 31 March 2010 - 06:28 AM.



#10 upp

upp
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Local time:11:00 PM

Posted 31 March 2010 - 01:22 PM

Sorry about that, stupid on my part.

Had some trouble with GMER again; only this time it froze up the computer after telling me it had successfully saved the text, so hopefully what you're looking for is here.



Here's the OTS log

CODE
OTS logfile created on: 3/31/2010 9:07:02 PM - Run 2
OTS by OldTimer - Version 3.1.27.1     Folder = C:\Users\admin\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18882)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 45.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 53.12 Gb Total Space | 7.77 Gb Free Space | 14.63% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 4.38 Gb Total Space | 3.60 Gb Free Space | 82.26% Space Free | Partition Type: UDF
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ADMIN-PC
Current User Name: admin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Quick Scan

[Processes - Safe List]
ots.exe -> C:\Users\admin\Desktop\OTS.exe -> [2010/03/30 19:23:48 | 000,637,440 | ---- | M] (OldTimer Tools)
avgrsx.exe -> C:\Program Files\AVG\AVG9\avgrsx.exe -> [2010/03/15 10:26:03 | 000,508,184 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgnsx.exe -> C:\Program Files\AVG\AVG9\avgnsx.exe -> [2010/03/15 10:26:02 | 000,617,752 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgwdsvc.exe -> C:\Program Files\AVG\AVG9\avgwdsvc.exe -> [2010/03/15 10:25:59 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgcsrvx.exe -> C:\Program Files\AVG\AVG9\avgcsrvx.exe -> [2010/03/15 10:24:46 | 000,710,424 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgchsvx.exe -> C:\Program Files\AVG\AVG9\avgchsvx.exe -> [2010/03/15 10:24:44 | 001,086,744 | ---- | M] (AVG Technologies CZ, s.r.o.)
utorrent.exe -> C:\Program Files\uTorrent\uTorrent.exe -> [2010/01/27 22:35:04 | 000,289,584 | ---- | M] (BitTorrent, Inc.)
desktopweather.exe -> C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe -> [2009/10/08 13:13:52 | 000,818,288 | ---- | M] (The Weather Channel Interactive, Inc.)
xobniservice.exe -> C:\Program Files\Xobni\XobniService.exe -> [2009/08/12 01:31:14 | 000,039,424 | ---- | M] (Xobni Corporation)
logitechdesktopmessenger.exe -> C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe -> [2009/03/19 14:27:35 | 000,066,864 | ---- | M] (Logitech Inc.)
bcmsqlstartupsvc.exe -> C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -> [2009/02/20 09:46:52 | 000,030,312 | ---- | M] (Microsoft Corporation)
explorer.exe -> C:\Windows\explorer.exe -> [2009/02/10 08:59:23 | 002,927,104 | ---- | M] (Microsoft Corporation)
quickcam.exe -> C:\Program Files\Logitech\QuickCam\Quickcam.exe -> [2008/12/20 08:50:34 | 002,656,528 | ---- | M] ()
cocimanager.exe -> C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe -> [2008/12/20 08:46:58 | 000,558,864 | ---- | M] ()
lvprcsrv.exe -> C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -> [2008/12/16 22:59:50 | 000,150,040 | ---- | M] (Logitech Inc.)
sqlwriter.exe -> c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -> [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation)
sqlbrowser.exe -> c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -> [2008/11/24 22:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation)
onenotem.exe -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE -> [2008/10/25 09:18:50 | 000,098,696 | ---- | M] (Microsoft Corporation)
nmindexstoresvr.exe -> C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe -> [2008/01/22 10:13:32 | 001,201,448 | ---- | M] (Nero AG)
nmbgmonitor.exe -> C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe -> [2008/01/22 10:13:20 | 000,152,872 | ---- | M] (Nero AG)
werfault.exe -> C:\Windows\System32\WerFault.exe -> [2008/01/19 10:33:35 | 000,217,088 | ---- | M] (Microsoft Corporation)
conime.exe -> C:\Windows\System32\conime.exe -> [2008/01/19 10:33:04 | 000,069,120 | ---- | M] (Microsoft Corporation)
aestsrv.exe -> C:\Windows\System32\AEstSrv.exe -> [2007/09/21 01:31:10 | 000,073,728 | ---- | M] (Andrea Electronics Corporation)
stacsv.exe -> C:\Windows\System32\stacsv.exe -> [2007/09/14 01:45:38 | 000,102,400 | ---- | M] (IDT, Inc.)
sttray.exe -> C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe -> [2007/09/14 01:44:48 | 000,405,504 | ---- | M] (IDT, Inc.)
apoint.exe -> C:\Program Files\DellTPad\Apoint.exe -> [2007/07/03 00:29:22 | 000,159,744 | ---- | M] (Alps Electric Co., Ltd.)
apntex.exe -> C:\Program Files\DellTPad\ApntEx.exe -> [2007/06/07 03:44:44 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.)
apmsgfwd.exe -> C:\Program Files\DellTPad\ApMsgFwd.exe -> [2007/05/23 01:18:56 | 000,050,736 | ---- | M] (Alps Electric Co., Ltd.)
iaantmon.exe -> C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -> [2007/02/13 01:38:04 | 000,355,096 | ---- | M] (Intel Corporation)
iaanotif.exe -> C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe -> [2007/02/13 01:37:58 | 000,174,872 | ---- | M] (Intel Corporation)
hidfind.exe -> C:\Program Files\DellTPad\hidfind.exe -> [2006/09/09 02:10:22 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.)
acrotray.exe -> C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe -> [2003/05/15 01:19:50 | 000,217,193 | ---- | M] (Adobe Systems Inc.)

[Modules - Safe List]
ots.exe -> C:\Users\admin\Desktop\OTS.exe -> [2010/03/30 19:23:48 | 000,637,440 | ---- | M] (OldTimer Tools)
comctl32.dll -> C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll -> [2008/01/19 10:26:34 | 001,684,480 | ---- | M] (Microsoft Corporation)

[Win32 Services - Safe List]
(CLTNetCnService) Symantec Lic NetConnect service [Auto | Stopped] ->  -> File not found
(avg9wd) AVG Free WatchDog [Auto | Running] -> C:\Program Files\AVG\AVG9\avgwdsvc.exe -> [2010/03/15 10:25:59 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.)
(XobniService) XobniService [Auto | Running] -> C:\Program Files\Xobni\XobniService.exe -> [2009/08/12 01:31:14 | 000,039,424 | ---- | M] (Xobni Corporation)
(MSSQL$MSSMLBIZ) SQL Server (MSSMLBIZ) [On_Demand | Stopped] -> c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -> [2009/05/27 03:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation)
(BcmSqlStartupSvc) Business Contact Manager SQL Server Startup Service [Auto | Running] -> C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -> [2009/02/20 09:46:52 | 000,030,312 | ---- | M] (Microsoft Corporation)
(LVPrcSrv) Process Monitor [Auto | Running] -> C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -> [2008/12/16 22:59:50 | 000,150,040 | ---- | M] (Logitech Inc.)
(SQLWriter) SQL Server VSS Writer [Auto | Running] -> c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -> [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation)
(SQLBrowser) SQL Server Browser [Auto | Running] -> c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -> [2008/11/24 22:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation)
(MSSQLServerADHelper) SQL Server Active Directory Helper [Disabled | Stopped] -> c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -> [2008/11/24 22:31:08 | 000,045,408 | ---- | M] (Microsoft Corporation)
(WinDefend) Windows Defender [Auto | Stopped] -> C:\Program Files\Windows Defender\MpSvc.dll -> [2008/01/19 10:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation)
(AESTFilters) Andrea ST Filters Service [Auto | Running] -> C:\Windows\System32\AEstSrv.exe -> [2007/09/21 01:31:10 | 000,073,728 | ---- | M] (Andrea Electronics Corporation)
(STacSV) SigmaTel Audio Service [Auto | Running] -> C:\Windows\System32\stacsv.exe -> [2007/09/14 01:45:38 | 000,102,400 | ---- | M] (IDT, Inc.)
(IAANTMON) Intel(R) Matrix Storage Event Monitor [Auto | Running] -> C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -> [2007/02/13 01:38:04 | 000,355,096 | ---- | M] (Intel Corporation)

[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\"Start Page" -> http://www.google.com.ua/ ->
HKEY_CURRENT_USER\: Main\\"StartPageCache" -> 1 ->
HKEY_CURRENT_USER\: URLSearchHooks\\"*{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
HKEY_CURRENT_USER\: URLSearchHooks\\"{A3BC75A2-1F87-4686-AA43-5347D756017C}" [HKLM] -> C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [AVG Security Toolbar BHO] -> [2009/11/25 14:01:54 | 001,230,080 | ---- | M] ()
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 ->
HKEY_CURRENT_USER\: "ProxyOverride" -> *.local ->
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions ->  ->
< FireFox Extensions [User Folders] > ->
< HOSTS File > ([2010/03/31 15:14:57 | 000,000,027 | ---- | M] - 1 lines) -> C:\Windows\System32\drivers\etc\hosts ->
Reset Hosts
127.0.0.1       localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> File not found
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> C:\Program Files\AVG\AVG9\avgssie.dll [AVG Safe Search] -> [2010/03/15 10:26:02 | 001,598,744 | ---- | M] (AVG Technologies CZ, s.r.o.)
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} [HKLM] -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [Groove GFS Browser Helper] -> [2009/02/12 16:19:32 | 002,217,848 | ---- | M] (Microsoft Corporation)
{A3BC75A2-1F87-4686-AA43-5347D756017C} [HKLM] -> C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [AVG Security Toolbar BHO] -> [2009/11/25 14:01:54 | 001,230,080 | ---- | M] ()
{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} [HKLM] -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [HP Smart BHO Class] -> [2007/11/06 12:50:44 | 000,542,016 | ---- | M] (Hewlett-Packard Co.)
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [AVG Security Toolbar] -> [2009/11/25 14:01:54 | 001,230,080 | ---- | M] ()
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{A057A204-BACC-4D26-9990-79A187E2698E}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [AVG Security Toolbar] -> [2009/11/25 14:01:54 | 001,230,080 | ---- | M] ()
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"Apoint" -> C:\Program Files\DellTPad\Apoint.exe [C:\Program Files\DellTPad\Apoint.exe] -> [2007/07/03 00:29:22 | 000,159,744 | ---- | M] (Alps Electric Co., Ltd.)
"AppleSyncNotifier" -> C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe] -> [2009/08/13 15:51:42 | 000,177,440 | ---- | M] (Apple Inc.)
"IAAnotif" -> C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe [C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe] -> [2007/02/13 01:37:58 | 000,174,872 | ---- | M] (Intel Corporation)
"LogitechQuickCamRibbon" -> C:\Program Files\Logitech\QuickCam\Quickcam.exe ["C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide] -> [2008/12/20 08:50:34 | 002,656,528 | ---- | M] ()
"NeroFilterCheck" -> C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe] -> [2007/03/01 14:57:24 | 000,153,136 | ---- | M] (Nero AG)
"SigmatelSysTrayApp" -> C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe [%ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe] -> [2007/09/14 01:44:48 | 000,405,504 | ---- | M] (IDT, Inc.)
"Windows Defender" -> C:\Program Files\Windows Defender\MSASCui.exe [%ProgramFiles%\Windows Defender\MSASCui.exe -hide] -> [2008/01/19 10:38:38 | 001,008,184 | ---- | M] (Microsoft Corporation)
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" -> C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe ["C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"] -> [2008/01/22 10:13:20 | 000,152,872 | ---- | M] (Nero AG)
"DW6" -> C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe ["C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"] -> [2009/10/08 13:13:52 | 000,818,288 | ---- | M] (The Weather Channel Interactive, Inc.)
"uTorrent" -> C:\Program Files\uTorrent\uTorrent.exe ["C:\Program Files\uTorrent\uTorrent.exe"] -> [2010/01/27 22:35:04 | 000,289,584 | ---- | M] (BitTorrent, Inc.)
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer ->
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
Append Link Target to Existing PDF -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html] -> File not found
E&xport to Microsoft Excel -> C:\Program Files\Microsoft Office\Office12\EXCEL.EXE [res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000] -> [2009/05/04 09:40:04 | 018,333,536 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{2670000A-7350-4f3c-8081-5663EE0C6C49}:{48E73304-E1D6-4330-914C-F5F514E3486C} [HKLM] -> C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll [Button: Send to OneNote] -> [2008/10/25 08:52:00 | 000,604,056 | ---- | M] (Microsoft Corporation)
{2670000A-7350-4f3c-8081-5663EE0C6C49}:{48E73304-E1D6-4330-914C-F5F514E3486C} [HKLM] -> C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll [Menu: S&end to OneNote] -> [2008/10/25 08:52:00 | 000,604,056 | ---- | M] (Microsoft Corporation)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}:{FF059E31-CC5A-4E2E-BF3B-96E929D65503} [HKLM] -> C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL [Button: Research] -> [2009/03/06 05:04:56 | 000,039,464 | ---- | M] (Microsoft Corporation)
{DDE87865-83C5-48c4-8357-2F5B1AA84522}:{DDE87865-83C5-48c4-8357-2F5B1AA84522} [HKLM] -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [Button: HP Smart Select] -> [2007/11/06 12:50:44 | 000,542,016 | ---- | M] (Hewlett-Packard Co.)
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{8100D56A-5661-482C-BEE8-AFECE305D968} [HKLM] -> http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab [Facebook Photo Uploader 5 Control] ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab [Java Plug-in 1.6.0_17] ->
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [HKLM] -> http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab [Reg Error: Key error.] ->
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab [Java Plug-in 1.6.0_17] ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab [Java Plug-in 1.6.0_17] ->
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ ->
DhcpNameServer -> 192.168.1.1 ->
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{0132828A-638A-4BC8-8848-1E1405BB0F32}\\DhcpNameServer -> 192.168.1.1   (Broadcom NetLink (TM) Fast Ethernet) ->
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs ->
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls ->
C:\Windows\System32\avgrsstx.dll -> C:\Windows\System32\avgrsstx.dll -> [2010/03/15 10:26:03 | 000,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.)
*MultiFile Done* -> ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell ->
Explorer.exe -> C:\Windows\explorer.exe -> [2009/02/10 08:59:23 | 002,927,104 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
igfxcui -> C:\Windows\System32\igfxdev.dll -> [2007/05/09 03:05:38 | 000,204,800 | ---- | M] (Intel Corporation)
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}" [HKLM] -> Reg Error: Key error. [] -> File not found
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" [HKLM] -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [Groove GFS Stub Execution Hook] -> [2009/02/12 16:19:32 | 002,217,848 | ---- | M] (Microsoft Corporation)
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List ->
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List ->
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot ->
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 ->
"DisplayName" -> CD-ROM Driver ->
"ImagePath" ->  [system32\DRIVERS\cdrom.sys] -> File not found
< Drives with AutoRun files > ->  ->
C:\autoexec.bat [REM Dummy file for NTVDM | ] -> C:\autoexec.bat [ NTFS ] -> [2006/09/19 00:43:36 | 000,000,024 | ---- | M] ()
E:\autorun.wbcat [] -> E:\autorun.wbcat [ UDF ] -> [2010/03/25 11:39:43 | 000,000,000 | RH-- | M] ()
E:\autorun.inf [[autorun] | label=ADMIN-PC 3/25/2010 2:05 AM Disk 3 | icon=restore.ico,0 |  | [Content] | MusicFiles=0 | PictureFiles=0 | VideoFiles=0 | ] -> E:\autorun.inf [ UDF ] -> [2010/03/25 11:39:43 | 000,000,127 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 ->
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command ->
comfile [open] -> "%1" %* ->
exefile [open] -> "%1" %* ->
< AppCertDlls [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls ->
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ ->
.com [@ = ComFile] -> "%1" %* ->
.exe [@ = exefile] -> "%1" %* ->


[Files/Folders - Created Within 14 Days]
temp -> C:\Users\admin\AppData\Local\temp -> [2010/03/31 15:23:28 | 000,000,000 | ---D | C]
$RECYCLE.BIN -> C:\$RECYCLE.BIN -> [2010/03/31 15:15:00 | 000,000,000 | ---D | C]
temp -> C:\Windows\temp -> [2010/03/31 15:10:52 | 000,000,000 | ---D | C]
NIRCMD.exe -> C:\Windows\NIRCMD.exe -> [2010/03/31 14:55:32 | 000,031,232 | ---- | C] (NirSoft)
SWXCACLS.exe -> C:\Windows\SWXCACLS.exe -> [2010/03/31 14:55:03 | 000,212,480 | ---- | C] (SteelWerX)
Undo -> C:\Users\admin\Desktop\Undo -> [2010/03/31 14:46:43 | 000,000,000 | ---D | C]
gmer -> C:\Users\admin\Desktop\gmer -> [2010/03/31 14:46:22 | 000,000,000 | ---D | C]
maybe not needed -> C:\Users\admin\Desktop\maybe not needed -> [2010/03/31 14:45:11 | 000,000,000 | ---D | C]
SWREG.exe -> C:\Windows\SWREG.exe -> [2010/03/30 19:40:20 | 000,161,792 | ---- | C] (SteelWerX)
SWSC.exe -> C:\Windows\SWSC.exe -> [2010/03/30 19:40:20 | 000,136,704 | ---- | C] (SteelWerX)
ERDNT -> C:\Windows\ERDNT -> [2010/03/30 19:40:08 | 000,000,000 | ---D | C]
Qoobox -> C:\Qoobox -> [2010/03/30 19:28:40 | 000,000,000 | ---D | C]
OTS.exe -> C:\Users\admin\Desktop\OTS.exe -> [2010/03/30 19:23:46 | 000,637,440 | ---- | C] (OldTimer Tools)
Ahead -> C:\Users\admin\AppData\Local\Ahead -> [2010/03/30 17:38:04 | 000,000,000 | ---D | C]
Apple Computer -> C:\Users\admin\AppData\Local\Apple Computer -> [2010/03/30 17:36:17 | 000,000,000 | ---D | C]
SUPERAntiSpyware.com -> C:\ProgramData\SUPERAntiSpyware.com -> [2010/03/30 14:10:18 | 000,000,000 | ---D | C]
SUPERAntiSpyware.com -> C:\Users\admin\AppData\Roaming\SUPERAntiSpyware.com -> [2010/03/30 14:09:17 | 000,000,000 | ---D | C]
SUPERAntiSpyware -> C:\Program Files\SUPERAntiSpyware -> [2010/03/30 14:09:17 | 000,000,000 | ---D | C]
Malwarebytes -> C:\Users\admin\AppData\Roaming\Malwarebytes -> [2010/03/25 02:06:50 | 000,000,000 | ---D | C]
mbamswissarmy.sys -> C:\Windows\System32\drivers\mbamswissarmy.sys -> [2010/03/25 02:06:29 | 000,038,224 | ---- | C] (Malwarebytes Corporation)
mbam.sys -> C:\Windows\System32\drivers\mbam.sys -> [2010/03/25 02:06:26 | 000,019,160 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware -> C:\Program Files\Malwarebytes' Anti-Malware -> [2010/03/25 02:06:26 | 000,000,000 | ---D | C]
Malwarebytes -> C:\ProgramData\Malwarebytes -> [2010/03/25 02:06:26 | 000,000,000 | ---D | C]
Canadian Immigration -> C:\Users\admin\Desktop\Canadian Immigration -> [2010/03/19 16:35:51 | 000,000,000 | ---D | C]
com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 -> C:\Users\admin\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 -> [2010/03/18 18:24:51 | 000,000,000 | ---D | C]
Config.Msi -> C:\Config.Msi -> [2010/03/18 15:53:23 | 000,000,000 | ---D | C]
Mobile 24 March -> C:\Users\admin\Desktop\Mobile 24 March -> [2010/03/17 22:20:43 | 000,000,000 | ---D | C]
1 C:\Users\admin\Desktop\*.tmp files -> C:\Users\admin\Desktop\*.tmp ->

[Files/Folders - Modified Within 14 Days]
ntuser.dat -> C:\Users\admin\ntuser.dat -> [2010/03/31 21:10:04 | 003,932,160 | -HS- | M] ()
7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 -> C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 -> [2010/03/31 21:04:55 | 000,003,792 | -H-- | M] ()
7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 -> C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 -> [2010/03/31 21:04:55 | 000,003,792 | -H-- | M] ()
SA.DAT -> C:\Windows\tasks\SA.DAT -> [2010/03/31 21:04:44 | 000,000,006 | -H-- | M] ()
bootstat.dat -> C:\Windows\bootstat.dat -> [2010/03/31 21:04:38 | 000,067,584 | --S- | M] ()
lvuvc.hs -> C:\Windows\System32\drivers\lvuvc.hs -> [2010/03/31 21:04:22 | 000,000,000 | ---- | M] ()
PerfStringBackup.INI -> C:\Windows\System32\PerfStringBackup.INI -> [2010/03/31 15:21:23 | 000,760,648 | ---- | M] ()
perfh009.dat -> C:\Windows\System32\perfh009.dat -> [2010/03/31 15:21:23 | 000,645,296 | ---- | M] ()
perfc009.dat -> C:\Windows\System32\perfc009.dat -> [2010/03/31 15:21:23 | 000,119,716 | ---- | M] ()
system.ini -> C:\Windows\system.ini -> [2010/03/31 15:15:03 | 000,000,215 | ---- | M] ()
hosts -> C:\Windows\System32\drivers\etc\hosts -> [2010/03/31 15:14:57 | 000,000,027 | ---- | M] ()
ntuser.dat{812c6e75-b98e-11de-bae4-d3ce090fcfcd}.TMContainer00000000000000000001.regtrans-ms -> C:\Users\admin\ntuser.dat{812c6e75-b98e-11de-bae4-d3ce090fcfcd}.TMContainer00000000000000000001.regtrans-ms -> [2010/03/31 15:11:25 | 000,524,288 | -HS- | M] ()
ntuser.dat{812c6e75-b98e-11de-bae4-d3ce090fcfcd}.TM.blf -> C:\Users\admin\ntuser.dat{812c6e75-b98e-11de-bae4-d3ce090fcfcd}.TM.blf -> [2010/03/31 15:11:25 | 000,065,536 | -HS- | M] ()
User_Feed_Synchronization-{FDA404D2-9C33-41F5-9DC1-AEC85E3AD3AE}.job -> C:\Windows\tasks\User_Feed_Synchronization-{FDA404D2-9C33-41F5-9DC1-AEC85E3AD3AE}.job -> [2010/03/31 14:49:51 | 000,000,422 | -H-- | M] ()
incavi.avm -> C:\Windows\System32\drivers\Avg\incavi.avm -> [2010/03/31 13:19:55 | 058,313,297 | ---- | M] ()
IconCache.db -> C:\Users\admin\AppData\Local\IconCache.db -> [2010/03/30 20:56:14 | 001,978,817 | -H-- | M] ()
OTS.exe -> C:\Users\admin\Desktop\OTS.exe -> [2010/03/30 19:23:48 | 000,637,440 | ---- | M] (OldTimer Tools)
ComboFix.exe -> C:\Users\admin\Desktop\ComboFix.exe -> [2010/03/30 19:20:43 | 003,906,159 | R--- | M] ()
Kostya Pic3.JPG -> C:\Users\admin\Desktop\Kostya Pic3.JPG -> [2010/03/30 18:53:55 | 000,707,190 | ---- | M] ()
Kostya Pic7.JPG -> C:\Users\admin\Desktop\Kostya Pic7.JPG -> [2010/03/30 18:53:37 | 000,714,523 | ---- | M] ()
Kostya Pic2.JPG -> C:\Users\admin\Desktop\Kostya Pic2.JPG -> [2010/03/30 18:53:36 | 000,690,716 | ---- | M] ()
Kostya Pic6.JPG -> C:\Users\admin\Desktop\Kostya Pic6.JPG -> [2010/03/30 18:53:29 | 000,714,523 | ---- | M] ()
Kostya Pic5.JPG -> C:\Users\admin\Desktop\Kostya Pic5.JPG -> [2010/03/30 18:53:29 | 000,707,544 | ---- | M] ()
Kostya Pic4.JPG -> C:\Users\admin\Desktop\Kostya Pic4.JPG -> [2010/03/30 18:53:20 | 000,707,544 | ---- | M] ()
SUPERAntiSpywareF.exe -> C:\Users\admin\Desktop\SUPERAntiSpywareF.exe -> [2010/03/26 13:17:54 | 000,901,332 | ---- | M] ()
SUPERAntiSpyware.com - Order Details.mht -> C:\Users\admin\Desktop\SUPERAntiSpyware.com - Order Details.mht -> [2010/03/26 13:14:47 | 000,110,075 | ---- | M] ()
SUPERAntiSpywarePro 26.exe -> C:\Users\admin\Desktop\SUPERAntiSpywarePro 26.exe -> [2010/03/26 13:03:48 | 007,757,856 | ---- | M] ()
defogger_reenable -> C:\Users\admin\defogger_reenable -> [2010/03/25 12:11:16 | 000,000,020 | ---- | M] ()
March 2010.xls -> C:\Users\admin\Desktop\March 2010.xls -> [2010/03/24 14:12:03 | 000,016,896 | ---- | M] ()
Acrobat6.ini -> C:\Users\Public\Documents\Acrobat6.ini -> [2010/03/19 15:43:30 | 000,000,892 | ---- | M] ()
GDIPFONTCACHEV1.DAT -> C:\Users\admin\AppData\Local\GDIPFONTCACHEV1.DAT -> [2010/03/18 15:58:31 | 000,107,984 | ---- | M] ()
FNTCACHE.DAT -> C:\Windows\System32\FNTCACHE.DAT -> [2010/03/18 15:57:07 | 000,400,000 | ---- | M] ()
1 C:\Users\admin\Desktop\*.tmp files -> C:\Users\admin\Desktop\*.tmp ->

[Files - No Company Name]
IconCache.db -> C:\Users\admin\AppData\Local\IconCache.db -> [2010/03/30 20:56:14 | 001,978,817 | -H-- | C] ()
PEV.exe -> C:\Windows\PEV.exe -> [2010/03/30 19:40:20 | 000,261,632 | ---- | C] ()
sed.exe -> C:\Windows\sed.exe -> [2010/03/30 19:40:20 | 000,098,816 | ---- | C] ()
grep.exe -> C:\Windows\grep.exe -> [2010/03/30 19:40:20 | 000,080,412 | ---- | C] ()
MBR.exe -> C:\Windows\MBR.exe -> [2010/03/30 19:40:20 | 000,077,312 | ---- | C] ()
zip.exe -> C:\Windows\zip.exe -> [2010/03/30 19:40:20 | 000,068,096 | ---- | C] ()
ComboFix.exe -> C:\Users\admin\Desktop\ComboFix.exe -> [2010/03/30 19:20:16 | 003,906,159 | R--- | C] ()
Kostya Pic7.JPG -> C:\Users\admin\Desktop\Kostya Pic7.JPG -> [2010/03/30 18:52:02 | 000,714,523 | ---- | C] ()
Kostya Pic6.JPG -> C:\Users\admin\Desktop\Kostya Pic6.JPG -> [2010/03/30 18:51:53 | 000,714,523 | ---- | C] ()
Kostya Pic5.JPG -> C:\Users\admin\Desktop\Kostya Pic5.JPG -> [2010/03/30 18:51:44 | 000,707,544 | ---- | C] ()
Kostya Pic4.JPG -> C:\Users\admin\Desktop\Kostya Pic4.JPG -> [2010/03/30 18:51:28 | 000,707,544 | ---- | C] ()
Kostya Pic3.JPG -> C:\Users\admin\Desktop\Kostya Pic3.JPG -> [2010/03/30 18:51:16 | 000,707,190 | ---- | C] ()
Kostya Pic2.JPG -> C:\Users\admin\Desktop\Kostya Pic2.JPG -> [2010/03/30 18:50:16 | 000,690,716 | ---- | C] ()
SUPERAntiSpywareF.exe -> C:\Users\admin\Desktop\SUPERAntiSpywareF.exe -> [2010/03/26 13:17:54 | 000,901,332 | ---- | C] ()
SUPERAntiSpyware.com - Order Details.mht -> C:\Users\admin\Desktop\SUPERAntiSpyware.com - Order Details.mht -> [2010/03/26 13:14:47 | 000,110,075 | ---- | C] ()
SUPERAntiSpywarePro 26.exe -> C:\Users\admin\Desktop\SUPERAntiSpywarePro 26.exe -> [2010/03/26 13:03:10 | 007,757,856 | ---- | C] ()
defogger_reenable -> C:\Users\admin\defogger_reenable -> [2010/03/25 12:10:32 | 000,000,020 | ---- | C] ()
March 2010.xls -> C:\Users\admin\Desktop\March 2010.xls -> [2010/03/24 14:14:31 | 000,016,896 | ---- | C] ()
Acrobat6.ini -> C:\Users\Public\Documents\Acrobat6.ini -> [2010/03/19 15:43:30 | 000,000,892 | ---- | C] ()
Quicken.ini -> C:\Windows\Quicken.ini -> [2009/12/08 18:40:44 | 000,000,154 | ---- | C] ()
vidx16.dll -> C:\Windows\System32\vidx16.dll -> [2009/10/18 21:59:38 | 000,010,240 | ---- | C] ()
lvcoinst.ini -> C:\Windows\System32\lvcoinst.ini -> [2009/03/19 14:40:18 | 000,081,110 | ---- | C] ()
bcmwlrmt.dll -> C:\Windows\System32\bcmwlrmt.dll -> [2009/02/07 11:56:19 | 000,054,784 | ---- | C] ()
rixdicon.dll -> C:\Windows\System32\rixdicon.dll -> [2009/02/07 07:53:20 | 000,016,480 | ---- | C] ()
igmedkrn.dll -> C:\Windows\System32\igmedkrn.dll -> [2009/02/07 07:09:12 | 000,910,304 | ---- | C] ()
igfxTMM.dll -> C:\Windows\System32\igfxTMM.dll -> [2009/02/07 07:09:12 | 000,249,856 | ---- | C] ()
igfxCoIn_v1272.dll -> C:\Windows\System32\igfxCoIn_v1272.dll -> [2009/02/07 07:09:12 | 000,204,800 | ---- | C] ()
ODBC.INI -> C:\Windows\ODBC.INI -> [2009/02/06 01:42:40 | 000,000,376 | ---- | C] ()
LVPr2Mon.sys -> C:\Windows\System32\drivers\LVPr2Mon.sys -> [2008/12/16 22:58:54 | 000,025,624 | ---- | C] ()
iKeyLgFT.dll -> C:\Windows\System32\drivers\iKeyLgFT.dll -> [2008/12/16 22:50:56 | 000,013,584 | ---- | C] ()
GlobalUserInterface.CompositeFont -> C:\Windows\Fonts\GlobalUserInterface.CompositeFont -> [2006/11/02 15:37:35 | 000,030,808 | ---- | C] ()
GlobalSerif.CompositeFont -> C:\Windows\Fonts\GlobalSerif.CompositeFont -> [2006/11/02 15:37:35 | 000,029,779 | ---- | C] ()
GlobalSansSerif.CompositeFont -> C:\Windows\Fonts\GlobalSansSerif.CompositeFont -> [2006/11/02 15:37:35 | 000,026,489 | ---- | C] ()
GlobalMonospace.CompositeFont -> C:\Windows\Fonts\GlobalMonospace.CompositeFont -> [2006/11/02 15:37:35 | 000,026,040 | ---- | C] ()
sysprepMCE.dll -> C:\Windows\System32\sysprepMCE.dll -> [2006/11/02 15:35:32 | 000,005,632 | ---- | C] ()
pacerprf.ini -> C:\Windows\System32\pacerprf.ini -> [2006/11/02 10:40:29 | 000,013,750 | ---- | C] ()

[File - Lop Check]
com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 -> C:\Users\admin\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 -> [2010/03/18 18:24:51 | 000,000,000 | ---D | M]
DriverCure -> C:\Users\admin\AppData\Roaming\DriverCure -> [2009/05/20 00:13:52 | 000,000,000 | ---D | M]
Nokia -> C:\Users\admin\AppData\Roaming\Nokia -> [2009/09/21 18:39:22 | 000,000,000 | ---D | M]
Opera -> C:\Users\admin\AppData\Roaming\Opera -> [2009/10/05 23:27:01 | 000,000,000 | ---D | M]
PC Suite -> C:\Users\admin\AppData\Roaming\PC Suite -> [2009/09/21 18:27:38 | 000,000,000 | ---D | M]
SanDisk -> C:\Users\admin\AppData\Roaming\SanDisk -> [2009/06/24 11:40:11 | 000,000,000 | ---D | M]
Sony -> C:\Users\admin\AppData\Roaming\Sony -> [2009/11/25 23:43:21 | 000,000,000 | ---D | M]
uTorrent -> C:\Users\admin\AppData\Roaming\uTorrent -> [2010/03/31 15:11:18 | 000,000,000 | ---D | M]
SCHEDLGU.TXT -> C:\Windows\Tasks\SCHEDLGU.TXT -> [2010/03/31 15:11:32 | 000,032,636 | ---- | M] ()
User_Feed_Synchronization-{FDA404D2-9C33-41F5-9DC1-AEC85E3AD3AE}.job -> C:\Windows\Tasks\User_Feed_Synchronization-{FDA404D2-9C33-41F5-9DC1-AEC85E3AD3AE}.job -> [2010/03/31 14:49:51 | 000,000,422 | -H-- | M] ()

[File - Purity Scan]


[Files/Folders - Unicode - All]
C:\Users\admin\Desktop\????? Track 030.mp3 -> C:\Users\admin\Desktop\Костя Track 030.mp3 -> [2010/03/16 00:12:20 | 006,640,110 | ---- | C] ()
C:\Users\admin\Desktop\????? Track 030.mp3 -> C:\Users\admin\Desktop\Костя Track 030.mp3 -> [2010/03/16 12:21:48 | 006,640,110 | ---- | M] ()
C:\Users\admin\Desktop\?????-eng.docx -> C:\Users\admin\Desktop\Думка-eng.docx -> [2010/03/31 14:37:07 | 000,018,591 | ---- | C] ()
C:\Users\admin\Desktop\?????-eng.docx -> C:\Users\admin\Desktop\Думка-eng.docx -> [2010/03/31 14:37:08 | 000,018,591 | ---- | M] ()
C:\Users\admin\Desktop\?????-ukr.docx -> C:\Users\admin\Desktop\Думка-ukr.docx -> [2010/03/31 14:37:48 | 000,016,441 | ---- | C] ()
C:\Users\admin\Desktop\?????-ukr.docx -> C:\Users\admin\Desktop\Думка-ukr.docx -> [2010/03/31 14:38:38 | 000,016,441 | ---- | M] ()
< End of report >

Here's the ComboFix log:

ComboFix 10-03-29.04 - admin 03/31/2010 15:00:00.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2037.930 [GMT 3:00]
Running from: c:\users\admin\Desktop\ComboFix.exe
Command switches used :: c:\users\admin\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-31 )))))))))))))))))))))))))))))))
.

2010-03-31 12:10 . 2010-03-31 12:10 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-31 12:10 . 2010-03-31 12:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-30 17:08 . 2010-03-31 12:16 -------- d-----w- c:\users\admin\AppData\Local\temp
2010-03-30 14:38 . 2010-03-30 14:38 -------- d-----w- c:\users\admin\AppData\Local\Ahead
2010-03-30 14:36 . 2010-03-30 14:36 -------- d-----w- c:\users\admin\AppData\Local\Apple Computer
2010-03-30 11:10 . 2010-03-30 11:10 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-03-30 11:09 . 2010-03-30 16:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-30 11:09 . 2010-03-30 11:09 -------- d-----w- c:\users\admin\AppData\Roaming\SUPERAntiSpyware.com
2010-03-24 23:06 . 2010-03-24 23:06 -------- d-----w- c:\users\admin\AppData\Roaming\Malwarebytes
2010-03-24 23:06 . 2009-12-30 12:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-24 23:06 . 2010-03-24 23:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-24 23:06 . 2010-03-24 23:06 -------- d-----w- c:\programdata\Malwarebytes
2010-03-24 23:06 . 2009-12-30 12:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-18 15:24 . 2010-03-18 15:24 -------- d-----w- c:\users\admin\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-03-15 07:26 . 2010-03-15 07:26 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-09 18:52 . 2010-03-15 11:30 -------- d-----w- C:\$AVG
2010-03-09 18:51 . 2010-03-09 18:51 -------- d-----w- c:\programdata\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-31 12:11 . 2009-10-05 19:32 -------- d-----w- c:\users\admin\AppData\Roaming\uTorrent
2010-03-31 12:09 . 2009-02-27 10:59 -------- d-----w- c:\users\admin\AppData\Roaming\Skype
2010-03-31 10:14 . 2009-02-27 11:01 -------- d-----w- c:\users\admin\AppData\Roaming\skypePM
2010-03-30 11:14 . 2010-03-30 11:14 52224 ----a-w- c:\users\admin\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-30 11:14 . 2010-03-30 11:14 117760 ----a-w- c:\users\admin\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-30 11:08 . 2009-02-11 03:45 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-25 09:13 . 2009-03-19 11:28 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-03-19 13:34 . 2009-10-03 22:12 -------- d-----w- c:\users\admin\AppData\Roaming\vlc
2010-03-19 06:01 . 2009-10-03 22:12 -------- d-----w- c:\users\admin\AppData\Roaming\dvdcss
2010-03-18 12:58 . 2009-02-04 00:45 107984 ----a-w- c:\users\admin\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-18 11:22 . 2009-02-05 22:35 -------- d-----w- c:\users\admin\AppData\Roaming\U3
2010-03-15 09:40 . 2009-03-03 07:05 -------- d-----w- c:\program files\Safari
2010-03-15 09:34 . 2010-03-15 09:34 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-03-15 07:26 . 2010-03-15 07:26 360584 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-03-15 07:26 . 2010-03-15 07:26 28424 ----a-w- c:\programdata\avg9\update\backup\avgmfx86.sys
2010-03-15 07:26 . 2010-03-15 07:26 333192 ----a-w- c:\programdata\avg9\update\backup\avgldx86.sys
2010-03-15 07:26 . 2009-04-26 09:29 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-15 07:26 . 2009-04-26 09:29 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-15 07:24 . 2009-04-26 09:29 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-09 18:52 . 2009-04-26 09:29 -------- d-----w- c:\programdata\avg8
2010-03-09 18:51 . 2010-03-10 07:52 3777280 ----a-w- c:\programdata\avg9\update\backup\setup.exe
2010-03-09 18:51 . 2010-03-10 07:52 1260800 ----a-w- c:\programdata\avg9\update\backup\avgfrw.exe
2010-03-09 18:51 . 2010-03-15 07:22 800536 ----a-w- c:\programdata\avg9\update\backup\avginet.dll
2010-03-09 18:51 . 2010-03-15 07:22 613656 ----a-w- c:\programdata\avg9\update\backup\avgiproxy.exe
2010-03-09 18:51 . 2010-03-15 07:22 1658136 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-03-09 18:51 . 2010-03-15 07:22 1007896 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2010-03-09 18:51 . 2009-04-26 09:29 -------- d-----w- c:\program files\AVG
2010-02-28 00:01 . 2010-02-28 00:01 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-02-26 22:31 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-26 14:52 . 2009-10-06 23:21 -------- d-----w- c:\program files\Java
2010-02-26 12:07 . 2009-07-29 21:31 -------- d-----w- c:\programdata\Microsoft Help
2010-02-24 20:12 . 2010-02-24 20:12 -------- d-----w- c:\program files\iTunes
2010-02-24 20:12 . 2010-02-24 20:12 -------- d-----w- c:\program files\iPod
2010-02-24 20:12 . 2009-02-09 20:21 -------- d-----w- c:\program files\Common Files\Apple
2010-02-24 20:01 . 2010-02-24 20:01 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-24 07:16 . 2009-10-02 15:58 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-16 21:11 . 2009-06-12 05:23 -------- d-----w- c:\programdata\AVG Security Toolbar
2010-02-13 20:00 . 2009-02-07 04:30 -------- d-----w- c:\programdata\HP Product Assistant
2010-01-02 06:38 . 2010-01-25 00:36 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-25 00:36 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-25 00:36 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-25 00:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2007-02-21 19:49 . 2007-02-21 19:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 11:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-02-04 23975720]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-01-27 289584]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-10-08 818288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-09 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-09 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-09 133912]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-08 3444736]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-13 405504]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-15 214360]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-3-19 66864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\DRIVERS\s0016bus.sys [2008-05-16 89256]
R3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s0016mdfl.sys [2008-05-16 15016]
R3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s0016mdm.sys [2008-05-16 120744]
R3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s0016mgmt.sys [2008-05-16 114216]
R3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\DRIVERS\s0016nd5.sys [2008-05-16 25512]
R3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s0016obex.sys [2008-05-16 110632]
R3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\DRIVERS\s0016unic.sys [2008-05-16 115752]
R3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\DRIVERS\s0017bus.sys [2008-10-21 86824]
R3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s0017mdfl.sys [2008-10-21 15016]
R3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s0017mdm.sys [2008-10-21 114600]
R3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s0017mgmt.sys [2008-10-21 108328]
R3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\DRIVERS\s0017nd5.sys [2008-10-21 26024]
R3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s0017obex.sys [2008-10-21 104616]
R3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\DRIVERS\s0017unic.sys [2008-10-21 109736]
R3 tj2kunic;Terayon Cable Modem (WDM);c:\windows\system32\DRIVERS\tj2kunic.sys [2002-10-14 69680]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-10-05 722416]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-15 216200]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-03-15 242696]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-09-20 73728]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-15 308064]
S2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [2009-08-11 39424]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-02-26 179712]
S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2008-01-09 27632]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-03-31 c:\windows\Tasks\User_Feed_Synchronization-{FDA404D2-9C33-41F5-9DC1-AEC85E3AD3AE}.job
- c:\windows\system32\msfeedssync.exe [2010-01-25 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.ua/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(7448)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\STacSV.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\WUDFHost.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\conime.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\sdclt.exe
.
**************************************************************************
.
Completion time: 2010-03-31 15:23:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-31 12:23
ComboFix2.txt 2010-03-30 17:08

Pre-Run: 8,437,886,976 bytes free
Post-Run: 8,417,337,344 bytes free

- - End Of File - - 54DE8F11177B11F4334392FB1C834339

Here's the GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-31 17:03:57
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\admin\AppData\Local\Temp\aglcrpod.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\Users\admin\AppData\Local\Temp\catchme.sys The system cannot find the file specified. !
? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.exe[7448] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusShutdown] [747788B4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[7448] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCloneImage] [747B98A5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[7448] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDrawImageRectI] [7477B9D4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[7448] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [7476FB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[7448] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusStartup] [74777A79] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[7448] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateFromHDC] [7476EA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[7448] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [747AB17D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[7448] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [7477BC9A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[7448] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageHeight] [7477074E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[7448] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageWidth] [747706B5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[7448] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDisposeImage] [747671B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[7448] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [747FD848] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[7448] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [74797379] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[7448] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDeleteGraphics] [7476E109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[7448] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipFree] [7476697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[7448] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipAlloc] [747669A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[7448] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetCompositingMode] [74772465] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[7448] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802F20] C:\Windows\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\Explorer.exe[7448] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtClose] [00802CF0] C:\Windows\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\Explorer.exe[7448] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802C90] C:\Windows\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\Explorer.exe[7448] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802CC0] C:\Windows\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Hope this is what you were looking for; I didn't see anything mentioned about including it in my reply as an attachment, and this time I didn't keep getting refused when opening documents.

Ok Ciao!
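Two details in the logs above are worth a second look when triaging a thread like this. The GMER "User IAT/EAT" section shows one module, C:\Windows\TEMP\logishrd\LVPrcInj01.dll, replacing the NtCreateFile, NtClose, NtDeviceIoControlFile and NtDuplicateObject imports in Explorer.exe, and ComboFix lists that same file under "Other Deletions" and then again under "DLLs Loaded Under Running Processes", with c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe among the running processes. GMER's vendor string attributes the DLL to Logitech, but that string is just text copied from the file's version resource, not a signature check, and the file lives in a world-writable TEMP directory. A location-based flag is therefore the right first filter: anything hooking imports or registered as an autorun from TEMP, AppData, ProgramData or Public gets reviewed, regardless of what the version string says.

The script below is an added example for that triage step; it is not part of the original post and is not GMER or ComboFix code. It parses the exact line shapes seen in the two logs on this page (the "IAT ..." lines and the quoted `"name"="path" [date size]` Run values plus the unquoted AppInit_DLLs value) and groups hooks by the hooking module. The sample lines are copied from the logs above, except the "Demo" autorun line, which is constructed to exercise the positive case.

```python
"""Triage helper for GMER 'IAT' hook lines and ComboFix 'Reg Loading Points' entries.

Added example, not part of the original thread and not GMER/ComboFix code.
"""
import re

# Sample input: lines copied from the GMER log posted in this thread.
SAMPLE_GMER = r"""
IAT C:\Windows\Explorer.exe[7448] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusShutdown] [747788B4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[7448] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802F20] C:\Windows\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\Explorer.exe[7448] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtClose] [00802CF0] C:\Windows\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\Explorer.exe[7448] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802C90] C:\Windows\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
"""

# Sample input: lines copied from the ComboFix log posted in this thread.
# The "Demo" line is constructed (not from the log) to show a flagged autorun.
SAMPLE_COMBOFIX = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-02-04 23975720]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-01-27 289584]
"Demo"="c:\users\admin\AppData\Local\Temp\demo.exe" [2010-03-31 1024]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
"""

# Directories an unprivileged user or any process can write to.  A hook module
# or autorun target under one of these is reviewed regardless of vendor text.
WRITABLE_MARKERS = (
    "c:\\windows\\temp\\",
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "c:\\users\\public\\",
    "c:\\programdata\\",
)

# GMER: IAT <process>[<pid>] @ <module> [<dll!symbol>] [<addr>] <hooker> (<vendor>)
IAT_RE = re.compile(
    r"^IAT (?P<process>.+?)\[(?P<pid>\d+)\] @ (?P<module>.+?) "
    r"\[(?P<symbol>[^\]]+)\] \[(?P<address>[0-9A-Fa-f]+)\] "
    r"(?P<hooker>.+?) \((?P<vendor>[^)]*)\)$"
)
# ComboFix: registry key header, quoted Run value, and the unquoted AppInit_DLLs value.
KEY_RE = re.compile(r"^\[(?P<key>HK[A-Z_]+\\.+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]+)" \[(?P<date>\S+) (?P<size>\d+)\]$')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<target>.+)$')


def in_writable_location(path: str) -> bool:
    """True when the path sits under a directory that is not write-protected.
    The vendor string in a GMER line is version-resource text, not a signature,
    so location is the first-pass signal used here."""
    p = path.lower().replace("/", "\\")
    return any(marker in p for marker in WRITABLE_MARKERS)


def parse_iat_hooks(text: str) -> list:
    """One dict per 'IAT' line; non-matching lines are ignored."""
    return [m.groupdict() for m in (IAT_RE.match(l.strip()) for l in text.splitlines()) if m]


def summarize_hooks(hooks: list) -> dict:
    """Group hooks by the module that owns the replacement address, so a DLL that
    patched twenty imports shows up once with the list of what it hooked."""
    summary = {}
    for h in hooks:
        entry = summary.setdefault(h["hooker"], {
            "process": f'{h["process"]}[{h["pid"]}]',
            "vendor": h["vendor"],
            "symbols": [],
            "review": in_writable_location(h["hooker"]),
        })
        entry["symbols"].append(h["symbol"])
    return summary


def parse_autoruns(text: str) -> list:
    """Walk the 'Reg Loading Points' section keeping the key each value sits under.
    AppInit_DLLs is unquoted in ComboFix output and is matched separately; it is
    loaded into every process that maps user32.dll, so it is always worth listing."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        m = RUN_RE.match(line) or APPINIT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "key": key,
            "name": d.get("name", "AppInit_DLLs"),
            "target": d["target"],
            "review": in_writable_location(d["target"]),
        })
    return entries


def report(gmer_text: str, combofix_text: str) -> list:
    """Return (kind, path, detail) tuples for every item that needs review."""
    items = []
    for path, info in summarize_hooks(parse_iat_hooks(gmer_text)).items():
        if info["review"]:
            items.append(("iat-hook", path, ", ".join(info["symbols"])))
    for e in parse_autoruns(combofix_text):
        if e["review"]:
            items.append(("autorun", e["target"], f'{e["key"]}\\{e["name"]}'))
    return items


if __name__ == "__main__":
    for kind, path, detail in report(SAMPLE_GMER, SAMPLE_COMBOFIX):
        print(f"[{kind}] {path}\n    {detail}")
```

Run against the sample, the report lists the Logitech DLL once with its three hooked ntdll imports and the constructed Temp autorun, while the gdiplus.dll hooks (Explorer's own WinSxS side-by-side copy) and the System32 entries pass through. A flag is a reason to hash the file and check its Authenticode signature, not a verdict; in this thread the DLL in TEMP belongs to the Logitech camera software, which is consistent with ComboFix deleting it and the still-running LVPrcSrv.exe putting it back.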

#11 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Somewhere
  • Local time:04:00 AM

Posted 01 April 2010 - 05:22 AM

Hey upp,

Thank you for posting the logs. smile.gif

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software (AVG anti-virus and Windows Defender), as they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run AVP by Kaspersky

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into Safe Mode.
    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight Safe Mode, then hit Enter.
  • Double click the setup file to run it.
  • Click Next to continue.
  • By default it will install to your desktop folder. Click Next.
  • It will then open a box. There will be a tab that says AutoScan.
  • Under AutoScan make sure these are checked.
  • System Memory
  • Hidden Startup Objects
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)


After that click on Security level then choose Settings then click on the tab that says Additional then choose Deep Scan under Rootkit Scan[/b] then choose ok.
Then choose OK again then you are back to the main screen.
  • Then click on Start Scan at the to right hand Corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all
  • If it says it cannot be Neutralized then chooose The delete option when prompted.
  • After that is done click on the Report button at the bottom and save it to file name it Kas.
  • Save it somewhere convenient like your desktop and just post only the detected Virus\malware in the report it will be at the very top under Detected post those results in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.


2) Optional Removals

From your log, you seem to have uTorrent installed.

uTorrent is not malware, but it is a peer-to-peer (P2P) software that allows you to share files with other computers. While it is not harmful in itself, it can bring about unnecessary security risks to your computer. It is highly recommended that you remove it and refrain from using such software in the future. Please look at the article(s) below:

http://www.microsoft.com/protect/data/down...ilesharing.aspx

Please go to Add or Remove Programs and remove the following (if present):

uTorrent

Then use Windows Explorer and remove the following (if present):

C:\Program Files\uTorrent

Reboot your computer.

Next reply (please include in your post):

Tell me how your computer is doing
AVP scan log

Bleepingcomputer Malware Response Team


Please do NOT PM anyone with HJT logs, read this and post your logs here.


#12 upp

upp
  • Topic Starter

  • Members
  • 60 posts

Posted 01 April 2010 - 02:59 PM

Hi!
I followed your instructions but nothing turned up. When everything was done I went into Report & saw the following options in the drop-down menus:
  • Autoscan / Manual Disinfection
  • Do Not Group / Group by Results
  • Critical Events / Important Events / All Events

When I clicked Critical Events & Important Events it only reported Tasks Started/Tasks Completed.

I saw no way to save the report & saw no way to list Detected Viruses/Malware.

As I mentioned in my earlier posts (maybe in the first forum before it got bumped to this forum) I run Windows Vista on half the computer & Ubuntu on the other half. After some playing around in the Windows C:\ I found the file of what I was pretty sure was Security Tools. While in Ubuntu I have access to the Windows C:\ (it looks like an external drive) & I simply dragged the file to the trash, then I went back into Windows & no longer got the warning pop up windows that up until that point had been preventing me from doing anything. Still unsure I had beaten this thing I looked online & found bleeping computer. I started following the instructions posted. When I was unable to complete step 6 of the Automated Removal Instructions for Security Tool using Malwarebytes' Anti-Malware I found on http://www.bleepingcomputer.com/virus-remo...e-security-tool, I registered & posted a forum. Basically what little of the computer I have used has worked ok except GMER causes the computer to run slow (10 minutes between commands) & once it froze. I was unsure of how to determine if my HOSTS file needed to be re-downloaded as suggested in the above mentioned generic instructions.

Seeing as I am somewhat computer illiterate, I didn't want to leave my life line in a partially cleaned/repaired state. I'm sorry if this has goofed up your diagnosis, again I wrote it all out someplace before & just figured since my post migrated to another forum, the person helping me would have access to my posts since the beginning & I didn't think to start from absolute scratch.

If I understand this correctly Kas AVP didn't find any bad programs. If that is the case I'd like to:
1) make sure my HOSTS (or other) files are spoiled, if they are fix them AND
2) find out what free anti-ware is most recommended. I don't know the difference between spyware, malware, hijacking, viruses, trojans (except they're not talking about Rome or condoms) & so far have simply run AVG free 9.0. I have been told I need separate programs for all the different kinds of threats (OMG!!! I don't even know what they are all called & how many there are). It has been suggested to me that I get superanti-spyware for $10 with unlimited lifetime updates which is in my budget & keep AVG or FREEDRWEB & that should cover me but no one with authority can say if that's really enough.

Sorry again for any confusion. I'd hate to have put you on an even somewhat wild goose chase as I really am grateful for the services you all provide. Waiting for your further instructions/advice.
Thanks!

#13 upp

upp
  • Topic Starter

  • Members
  • 60 posts

Posted 01 April 2010 - 05:54 PM

Just tried opening up a DVD--that doesn't seem to be working....was working fine before

#14 Ltangelic

Ltangelic

    Angel Annihilator of Malware

  • Members
  • 348 posts
  • Gender:Female
  • Location:Somewhere

Posted 02 April 2010 - 09:12 AM

Hi upp,

QUOTE(upp @ Apr 2 2010, 03:59 AM)
As I mentioned in my earlier posts (maybe in the first forum before it got bumped to this forum) I run Windows Vista on half the computer & Ubuntu on the other half. After some playing around in the Windows C:\ I found the file of what I was pretty sure was Security Tools. While in Ubuntu I have access to the Windows C:\ (it looks like an external drive) & I simply dragged the file to the trash, then I went back into Windows & no longer got the warning pop up windows that up until that point had been preventing me from doing anything. Still unsure I had beaten this thing I looked online & found bleeping computer. I started following the instructions posted. When I was unable to complete step 6 of the Automated Removal Instructions for Security Tool using Malwarebytes' Anti-Malware I found on http://www.bleepingcomputer.com/virus-remo...e-security-tool, I registered & posted a forum. Basically what little of the computer I have used has worked ok except GMER causes the computer to run slow (10 minutes between commands) & once it froze. I was unsure of how to determine if my HOSTS file needed to be re-downloaded as suggested in the above mentioned generic instructions.

Seeing as I am somewhat computer illiterate, I didn't want to leave my life line in a partially cleaned/repaired state. I'm sorry if this has goofed up your diagnosis, again I wrote it all out someplace before & just figured since my post migrated to another forum, the person helping me would have access to my posts since the beginning & I didn't think to start from absolute scratch.

If I understand this correctly Kas AVP didn't find any bad programs. If that is the case I'd like to:
1) make sure my HOSTS (or other) files are spoiled, if they are fix them AND
2) find out what free anti-ware is most recommended. I don't know the difference between spyware, malware, hijacking, viruses, trojans (except they're not talking about Rome or condoms) & so far have simply run AVG free 9.0. I have been told I need separate programs for all the different kinds of threats (OMG!!! I don't even know what they are all called & how many there are). It has been suggested to me that I get superanti-spyware for $10 with unlimited lifetime updates which is in my budget & keep AVG or FREEDRWEB & that should cover me but no one with authority can say if that's really enough.

Sorry again for any confusion. I'd hate to have put you on an even somewhat wild goose chase as I really am grateful for the services you all provide. Waiting for your further instructions/advice.
Thanks!


1) I don't see any problem with your hosts file, but if you really want to reset it, we'll do it after the cleanup process is finished.
2) You already have an anti-virus and anti-spyware on your computer. Though it cannot guarantee that your computer will be 100% secure, it is a major step in protecting your computer. After we finish cleaning up whatever is left, I'll give you some more recommendations and advice about protection software. Don't worry.

QUOTE(upp @ Apr 2 2010, 06:54 AM)
Just tried opening up a DVD--that doesn't seem to be working....was working fine before


It is due to the fact that your CD emulation program is disabled. We'll re-enable it once we are done.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (AVG anti-virus and Windows Defender) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Optional Removal

From your log, you seem to have uTorrent installed.

uTorrent is not malware, but it is a peer-to-peer (p2p) file-sharing program that can bring about unnecessary security risks to your computer. Please look at the article(s) below:

http://www.microsoft.com/protect/data/down...ilesharing.aspx

Due to the dubious nature of these programs, it is highly recommended that you remove the programs via Add or Remove Programs in Control Panel and refrain from downloading these programs in the future. If you have made a decision to remove these programs, please do the following:

Please go to Add or Remove Programs and remove the following (if present):

uTorrent

Then use Windows Explorer and remove the following (if present):

c:\program files\utorrent

Reboot your computer.

2) Run MBAM scan
  • Open Malwarebytes by clicking on its shortcut on desktop. Please click on the "Update" tab and click "Check for Updates".
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3) Upload file for analysis

To enable the viewing of Hidden files follow these steps:
  1. Close all programs so that you are at your desktop.
  2. Click on the Start button. This is the small round button with the Windows flag in the lower left corner.
  3. Click on the Control Panel menu option.
  4. When the control panel opens you can either be in Classic View or Control Panel Home view:
     • If you are in the Classic View do the following:
       1. Double-click on the Folder Options icon.
       2. Click on the View tab.
       3. Go to step 5.
     • If you are in the Control Panel Home view do the following:
       1. Click on the Appearance and Personalization link.
       2. Click on Show Hidden Files or Folders.
       3. Go to step 5.
  5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  6. Remove the checkmark from the checkbox labeled Hide extensions for known file types.
  7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
  8. Press the Apply button and then the OK button and shutdown My Computer.
  9. Now Windows Vista is configured to show all hidden files.

NEXT

Please visit the online Jotti Virus Scanner.
  • Copy and paste the following filepath in the box:

    c:\windows\system32\ieUnatt.exe
  • Click on the button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

    Next reply (please include in your post):

    Tell me how your computer is doing
    MBAM scan log
    Virscan report


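Earlier in this thread upp asked how to tell whether the HOSTS file had been "spoiled", and the helper answered that it looked fine. The check below is an added example for this page, not code from the thread or from any tool it names; it shows what "looks fine" means in practice. A rogue program typically does one of two things to `hosts`: it points a security vendor's site at a foreign address (a redirect), or it maps it to 127.0.0.1 so the site can no longer be reached (a black-hole). The sample hosts content is constructed; the watchlist holds the two sites named in this thread, and a real run would read `C:\Windows\System32\drivers\etc\hosts` (the standard path, assumed here) instead of the sample string.

```python
"""Flag suspicious entries in a Windows/Unix hosts file (added example, not from the thread)."""
import ipaddress
from pathlib import Path

# Constructed sample: two normal loopback lines, a comment, and two invented entries
# of the kind a rogue program might add (203.0.113.5 is a documentation-only address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.5     www.malwarebytes.org      # constructed: vendor site sent to a foreign address
127.0.0.1       www.bleepingcomputer.com  # constructed: help site black-holed to loopback
"""

# Sites a cleanup depends on; any hosts entry naming one of these is suspicious.
WATCHLIST = {"www.malwarebytes.org", "www.bleepingcomputer.com"}

# Names that are expected to map to a loopback/unspecified address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return (address, [hostnames]) per non-comment line; inline comments are stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries


def check_hosts(text, watchlist=WATCHLIST):
    """Return a list of (address, hostname, reason) findings; an empty list means clean."""
    findings = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, " ".join(names), "unparseable address"))
            continue
        local_target = addr.is_loopback or addr.is_unspecified
        for name in names:
            if name in watchlist:
                findings.append((ip, name, "watchlisted site overridden"))
            elif name in LOCAL_NAMES:
                if not local_target:
                    findings.append((ip, name, "local name mapped off-host"))
            elif local_target:
                findings.append((ip, name, "black-holed to local address"))
            else:
                findings.append((ip, name, "redirected to " + ip))
    return findings


def check_hosts_file(path):
    """Convenience wrapper for a real hosts file (assumed path on Vista shown in main)."""
    return check_hosts(Path(path).read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    for ip, name, reason in check_hosts(SAMPLE_HOSTS) or [("-", "-", "no findings")]:
        print(f"{ip:<16} {name:<28} {reason}")
    # On the affected machine one would call, instead:
    # check_hosts_file(r"C:\Windows\System32\drivers\etc\hosts")
```

A hosts file that only contains loopback entries for `localhost` produces no findings, which is the state the helper describes as "no problem". Entries that map many third-party names to 127.0.0.1 can also come from a legitimate ad-blocking hosts list, so a black-hole finding is a prompt to ask where the line came from, not proof of infection.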


#15 upp

upp
  • Topic Starter

  • Members
  • 60 posts

Posted 02 April 2010 - 05:43 PM




Jotti's malware scan
Filename: ieUnatt.exe
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Sat 3 Apr 2010 00:36:59 (CET)



    Hi Ltangelic!
    Thanks for putting me even more (amazing that that is possible) at ease...you're the BOMB!!!!
    If you observe Easter....Happy Easter! If not have a great day!
    Computer seems ok although I use it very, very little, almost never as I am unable to make a back up--a component of my external hard drive died & I am waiting for a replacement part. It does seem to run slow & the earlier mentioned freezes when I ran GMER but that's about the only thing I notice.

    Thanks & here are the reports you requested.

    Here is the MBAM log:
    Malwarebytes' Anti-Malware 1.45
    www.malwarebytes.org

    Database version: 3947

    Windows 6.0.6001 Service Pack 1
    Internet Explorer 8.0.6001.18882

    4/3/2010 1:33:30 AM
    mbam-log-2010-04-03 (01-33-30).txt

    Scan type: Quick scan
    Objects scanned: 105417
    Time elapsed: 6 minute(s), 38 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



Here (I think, as nothing said Results box) is all I could copy from the jotti web site after the scan:
Additional info
File size: 133632 bytes
Filetype: PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5: 9e6b93014b76c47014eaa53e4c56ccda
SHA1: d181a25f434d57d447f2e847413e16a63a9afa2b





Scanners: 20 entries, signature dates 2010-04-01 to 2010-04-03, every one "Found nothing" (the scanner names did not survive the copy from the results page).

    Thanks again!
Ciao!
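The Jotti result above identifies the submitted file by size, MD5 and SHA-1. When a result like this is pasted into a thread, the useful defender's check is that the file still sitting on disk is the same object the scanner looked at: a rogue program that rewrites or swaps a system file would change those values. The following is an added example for this page, not code from the thread or from Jotti; it parses the report lines exactly as posted, computes the same three identifiers for a local file, and reports which fields disagree. The `__main__` path takes the file to check as a command-line argument; there is no real file in this example, so the self-contained demonstration hashes a constructed in-memory blob.

```python
"""Check a local file against the size/MD5/SHA-1 lines of a scanner report (added example)."""
import hashlib
import re
import sys
from pathlib import Path

# Identifiers exactly as the Jotti result in this thread lists them for ieUnatt.exe.
REPORT_TEXT = """\
Additional info
File size: 133632 bytes
Filetype: PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5: 9e6b93014b76c47014eaa53e4c56ccda
SHA1: d181a25f434d57d447f2e847413e16a63a9afa2b
"""


def parse_report(text):
    """Pull size, MD5 and SHA-1 out of free-text report lines; missing fields become None."""
    size = re.search(r"File size:\s*(\d+)\s*bytes", text)
    md5 = re.search(r"\bMD5:\s*([0-9a-fA-F]{32})\b", text)
    sha1 = re.search(r"\bSHA1:\s*([0-9a-fA-F]{40})\b", text)
    return {
        "size": int(size.group(1)) if size else None,
        "md5": md5.group(1).lower() if md5 else None,
        "sha1": sha1.group(1).lower() if sha1 else None,
    }


def digests_of_bytes(data):
    """Size, MD5 and SHA-1 of an in-memory blob (same shape as parse_report's result)."""
    return {"size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def digests_of_file(path, chunk=1 << 20):
    """Same for a file on disk, read in chunks so a large sample is never fully in RAM."""
    h_md5, h_sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h_md5.update(block)
            h_sha1.update(block)
            size += len(block)
    return {"size": size, "md5": h_md5.hexdigest(), "sha1": h_sha1.hexdigest()}


def compare(local, report):
    """Names of the fields the report states that do not match the local identifiers."""
    return sorted(k for k, v in report.items() if v is not None and v != local[k])


if __name__ == "__main__":
    report = parse_report(REPORT_TEXT)
    if len(sys.argv) > 1 and Path(sys.argv[1]).is_file():
        mismatches = compare(digests_of_file(sys.argv[1]), report)
    else:
        # No path given: hash a constructed blob, which of course does not match the report.
        mismatches = compare(digests_of_bytes(b"constructed sample, not the real file"), report)
    print("fields that differ from the report:", mismatches or "none")
```

An empty mismatch list means the file on disk is byte-for-byte the one the scanners examined; a differing size or digest means the report no longer describes what is on the machine, and the file should be re-submitted before anyone draws a conclusion from "0 out of 20".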



