Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

virus redirecting my searches


  • This topic is locked This topic is locked
12 replies to this topic

#1 fidgetyphil

fidgetyphil

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:40 AM

Posted 27 March 2010 - 09:49 AM

When I search for something in google, when I press on the result I get redirected usually via search.php

I use Mcafee and that can't find anything, nor can malaware bytes nor AVG nor avira, nor spybot, lavasoft or anything else I can lay my hands on.
Also when I try and run gmer.exe it crashes my computer.


All help gratefully received

Attached Files



BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:40 PM

Posted 30 March 2010 - 07:08 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
Posted Image
m0le is a proud member of UNITE

#3 fidgetyphil

fidgetyphil
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:40 AM

Posted 31 March 2010 - 04:09 AM

Thanks for the reply.
These are the DDS log
And I have attached the attach zip file.
However i cannot run the GMER.exe without it crashing my computer.
I have run the defogger tool first, turned off all AV tools and tried it in safe mode, but it still crashes the comp in safe mode



DDS (Ver_10-03-17.01) - NTFSx86
Run by Jules at 8:52:51.94 on 31/03/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2036.808 [GMT 1:00]

SP: MalwareRemovalBot *disabled* (Updated) {19CE7B2B-7E9D-43CC-A5D5-8DC8FCE6949B}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\brss01a.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Backup Direct\Connected\Agent.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Trend Micro\Email Encryption Client\ppTray.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Backup Direct\Connected\AgentService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Windows\system32\lxctcoms.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Trend Micro\Email Encryption Client\ppAuxSrv.exe
C:\Windows\system32\PrintCtrl.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Trend Micro\Email Encryption Client\ppSrv.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\conime.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Jules\Downloads\dds(2).scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.bbc.co.uk/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.euro.dell.com/countries/uk/enu/gen/default.htm
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Microsoft Internet Explorer provided by BTopenworld
mSearch Bar =
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
uCustomizeSearch =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: ppBHOReader Class: {ac36ab03-0c7b-4363-a48e-342b7419337c} - c:\program files\trend micro\email encryption client\ppBHO.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [AgentUiRunKey] "c:\program files\backup direct\connected\Agent.exe" -ni -sss -e http://localhost:16386/
mRun: [Snappy Fax Printer Agent]
mRun: [Private Post Tray v4] "c:\program files\trend micro\email encryption client\ppTray.exe"
mRun: [Act! Preloader] "c:\program files\act\act for windows\ActSage.exe" -preload
mRun: [lxctmon.exe] "c:\program files\lexmark 5400 series\lxctmon.exe"
mRun: [LXCTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCTtime.dll,_RunDLLEntry@16
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
dRun: [DelayShred] c:\progra~1\mcafee\mshr\shrcl.exe /p7 /q c:\users\jules\appdata\local\temp\adobel~3.sh! c:\users\jules\appdata\local\temp\ADOBEL~1.SH!
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: adviserzone.com\www
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: motive.com\pbttbc.bt
Trusted Zone: standardlife.com\online
Trusted Zone: standardlife.com\online4
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8E95B0CA-EB6F-11D3-979B-00508B64538B} - hxxp://exweb.exchange.uk.com/clientBinaries/VersionInfo.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {91F82BFF-F70C-11D2-BB68-0008C7E9C2C6} - hxxp://exweb.exchange.uk.com/texonline/core_services/new_business_processing/texnbshell.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CB830891-2E18-11D1-B8CF-00A0C9259304} - hxxp://exweb.exchange.uk.com/texonline/core_services/new_business_processing/FDFFILES.CAB
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\konovozo.dll,c:\windows\system32\jimikesu.dll,ll,c:\progra~1\google\google~3\GOEC62~1.DLL,avgrsstx.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\jules\appdata\roaming\mozilla\firefox\profiles\zjpxd6pn.default\
FF - prefs.js: browser.startup.homepage - www.bbc.co.uk
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-3-25 28552]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-25 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-25 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-25 242696]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-9 214664]
R2 AgentService;AgentService;c:\program files\backup direct\connected\AgentService.exe [2008-11-9 6608192]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-25 308064]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-9-23 155648]
R2 LV_Tracker;LV_Tracker;c:\windows\system32\drivers\LV_Tracker.sys [2008-11-9 45384]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-11 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-11 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-3-11 144704]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R2 ppAuxSrv;ppAuxSrv;c:\program files\trend micro\email encryption client\ppAuxSrv.exe [2008-12-21 87400]
R2 Printer Control;Printer Control;c:\windows\system32\PrintCtrl.exe [2009-6-10 73728]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-1-14 809296]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-11 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-11 35272]
R3 ppSrv;ppSrv;c:\program files\trend micro\email encryption client\ppSrv.exe [2008-12-21 79184]
S2 0281831269997453mcinstcleanup;McAfee Application Installer Cleanup (0281831269997453);c:\windows\temp\028183~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\028183~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2009-8-24 81920]
S2 ddnt;ddnt;c:\windows\system32\drivers\ddnt.sys [2009-11-4 8544]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-6-9 24576]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-12-23 30192]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-6-9 24576]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-3-11 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-3-11 40552]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-3-11 606736]

=============== Created Last 30 ================

2010-03-27 13:06:10 0 d--h--w- C:\$AVG
2010-03-27 07:48:28 0 ----a-w- c:\users\jules\defogger_reenable
2010-03-25 18:09:42 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-25 12:22:14 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-03-25 12:21:44 0 d-----w- c:\program files\Panda Security
2010-03-25 07:22:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-25 07:22:29 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-25 07:22:24 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-25 07:22:22 0 d-----w- c:\windows\system32\drivers\Avg
2010-03-25 07:20:23 0 d-----w- c:\program files\AVG
2010-03-25 07:20:10 0 d-----w- c:\programdata\avg9
2010-03-12 08:42:51 0 d-----w- c:\programdata\Sun
2010-03-09 15:11:00 46114680 ----a-w- c:\users\jules\berry dec.tif
2010-03-01 14:05:35 0 d-----w- c:\program files\common files\DivX Shared

==================== Find3M ====================

2010-03-31 07:48:33 1682 --sha-w- c:\programdata\KGyGaAvL.sys
2010-03-18 13:08:04 692 ----a-w- c:\users\jules\appdata\roaming\wklnhst.dat
2010-02-27 10:11:37 102248 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-02-04 10:09:55 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-04 10:09:55 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-04 10:09:36 86016 ----a-w- c:\windows\inf\infstor.dat
2010-02-01 13:47:34 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_androidusb_01005.Wdf
2010-01-31 10:22:31 364544 ------w- c:\windows\Setup1.exe
2010-01-31 10:22:25 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2008-12-23 20:44:35 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-12-08 16:03:29 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-10-19 12:46:52 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-11-15 16:52:19 16384 --sha-w- c:\windows\system32\%appdata%\microsoft\windows\ietldcache\index.dat
2009-02-09 19:43:54 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009020920090210\index.dat
2008-12-23 20:31:50 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 8:53:40.25 ===============


#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:40 PM

Posted 31 March 2010 - 11:21 AM

Let's kill some processes that are stopping the tools and then run a powerful tool to try and stop the redirections

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.

Then

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#5 fidgetyphil

fidgetyphil
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:40 AM

Posted 31 March 2010 - 02:23 PM

Top level this. hitting it with a big stick. I seem to have my google back. Frankly its a mystery to me but I'm impressed.
Right

Rkill log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Jules on 31/03/2010 at 18:15:16.


Processes terminated by Rkill or while it was running:


C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Backup Direct\Connected\Agent.exe
C:\Users\Jules\Downloads\rkill.pif


Rkill completed on 31/03/2010 at 18:15:21.


comfix log:

ComboFix 10-03-29.04 - Jules 31/03/2010 18:24:45.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2036.552 [GMT 1:00]
Running from: c:\users\Jules\Downloads\Comfix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2773397201-2855733099-4214572315-500
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1054.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1212.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1274.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc13F9.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1444.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc14CA.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1726.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1797.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc187E.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1A8.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1B2B.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1BBF.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1C2F.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1CA7.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1DC5.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1E82.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1F2C.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1FE1.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2169.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc21E1.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2475.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc24FE.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2695.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc26C7.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2AD3.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2B0A.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2B7.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2BD6.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2C35.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2CE0.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2E65.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc305A.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc311B.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc31B3.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc31EF.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc3378.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc3468.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc37AD.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc3917.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc39EB.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc3AF9.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc3BE9.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc3C1A.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc3C5D.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc3D9B.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc4338.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc4350.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc4368.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc44CA.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc47AC.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc47AF.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc47B7.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc47D9.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc485F.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc48C2.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc49C3.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc49DD.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc4A7A.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc4BCE.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5083.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5156.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5161.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc516C.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5290.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc550.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc554C.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5758.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc587A.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc596B.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc59F3.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5A4A.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5A70.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5B28.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5B45.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5B57.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5C3D.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5CC3.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5CC7.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5D28.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5E77.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6044.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6116.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc611D.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6184.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc635A.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc63AF.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6479.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc65AA.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc65C4.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc65DC.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6686.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc66C3.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc685D.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6D5B.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6EB5.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6F6E.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc718E.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc72E7.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7358.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc75A8.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc774B.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7797.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc786B.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7C84.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7DB1.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7DF1.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7E5F.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7E98.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7FE7.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8072.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8131.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8133.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc81CE.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8209.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc821A.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc82A1.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc82BD.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc831E.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc83AB.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc87A6.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc889.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc892.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8AB0.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8C5E.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8D7F.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8DBE.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8E5C.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9066.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc90B8.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9134.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9246.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc92CB.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc936.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9492.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc94E2.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc953C.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc967B.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc96EE.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9708.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9784.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc97F0.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9840.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc985E.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc98AA.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc98DE.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9A24.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9A5.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9A5D.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9C5E.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9D80.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc9DE9.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA12C.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA257.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA30E.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA604.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA7CC.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA9D1.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccAAEF.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccAAF2.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccABA2.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccAD87.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccAF19.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccAFF8.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB1BC.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB723.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB725.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB93F.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB965.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB973.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBAD5.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBC2E.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBE15.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC013.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC1E.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC656.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC767.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC8DC.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC9FE.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCCF4.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCE56.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCF52.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCFE5.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD050.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD12E.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD1E1.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD26F.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD3D0.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD400.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD7A3.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD864.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDAF4.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDBF2.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDD15.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDD1D.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDD9E.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE477.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE499.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE4AB.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE566.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE5A8.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE678.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE944.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE9A1.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccEB80.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccEC69.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccEEF7.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF0B3.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF144.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF1AD.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF507.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF524.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF617.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF70B.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF803.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF82A.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF86D.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFA2A.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFC37.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFD4E.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFE8E.tmp
c:\users\Jules\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFFF8.tmp
c:\users\Jules\Documents\TaskMan.exe
D:\resycled

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it tongue.gif
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ndisrd


((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-31 )))))))))))))))))))))))))))))))
.

2010-03-31 17:36 . 2010-03-31 17:39 -------- d-----w- c:\users\Jules\AppData\Local\temp
2010-03-31 17:36 . 2010-03-31 17:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-31 17:36 . 2010-03-31 17:36 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-03-25 18:09 . 2010-03-27 12:51 -------- dc----w- c:\windows\system32\DRVSTORE
2010-03-25 18:09 . 2010-03-25 18:09 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-25 12:21 . 2010-03-31 14:56 -------- d-----w- c:\program files\Panda Security
2010-03-25 07:20 . 2010-03-25 07:20 -------- d-----w- c:\program files\AVG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-31 17:41 . 2009-01-06 17:00 1682 --sha-w- c:\programdata\KGyGaAvL.sys
2010-03-31 17:41 . 2009-01-06 17:00 1682 --sha-w- c:\programdata\KGyGaAvL.sys
2010-03-31 17:40 . 2010-02-04 10:10 -------- d-----w- c:\program files\Lx_cats
2010-03-31 17:13 . 2009-01-08 18:36 -------- d-----w- c:\users\Jules\AppData\Roaming\BitTorrent
2010-03-31 08:17 . 2009-03-11 09:52 -------- d-----w- c:\program files\McAfee
2010-03-28 16:37 . 2009-01-17 09:43 1356 ----a-w- c:\users\Jules\AppData\Local\d3d9caps.dat
2010-03-28 01:02 . 2009-12-23 10:35 1109 ----a-w- c:\users\Jules\AppData\Roaming\Genie-Soft\GBMPro8\Jobs\jULES NEW COMP\00000001\maindata.sys
2010-03-27 12:51 . 2009-01-14 17:11 -------- d-----w- c:\programdata\Lavasoft
2010-03-26 08:24 . 2010-03-26 08:24 1741521 ----a-w- c:\programdata\SPL5C6.tmp
2010-03-19 14:19 . 2009-01-09 18:24 -------- d-----w- c:\users\Jules\AppData\Roaming\Snappy Fax
2010-03-19 13:59 . 2009-01-09 18:24 -------- d-----w- c:\program files\Snappy Fax Version 4
2010-03-18 13:08 . 2009-01-30 10:58 692 ----a-w- c:\users\Jules\AppData\Roaming\wklnhst.dat
2010-03-12 08:42 . 2008-12-23 13:00 -------- d-----w- c:\program files\Common Files\Java
2010-03-12 08:41 . 2008-12-23 13:00 -------- d-----w- c:\program files\Java
2010-03-01 14:07 . 2009-01-06 20:45 -------- d-----w- c:\program files\divx
2010-03-01 14:06 . 2008-12-23 13:12 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-03-01 14:06 . 2010-03-01 14:05 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-02-27 10:11 . 2010-02-27 10:11 102248 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-02-27 10:10 . 2009-11-26 18:23 8224 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-25 23:12 . 2009-01-15 10:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-25 23:07 . 2009-11-15 17:14 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-17 18:20 . 2010-02-17 18:20 738776 ----a-w- c:\programdata\SPL4EB9.tmp
2010-02-17 07:43 . 2009-01-08 18:35 -------- d-----w- c:\users\Jules\AppData\Roaming\DNA
2010-02-15 18:24 . 2009-01-14 14:09 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-15 10:26 . 2009-01-08 18:35 -------- d-----w- c:\program files\DNA
2010-02-15 09:37 . 2009-01-08 08:47 -------- d-----w- c:\programdata\Microsoft Help
2010-02-10 08:26 . 2010-02-10 08:26 9864508 ----a-w- c:\programdata\SPLA734.tmp
2010-02-08 14:09 . 2010-02-04 10:11 -------- d-----w- c:\users\Jules\AppData\Roaming\5400 Series
2010-02-07 09:25 . 2009-01-06 16:39 102248 ----a-w- c:\users\Jules\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-04 16:59 . 2009-03-05 15:53 -------- d-----w- c:\users\Jules\AppData\Roaming\Genie-Soft
2010-02-04 14:46 . 2010-02-04 14:46 40685572 ----a-w- c:\programdata\SPL832B.tmp
2010-02-04 10:14 . 2010-02-04 10:02 -------- d-----w- c:\program files\Lexmark 5400 Series
2010-02-04 10:04 . 2010-02-04 10:04 -------- d-----w- c:\programdata\5400 Series
2010-02-04 10:04 . 2010-02-04 10:04 -------- d-----w- c:\program files\Lexmark Toolbar
2010-02-01 19:40 . 2009-07-10 11:13 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-01 19:39 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-01 15:31 . 2009-11-26 17:51 -------- d-----w- c:\users\Jules\AppData\Roaming\Teleca
2010-02-01 15:29 . 2010-02-01 15:29 -------- d-----w- c:\program files\Common Files\Teleca Shared
2010-02-01 15:29 . 2010-02-01 15:29 -------- d-----w- c:\programdata\HTC
2010-02-01 15:29 . 2010-02-01 15:29 -------- d-----w- c:\programdata\Teleca
2010-02-01 15:29 . 2009-11-26 17:46 -------- d-----w- c:\program files\HTC
2010-02-01 14:51 . 2010-02-01 14:51 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-02-01 14:30 . 2009-11-26 18:24 -------- d-----w- c:\users\Administrator\AppData\Roaming\Teleca
2010-02-01 13:47 . 2010-02-01 13:47 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_androidusb_01005.Wdf
2010-01-31 10:23 . 2009-01-06 20:45 -------- d-----w- c:\program files\mhead32
2010-01-31 10:23 . 2010-01-31 10:23 -------- d-----w- c:\program files\Common Files\MachineheadSoftware
2010-01-31 10:22 . 2010-01-31 10:22 364544 ------w- c:\windows\Setup1.exe
2010-01-31 10:22 . 2010-01-31 10:22 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-01-30 23:52 . 2008-12-23 13:05 -------- d-----w- c:\program files\Google
2010-01-29 02:01 . 2010-01-29 08:04 1109 ----a-w- c:\users\Jules\AppData\Roaming\Genie-Soft\GBMPro8\Jobs\New Backup Job(2)\00000000\maindata.sys
2010-01-07 16:07 . 2009-01-15 10:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2009-01-15 10:19 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-02 06:38 . 2010-01-22 15:50 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 15:50 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-22 15:50 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-22 15:50 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-16 18:32 . 2009-01-15 10:31 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-12-10 15:01 . 2009-10-19 16:24 83312 ----a-w- c:\program files\mozilla firefox\components\ppReaderLaunch.dll
2008-12-23 20:31 . 2008-12-23 20:30 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-23 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-11 4452352]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-04-22 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-22 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-22 133656]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"AgentUiRunKey"="c:\program files\Backup Direct\Connected\Agent.exe" [2008-11-09 244536]
"Private Post Tray v4"="c:\program files\Trend Micro\Email Encryption Client\ppTray.exe" [2009-12-10 226664]
"Act! Preloader"="c:\program files\ACT\Act for Windows\ActSage.exe" [2009-08-24 331776]
"lxctmon.exe"="c:\program files\Lexmark 5400 Series\lxctmon.exe" [2006-11-22 291760]
"LXCTCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-11-21 106496]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]

c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-23 13:13 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Jules^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dell Dock.lnk]
path=c:\users\Jules\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
backup=c:\windows\pss\Dell Dock.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 02:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act.Outlook.Service]
2009-08-24 20:09 28672 ----a-w- c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 02:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-08 07:56 323392 ----a-w- c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2007-02-15 14:29 622592 ------w- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp]
2009-09-14 16:56 1584640 ----a-w- c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp]
2008-08-28 19:33 1516032 ----a-w- c:\program files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CompanionLink]
2009-12-29 12:46 13737984 ----a-w- c:\program files\CompanionLink\CompanionLink.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2006-07-19 14:51 65536 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2008-10-04 13:58 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2006-11-22 10:11 82864 ----a-w- c:\program files\Lexmark 5400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBMPro8Agent]
2007-07-11 05:23 214512 ----a-w- c:\program files\genie-soft\GBMPro8\GBMAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2009-12-16 18:32 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2005-03-17 14:45 40960 ----a-w- c:\program files\scansoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5400 Series Fax Server]
2006-11-22 10:12 304048 ----a-w- c:\program files\Lexmark 5400 Series\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-01-07 16:07 1394000 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mobile Connectivity Suite]
2009-05-27 15:46 598016 ----a-r- c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2005-03-17 14:25 57393 ----a-w- c:\program files\scansoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrintDisp]
2009-04-07 08:29 871936 ----a-w- c:\windows\System32\PrintDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Snappy Fax Printer virtual printer agent]
2007-07-19 04:01 94208 ----a-w- c:\program files\Snappy Fax Version 4\sfpagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 10:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 11:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-12-23 13:06 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-08-25 16:27 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WAB]
2009-12-02 08:17 18432 ----a-w- c:\users\Jules\AppData\Roaming\Macromedia\Common\039fe09219.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2007-05-31 09:21 648072 ----a-w- c:\windows\WindowsMobile\wmdcBase.exe

R2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [2009-08-24 81920]
R2 ddnt;ddnt;c:\windows\system32\drivers\ddnt.sys [2009-11-04 8544]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 135664]
R2 srenum;srenum;c:\windows\system32\DRIVERS\srenum.sys [x]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [2009-06-09 24576]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-12-16 30192]
R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-06-09 24576]
S2 AgentService;AgentService;c:\program files\Backup Direct\Connected\AgentService.exe [2008-11-09 6608192]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-23 155648]
S2 LV_Tracker;LV_Tracker;c:\windows\system32\DRIVERS\LV_Tracker.sys [2008-11-09 45384]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-12-08 93320]
S2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680]
S2 ppAuxSrv;ppAuxSrv;c:\program files\Trend Micro\Email Encryption Client\ppAuxSrv.exe [2009-12-10 87400]
S2 Printer Control;Printer Control;c:\windows\system32\PrintCtrl.exe [2008-10-11 73728]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-07-07 809296]
S3 ppSrv;ppSrv;c:\program files\Trend Micro\Email Encryption Client\ppSrv.exe [2009-12-10 79184]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2010-03-28 c:\windows\Tasks\GBM - jULES NEW COMP-Full.job
- c:\program files\Genie-Soft\GBMPro8\GBM8.exe [2009-03-05 05:20]

2010-03-28 c:\windows\Tasks\GBM - New Backup Job(2)-Full.job
- c:\program files\Genie-Soft\GBMPro8\GBM8.exe [2009-03-05 05:20]

2010-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 23:52]

2010-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 23:52]

2010-03-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]

2010-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar =
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
uCustomizeSearch =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: adviserzone.com\www
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: motive.com\pbttbc.bt
Trusted Zone: standardlife.com\online
Trusted Zone: standardlife.com\online4
DPF: {8E95B0CA-EB6F-11D3-979B-00508B64538B} - hxxp://exweb.exchange.uk.com/clientBinaries/VersionInfo.CAB
DPF: {91F82BFF-F70C-11D2-BB68-0008C7E9C2C6} - hxxp://exweb.exchange.uk.com/texonline/core_services/new_business_processing/texnbshell.cab
DPF: {CB830891-2E18-11D1-B8CF-00A0C9259304} - hxxp://exweb.exchange.uk.com/texonline/core_services/new_business_processing/FDFFILES.CAB
FF - ProfilePath - c:\users\Jules\AppData\Roaming\Mozilla\Firefox\Profiles\zjpxd6pn.default\
FF - prefs.js: browser.startup.homepage - www.bbc.co.uk
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Snappy Fax Printer Agent - (no file)
SafeBoot-dmboot.sys
SafeBoot-dmio.sys
SafeBoot-dmload.sys
SafeBoot-dmadmin
SafeBoot-dmserver
SafeBoot-SRService
MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCTCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5924)
c:\program files\Trend Micro\Email Encryption Client\PPTrayHk.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\Trend Micro\Email Encryption Client\ppOEHk.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brss01a.exe
c:\windows\system32\lxctcoms.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\windows\system32\rundll32.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\WUDFHost.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\conime.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
.
**************************************************************************
.
Completion time: 2010-03-31 18:46:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-31 17:46

Pre-Run: 64,292,192,256 bytes free
Post-Run: 64,131,915,776 bytes free

- - End Of File - - EE1444C50FFD38577A4DC9171C636A00


I assume it all means something.

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:40 PM

Posted 31 March 2010 - 04:41 PM

It all means something. smile.gif

There is already a mass exodus of trojans and a rootkit. There is still some to clear so we will be running Combofix again with a script.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\windows\system32\DRIVERS\srenum.sys
c:\programdata\SPL5C6.tmp
c:\programdata\SPL4EB9.tmp
c:\programdata\SPLA734.tmp
c:\programdata\SPL832B.tmp

RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

Driver::
srenum


Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Then we can run ESET's online scan

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found there will be no option to export the text file as no log will be produced. Let me know if this is the case.
Thanks smile.gif
Posted Image
m0le is a proud member of UNITE

#7 fidgetyphil

fidgetyphil
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:40 AM

Posted 01 April 2010 - 04:45 AM

Good god, it appears london in the middle ages had less pox than my computer.

comfix log:

ComboFix 10-03-29.04 - Jules 01/04/2010 7:30.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2036.1044 [GMT 1:00]
Running from: c:\users\Jules\Downloads\Comfix.exe
Command switches used :: c:\users\Jules\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\programdata\SPL4EB9.tmp"
"c:\programdata\SPL5C6.tmp"
"c:\programdata\SPL832B.tmp"
"c:\programdata\SPLA734.tmp"
"c:\windows\system32\DRIVERS\srenum.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\programdata\SPL4EB9.tmp
c:\programdata\SPL5C6.tmp
c:\programdata\SPL832B.tmp
c:\programdata\SPLA734.tmp

----- BITS: Possible infected sites -----

hxxp://downloads.privatepost.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_srenum


((((((((((((((((((((((((( Files Created from 2010-03-01 to 2010-04-01 )))))))))))))))))))))))))))))))
.

2010-04-01 06:39 . 2010-04-01 06:39 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-01 06:39 . 2010-04-01 06:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-01 06:39 . 2010-04-01 06:39 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-04-01 01:24 . 2010-02-24 09:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-03-31 17:36 . 2010-04-01 06:44 -------- d-----w- c:\users\Jules\AppData\Local\temp
2010-03-25 18:09 . 2010-03-27 12:51 -------- dc----w- c:\windows\system32\DRVSTORE
2010-03-25 18:09 . 2010-03-25 18:09 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-25 12:21 . 2010-03-31 14:56 -------- d-----w- c:\program files\Panda Security
2010-03-25 07:20 . 2010-03-25 07:20 -------- d-----w- c:\program files\AVG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-01 06:46 . 2009-01-06 17:00 1682 --sha-w- c:\programdata\KGyGaAvL.sys
2010-04-01 06:46 . 2009-01-06 17:00 1682 --sha-w- c:\programdata\KGyGaAvL.sys
2010-04-01 06:44 . 2010-02-04 10:10 -------- d-----w- c:\program files\Lx_cats
2010-04-01 06:29 . 2009-01-08 18:36 -------- d-----w- c:\users\Jules\AppData\Roaming\BitTorrent
2010-03-31 08:17 . 2009-03-11 09:52 -------- d-----w- c:\program files\McAfee
2010-03-28 16:37 . 2009-01-17 09:43 1356 ----a-w- c:\users\Jules\AppData\Local\d3d9caps.dat
2010-03-28 01:02 . 2009-12-23 10:35 1109 ----a-w- c:\users\Jules\AppData\Roaming\Genie-Soft\GBMPro8\Jobs\jULES NEW COMP\00000001\maindata.sys
2010-03-27 12:51 . 2009-01-14 17:11 -------- d-----w- c:\programdata\Lavasoft
2010-03-19 14:19 . 2009-01-09 18:24 -------- d-----w- c:\users\Jules\AppData\Roaming\Snappy Fax
2010-03-19 13:59 . 2009-01-09 18:24 -------- d-----w- c:\program files\Snappy Fax Version 4
2010-03-18 13:08 . 2009-01-30 10:58 692 ----a-w- c:\users\Jules\AppData\Roaming\wklnhst.dat
2010-03-12 08:42 . 2008-12-23 13:00 -------- d-----w- c:\program files\Common Files\Java
2010-03-12 08:41 . 2008-12-23 13:00 -------- d-----w- c:\program files\Java
2010-03-01 14:07 . 2009-01-06 20:45 -------- d-----w- c:\program files\divx
2010-03-01 14:06 . 2008-12-23 13:12 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-03-01 14:06 . 2010-03-01 14:05 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-02-27 10:11 . 2010-02-27 10:11 102248 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-02-27 10:10 . 2009-11-26 18:23 8224 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-25 23:12 . 2009-01-15 10:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-25 23:07 . 2009-11-15 17:14 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-17 07:43 . 2009-01-08 18:35 -------- d-----w- c:\users\Jules\AppData\Roaming\DNA
2010-02-15 18:24 . 2009-01-14 14:09 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-15 10:26 . 2009-01-08 18:35 -------- d-----w- c:\program files\DNA
2010-02-15 09:37 . 2009-01-08 08:47 -------- d-----w- c:\programdata\Microsoft Help
2010-02-08 14:09 . 2010-02-04 10:11 -------- d-----w- c:\users\Jules\AppData\Roaming\5400 Series
2010-02-07 09:25 . 2009-01-06 16:39 102248 ----a-w- c:\users\Jules\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-04 16:59 . 2009-03-05 15:53 -------- d-----w- c:\users\Jules\AppData\Roaming\Genie-Soft
2010-02-04 10:14 . 2010-02-04 10:02 -------- d-----w- c:\program files\Lexmark 5400 Series
2010-02-04 10:04 . 2010-02-04 10:04 -------- d-----w- c:\programdata\5400 Series
2010-02-04 10:04 . 2010-02-04 10:04 -------- d-----w- c:\program files\Lexmark Toolbar
2010-02-01 19:40 . 2009-07-10 11:13 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-01 19:39 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-01 15:31 . 2009-11-26 17:51 -------- d-----w- c:\users\Jules\AppData\Roaming\Teleca
2010-02-01 15:29 . 2010-02-01 15:29 -------- d-----w- c:\program files\Common Files\Teleca Shared
2010-02-01 15:29 . 2010-02-01 15:29 -------- d-----w- c:\programdata\HTC
2010-02-01 15:29 . 2010-02-01 15:29 -------- d-----w- c:\programdata\Teleca
2010-02-01 15:29 . 2009-11-26 17:46 -------- d-----w- c:\program files\HTC
2010-02-01 14:51 . 2010-02-01 14:51 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-02-01 14:30 . 2009-11-26 18:24 -------- d-----w- c:\users\Administrator\AppData\Roaming\Teleca
2010-02-01 13:47 . 2010-02-01 13:47 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_androidusb_01005.Wdf
2010-01-31 10:23 . 2009-01-06 20:45 -------- d-----w- c:\program files\mhead32
2010-01-31 10:23 . 2010-01-31 10:23 -------- d-----w- c:\program files\Common Files\MachineheadSoftware
2010-01-31 10:22 . 2010-01-31 10:22 364544 ------w- c:\windows\Setup1.exe
2010-01-31 10:22 . 2010-01-31 10:22 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-01-29 02:01 . 2010-01-29 08:04 1109 ----a-w- c:\users\Jules\AppData\Roaming\Genie-Soft\GBMPro8\Jobs\New Backup Job(2)\00000000\maindata.sys
2010-01-07 16:07 . 2009-01-15 10:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2009-01-15 10:19 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-02 06:38 . 2010-01-22 15:50 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 15:50 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-22 15:50 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-22 15:50 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-16 18:32 . 2009-01-15 10:31 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-12-10 15:01 . 2009-10-19 16:24 83312 ----a-w- c:\program files\mozilla firefox\components\ppReaderLaunch.dll
2008-12-23 20:31 . 2008-12-23 20:30 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-23 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-11 4452352]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-04-22 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-22 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-22 133656]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"AgentUiRunKey"="c:\program files\Backup Direct\Connected\Agent.exe" [2008-11-09 244536]
"Private Post Tray v4"="c:\program files\Trend Micro\Email Encryption Client\ppTray.exe" [2009-12-10 226664]
"Act! Preloader"="c:\program files\ACT\Act for Windows\ActSage.exe" [2009-08-24 331776]
"lxctmon.exe"="c:\program files\Lexmark 5400 Series\lxctmon.exe" [2006-11-22 291760]
"LXCTCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-11-21 106496]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]

c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-23 13:13 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Jules^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dell Dock.lnk]
path=c:\users\Jules\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
backup=c:\windows\pss\Dell Dock.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 02:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act.Outlook.Service]
2009-08-24 20:09 28672 ----a-w- c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 02:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-08 07:56 323392 ----a-w- c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2007-02-15 14:29 622592 ------w- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp]
2009-09-14 16:56 1584640 ----a-w- c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp]
2008-08-28 19:33 1516032 ----a-w- c:\program files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CompanionLink]
2009-12-29 12:46 13737984 ----a-w- c:\program files\CompanionLink\CompanionLink.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2006-07-19 14:51 65536 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2008-10-04 13:58 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2006-11-22 10:11 82864 ----a-w- c:\program files\Lexmark 5400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBMPro8Agent]
2007-07-11 05:23 214512 ----a-w- c:\program files\genie-soft\GBMPro8\GBMAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2009-12-16 18:32 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2005-03-17 14:45 40960 ----a-w- c:\program files\scansoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5400 Series Fax Server]
2006-11-22 10:12 304048 ----a-w- c:\program files\Lexmark 5400 Series\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-01-07 16:07 1394000 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mobile Connectivity Suite]
2009-05-27 15:46 598016 ----a-r- c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2005-03-17 14:25 57393 ----a-w- c:\program files\scansoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrintDisp]
2009-04-07 08:29 871936 ----a-w- c:\windows\System32\PrintDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Snappy Fax Printer virtual printer agent]
2007-07-19 04:01 94208 ----a-w- c:\program files\Snappy Fax Version 4\sfpagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 10:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 11:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-12-23 13:06 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-08-25 16:27 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WAB]
2009-12-02 08:17 18432 ----a-w- c:\users\Jules\AppData\Roaming\Macromedia\Common\039fe09219.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2007-05-31 09:21 648072 ----a-w- c:\windows\WindowsMobile\wmdcBase.exe

R2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [2009-08-24 81920]
R2 ddnt;ddnt;c:\windows\system32\drivers\ddnt.sys [2009-11-04 8544]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 135664]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [2009-06-09 24576]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-12-16 30192]
R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-06-09 24576]
S2 AgentService;AgentService;c:\program files\Backup Direct\Connected\AgentService.exe [2008-11-09 6608192]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-23 155648]
S2 LV_Tracker;LV_Tracker;c:\windows\system32\DRIVERS\LV_Tracker.sys [2008-11-09 45384]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-12-08 93320]
S2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680]
S2 ppAuxSrv;ppAuxSrv;c:\program files\Trend Micro\Email Encryption Client\ppAuxSrv.exe [2009-12-10 87400]
S2 Printer Control;Printer Control;c:\windows\system32\PrintCtrl.exe [2008-10-11 73728]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-07-07 809296]
S3 ppSrv;ppSrv;c:\program files\Trend Micro\Email Encryption Client\ppSrv.exe [2009-12-10 79184]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2010-03-28 c:\windows\Tasks\GBM - jULES NEW COMP-Full.job
- c:\program files\Genie-Soft\GBMPro8\GBM8.exe [2009-03-05 05:20]

2010-03-28 c:\windows\Tasks\GBM - New Backup Job(2)-Full.job
- c:\program files\Genie-Soft\GBMPro8\GBM8.exe [2009-03-05 05:20]

2010-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 23:52]

2010-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 23:52]

2010-03-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]

2010-04-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar =
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
uCustomizeSearch =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: adviserzone.com\www
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: motive.com\pbttbc.bt
Trusted Zone: standardlife.com\online
Trusted Zone: standardlife.com\online4
DPF: {8E95B0CA-EB6F-11D3-979B-00508B64538B} - hxxp://exweb.exchange.uk.com/clientBinaries/VersionInfo.CAB
DPF: {91F82BFF-F70C-11D2-BB68-0008C7E9C2C6} - hxxp://exweb.exchange.uk.com/texonline/core_services/new_business_processing/texnbshell.cab
DPF: {CB830891-2E18-11D1-B8CF-00A0C9259304} - hxxp://exweb.exchange.uk.com/texonline/core_services/new_business_processing/FDFFILES.CAB
FF - ProfilePath - c:\users\Jules\AppData\Roaming\Mozilla\Firefox\Profiles\zjpxd6pn.default\
FF - prefs.js: browser.startup.homepage - www.bbc.co.uk
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-01 07:49
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCTCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1244)
c:\program files\Trend Micro\Email Encryption Client\PPTrayHk.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\Trend Micro\Email Encryption Client\ppOEHk.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brss01a.exe
c:\windows\system32\lxctcoms.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\windows\system32\rundll32.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\WUDFHost.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\conime.exe
c:\windows\RtHDVCpl.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
.
**************************************************************************
.
Completion time: 2010-04-01 07:51:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-01 06:51
ComboFix2.txt 2010-03-31 17:46

Pre-Run: 62,354,792,448 bytes free
Post-Run: 62,313,988,096 bytes free

- - End Of File - - 7707B9BAD79EEB0C58B015D29F732BDD


Eset scan log:

C:\Qoobox\Quarantine\C\Windows\System32\drivers\atapi.sys.vir Win32/Olmarik.VM trojan cleaned - quarantined
C:\Users\Jules\AppData\Local\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Inbox.dbx probably a variant of Win32/Agent trojan unable to clean
C:\Users\Jules\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\3dfc368c-246e6641 probably a variant of Java/TrojanDownloader.Agent.NAI trojan deleted - quarantined
C:\Users\Jules\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\5218118e-33c6520b probably a variant of Java/TrojanDownloader.Agent.AB trojan cleaned by deleting - quarantined
C:\Users\Jules\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\42aa7c82-3df98097 multiple threats deleted - quarantined
C:\Users\Jules\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\15f1e217-47f32232 probably a variant of Java/TrojanDownloader.Agent.NAI trojan deleted - quarantined
C:\Users\Jules\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\26a8a41b-4e2a7f1e multiple threats deleted - quarantined
C:\Users\Jules\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\7597bb66-5ccc57a9 probably a variant of Java/TrojanDownloader.Agent.NAI trojan deleted - quarantined
C:\Users\Jules\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\64561daf-1414cbe3 probably a variant of Java/TrojanDownloader.Agent.NAI trojan deleted - quarantined
C:\Users\Jules\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\6b800f31-3313b425 multiple threats deleted - quarantined
C:\Users\Jules\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\38104072-2f22ea3e probably a variant of Java/TrojanDownloader.Agent.AB trojan cleaned by deleting - quarantined
C:\Users\Jules\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\607f417d-1df4ea51 multiple threats deleted - quarantined
C:\Users\Jules\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\14c25947-5c6dd548 multiple threats deleted - quarantined
C:\VundoFix Backups\fikmoq.ini.bad Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined




#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:40 PM

Posted 01 April 2010 - 09:04 AM

I don't know, London was pretty pox-ridden.

A lot of the results are misleading. ESET's scan shows quite a few entries but some are in Combofix or VundoFix quarantine and therefore were safe. Java cache can be cleaned out and harbours only "dead" malware. The second entry shows that you also have a malicious email in your inbox at the time of the scan. These can be deleted quite easily and the old rules apply, If you don't recognise the sender, delete it. Emails where this applies AND have an attachment are usually the culprits.

Combofix has cleaned up nicely for us. thumbup2.gif

Your PC looks clean and ready to go. Do you have any questions or are you still experiencing any problems with the machine?
Posted Image
m0le is a proud member of UNITE

#9 fidgetyphil

fidgetyphil
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:40 AM

Posted 01 April 2010 - 12:23 PM

No, seems to be running as smooth as you like.
Thanks for your help, much appreciated.

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:40 PM

Posted 01 April 2010 - 03:32 PM

No problem. Just the final instructions to go - please read and action these as they are important.


You're clean. Good stuff! thumbup2.gif

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version. or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it fidgetyphil, happy surfing!

Cheers.

m0le
Posted Image
m0le is a proud member of UNITE

#11 fidgetyphil

fidgetyphil
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:40 AM

Posted 02 April 2010 - 08:10 AM

Please press the Windows Key and R on your keyboard. This will bring up the Run... command.

Something else I've learned.
Brilliant and thanks for your help.

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:40 PM

Posted 02 April 2010 - 04:10 PM

Cheers thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:40 PM

Posted 06 April 2010 - 06:52 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. smile.gif

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users