
Help With Removal of TR/Rootkit.Gen Trojan


This topic is locked
14 replies to this topic

#1 MuddyPaws77

  • Members
  • 8 posts

Posted 27 March 2010 - 01:32 PM

Hi all, would anyone mind having a look at the log from my recent Avira scan? It has thrown up a rootkit that it cannot get rid of. Any help would be very gratefully received!! Many thanks in advance.

Stewart



Avira AntiVir Personal
Report file date: 27 March 2010 09:42

Scanning for 1919742 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : YOUR-29A661D26E

Version information:
BUILD.DAT : 9.0.0.422 21701 Bytes 3/9/2010 10:29:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 11:26:33
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 10:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 11:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 10:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 07:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 19:59:46
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 21:03:07
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 19:13:34
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 20:00:54
VBASE005.VDF : 7.10.4.204 2048 Bytes 3/5/2010 20:00:54
VBASE006.VDF : 7.10.4.205 2048 Bytes 3/5/2010 20:00:54
VBASE007.VDF : 7.10.4.206 2048 Bytes 3/5/2010 20:00:54
VBASE008.VDF : 7.10.4.207 2048 Bytes 3/5/2010 20:00:55
VBASE009.VDF : 7.10.4.208 2048 Bytes 3/5/2010 20:00:55
VBASE010.VDF : 7.10.4.209 2048 Bytes 3/5/2010 20:00:56
VBASE011.VDF : 7.10.4.210 2048 Bytes 3/5/2010 20:00:56
VBASE012.VDF : 7.10.4.211 2048 Bytes 3/5/2010 20:00:56
VBASE013.VDF : 7.10.4.242 153088 Bytes 3/8/2010 19:26:13
VBASE014.VDF : 7.10.5.17 99328 Bytes 3/10/2010 19:26:18
VBASE015.VDF : 7.10.5.44 107008 Bytes 3/11/2010 19:26:46
VBASE016.VDF : 7.10.5.69 92672 Bytes 3/12/2010 19:26:41
VBASE017.VDF : 7.10.5.91 119808 Bytes 3/15/2010 19:26:38
VBASE018.VDF : 7.10.5.121 112640 Bytes 3/18/2010 19:26:50
VBASE019.VDF : 7.10.5.138 139776 Bytes 3/18/2010 19:26:57
VBASE020.VDF : 7.10.5.164 113152 Bytes 3/22/2010 22:10:29
VBASE021.VDF : 7.10.5.182 108032 Bytes 3/23/2010 22:10:25
VBASE022.VDF : 7.10.5.199 123904 Bytes 3/24/2010 22:10:26
VBASE023.VDF : 7.10.5.217 279552 Bytes 3/25/2010 22:10:40
VBASE024.VDF : 7.10.5.218 2048 Bytes 3/25/2010 22:10:40
VBASE025.VDF : 7.10.5.219 2048 Bytes 3/25/2010 22:10:40
VBASE026.VDF : 7.10.5.220 2048 Bytes 3/25/2010 22:10:41
VBASE027.VDF : 7.10.5.221 2048 Bytes 3/25/2010 22:10:41
VBASE028.VDF : 7.10.5.222 2048 Bytes 3/25/2010 22:10:42
VBASE029.VDF : 7.10.5.223 2048 Bytes 3/25/2010 22:10:42
VBASE030.VDF : 7.10.5.224 2048 Bytes 3/25/2010 22:10:43
VBASE031.VDF : 7.10.5.228 23552 Bytes 3/26/2010 13:17:05
Engineversion : 8.2.1.196
AEVDF.DLL : 8.1.1.3 106868 Bytes 1/22/2010 20:50:50
AESCRIPT.DLL : 8.1.3.18 1024378 Bytes 3/19/2010 19:29:55
AESCN.DLL : 8.1.5.0 127347 Bytes 2/27/2010 11:17:32
AESBX.DLL : 8.1.2.1 254323 Bytes 3/19/2010 19:29:58
AERDL.DLL : 8.1.4.3 541043 Bytes 3/19/2010 19:29:34
AEPACK.DLL : 8.2.1.1 426358 Bytes 3/19/2010 19:29:03
AEOFFICE.DLL : 8.1.0.41 201083 Bytes 3/19/2010 19:28:44
AEHEUR.DLL : 8.1.1.13 2470262 Bytes 3/19/2010 19:28:39
AEHELP.DLL : 8.1.10.2 237941 Bytes 3/19/2010 19:27:35
AEGEN.DLL : 8.1.3.2 373108 Bytes 3/19/2010 19:27:27
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 07:38:26
AECORE.DLL : 8.1.12.3 188789 Bytes 3/19/2010 19:27:14
AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 07:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 08:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 15:14:02
AVREP.DLL : 8.0.0.7 159784 Bytes 2/17/2010 20:17:24
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 10:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 15:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 10:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 15:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 08:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 10:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 15:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 12:25:47

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: 27 March 2010 09:42

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pzlpixh\type
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pzlpixh\start
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pzlpixh\errorcontrol
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pzlpixh\group
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pzlpixh\wvyp1bs0ve2
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pzlpixh\ybf3ke8oo
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pzlpixh\xgr7asd7
[INFO] The registry entry is invisible.
'26704' objects were checked, '7' hidden objects were found.

The scan of running processes will be started
Scan process 'realplay.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'a2guard.exe' - '1' Module(s) have been scanned
Scan process 'a2service.exe' - '1' Module(s) have been scanned
Scan process 'realplay.exe' - '1' Module(s) have been scanned
Scan process 'realplay.exe' - '1' Module(s) have been scanned
Scan process 'realplay.exe' - '1' Module(s) have been scanned
Scan process 'realplay.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'WilogApp.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'OSA.EXE' - '1' Module(s) have been scanned
Scan process 'BBC iPlayer Desktop.exe' - '1' Module(s) have been scanned
Scan process 'AutoUpdateSrv.exe' - '1' Module(s) have been scanned
Scan process 'EasyShare.exe' - '1' Module(s) have been scanned
Scan process 'SEPCSuite.exe' - '1' Module(s) have been scanned
Scan process 'TPSBattM.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'TOSCDSPD.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'winampa.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'tfswctrl.exe' - '1' Module(s) have been scanned
Scan process 'PadExe.exe' - '1' Module(s) have been scanned
Scan process 'SmoothView.exe' - '1' Module(s) have been scanned
Scan process 'TPSMain.exe' - '1' Module(s) have been scanned
Scan process 'TvsTray.exe' - '1' Module(s) have been scanned
Scan process 'THotkey.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
Scan process 'TAPPSRV.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'SupServ.exe' - '1' Module(s) have been scanned
Scan process 'DllStartupService.exe' - '1' Module(s) have been scanned
Scan process 'CFSvcs.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'cdrom_mon.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'acs.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
64 processes with 64 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '67' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\Stewart\Start Menu\Programs\Startup\syspck32.exe
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\pzlpixh.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[WARNING] The file could not be opened!

Beginning disinfection:
C:\WINDOWS\system32\drivers\pzlpixh.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[NOTE] The file was moved to '4c1a4808.qua'!


End of the scan: 27 March 2010 18:02
Used time: 8:16:47 Hour(s)

The scan has been done completely.

12954 Scanned directories
348466 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
4 Files cannot be scanned
348461 Files not concerned
7278 Archives were scanned
4 Warnings
3 Notes
26704 Objects were scanned with rootkit scan
7 Hidden objects were found





#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 27 March 2010 - 04:56 PM

Good evening.

Will you follow steps 6, 7 and 8 here and post back the results into this thread.

So long, and thanks for all the fish.

 

 


#3 MuddyPaws77
  • Topic Starter

  • Members
  • 8 posts

Posted 28 March 2010 - 10:21 AM

Hi, thanks for your response. I have followed the steps requested, but I'm getting a blue screen of death when trying to run the scan on GMER. Have tried doing this a number of times, with the same result. My DDS results are below. Thanks again for your time.

Stewart




DDS (Ver_10-03-17.01) - NTFSx86
Run by Stewart at 10:41:52.28 on 28/03/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1251 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: a-squared Anti-Malware *On-access scanning enabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\TDSupportApp\cdrom_mon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\a2guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\3\3Connect\AutoUpdateSrv.exe
C:\Program Files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe
C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\3\3Connect\WilogApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\real\realplayer\RealPlay.exe
C:\Documents and Settings\Stewart\My Documents\Downloads\Defogger.exe
C:\Documents and Settings\Stewart\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJfox000&ptb=D43DYJdBKd_Fc0WF3.0tnQ
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Nero Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: &Save Flash: {4064ea35-578d-4073-a834-c96d82cbcf40} - c:\program files\save flash\SaveFlash.dll
TB: Nero Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [<NO NAME>]
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Wpiwego] rundll32.exe "c:\windows\overamuj.dll",Startup
mRun: [a-squared] "c:\program files\a-squared anti-malware\a2guard.exe" /d=60
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\stewart\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
StartupFolder: c:\docume~1\stewart\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\stewart\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\documents and settings\stewart\start menu\programs\startup\syspck32.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZJfox000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/SCRABBLE/Images/armhelper.ocx
TCP: {484A6A84-B6B4-4309-BD8C-C6E8D1ADE38C} = 217.171.132.1 217.171.135.1
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = :\windows\system32\srrstr.dll scecli wbdm32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\stewart\applic~1\mozilla\firefox\profiles\ytnpt0jo.default\
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJfox000&fl=0&ptb=D43DYJdBKd_Fc0WF3.0tnQ&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\documents and settings\stewart\application data\mozilla\firefox\profiles\ytnpt0jo.default\extensions\{6cb32b93-d641-4904-a765-b2b4d95e3d24}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\stewart\application data\mozilla\firefox\profiles\ytnpt0jo.default\extensions\{6cb32b93-d641-4904-a765-b2b4d95e3d24}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\stewart\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {D144380B-4F09-4251-816B-45EED453F758} - c:\documents and settings\stewart\local settings\application data\{D144380B-4F09-4251-816B-45EED453F758}
FF - HiddenExtension: XULRunner: {FDA84AB0-A067-4B8B-A308-9D53878CFB3F} - c:\documents and settings\stewart\local settings\application data\{FDA84AB0-A067-4B8B-A308-9D53878CFB3F}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R? gupdate;Google Update Service (gupdate)
S? a2AntiMalware;a-squared Anti-Malware Service
S? AntiVirSchedulerService;Avira AntiVir Scheduler
S? AntiVirService;Avira AntiVir Guard
S? Autorun CDROM Monitor;Autorun CDROM Monitor
S? avgio;avgio
S? avgntflt;avgntflt
S? KodakDigitalDisplayService;KodakDigitalDisplayService
S? OMSI download service;Sony Ericsson OMSI download service
S? seehcri;Sony Ericsson seehcri Device Driver

=============== Created Last 30 ================

2010-03-28 09:35:49 0 ----a-w- c:\documents and settings\stewart\defogger_reenable
2010-03-27 09:58:35 0 d-----w- c:\program files\a-squared Anti-Malware
2010-03-26 13:20:05 804864 ----a-w- c:\windows\system32\drivers\pzlpixh.sys
2010-03-26 13:03:17 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-03-26 13:03:17 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-03-26 13:03:06 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-03-26 13:03:06 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-03-26 13:02:45 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-03-26 13:02:45 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-03-26 13:01:41 120 ----a-w- c:\windows\Dvevipo.dat
2010-03-26 13:01:41 0 ----a-w- c:\windows\Xbipeyogo.bin
2010-03-26 13:01:21 4 ----a-w- c:\docume~1\stewart\applic~1\avdrn.dat
2010-03-19 08:52:28 0 d-----w- c:\program files\common files\xing shared
2010-03-18 21:00:37 333312 --sha-w- C:\Thumbs.db
2010-03-10 08:03:13 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-09 21:50:12 214592 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-03-09 19:56:20 138968 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-03-09 19:56:18 139152 ----a-w- c:\docume~1\stewart\applic~1\PnkBstrK.sys
2010-03-09 19:56:01 214592 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-03-09 19:55:50 794408 ----a-w- c:\windows\system32\pbsvc.exe
2010-03-09 19:55:50 75064 ----a-w- c:\windows\system32\PnkBstrA.exe

==================== Find3M ====================

2010-02-17 20:53:23 39540 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-12 10:03:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-01-31 13:54:36 148736 ----a-w- c:\docume~1\alluse~1\applic~1\hpe2B.dll
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-03 19:22:56 81984 ----a-w- c:\windows\system32\bdod.bin
2009-09-11 15:41:22 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009091120090912\index.dat

============= FINISH: 10:59:28.06 ===============




#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 28 March 2010 - 01:45 PM

Good evening.

We'll try something different then. Download RootRepeal from one of the locations below and save it to your Desktop:
    Location 1
    Location 2
    Location 3

  • You will need to unzip it before you run it.

    To do this: Right click on the zipped folder and from the menu that appears, click on Extract All...
    In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish


  • Double click RootRepeal.exe to fire up the tool and OK any Windows confirmations if necessary.
  • Ensure that the Report Tab is selected at the bottom.
  • Click the Scan button, check all the boxes in the window that appears and then click OK.
  • Check the box next to your main hard drive - usually C: and click OK
  • Put the kettle on and perhaps open a packet of biscuits - the scan will take some time.
  • Once the scan has completed a Notepad window will open with the results in.
  • These results will also be saved to the root of your main drive as \RootRepeal report date time.txt
Let me have a copy of the contents in your next reply.

So long, and thanks for all the fish.

 

 


#5 MuddyPaws77
  • Topic Starter

  • Members
  • 8 posts

Posted 28 March 2010 - 05:01 PM

Good evening. Here are my results from the RootRepeal scan. Thanks again for your help.

Stewart



ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/03/28 21:02
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB5315000 Size: 98304 File Visible: No

Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79D9000 Size: 8192 File Visible: No

Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xB5408000 Size: 2560 File Visible: No

Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB1CAD000 Size: 49152 File Visible: No

Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\modemlog_huawei mobile connect - 3g modem #2.txt
Status: Size mismatch (API: 9146, Raw: 8940)

Path: c:\documents and settings\stewart\application data\birdstep technology\easyconnect\logfile.txt
Status: Size mismatch (API: 3026674, Raw: 2971058)

Path: C:\Documents and Settings\Stewart\Local Settings\Apps\2.0\HBJ2CBP2.DPJ\WOOZCKTR.24B\manifests\sscorlib.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Stewart\Local Settings\Apps\2.0\HBJ2CBP2.DPJ\WOOZCKTR.24B\manifests\sscorlib.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Stewart\Local Settings\Apps\2.0\HBJ2CBP2.DPJ\WOOZCKTR.24B\manifests\ssfx.UI.Forms.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Stewart\Local Settings\Apps\2.0\HBJ2CBP2.DPJ\WOOZCKTR.24B\manifests\ssfx.UI.Forms.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Stewart\Local Settings\Apps\2.0\HBJ2CBP2.DPJ\WOOZCKTR.24B\manifests\ssfx.Core.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Stewart\Local Settings\Apps\2.0\HBJ2CBP2.DPJ\WOOZCKTR.24B\manifests\ssfx.Core.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Stewart\Local Settings\Apps\2.0\HBJ2CBP2.DPJ\WOOZCKTR.24B\manifests\Zebtab.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Stewart\Local Settings\Apps\2.0\HBJ2CBP2.DPJ\WOOZCKTR.24B\manifests\Zebtab.exe.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf7aaa50b

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf7aaa515

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf7aaa51a

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf7aaa524

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf7aaa51f

==EOF==
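As an added example (not code from the thread, and not RootRepeal's own), here is a small Python parser for the report format posted above. It pulls out the three things the RootRepeal run in #4 was after: drivers hidden from the file system, files whose API size disagrees with the raw on-disk size, and SSDT entries hooked by a module RootRepeal could not name. The driver and file names in the embedded sample are constructed, the `EXPECTED_HIDDEN` allow-list is this example's own, and the hook-address clustering is a heuristic added here rather than anything RootRepeal reports.

```python
# Added example (not from the thread, nor RootRepeal's own code): parse a RootRepeal
# report in the format posted above and list what an analyst would triage first.
import re

# Constructed excerpt in RootRepeal's layout; driver and file names are made up.
SAMPLE_REPORT = r"""Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB5315000 Size: 98304 File Visible: No

Signed: -
Status: -

Name: hypothetical.sys
Image Path: C:\WINDOWS\system32\Drivers\hypothetical.sys
Address: 0xB5408000 Size: 2560 File Visible: No

Hidden/Locked Files
-------------------
Path: c:\windows\constructed.log
Status: Size mismatch (API: 9146, Raw: 8940)

SSDT
-------------------
#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf7aaa50b

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf7aaa515

==EOF==
"""
KEYS = ["Function Name", "Image Path", "File Visible", "Address", "Signed", "Status", "Name", "Path", "Size", "#"]
KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, KEYS)) + r"):\s")
SIZE_MISMATCH_RE = re.compile(r"Size mismatch \(API: (\d+), Raw: (\d+)\)")
HOOK_RE = re.compile(r'Hooked by "([^"]*)" at address (0x[0-9a-fA-F]+)')
# Hidden on a clean XP box too: crash-dump copies of the disk stack and RootRepeal's own driver.
EXPECTED_HIDDEN = ("dump_", "rootrepeal.sys")

def split_sections(report):
    """Map section title -> body lines; a title is any non-blank line underlined with '---'."""
    lines = report.split("==EOF==")[0].splitlines()
    sections, current = {}, None
    for line, nxt in zip(lines, lines[1:] + [""]):
        if line.startswith("---"):
            continue
        if line.strip() and nxt.startswith("---"):
            current = line.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def parse_fields(line):
    """Split one line into {key: value}: RootRepeal packs several fields on a line
    ('Address: ... Size: ... File Visible: ...') and values may themselves contain ':'."""
    matches = list(KEY_RE.finditer(line))
    fields = {}
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(line)
        fields[m.group(1)] = line[m.end():end].strip()
    return fields

def parse_records(lines, start_key):
    """Group a section into records; each `start_key` field opens a new one, blank lines are skipped."""
    records = []
    for fields in map(parse_fields, lines):
        if start_key in fields:
            records.append({})
        if fields and records:
            records[-1].update(fields)
    return records

def triage(report):
    """Return the findings worth a second look, keyed by category."""
    sections = split_sections(report)
    out = {"hidden_drivers": [], "size_mismatches": [], "unknown_hooks": []}
    for d in parse_records(sections.get("Drivers", []), "Name"):
        if d.get("File Visible") == "No" and not d["Name"].lower().startswith(EXPECTED_HIDDEN):
            out["hidden_drivers"].append(d["Name"])
    for f in parse_records(sections.get("Hidden/Locked Files", []), "Path"):
        m = SIZE_MISMATCH_RE.search(f.get("Status", ""))
        if m:  # API and raw on-disk sizes disagree: something is filtering reads of this file
            out["size_mismatches"].append((f["Path"], int(m.group(1)) - int(m.group(2))))
    for h in parse_records(sections.get("SSDT", []), "#"):
        m = HOOK_RE.search(h.get("Status", ""))
        if m and m.group(1) == "<unknown>":  # target lies in no module RootRepeal could name
            out["unknown_hooks"].append((int(h["#"]), h["Function Name"], int(m.group(2), 16)))
    return out

def hook_clusters(hooks, span=0x1000):
    """Group hook targets within `span` bytes; hooks this close almost always share one module."""
    clusters = []
    for hook in sorted(hooks, key=lambda h: h[2]):
        if clusters and hook[2] - clusters[-1][-1][2] <= span:
            clusters[-1].append(hook)
        else:
            clusters.append([hook])
    return clusters
```

Call `triage(SAMPLE_REPORT)` and then `hook_clusters(...)` on its `unknown_hooks` list, or feed it the text of a saved report. On the report above, all five hooked entries (NtDeleteKey, NtDeleteValueKey, NtLoadKey, NtReplaceKey, NtRestoreKey) point within a few bytes of one another, 0xf7aaa50b to 0xf7aaa524, which is exactly what the clustering makes visible: one unidentified module is intercepting the registry-key delete, load, replace and restore calls. An unnamed hook is a lead rather than a verdict, though; security products hooked the SSDT on XP as well, so the owner of that address range has to be identified before anything is removed. The dump_*.sys and rootrepeal.sys entries flagged "File Visible: No" are the expected ones, which is why the allow-list leaves them out.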

#6 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 28 March 2010 - 05:09 PM

Is your anti-virus still detecting the same file?

So long, and thanks for all the fish.

#7 MuddyPaws77

  • Topic Starter
  • Members
  • 8 posts

Posted 29 March 2010 - 04:58 AM

Yes, Avira picks it up right at the end of the deep scan.

#8 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 29 March 2010 - 02:05 PM

Good evening.

We'll see if we can winkle it out then. Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Post a fresh HJT log as well.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.

#9 MuddyPaws77

  • Topic Starter
  • Members
  • 8 posts

Posted 29 March 2010 - 05:19 PM

Hi there,
I have run ComboFix - my results are below, along with a new HJT log.

Symptom-wise, the computer has just been very slow in the past week or so, & over the past few days has crashed a few times. The most notable thing being that when Windows opens, a pop up advises that Windows Explorer has encountered a problem & needs to close - from here the icons on the desktop disappear briefly, & then re-appear as if nothing has happened. Not sure if this is relevant? It didn't do this on rebooting after running ComboFix...so there's a positive straight away!

ComboFix 10-03-28.03 - Stewart 29/03/2010 21:47:36.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1336 [GMT 1:00]
Running from: c:\documents and settings\Stewart\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\hpe2B.dll
c:\documents and settings\Stewart\Application Data\avdrn.dat
c:\documents and settings\Stewart\Local Settings\Application Data\{FDA84AB0-A067-4B8B-A308-9D53878CFB3F}
c:\documents and settings\Stewart\Local Settings\Application Data\{FDA84AB0-A067-4B8B-A308-9D53878CFB3F}\chrome.manifest
c:\documents and settings\Stewart\Local Settings\Application Data\{FDA84AB0-A067-4B8B-A308-9D53878CFB3F}\chrome\content\_cfg.js
c:\documents and settings\Stewart\Local Settings\Application Data\{FDA84AB0-A067-4B8B-A308-9D53878CFB3F}\chrome\content\overlay.xul
c:\documents and settings\Stewart\Local Settings\Application Data\{FDA84AB0-A067-4B8B-A308-9D53878CFB3F}\install.rdf
c:\documents and settings\Stewart\Start Menu\Programs\Startup\syspck32.exe
c:\recycler\S-1-5-21-358978944-2483415163-1199380449-1003
c:\recycler\S-1-5-21-602162358-2000478354-839522115-1003
C:\Thumbs.db
c:\windows\overamuj.dll
c:\windows\system32\_003053_.tmp.dll
c:\windows\system32\_003054_.tmp.dll
c:\windows\system32\_003055_.tmp.dll
c:\windows\system32\_003056_.tmp.dll
c:\windows\system32\_003057_.tmp.dll
c:\windows\system32\_003058_.tmp.dll
c:\windows\system32\_003059_.tmp.dll
c:\windows\system32\_003060_.tmp.dll
c:\windows\system32\_003063_.tmp.dll
c:\windows\system32\_003064_.tmp.dll
c:\windows\system32\_003065_.tmp.dll
c:\windows\system32\_003066_.tmp.dll
c:\windows\system32\_003067_.tmp.dll
c:\windows\system32\_003068_.tmp.dll
c:\windows\system32\_003069_.tmp.dll
c:\windows\system32\_003070_.tmp.dll
c:\windows\system32\_003071_.tmp.dll
c:\windows\system32\_003072_.tmp.dll
c:\windows\system32\_003073_.tmp.dll
c:\windows\system32\_003074_.tmp.dll
c:\windows\system32\_003075_.tmp.dll
c:\windows\system32\_003076_.tmp.dll
c:\windows\system32\_003077_.tmp.dll
c:\windows\system32\_003078_.tmp.dll
c:\windows\system32\_003079_.tmp.dll
c:\windows\system32\_003080_.tmp.dll
c:\windows\system32\_003081_.tmp.dll
c:\windows\system32\_003082_.tmp.dll
c:\windows\system32\_003083_.tmp.dll
c:\windows\system32\_003085_.tmp.dll
c:\windows\system32\_003086_.tmp.dll
c:\windows\system32\_003087_.tmp.dll
c:\windows\system32\_003088_.tmp.dll
c:\windows\system32\_003089_.tmp.dll
c:\windows\system32\_003090_.tmp.dll
c:\windows\system32\_003091_.tmp.dll
c:\windows\system32\_003092_.tmp.dll
c:\windows\system32\_003093_.tmp.dll
c:\windows\system32\_003094_.tmp.dll
c:\windows\system32\_003095_.tmp.dll
c:\windows\system32\_003096_.tmp.dll
c:\windows\system32\_003097_.tmp.dll
c:\windows\system32\_003098_.tmp.dll
c:\windows\system32\_003099_.tmp.dll
c:\windows\system32\_003100_.tmp.dll
c:\windows\system32\_003101_.tmp.dll
c:\windows\system32\_003102_.tmp.dll
c:\windows\system32\_003103_.tmp.dll
c:\windows\system32\_003104_.tmp.dll
c:\windows\system32\_003105_.tmp.dll
c:\windows\system32\_003106_.tmp.dll
c:\windows\system32\_003107_.tmp.dll
c:\windows\system32\_003108_.tmp.dll
c:\windows\system32\_003109_.tmp.dll
c:\windows\system32\_003110_.tmp.dll
c:\windows\system32\_003111_.tmp.dll
c:\windows\system32\_003113_.tmp.dll
c:\windows\system32\_003114_.tmp.dll
c:\windows\system32\_003115_.tmp.dll
c:\windows\system32\_003116_.tmp.dll
c:\windows\system32\_003117_.tmp.dll
c:\windows\system32\_003118_.tmp.dll
c:\windows\system32\_003119_.tmp.dll
c:\windows\system32\_003121_.tmp.dll
c:\windows\system32\_003122_.tmp.dll
c:\windows\system32\_003123_.tmp.dll
c:\windows\system32\_003124_.tmp.dll
c:\windows\system32\_003125_.tmp.dll
c:\windows\system32\_003127_.tmp.dll
c:\windows\system32\_003129_.tmp.dll
c:\windows\system32\_003130_.tmp.dll
c:\windows\system32\_003131_.tmp.dll
c:\windows\system32\_003132_.tmp.dll
c:\windows\system32\_003133_.tmp.dll
c:\windows\system32\_003134_.tmp.dll
c:\windows\system32\_003135_.tmp.dll
c:\windows\system32\_003136_.tmp.dll
c:\windows\system32\_003137_.tmp.dll
c:\windows\system32\_003138_.tmp.dll
c:\windows\system32\_003139_.tmp.dll
c:\windows\system32\_003141_.tmp.dll
c:\windows\system32\_003142_.tmp.dll
c:\windows\system32\_003143_.tmp.dll
c:\windows\system32\_003144_.tmp.dll
c:\windows\system32\_003146_.tmp.dll
c:\windows\system32\_003147_.tmp.dll
c:\windows\system32\_003148_.tmp.dll
c:\windows\system32\_003149_.tmp.dll
c:\windows\system32\_003150_.tmp.dll
c:\windows\system32\_003151_.tmp.dll
c:\windows\system32\_003152_.tmp.dll
c:\windows\system32\_003153_.tmp.dll
c:\windows\system32\_003155_.tmp.dll
c:\windows\system32\_003156_.tmp.dll
c:\windows\system32\_003157_.tmp.dll
c:\windows\system32\_003158_.tmp.dll
c:\windows\system32\_003159_.tmp.dll
c:\windows\system32\_003162_.tmp.dll
c:\windows\system32\_003163_.tmp.dll
c:\windows\system32\_003164_.tmp.dll
c:\windows\system32\_003165_.tmp.dll
c:\windows\system32\_003166_.tmp.dll
c:\windows\system32\_003167_.tmp.dll
c:\windows\system32\_003168_.tmp.dll
c:\windows\system32\_003170_.tmp.dll
c:\windows\system32\_003171_.tmp.dll
c:\windows\system32\_003172_.tmp.dll
c:\windows\system32\_003173_.tmp.dll
c:\windows\system32\_003174_.tmp.dll
c:\windows\system32\_003175_.tmp.dll
c:\windows\system32\_003176_.tmp.dll
c:\windows\system32\_003177_.tmp.dll
c:\windows\system32\_003179_.tmp.dll
c:\windows\system32\_003180_.tmp.dll
c:\windows\system32\_003181_.tmp.dll
c:\windows\system32\_003182_.tmp.dll
c:\windows\system32\_003185_.tmp.dll
c:\windows\system32\_003186_.tmp.dll
c:\windows\system32\_003190_.tmp.dll
c:\windows\system32\_003191_.tmp.dll
c:\windows\system32\_003193_.tmp.dll
c:\windows\system32\_003196_.tmp.dll
c:\windows\system32\_003198_.tmp.dll
c:\windows\system32\_003199_.tmp.dll
c:\windows\system32\_003200_.tmp.dll
c:\windows\system32\_003201_.tmp.dll
c:\windows\system32\_003204_.tmp.dll
c:\windows\system32\_003205_.tmp.dll
c:\windows\system32\_003206_.tmp.dll
c:\windows\system32\_003207_.tmp.dll
c:\windows\system32\_003208_.tmp.dll
c:\windows\system32\_003213_.tmp.dll
c:\windows\system32\_003215_.tmp.dll
c:\windows\system32\_003216_.tmp.dll
c:\windows\system32\drivers\pzlpixh.sys
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\wbdm32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_pzlpixh
-------\Service_pzlpixh


((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-29 )))))))))))))))))))))))))))))))
.

2010-03-27 09:58 . 2010-03-29 20:32 -------- d-----w- c:\program files\a-squared Anti-Malware
2010-03-26 13:03 . 2008-04-13 19:40 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-03-26 13:03 . 2008-04-13 19:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-03-26 13:03 . 2008-04-13 19:41 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-03-26 13:03 . 2008-04-13 19:41 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-03-26 13:02 . 2008-04-13 19:40 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-03-26 13:02 . 2008-04-13 19:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-03-26 13:01 . 2010-03-29 08:24 0 ----a-w- c:\windows\Xbipeyogo.bin
2010-03-26 13:01 . 2010-03-27 12:58 120 ----a-w- c:\windows\Dvevipo.dat
2010-03-26 13:01 . 2010-03-26 13:01 -------- d-----w- c:\documents and settings\Stewart\Local Settings\Application Data\{D144380B-4F09-4251-816B-45EED453F758}
2010-03-19 08:52 . 2010-03-19 08:52 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-10 08:03 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-09 21:50 . 2010-03-09 21:50 -------- d-----w- c:\documents and settings\Stewart\Local Settings\Application Data\PunkBuster
2010-03-09 19:56 . 2010-03-12 21:19 138968 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-03-09 19:56 . 2010-03-12 21:18 214592 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-03-09 19:55 . 2010-03-09 19:55 794408 ----a-w- c:\windows\system32\pbsvc.exe
2010-03-09 19:55 . 2010-03-09 19:55 75064 ----a-w- c:\windows\system32\PnkBstrA.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-26 14:14 . 2009-04-02 20:10 -------- d-----w- c:\documents and settings\Stewart\Application Data\Spotify
2010-03-26 13:01 . 2010-03-26 13:01 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\jasltw.dat
2010-03-25 21:21 . 2006-10-20 11:15 -------- d-----w- c:\documents and settings\Stewart\Application Data\Sports Interactive
2010-03-19 10:17 . 2009-08-20 18:29 -------- d-----w- c:\program files\Oberon Media
2010-03-19 10:17 . 2007-12-24 13:06 -------- d-----w- c:\program files\FinePixViewer
2010-03-19 10:17 . 2010-01-24 22:09 -------- d-----w- c:\program files\Ask.com
2010-03-19 08:54 . 2010-03-19 08:54 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-19 08:54 . 2010-03-19 08:54 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-19 08:54 . 2010-03-19 08:54 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-19 08:54 . 2010-03-19 08:54 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-19 08:54 . 2010-03-19 08:54 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-19 08:54 . 2010-03-19 08:54 329312 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-19 08:54 . 2010-03-19 08:54 300616 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-19 08:54 . 2010-03-19 08:54 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-19 08:54 . 2008-01-12 15:45 -------- d-----w- c:\program files\Common Files\Real
2010-03-19 08:52 . 2008-01-12 15:45 -------- d-----w- c:\program files\Real
2010-03-18 21:18 . 2006-10-20 09:33 -------- d-----w- c:\program files\Sports Interactive
2010-03-15 09:57 . 2006-05-05 20:50 45592 ----a-w- c:\documents and settings\Lynne\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-15 09:33 . 2007-01-14 22:14 -------- d-----w- c:\documents and settings\Lynne\Application Data\Apple Computer
2010-03-09 19:56 . 2010-03-09 19:56 139152 ----a-w- c:\documents and settings\Stewart\Application Data\PnkBstrK.sys
2010-03-09 19:56 . 2010-03-09 19:56 139152 ----a-w- c:\documents and settings\Stewart\Application Data\PnkBstrK.sys
2010-03-09 19:55 . 2006-06-20 19:03 -------- d-----w- c:\program files\EA SPORTS
2010-02-25 14:09 . 2009-07-07 22:05 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-25 14:09 . 2009-07-07 22:06 38784 ----a-w- c:\documents and settings\Stewart\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-17 20:53 . 2010-02-17 20:53 39540 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-16 22:32 . 2007-12-22 12:43 -------- d-----w- c:\program files\Google
2010-02-16 20:47 . 2010-02-16 20:47 -------- d-----w- c:\documents and settings\Stewart\Application Data\AskToolbar
2010-02-12 21:34 . 2010-02-12 21:13 -------- d-----w- c:\documents and settings\Stewart\Application Data\Winamp
2010-02-12 21:14 . 2010-02-12 21:13 -------- d-----w- c:\program files\Winamp
2010-02-12 21:14 . 2010-02-12 21:14 -------- d-----w- c:\program files\Winamp Detect
2010-02-12 10:03 . 2010-02-25 11:05 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-01 23:29 . 2010-02-01 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Sports Interactive
2010-01-31 13:53 . 2006-09-11 21:17 -------- d-----w- c:\program files\Sony Ericsson
2010-01-31 13:53 . 2005-09-05 05:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-31 13:51 . 2010-01-31 13:51 -------- d-----w- c:\program files\Avanquest update
2010-01-30 17:57 . 2010-01-17 20:26 -------- d-----w- c:\program files\ZTE Mobile Connection
2010-01-21 18:54 . 2010-02-08 19:09 52224 ----a-w- c:\documents and settings\Stewart\Application Data\Mozilla\Firefox\Profiles\ytnpt0jo.default\extensions\{6cb32b93-d641-4904-a765-b2b4d95e3d24}\components\FFExternalAlert.dll
2010-01-21 18:54 . 2010-02-08 19:09 101376 ----a-w- c:\documents and settings\Stewart\Application Data\Mozilla\Firefox\Profiles\ytnpt0jo.default\extensions\{6cb32b93-d641-4904-a765-b2b4d95e3d24}\components\RadioWMPCore.dll
2010-01-17 13:10 . 2010-01-17 13:10 77824 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\ess\bindbins\bindbins.exe
2010-01-17 13:10 . 2010-01-17 13:10 135168 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\ess\netbrdg\brdg_r.exe
2010-01-17 13:09 . 2010-01-17 13:09 1187840 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140001_d0586d\EasyShrx.Dll
2010-01-17 12:57 . 2010-01-17 12:57 1187840 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140001_c5cc5a\EasyShrx.Dll
2010-01-17 12:57 . 2010-01-17 12:57 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_8.0.20.1.dll
2010-01-17 12:57 . 2010-01-17 12:57 1179648 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140001_c59ada\EasyShrx.Dll
2010-01-17 12:57 . 2010-01-17 13:09 2684304 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140001_d0586d\Setup.exe
2010-01-17 12:57 . 2010-01-17 12:57 2684304 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140001_c5cc5a\Setup.exe
2010-01-17 12:56 . 2010-01-17 12:56 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_7.6.20.1.dll
2010-01-16 00:02 . 2009-09-11 16:16 334400 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-05 10:00 . 2005-09-02 08:13 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2005-09-02 08:13 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2005-09-02 08:13 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-04 20:02 . 2010-01-03 19:56 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-03 19:22 . 2008-07-04 21:07 81984 ----a-w- c:\windows\system32\bdod.bin
2009-12-31 16:50 . 2009-05-06 19:24 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-30 1182088]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-09-30 10:40 1182088 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-30 1182088]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-30 1182088]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-03 68856]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-09-24 434176]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 688218]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2005-04-25 339968]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2005-04-05 73728]
"TPSMain"="TPSMain.exe" [2005-01-21 266240]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-11 118784]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-11-17 1077327]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-01-13 37888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-19 202256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Lynne\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

c:\documents and settings\Stewart\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2009-8-13 95232]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-21 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-21 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-2-8 282624]
Update Agent.lnk - c:\program files\3\3Connect\AutoUpdateSrv.exe [2009-6-6 670256]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\EA SPORTS\\FIFA Online\\NFE.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [03/01/2010 20:56 108289]
R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\TDSupportApp\cdrom_mon.exe [03/01/2008 19:42 81920]
R2 KodakDigitalDisplayService;KodakDigitalDisplayService;c:\program files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe [06/03/2008 14:49 81920]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [31/01/2010 14:53 90112]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [31/01/2010 14:54 27632]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [16/02/2010 23:32 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-03-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:57]

2010-03-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 22:32]

2010-03-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 22:32]

2010-03-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1979236515-3861790814-577167002-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

2010-03-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1979236515-3861790814-577167002-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

2006-05-05 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-09-02 00:12]

2006-05-05 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-09-02 00:12]

2010-03-29 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-09-30 10:40]

2010-03-29 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-09-05 11:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJfox000&ptb=D43DYJdBKd_Fc0WF3.0tnQ
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Stewart\Application Data\Mozilla\Firefox\Profiles\ytnpt0jo.default\
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJfox000&fl=0&ptb=D43DYJdBKd_Fc0WF3.0tnQ&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\documents and settings\Stewart\Application Data\Mozilla\Firefox\Profiles\ytnpt0jo.default\extensions\{6cb32b93-d641-4904-a765-b2b4d95e3d24}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Stewart\Application Data\Mozilla\Firefox\Profiles\ytnpt0jo.default\extensions\{6cb32b93-d641-4904-a765-b2b4d95e3d24}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\Stewart\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {D144380B-4F09-4251-816B-45EED453F758} - c:\documents and settings\Stewart\Local Settings\Application Data\{D144380B-4F09-4251-816B-45EED453F758}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-Wpiwego - c:\windows\overamuj.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-29 22:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1979236515-3861790814-577167002-1007\Software\SecuROM\License information*]
"datasecu"=hex:36,c5,2d,d2,fe,43,81,66,e3,97,26,b0,6d,d0,40,4e,06,ce,f8,21,51,
18,ec,07,91,00,e4,ca,09,d5,b3,0e,7d,81,35,75,48,66,d1,2b,00,44,b4,62,a6,00,\
"rkeysecu"=hex:0b,03,d4,6a,fa,ff,c2,31,32,f6,43,bd,a2,a9,60,ff
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3692)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\ACS.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\TPSMain.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Common Files\Teleca Shared\CapabilityManager.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-29 22:40:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-29 21:39

Pre-Run: 2,915,770,368 bytes free
Post-Run: 3,695,484,928 bytes free

- - End Of File - - 19D1AF36785873BC32D6479E807866A4

DDS (Ver_10-03-17.01) - NTFSx86
Run by Stewart at 23:07:16.40 on 29/03/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1242 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ACS.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\TDSupportApp\cdrom_mon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\3\3Connect\AutoUpdateSrv.exe
C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\3\3Connect\WilogApp.exe
C:\Documents and Settings\Stewart\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJfox000&ptb=D43DYJdBKd_Fc0WF3.0tnQ
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Nero Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: &Save Flash: {4064ea35-578d-4073-a834-c96d82cbcf40} - c:\program files\save flash\SaveFlash.dll
TB: Nero Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\stewart\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
StartupFolder: c:\docume~1\stewart\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\stewart\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\3\3connect\AutoUpdateSrv.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/SCRABBLE/Images/armhelper.ocx
TCP: {484A6A84-B6B4-4309-BD8C-C6E8D1ADE38C} = 217.171.132.1 217.171.135.1
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\stewart\applic~1\mozilla\firefox\profiles\ytnpt0jo.default\
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJfox000&fl=0&ptb=D43DYJdBKd_Fc0WF3.0tnQ&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\documents and settings\stewart\application data\mozilla\firefox\profiles\ytnpt0jo.default\extensions\{6cb32b93-d641-4904-a765-b2b4d95e3d24}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\stewart\application data\mozilla\firefox\profiles\ytnpt0jo.default\extensions\{6cb32b93-d641-4904-a765-b2b4d95e3d24}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\stewart\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {D144380B-4F09-4251-816B-45EED453F758} - c:\documents and settings\stewart\local settings\application data\{D144380B-4F09-4251-816B-45EED453F758}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-3 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-3 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-3 185089]
R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\tdsupportapp\cdrom_mon.exe [2008-1-3 81920]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-3 56816]
R2 KodakDigitalDisplayService;KodakDigitalDisplayService;c:\program files\kodak\digital display\orbkodaklauncher\DllStartupService.exe [2008-3-6 81920]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\sony ericsson\sony ericsson pc suite\SupServ.exe [2010-1-31 90112]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-1-31 27632]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-16 135664]
UnknownUnknown pzlpixh;pzlpixh; [x]

=============== Created Last 30 ================

2010-03-29 20:42:44 0 d-----w- C:\ComboFix
2010-03-29 20:36:39 0 d-sha-r- C:\cmdcons
2010-03-29 20:32:44 98816 ----a-w- c:\windows\sed.exe
2010-03-29 20:32:44 77312 ----a-w- c:\windows\MBR.exe
2010-03-29 20:32:44 261632 ----a-w- c:\windows\PEV.exe
2010-03-29 20:32:44 161792 ----a-w- c:\windows\SWREG.exe
2010-03-28 09:35:49 0 ----a-w- c:\documents and settings\stewart\defogger_reenable
2010-03-27 09:58:35 0 d-----w- c:\program files\a-squared Anti-Malware
2010-03-26 13:03:17 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-03-26 13:03:17 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-03-26 13:03:06 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-03-26 13:03:06 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-03-26 13:02:45 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-03-26 13:02:45 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-03-26 13:01:41 120 ----a-w- c:\windows\Dvevipo.dat
2010-03-26 13:01:41 0 ----a-w- c:\windows\Xbipeyogo.bin
2010-03-19 08:52:28 0 d-----w- c:\program files\common files\xing shared
2010-03-10 08:03:13 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-09 21:50:12 214592 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-03-09 19:56:20 138968 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-03-09 19:56:18 139152 ----a-w- c:\docume~1\stewart\applic~1\PnkBstrK.sys
2010-03-09 19:56:01 214592 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-03-09 19:55:50 794408 ----a-w- c:\windows\system32\pbsvc.exe
2010-03-09 19:55:50 75064 ----a-w- c:\windows\system32\PnkBstrA.exe

==================== Find3M ====================

2010-02-17 20:53:23 39540 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-12 10:03:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-01-05 10:00:29 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-03 19:22:56 81984 ----a-w- c:\windows\system32\bdod.bin
2009-09-11 15:41:22 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009091120090912\index.dat

============= FINISH: 23:07:48.42 ===============

Attached Files

#10 MuddyPaws77

  • Topic Starter
  • Members
  • 8 posts

Posted 29 March 2010 - 07:09 PM

Hi there,
Have just run Avira full scan again, & it seems like they have multiplied... I now have 5 detections - though the 7 hidden items I had before have now gone. I have posted the log file below.

Thanks,
Stewart




Avira AntiVir Personal
Report file date: 29 March 2010 23:24

Scanning for 1931788 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : YOUR-29A661D26E

Version information:
BUILD.DAT : 9.0.0.422 21701 Bytes 3/9/2010 10:29:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 11:26:33
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 10:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 11:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 10:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 07:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 19:59:46
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 21:03:07
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 19:13:34
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 20:00:54
VBASE005.VDF : 7.10.4.204 2048 Bytes 3/5/2010 20:00:54
VBASE006.VDF : 7.10.4.205 2048 Bytes 3/5/2010 20:00:54
VBASE007.VDF : 7.10.4.206 2048 Bytes 3/5/2010 20:00:54
VBASE008.VDF : 7.10.4.207 2048 Bytes 3/5/2010 20:00:55
VBASE009.VDF : 7.10.4.208 2048 Bytes 3/5/2010 20:00:55
VBASE010.VDF : 7.10.4.209 2048 Bytes 3/5/2010 20:00:56
VBASE011.VDF : 7.10.4.210 2048 Bytes 3/5/2010 20:00:56
VBASE012.VDF : 7.10.4.211 2048 Bytes 3/5/2010 20:00:56
VBASE013.VDF : 7.10.4.242 153088 Bytes 3/8/2010 19:26:13
VBASE014.VDF : 7.10.5.17 99328 Bytes 3/10/2010 19:26:18
VBASE015.VDF : 7.10.5.44 107008 Bytes 3/11/2010 19:26:46
VBASE016.VDF : 7.10.5.69 92672 Bytes 3/12/2010 19:26:41
VBASE017.VDF : 7.10.5.91 119808 Bytes 3/15/2010 19:26:38
VBASE018.VDF : 7.10.5.121 112640 Bytes 3/18/2010 19:26:50
VBASE019.VDF : 7.10.5.138 139776 Bytes 3/18/2010 19:26:57
VBASE020.VDF : 7.10.5.164 113152 Bytes 3/22/2010 22:10:29
VBASE021.VDF : 7.10.5.182 108032 Bytes 3/23/2010 22:10:25
VBASE022.VDF : 7.10.5.199 123904 Bytes 3/24/2010 22:10:26
VBASE023.VDF : 7.10.5.217 279552 Bytes 3/25/2010 22:10:40
VBASE024.VDF : 7.10.5.234 202240 Bytes 3/26/2010 15:11:26
VBASE025.VDF : 7.10.5.235 2048 Bytes 3/26/2010 15:11:27
VBASE026.VDF : 7.10.5.236 2048 Bytes 3/26/2010 15:11:28
VBASE027.VDF : 7.10.5.237 2048 Bytes 3/26/2010 15:11:28
VBASE028.VDF : 7.10.5.238 2048 Bytes 3/26/2010 15:11:29
VBASE029.VDF : 7.10.5.239 2048 Bytes 3/26/2010 15:11:30
VBASE030.VDF : 7.10.5.240 2048 Bytes 3/26/2010 15:11:31
VBASE031.VDF : 7.10.5.241 2048 Bytes 3/26/2010 15:11:32
Engineversion : 8.2.1.204
AEVDF.DLL : 8.1.1.3 106868 Bytes 1/22/2010 20:50:50
AESCRIPT.DLL : 8.1.3.23 1278331 Bytes 3/27/2010 15:11:51
AESCN.DLL : 8.1.5.0 127347 Bytes 2/27/2010 11:17:32
AESBX.DLL : 8.1.2.1 254323 Bytes 3/19/2010 19:29:58
AERDL.DLL : 8.1.4.3 541043 Bytes 3/19/2010 19:29:34
AEPACK.DLL : 8.2.1.1 426358 Bytes 3/19/2010 19:29:03
AEOFFICE.DLL : 8.1.0.41 201083 Bytes 3/19/2010 19:28:44
AEHEUR.DLL : 8.1.1.16 2503031 Bytes 3/27/2010 15:11:45
AEHELP.DLL : 8.1.10.2 237941 Bytes 3/19/2010 19:27:35
AEGEN.DLL : 8.1.3.2 373108 Bytes 3/19/2010 19:27:27
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 07:38:26
AECORE.DLL : 8.1.12.3 188789 Bytes 3/19/2010 19:27:14
AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 07:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 08:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 15:14:02
AVREP.DLL : 8.0.0.7 159784 Bytes 2/17/2010 20:17:24
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 10:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 15:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 10:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 15:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 08:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 10:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 15:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 12:25:47

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: 29 March 2010 23:24

Starting search for hidden objects.
'64908' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'WilogApp.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'OSA.EXE' - '1' Module(s) have been scanned
Scan process 'BBC iPlayer Desktop.exe' - '1' Module(s) have been scanned
Scan process 'AutoUpdateSrv.exe' - '1' Module(s) have been scanned
Scan process 'EasyShare.exe' - '1' Module(s) have been scanned
Scan process 'SEPCSuite.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'TOSCDSPD.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'winampa.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'TPSBattM.exe' - '1' Module(s) have been scanned
Scan process 'tfswctrl.exe' - '1' Module(s) have been scanned
Scan process 'PadExe.exe' - '1' Module(s) have been scanned
Scan process 'SmoothView.exe' - '1' Module(s) have been scanned
Scan process 'TPSMain.exe' - '1' Module(s) have been scanned
Scan process 'TvsTray.exe' - '1' Module(s) have been scanned
Scan process 'THotkey.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'TAPPSRV.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'SupServ.exe' - '1' Module(s) have been scanned
Scan process 'DllStartupService.exe' - '1' Module(s) have been scanned
Scan process 'CFSvcs.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'cdrom_mon.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'acs.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
58 processes with 58 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '64' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Qoobox\Quarantine\C\Documents and Settings\Stewart\Start Menu\Programs\Startup\syspck32.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\pzlpixh.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_pzlpixh_.sys.zip
[0] Archive type: ZIP
--> pzlpixh.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\System Volume Information\_restore{C6C72350-ACB0-4062-8055-9B8A990CF9C1}\RP292\A0274430.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{C6C72350-ACB0-4062-8055-9B8A990CF9C1}\RP292\A0274431.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan

Beginning disinfection:
C:\Qoobox\Quarantine\C\Documents and Settings\Stewart\Start Menu\Programs\Startup\syspck32.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4c244123.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\pzlpixh.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '4c1d4124.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_pzlpixh_.sys.zip
[NOTE] The file was moved to '4c2b411a.qua'!
C:\System Volume Information\_restore{C6C72350-ACB0-4062-8055-9B8A990CF9C1}\RP292\A0274430.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4be340da.qua'!
C:\System Volume Information\_restore{C6C72350-ACB0-4062-8055-9B8A990CF9C1}\RP292\A0274431.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '48114293.qua'!


End of the scan: 30 March 2010 01:07
Used time: 1:41:27 Hour(s)

The scan has been done completely.

12659 Scanned directories
346728 Files were scanned
5 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
5 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
346721 Files not concerned
7320 Archives were scanned
2 Warnings
7 Notes
64908 Objects were scanned with rootkit scan
0 Hidden objects were found



#11 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender: Male
  • Location: Numpty HQ

Posted 30 March 2010 - 02:34 PM

Good evening.

What may seem like bad news is in fact good - if you look carefully.

C:\Qoobox\Quarantine\C\Documents and Settings\Stewart\Start Menu\Programs\Startup\syspck32.exe.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\pzlpixh.sys.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_pzlpixh_.sys.zip

C:\System Volume Information\_restore{C6C72350-ACB0-4062-8055-9B8A990CF9C1}\RP292\A0274430.exe
C:\System Volume Information\_restore{C6C72350-ACB0-4062-8055-9B8A990CF9C1}\RP292\A0274431.sys


The first three detections are malicious files that ComboFix has removed from your system. "\Qoobox\Quarantine" is where these files are stored in case they are false positive detections or samples are required for any reason. If you look closely you can see that they all have extra file extensions added, either .vir or .zip, which renders them harmless unless you were to remove this added extension and then run the three files - unlikely I would hope!
The last two are files held within System Restore restore points and pose no direct threat to your PC unless you were to use one of the infected points to restore your PC to an earlier time. We will deal with this issue once you have completed the scan below.

I think that sUBs' tool has removed all of the nasties that were present, but I would like one last scan just to be certain, so would you do the following:

Pay a visit to the ESET Online Scanner.
  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you uncheck the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.


So long, and thanks for all the fish.
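As an added example (it is not part of this thread, nor Avira's or ComboFix's own tooling), the triage Noviciate does by eye above can be scripted: the block below parses the `[DETECTION]` lines of an Avira report and sorts each hit by where the flagged file lives. The sample input is constructed from the detection lines of the report posted above, plus one made-up path outside quarantine and System Restore so that the "active" bucket is exercised. The location rules (a path under `\Qoobox\Quarantine\` or a `.vir` suffix means ComboFix quarantine; `\System Volume Information\_restore` means a restore point; anything else is treated as live) are assumptions that follow the post, not a published specification.

```python
"""Triage Avira AntiVir detections by where the flagged file lives.

Added example; not Avira's or ComboFix's own code. The location rules are
assumptions drawn from the forum post, not a published specification.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the detection lines from the Avira report in the
# thread (same shape Avira prints), plus one made-up "live" path so that the
# third bucket is exercised.
SAMPLE_REPORT = r"""
C:\Qoobox\Quarantine\C\Documents and Settings\Stewart\Start Menu\Programs\Startup\syspck32.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\pzlpixh.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_pzlpixh_.sys.zip
[0] Archive type: ZIP
--> pzlpixh.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\System Volume Information\_restore{C6C72350-ACB0-4062-8055-9B8A990CF9C1}\RP292\A0274430.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{C6C72350-ACB0-4062-8055-9B8A990CF9C1}\RP292\A0274431.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\WINDOWS\system32\drivers\constructed_live_sample.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")                      # a new file record
MEMBER_RE = re.compile(r"^-->\s+(.+?)\s*$")                 # member inside an archive
DETECTION_RE = re.compile(r"^\[DETECTION\]\s+Is the\s+(.+?)\s*$")


@dataclass
class Detection:
    path: str                     # file exactly as the scanner reported it
    name: str                     # Avira's detection name, e.g. "TR/Rootkit.Gen Trojan"
    member: Optional[str] = None  # archive member, when the hit was inside a ZIP


def parse_detections(report: str) -> List[Detection]:
    """Walk the report line by line; a detection belongs to the last path seen."""
    detections: List[Detection] = []
    current_path: Optional[str] = None
    current_member: Optional[str] = None
    for raw in report.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current_path, current_member = line, None
            continue
        m = MEMBER_RE.match(line)
        if m:
            current_member = m.group(1)
            continue
        m = DETECTION_RE.match(line)
        if m and current_path is not None:
            detections.append(Detection(current_path, m.group(1), current_member))
    return detections


def classify(path: str) -> str:
    """Assumed rules: ComboFix quarantine, System Restore point, or a live file."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p or p.endswith(".vir"):
        return "quarantined"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    return "active"


def triage(report: str) -> Dict[str, List[Detection]]:
    buckets: Dict[str, List[Detection]] = {"active": [], "quarantined": [], "restore_point": []}
    for d in parse_detections(report):
        buckets[classify(d.path)].append(d)
    return buckets


def summarize(report: str) -> Dict[str, int]:
    """Count of hits per bucket; "active" is the only one that needs attention now."""
    return {bucket: len(hits) for bucket, hits in triage(report).items()}


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(hits)} hit(s)")
        for d in hits:
            where = f"{d.path} -> {d.member}" if d.member else d.path
            print(f"    {d.name}: {where}")
```

Run against the report in the thread, everything lands in the quarantined and restore-point buckets and the active bucket is empty, which is exactly the "bad news is in fact good" reading above; a hit in the active bucket is the one worth acting on.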
#12 MuddyPaws77

  • Topic Starter
  • Members
  • 8 posts

Posted 30 March 2010 - 08:01 PM

Hello again,
The ESET results are thus:

C:\Documents and Settings\Stewart\My Documents\Downloads\SetupCasino.exe__en.exe a variant of Win32/PTCasino application
C:\Qoobox\Quarantine\C\WINDOWS\wbdm32.dll.vir a variant of Win32/Cimag.CB trojan


The "SetupCasino.exe" is just a William Hill casino console, so I have managed to delete this without any bother. I don't use it anyway, so no probs there.
I'm assuming the quarantined item it has picked up isn't worth bothering about (as per your previous post).


Thanks,
Stewart


Edit:
I have run Avira Deep Scan again after removing the casino console, & I'm delighted to report that no viruses or hidden items have been detected!
Log below:



Avira AntiVir Personal
Report file date: 31 March 2010 17:31

Scanning for 1939111 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : YOUR-29A661D26E

Version information:
BUILD.DAT : 9.0.0.422 21701 Bytes 3/9/2010 10:29:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 11:26:33
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 10:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 11:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 10:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 07:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 19:59:46
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 21:03:07
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 19:13:34
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 20:00:54
VBASE005.VDF : 7.10.4.204 2048 Bytes 3/5/2010 20:00:54
VBASE006.VDF : 7.10.4.205 2048 Bytes 3/5/2010 20:00:54
VBASE007.VDF : 7.10.4.206 2048 Bytes 3/5/2010 20:00:54
VBASE008.VDF : 7.10.4.207 2048 Bytes 3/5/2010 20:00:55
VBASE009.VDF : 7.10.4.208 2048 Bytes 3/5/2010 20:00:55
VBASE010.VDF : 7.10.4.209 2048 Bytes 3/5/2010 20:00:56
VBASE011.VDF : 7.10.4.210 2048 Bytes 3/5/2010 20:00:56
VBASE012.VDF : 7.10.4.211 2048 Bytes 3/5/2010 20:00:56
VBASE013.VDF : 7.10.4.242 153088 Bytes 3/8/2010 19:26:13
VBASE014.VDF : 7.10.5.17 99328 Bytes 3/10/2010 19:26:18
VBASE015.VDF : 7.10.5.44 107008 Bytes 3/11/2010 19:26:46
VBASE016.VDF : 7.10.5.69 92672 Bytes 3/12/2010 19:26:41
VBASE017.VDF : 7.10.5.91 119808 Bytes 3/15/2010 19:26:38
VBASE018.VDF : 7.10.5.121 112640 Bytes 3/18/2010 19:26:50
VBASE019.VDF : 7.10.5.138 139776 Bytes 3/18/2010 19:26:57
VBASE020.VDF : 7.10.5.164 113152 Bytes 3/22/2010 22:10:29
VBASE021.VDF : 7.10.5.182 108032 Bytes 3/23/2010 22:10:25
VBASE022.VDF : 7.10.5.199 123904 Bytes 3/24/2010 22:10:26
VBASE023.VDF : 7.10.5.217 279552 Bytes 3/25/2010 22:10:40
VBASE024.VDF : 7.10.5.234 202240 Bytes 3/26/2010 15:11:26
VBASE025.VDF : 7.10.5.235 2048 Bytes 3/26/2010 15:11:27
VBASE026.VDF : 7.10.5.236 2048 Bytes 3/26/2010 15:11:28
VBASE027.VDF : 7.10.5.237 2048 Bytes 3/26/2010 15:11:28
VBASE028.VDF : 7.10.5.238 2048 Bytes 3/26/2010 15:11:29
VBASE029.VDF : 7.10.5.239 2048 Bytes 3/26/2010 15:11:30
VBASE030.VDF : 7.10.5.240 2048 Bytes 3/26/2010 15:11:31
VBASE031.VDF : 7.10.5.250 112128 Bytes 3/30/2010 11:12:22
Engineversion : 8.2.1.204
AEVDF.DLL : 8.1.1.3 106868 Bytes 1/22/2010 20:50:50
AESCRIPT.DLL : 8.1.3.23 1278331 Bytes 3/27/2010 15:11:51
AESCN.DLL : 8.1.5.0 127347 Bytes 2/27/2010 11:17:32
AESBX.DLL : 8.1.2.1 254323 Bytes 3/19/2010 19:29:58
AERDL.DLL : 8.1.4.3 541043 Bytes 3/19/2010 19:29:34
AEPACK.DLL : 8.2.1.1 426358 Bytes 3/19/2010 19:29:03
AEOFFICE.DLL : 8.1.0.41 201083 Bytes 3/19/2010 19:28:44
AEHEUR.DLL : 8.1.1.16 2503031 Bytes 3/27/2010 15:11:45
AEHELP.DLL : 8.1.10.2 237941 Bytes 3/19/2010 19:27:35
AEGEN.DLL : 8.1.3.2 373108 Bytes 3/19/2010 19:27:27
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 07:38:26
AECORE.DLL : 8.1.12.3 188789 Bytes 3/19/2010 19:27:14
AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 07:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 08:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 15:14:02
AVREP.DLL : 8.0.0.7 159784 Bytes 2/17/2010 20:17:24
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 10:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 15:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 10:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 15:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 08:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 10:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 15:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 12:25:47

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: 31 March 2010 17:31

Starting search for hidden objects.
'65621' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'WilogApp.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'OSA.EXE' - '1' Module(s) have been scanned
Scan process 'BBC iPlayer Desktop.exe' - '1' Module(s) have been scanned
Scan process 'AutoUpdateSrv.exe' - '1' Module(s) have been scanned
Scan process 'EasyShare.exe' - '1' Module(s) have been scanned
Scan process 'TPSBattM.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'SEPCSuite.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'TOSCDSPD.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'winampa.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'tfswctrl.exe' - '1' Module(s) have been scanned
Scan process 'PadExe.exe' - '1' Module(s) have been scanned
Scan process 'SmoothView.exe' - '1' Module(s) have been scanned
Scan process 'TPSMain.exe' - '1' Module(s) have been scanned
Scan process 'TvsTray.exe' - '1' Module(s) have been scanned
Scan process 'THotkey.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'TAPPSRV.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'SupServ.exe' - '1' Module(s) have been scanned
Scan process 'DllStartupService.exe' - '1' Module(s) have been scanned
Scan process 'CFSvcs.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'cdrom_mon.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'acs.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
56 processes with 56 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '64' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.


End of the scan: 31 March 2010 19:22
Used time: 1:51:46 Hour(s)

The scan has been done completely.

12686 Scanned directories
348341 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
348339 Files not concerned
7404 Archives were scanned
2 Warnings
2 Notes
65621 Objects were scanned with rootkit scan
0 Hidden objects were found



Please can you confirm that you are satisfied that everything is as it should be now. Thank you so much for your help - it is very much appreciated. Thank you, thank you, thank you!

As a final note, would you mind recommending any other software I should be running alongside my Avira. Should I look to run an independent firewall, or does Windows Firewall do a sufficient job, in your opinion?

Thanks again..great job my friend!

Stewart

Edited by MuddyPaws77, 31 March 2010 - 01:32 PM.


#13 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender: Male
  • Location: Numpty HQ

Posted 31 March 2010 - 02:13 PM

Good evening.

The casino file detection is probably a false-positive as I wouldn't expect a legitimate file to have such nasties enclosed. It probably matches some criteria that ESET applies to these sorts of files rather than posing any actual risk, but if you don't use it you won't miss it.

The system looks OK malware-wise, but it is seriously short of hard drive space - 1.99 GiB free according to DDS. The following will tidy things up a little:

1) Go to Start > Control Panel > Add/Remove Programs and remove any programs that you no longer use and then reboot your PC.

2) Download TFC by OldTimer from here and save it to your Desktop.
  • You will need to close all open programs and save any work as TFC will require a reboot.
  • Double-click TFC.exe to run it. (Note: If you are using Vista, right-click the file and select Run As Administrator from the menu that appears).
  • Click the Start button to begin. Depending on how often you clean temp files, execution time could be anywhere from a few seconds to a minute or two - just sit back and enjoy the view.
  • Once it has finished it should reboot your PC all by itself. If it does not, please manually reboot.
  • Once rebooted your PC will run like a Cray supercomputer, or at least have less junk on the hard drive - OT's not a miracle worker you know!
  • Please note that this tool will empty the Recycle Bin as part of its actions. If you have anything in there that you haven't finished with, move it first.

3) Double click My Computer.
Right click the disc drive you wish to check.
Click Properties.
In the Properties dialog box, click the Tools Tab.
Under Error-checking, click the Check Now button.
In the "Check Disc Local Disk (C:)" dialog box, check both Automatically fix file system errors and Scan for and attempt recovery of bad sectors, and then click Start.

This will look for and attempt to repair any errors that your hard drive has.

4) Defragment your hard drive. A tutorial for disc defragmentation is available here.

I happen to prefer a third-party defrag tool to the one that Windows offers. You can read about it, and find a linky, here - it's free too!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.
There are a few free firewalls available, of which the following are some examples
Comodo Firewall Pro, available here. This download has both a firewall and anti-virus in the same package, so be sure that you uncheck the AV option if you choose to install this one.
PC Tools Firewall Plus, available here.
Online Armor Free, available here.

While you are free to try each in turn, you should only have one installed at a time. Two, or more, together can cause conflicts which may leave your PC at greater risk as well as eating into your processor time.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your copy of Adobe Reader is out of date. You can get the latest version here, feel free to uncheck the McAfee download first, or you can update from within the program itself: Help > Check for Updates...

Your version of Sun Java needs updating:

1) Go here and click on the Windows XP/Vista/2000/2003 Offline link in the Windows section near the top and save it to your Desktop.

2) Download JavaRa from here and save it to your Desktop.
You will need to extract the file(s):
Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


***Please close any instances of Internet Explorer before continuing!***
  • Double-click JavaRa.exe to begin.
  • Pick your preferred language from the drop-down menu and click Select.
  • Click on Remove Older Versions to remove older version of Java - obvious really, isn't it!
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location, just in case you have any problems with Java afterwards.
3) Run the installer that you downloaded earlier.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Go to Start > Run, enter the following into the textbox and click OK: ComboFix /Uninstall
This will uninstall Combofix and do a little housework besides.

Create a new Restore Point with a memorable name - this will give a clean one should you need it in the future. If you use a Restore Point from before this point you may reinstall any infection that was present at the time, so only do so if using this latest one doesn't solve any issues.
A tutorial for System Restore is available here.

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.

So long, and thanks for all the fish.
#14 MuddyPaws77

  • Topic Starter
  • Members
  • 8 posts

Posted 05 April 2010 - 05:33 AM

Hi there,
Everything seems to be fine now, so I have uninstalled ComboFix as you suggested.

I really cannot thank you enough!

Thanks again,
Stewart

#15 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender: Male
  • Location: Numpty HQ

Posted 05 April 2010 - 01:11 PM

Always like a happy ending. As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.