
trojan horse BackDoor - HJT log and more


  • This topic is locked
26 replies to this topic

#1 1sabelle

1sabelle

  • Members
  • 19 posts
  • OFFLINE
  • Local time:07:29 AM

Posted 14 April 2010 - 02:12 PM

Hi and thanks for any help you can give me...


First of all, I scan my computer regularly, and besides the occasional tracking cookies it never finds anything... 2 weeks ago my computer kept restarting by itself, and after some research I figured out it might have been overheating. I used a dust remover can to clean the fans and CPU and now it seems to be fine, not restarting (might still be related to my problem).

A couple of days ago a threat alert popped up from AVG... so last night I updated all my stuff and used CCleaner before going into safe mode, then scanned with AVG 9.0, SUPERAntiSpyware and Malwarebytes... all seemed normal!! This morning a trojan virus popped up again when nothing was open at all... so I'm a little confused and scared; that is why I need your help!! Thank you again for taking the time to help me.

The pop-up came up again and again and again, and it happens when I leave the computer and come back... from idle mode (once it's in screen saver mode or such a thing).
C:\System Volume Information\_restore{055B3954-32B8-4FA4-81E8-48BE2DC7DDFC}\RP436\A0120024.exe is the file this time;
now it's A0120026.exe, 27... 28...

'trojan horse BackDoor.Generic_c.DLH'
detected on open.

2 years ago my motherboard fried, and I reinstalled everything on a new HD and kept the old HD as a backup drive; it's now F:. I'm scanning that drive too, so it might not be relevant, but who knows; the more I tell you the better, I think. So might it be something hidden on the F: drive?

I also go on some live streaming sites like Justin TV or myp2p to watch live events... I use Firefox with NoScript, so it seems to block most of the bad stuff on the internet; might it still be dangerous to stream? I'm really cautious in everything I do, so I'd like to know if that could be the case; if so, I'll stop going.

Things that happen too... error loading Google installer every 30 minutes or so; the firewall is turned off when I first start the computer, only for like 20 seconds and then back on; the screen blinks kind of white for half a second (like a print screen or picture taken); the computer used to restart by itself.

Oh, I also used TeamViewer, CrossLoop and wikogo to help some friends with their computer problems... I do that too :)


That is probably all that I can think of... sorry for my bad English, I'm trying hard.


Oh, and is HJT scanning both C: and F:? It seems like only the C: drive; could that be a problem? I don't want to tweak anything or change any options till you tell me to!!


I've rescanned this morning again, but this time not in safe mode, and Malwarebytes found 4 things... here is the log.


***
***

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3987

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/14/2010 2:39:10 PM
mbam-log-2010-04-14 (14-39-10).txt

Scan type: Full scan (A:\|C:\|F:\|)
Objects scanned: 272884
Time elapsed: 2 hour(s), 25 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{055B3954-32B8-4FA4-81E8-48BE2DC7DDFC}\RP437\A0120161.exe (Trojan.Crypt) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{055B3954-32B8-4FA4-81E8-48BE2DC7DDFC}\RP437\A0120162.exe (Trojan.Crypt) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{055B3954-32B8-4FA4-81E8-48BE2DC7DDFC}\RP437\A0120163.exe (Trojan.Crypt) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{055B3954-32B8-4FA4-81E8-48BE2DC7DDFC}\RP437\A0120164.exe (Trojan.Crypt) -> Quarantined and deleted successfully.


*****
*****

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:11:25 PM, on 4/14/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\AutoTask\AutoTask.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\leOWNER\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\PROGRAM FILES\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\leOWNER\Desktop\Software\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [GBTUpd] C:\Program Files\GIGABYTE\GBTUpd\PreRun.exe
O4 - HKLM\..\Run: [GEST] =
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AutoTask] "C:\Program Files\AutoTask\AutoTask.exe" /STARTUP
O4 - HKLM\..\Run: [BackupSoft] "\BackupSoft.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\leOWNER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Eurolinx - {00000000-0000-0000-0000-000000000000} - C:\MicroGaming\Poker\EurolinxPokerMPP\MPPoker.exe (file missing) (HKCU)
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://vexcast.com/download/vexcast.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9561 bytes

Thanks for any advice or help.
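As an added example, not part of this thread or of HijackThis itself, here is a small Python triage script for the kind of HJT log posted above. It does the first pass a helper does by eye: it flags O2/O3/O9 entries whose file is gone ("(no file)", "(file missing)") and O4 autostart values whose command is empty or is not an absolute path, so that the reviewer knows which entries need a closer look. The sample input is a constructed excerpt of eight lines copied from the log above; the rules, names and reason strings are this example's own assumptions, and a flagged line is a prompt to verify, not a verdict of malware.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log
# posted above (O2/O3/O4/O9 sections), used as offline test input.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [GEST] =
O4 - HKLM\..\Run: [AutoTask] "C:\Program Files\AutoTask\AutoTask.exe" /STARTUP
O4 - HKLM\..\Run: [BackupSoft] "\BackupSoft.exe" /STARTUP
O9 - Extra button: Eurolinx - {00000000-0000-0000-0000-000000000000} - C:\MicroGaming\Poker\EurolinxPokerMPP\MPPoker.exe (file missing) (HKCU)
"""

# Markers HijackThis (and the DDS "pseudo HJT" report) print when the
# registry still references a file that is gone from disk.
ORPHAN_MARKERS = ("no file", "file missing")

# O4 line shape: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Absolute Windows paths: drive letter, %VAR% expansion, or UNC \\server\share.
ABS_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|%[A-Za-z_]+%\\|\\\\)")


def first_token(cmd: str) -> str:
    """Return the executable part of an autostart command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_line(line: str):
    """Classify one HJT line; return a finding dict, or None if nothing stands out."""
    line = line.strip()
    if not line:
        return None
    section = line.split(" ", 1)[0]  # e.g. "O4"
    if any(marker in line.lower() for marker in ORPHAN_MARKERS):
        return {"section": section, "entry": line,
                "reason": "orphaned entry: registry points at a file that is no longer on disk"}
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd").strip()
        if cmd in ("", "="):
            return {"section": section, "entry": line,
                    "reason": "autostart value with an empty command"}
        exe = first_token(cmd)
        if not ABS_PATH_RE.match(exe):
            # A bare name (RTHDCPL.EXE) or a root-relative one (\BackupSoft.exe)
            # is resolved by the loader at logon; often legitimate, but the file
            # that actually runs cannot be read off the log line alone.
            return {"section": section, "entry": line,
                    "reason": f"autostart command {exe!r} is not an absolute path; verify the file it resolves to"}
    return None


def triage(log_text: str) -> list:
    """Run triage_line over a whole log and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        finding = triage_line(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['entry']}")
```

Run against the sample it reports six of the eight lines: the two "(no file)" BHO/toolbar entries, the "(file missing)" O9 button, the empty GEST value, and the two O4 commands without a full path (RTHDCPL.EXE and \BackupSoft.exe); the AutoTask entry with its quoted full path is left alone. Orphaned entries are usually leftovers of an uninstall and are harmless to remove, which is why helpers tend to clear them early; the non-absolute O4 commands are the ones worth locating on disk before deciding anything.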

#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:29 PM

Posted 17 April 2010 - 11:41 AM

Hello and welcome to Bleeping Computer. :)

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.


Please read the preparation guide here => http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
Then post the required logs when you reply and we will begin from there. Thanks.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 1sabelle

1sabelle
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:07:29 AM

Posted 17 April 2010 - 04:39 PM

Here are the DDS log and the attach file...

I tried running the gmer.exe file, but during the scan my computer completely froze the first time and I had to restart. I tried again with nothing open, and a blue screen came up, so I had to reboot again... I'll try it again later if there is no reply, but for now I figured I might just post what I got.

thank you


edit: here is the blue screen message (I'll search on Google for that)

PFN_LIST_CORRUPT

***STOP : 0x0000004E ( 0x00000007, 0x0004431c, 0x00000001, 0x00000000)

edit 2: it restarted again while I was away... the 4th time I had a blue screen again

PAGE_FAULT_IN_NON_PAGED_AREA

***STOP : 0x00000050 ( 0xe40A1000, 0x00000000, 0xB56c1c3E, 0x00000001)

***Fxtcapow.sys - address B56C1C3E base at B56C1000, DateStamp 4b274f8d


________
DDS



DDS (Ver_10-03-17.01) - NTFSx86
Run by leOWNER at 15:08:30.25 on Sat 04/17/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2312 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\AutoTask\AutoTask.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\leOWNER\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\PROGRAM FILES\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\common~1\instal~1\update~1\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\leOWNER\Desktop\New Folder\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\leowner\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [GBTUpd] c:\program files\gigabyte\gbtupd\PreRun.exe
mRun: [GEST] =
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AutoTask] "c:\program files\autotask\AutoTask.exe" /STARTUP
mRun: [BackupSoft] "\BackupSoft.exe" /STARTUP
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} - hxxp://download.gigabyte.com.tw/object/Dldrv.ocx
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://vexcast.com/download/vexcast.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\leowner\applic~1\mozilla\firefox\profiles\neawp4qo.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.forum.pourquoichercher.com/forumdisplay.php?f=3|http://www.reuters.com/article/technologyNews/idUSTRE55O18D20090625|http://www.forum.pourquoichercher.com/search.php?do=getnew
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\leowner\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-5 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-10 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-10 29512]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-10 242696]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2010-2-2 7040]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 66632]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-15 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-15 308064]
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2008-8-4 80392]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2009-2-3 65536]
S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [2010-2-2 17792]
S3 REFILERW;REFILERW;c:\windows\system32\drivers\REFILERW.SYS [2010-2-18 4224]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]

=============== Created Last 30 ================

2010-04-13 18:56:42 0 d-----w- c:\program files\TrendMicro
2010-04-12 23:11:05 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-04-12 23:11:03 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-04-12 23:10:20 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-04-12 23:06:55 27792 ----a-w- c:\windows\system32\drivers\point32.sys
2010-04-12 23:06:53 14736 ----a-w- c:\windows\system32\drivers\nuidfltr.sys
2010-04-12 23:06:53 1418120 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2010-04-12 23:05:58 0 d-----w- c:\program files\Microsoft IntelliPoint
2010-04-10 00:46:25 0 d-----w- c:\program files\iTunes
2010-04-10 00:46:25 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-10 00:40:01 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-04-17 18:40:13 16608 ----a-w- c:\windows\gdrv.sys
2010-04-01 06:27:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-15 18:05:29 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-15 18:05:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-15 18:05:03 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 15:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 15:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 15:09:02.56 ===============

Edited by 1sabelle, 17 April 2010 - 08:29 PM.


#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 17 April 2010 - 11:17 PM

Hi 1sabelle,

P2P Warning:
Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case µTorrent/StreamTorrent 1.0).

These programmes allow users to share files with each other, as the name suggests. In today's world, cybercrime has grown to an enormous scale, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should therefore be used with great care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (e.g. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."



+++++++++++++++++++++++++++++++


1. When the computer crashes, the system creates dump files on restart (Minixxxxxx.dmp, where x represents a digit). I need to see the file to find the cause of the crash.
Use Windows Advanced Search to find the file. To do that:
  • Click the Start button then click Search and the Search window will open.
  • Click All Files or Folders.
  • Type mini*.dmp in the box where it says "All or part of the file name".
  • Look through your hard drive.
  • Under the More options tab, put a check at the following:
Search system folders
Search hidden files and folders
Search subfolders
  • Then click Search.
  • Zip the file and attach it to your reply. To attach the file:
        * When you press ADD REPLY, under the reply window press Browse... and show the path to the zip file on your computer.
        * Highlight the zip file and click Open, then press the green UPLOAD button.




2. Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouse-click ComboFix's window while it's running, because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 
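The minidump hunt in step 1 above is done by hand through the XP search dialog. For a practitioner doing the same on a later Windows box, here is the equivalent as a PowerShell script. It is an added example, not part of sempai's post or of any BleepingComputer tool, and it assumes PowerShell 3.0 or later (Compress-Archive additionally needs 5.0) and an elevated prompt, since the Minidump folder is normally readable only by administrators. It also reads the CrashControl registry key, which answers the question of whether the system is configured to write minidumps at all; the key path and the meaning of the CrashDumpEnabled values are Microsoft-documented, the output wording and the zip file name are my choices.

```powershell
# Added example: locate Windows minidumps and check the crash-dump configuration.
# Not from the original thread. Assumes PowerShell 3.0+ and an elevated prompt.

$crashKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$crash    = Get-ItemProperty -Path $crashKey

# Documented meaning of the CrashDumpEnabled DWORD.
$dumpModes = @{
    0 = 'None - no dump file is written'
    1 = 'Complete memory dump'
    2 = 'Kernel memory dump'
    3 = 'Small memory dump (minidump)'
    7 = 'Automatic memory dump'
}
$mode = [int]$crash.CrashDumpEnabled
"CrashDumpEnabled = $mode ($($dumpModes[$mode]))"
"AutoReboot       = $($crash.AutoReboot)  (1 = restart automatically after a stop error)"

if ($mode -eq 0) {
    Write-Warning 'Crash dumps are disabled; no Mini*.dmp can exist for recent crashes.'
    Write-Warning 'Set CrashDumpEnabled to 3 (small memory dump) and wait for the next crash.'
}

# MinidumpDir is REG_EXPAND_SZ, so expand %SystemRoot%; fall back to the default.
$miniDir = if ($crash.MinidumpDir) {
    [Environment]::ExpandEnvironmentVariables($crash.MinidumpDir)
} else {
    Join-Path $env:SystemRoot 'Minidump'
}
"MinidumpDir      = $miniDir"

# Search the configured folder first, then the whole Windows folder.
# -Force includes hidden/system files, which the default GUI search skips.
$roots = @($miniDir, $env:SystemRoot) | Select-Object -Unique
$dumps = foreach ($root in $roots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Filter 'Mini*.dmp' -Recurse -Force -File -ErrorAction SilentlyContinue
    }
}
$dumps = @($dumps | Sort-Object FullName -Unique)

if ($dumps.Count -eq 0) {
    "No Mini*.dmp files found under $($roots -join ', ')."
    return
}

$dumps | Select-Object LastWriteTime, Length, FullName | Format-Table -AutoSize

# Zip the dumps on the desktop so they can be attached to the forum reply.
$zip = Join-Path ([Environment]::GetFolderPath('Desktop')) 'minidumps.zip'
if (Get-Command Compress-Archive -ErrorAction SilentlyContinue) {
    Compress-Archive -Path $dumps.FullName -DestinationPath $zip -Force
    "Wrote $zip"
} else {
    'Compress-Archive not available (PowerShell 5.0+); zip the files listed above by hand.'
}
```

Two things worth checking in the output before concluding that "there were no crashes": a CrashDumpEnabled of 0 means Windows never writes a dump, so an empty folder proves nothing, and AutoReboot set to 1 makes the machine restart straight after a stop error without showing the blue screen, which is exactly what an unexplained reboot loop looks like from the user's chair.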


#5 1sabelle

1sabelle
  • Topic Starter

  • Members
  • 19 posts

Posted 18 April 2010 - 04:46 PM

Thanks for the warning, I almost never use it and it's mostly to watch hockey games... I don't use uTorrent, I should delete it; I was looking for Survivor seasons but it was too slow... I get my music from YouTube nowadays. I also use OpenOffice, thanks...

Any other 'suspicious' or not-needed software I should get rid of or replace?? I'm ready to clean everything if it's better that way or needed!! Thanks


#1 It didn't find any minixxx.dmp files at all. I tried *.dmp instead of mini* the 2nd time and it found some in the AVG folder, but nothing that seems relevant to the reboot log.

Maybe I disabled that option when I tweaked Windows a couple of months ago?

#2 Here is the log.txt file from ComboFix...

ComboFix 10-04-17.07 - leOWNER 04/18/2010 17:31:35.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2333 [GMT -4:00]
Running from: c:\documents and settings\leOWNER\Desktop\New Folder\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-03-18 to 2010-04-18 )))))))))))))))))))))))))))))))
.

2010-04-13 18:56 . 2010-04-13 18:56 -------- d-----w- c:\program files\TrendMicro
2010-04-12 23:10 . 2008-04-14 09:41 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-04-12 23:06 . 2009-05-09 01:14 27792 ----a-w- c:\windows\system32\drivers\point32.sys
2010-04-12 23:06 . 2009-05-09 01:14 1418120 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2010-04-12 23:06 . 2009-05-09 01:14 14736 ----a-w- c:\windows\system32\drivers\nuidfltr.sys
2010-04-12 23:05 . 2010-04-12 23:06 -------- d-----w- c:\program files\Microsoft IntelliPoint
2010-04-10 00:46 . 2010-04-10 00:47 -------- d-----w- c:\program files\iTunes
2010-04-10 00:46 . 2010-04-10 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-10 00:40 . 2010-04-10 00:40 -------- d-----w- c:\program files\Bonjour
2010-04-10 00:37 . 2010-04-10 00:37 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-08 17:13 . 2010-04-08 17:13 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-08 01:57 . 2010-04-08 01:57 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-06 17:45 . 2010-04-18 21:23 -------- d-----w- c:\documents and settings\leOWNER\Application Data\vlc
2010-04-03 15:40 . 2010-04-03 15:40 598296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-04-03 15:40 . 2010-04-03 15:40 4076824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-04-03 15:40 . 2010-04-03 15:40 313112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll
2010-04-03 15:40 . 2010-04-03 15:40 2059544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-04-03 15:40 . 2010-04-03 15:40 1598744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-04-03 15:40 . 2010-04-03 15:40 1515224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll
2010-04-03 15:40 . 2010-04-03 15:40 1274136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-04-03 15:40 . 2010-04-03 15:40 556824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2010-04-03 15:40 . 2010-04-03 15:40 459544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll
2010-04-03 15:40 . 2010-04-03 15:40 301336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-04-03 15:40 . 2010-04-03 15:40 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe
2010-04-03 15:39 . 2010-04-03 15:39 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-03 15:39 . 2010-04-03 15:39 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-03-23 16:55 . 2010-03-23 16:55 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\nagasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-18 20:56 . 2008-08-04 07:41 -------- d-----w- c:\program files\Full Tilt Poker
2010-04-18 20:56 . 2008-08-04 18:42 -------- d-----w- c:\program files\PokerStars
2010-04-18 18:25 . 2009-12-16 22:18 0 ----a-w- c:\documents and settings\leOWNER\Local Settings\Application Data\prvlcl.dat
2010-04-18 17:48 . 2008-08-04 04:26 16608 ----a-w- c:\windows\gdrv.sys
2010-04-15 19:02 . 2010-01-15 22:24 117760 ----a-w- c:\documents and settings\leOWNER\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-15 07:00 . 2008-10-22 20:38 -------- d-----w- c:\program files\Windows Live Safety Center
2010-04-13 20:08 . 2009-02-11 00:41 -------- d-----w- c:\program files\PartyGaming
2010-04-12 23:48 . 2008-08-04 07:39 17480 ----a-w- c:\documents and settings\leOWNER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-12 23:11 . 2010-04-12 23:11 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-04-12 23:11 . 2010-04-12 23:11 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-04-11 22:25 . 2008-08-04 20:34 -------- d-----w- c:\documents and settings\leOWNER\Application Data\Skype
2010-04-11 18:47 . 2008-08-04 21:02 -------- d-----w- c:\documents and settings\leOWNER\Application Data\skypePM
2010-04-10 00:46 . 2009-09-05 04:14 -------- d-----w- c:\program files\iPod
2010-04-10 00:46 . 2008-11-18 10:05 -------- d-----w- c:\program files\Common Files\Apple
2010-04-10 00:42 . 2008-11-18 10:05 -------- d-----w- c:\program files\QuickTime
2010-04-08 06:05 . 2008-08-04 18:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-07 07:41 . 2009-12-17 22:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 07:40 . 2010-01-15 22:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-07 07:40 . 2010-01-17 07:58 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-06 21:31 . 2009-12-16 21:32 -------- d-----w- c:\program files\IObit
2010-04-06 21:18 . 2008-11-27 16:00 -------- d-----w- c:\program files\CCleaner
2010-04-06 18:30 . 2008-11-20 17:17 1 ----a-w- c:\documents and settings\leOWNER\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-01 06:28 . 2008-09-02 20:56 -------- d-----w- c:\program files\Common Files\Java
2010-04-01 06:27 . 2008-12-06 16:12 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-30 04:46 . 2009-12-17 22:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-12-17 22:34 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 17:13 . 2008-08-04 18:54 -------- d-----w- c:\program files\PostgreSQL
2010-03-22 18:43 . 2008-12-08 01:33 -------- d-----w- c:\documents and settings\leOWNER\Application Data\dvdcss
2010-03-21 00:07 . 2010-03-08 00:23 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-03-21 00:06 . 2010-03-08 00:23 -------- d-----w- c:\program files\DVDVideoSoft
2010-03-15 18:05 . 2009-03-11 02:40 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-15 18:05 . 2010-03-15 18:05 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-15 18:05 . 2009-03-11 02:40 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-15 18:05 . 2009-03-11 02:40 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-10 06:15 . 2008-04-14 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-14 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 16:50 . 2008-10-29 19:57 -------- d-----w- c:\documents and settings\leOWNER\Application Data\U3
2010-02-22 01:29 . 2010-02-22 01:29 -------- d-----w- c:\documents and settings\leOWNER\Application Data\StreamTorrent
2010-02-22 01:29 . 2010-02-22 01:29 -------- d-----w- c:\program files\StreamTorrent 1.0
2010-02-19 17:52 . 2010-02-19 17:52 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-18 23:23 . 2010-02-18 23:23 -------- d-----w- c:\program files\AutoTask
2010-02-16 14:08 . 2008-04-14 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 15:46 . 2010-02-12 15:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 15:46 . 2010-02-12 15:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-12 04:33 . 2008-04-14 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-14 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-03 01:13 . 2010-02-03 01:13 7040 ----a-w- c:\windows\system32\drivers\FNETURPX.SYS
2010-02-03 01:13 . 2010-02-03 01:13 17792 ----a-w- c:\windows\system32\drivers\FNETTBOH.SYS
2010-01-29 05:02 . 2008-04-14 12:00 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-01-27 06:09 . 2010-01-27 06:09 61440 ----a-w- c:\documents and settings\leOWNER\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-44a4ef89-n\decora-sse.dll
2010-01-27 06:09 . 2010-01-27 06:09 503808 ----a-w- c:\documents and settings\leOWNER\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-633b8659-n\msvcp71.dll
2010-01-27 06:09 . 2010-01-27 06:09 499712 ----a-w- c:\documents and settings\leOWNER\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-633b8659-n\jmc.dll
2010-01-27 06:09 . 2010-01-27 06:09 348160 ----a-w- c:\documents and settings\leOWNER\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-633b8659-n\msvcr71.dll
2010-01-27 06:09 . 2010-01-27 06:09 12800 ----a-w- c:\documents and settings\leOWNER\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-44a4ef89-n\decora-d3d.dll
2010-01-24 08:46 . 2009-12-10 08:56 133744 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
.

------- Sigcheck -------

[-] 2010-01-29 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\leOWNER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="=" [X]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 16862208]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"GBTUpd"="c:\program files\GIGABYTE\GBTUpd\PreRun.exe" [2008-04-03 297480]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"AutoTask"="c:\program files\AutoTask\AutoTask.exe" [2009-06-22 335872]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 1468296]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-15 18:05 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-12-02 21:46 133104 ----atw- c:\documents and settings\leOWNER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2006-01-07 04:35 172032 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb13.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
2006-01-07 04:35 622592 ----a-w- c:\windows\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHped06]
2004-12-16 21:29 339968 ----a-w- c:\progra~1\HP\{BA2D9~1\PExpress\HPHPED06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
2006-01-07 04:35 49152 ----a-w- c:\program files\HP\{BA2D9411-DBB4-43e4-9421-780413650A67}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-05-16 18:01 13529088 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-16 18:01 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-05-16 18:01 1630208 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartDefrag]
2010-03-26 20:48 2708312 ----a-w- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TurboHddUsb]
2010-02-03 01:13 3327488 ----a-w- c:\program files\TurboHddUsb\TurboHddUsb.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\GIGABYTE\\GBTUpd\\RunUpd.exe"=
"c:\\Program Files\\GIGABYTE\\GBTUpd\\GBTUpd.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\B2BPOKER\\NoiQpoker\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/5/2009 4:49 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/10/2009 10:40 PM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/10/2009 10:40 PM 242696]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2/2/2010 9:13 PM 7040]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 8:56 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 8:56 AM 66632]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/15/2010 2:05 PM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/15/2010 2:05 PM 308064]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [8/4/2008 12:51 AM 80392]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2/3/2009 4:23 AM 65536]
S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [2/2/2010 9:13 PM 17792]
S3 REFILERW;REFILERW;c:\windows\system32\drivers\REFILERW.SYS [2/18/2010 7:25 PM 4224]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 8:56 AM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
.
Contents of the 'Scheduled Tasks' folder

2010-04-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1275210071-1417001333-1004Core.job
- c:\documents and settings\leOWNER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-02 21:46]

2010-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1275210071-1417001333-1004UA.job
- c:\documents and settings\leOWNER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-02 21:46]

2010-04-12 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-04-06 20:48]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\leOWNER\Application Data\Mozilla\Firefox\Profiles\neawp4qo.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.forum.pourquoichercher.com/forumdisplay.php?f=3|http://www.reuters.com/article/technologyNews/idUSTRE55O18D20090625|http://www.forum.pourquoichercher.com/search.php?do=getnew
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\leOWNER\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-BackupSoft - \BackupSoft.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-18 17:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1840)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-18 17:36:44
ComboFix-quarantined-files.txt 2010-04-18 21:36

Pre-Run: 19,448,958,976 bytes free
Post-Run: 20,179,906,560 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 458B4971529C6DC303A7A48A0D94C3A6



#6 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:29 PM

Posted 19 April 2010 - 06:06 AM

Hi 1sabelle,

QUOTE
any other 'suspicious' or not needed software I should get rid of or replace?? I'm ready to clean everything if it's better that way or needed!! thanks

Your logs show that you have (a) online poker programme(s) installed on your computer.
I know that you may use these (this) game(s) on a regular basis but I think it's important to note that often these kinds of programmes are installed with other unwanted software, namely spyware or adware. Due to this I strongly suggest that you uninstall these programmes if you do not use them anymore or did not install these programmes yourself on purpose. There are so many online poker games out there these days that it is close to impossible to keep track of whether a programme is infected or not. Should you have installed this online poker game on purpose and wish to continue using this, you may ignore this.


++++++++++++++++++++++


1. Please go to http://virscan.org/
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    c:\windows\gdrv.sys
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.



2. Backup Your Registry with ERUNT
  • Please download ERUNT.
  • Follow the detailed instructions HERE on how to install and run ERUNT.
  • Make sure that you have successfully installed and ran ERUNT before proceeding with the next instruction.



3. We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
FCopy::
c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys

File::
c:\documents and settings\leOWNER\Local Settings\Application Data\prvlcl.dat

DDS::
mURLSearchHooks: H - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=dword:00000000

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.






~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 
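As an added example (not code from this thread or from ComboFix itself), the Python below parses a CFScript laid out like the one in the code box above into its directives and shows the check behind the FCopy:: line: hashing the dllcache copy of tcpip.sys against the live driver, since a mismatch between the two is the condition that directive repairs. The two driver-like files it compares are constructed in a temporary directory; the names and helper functions are this example's own.

```python
"""Triage helpers for a ComboFix CFScript and its FCopy:: directive (added example)."""
import hashlib
import os
import tempfile

# Constructed sample: the CFScript from the post above, reproduced verbatim.
SAMPLE_CFSCRIPT = r"""FCopy::
c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys

File::
c:\documents and settings\leOWNER\Local Settings\Application Data\prvlcl.dat

DDS::
mURLSearchHooks: H - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=dword:00000000

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"""


def parse_cfscript(text):
    """Split a CFScript into {directive: [entries]} keyed by its 'Name::' headers.

    Blank lines only separate sections; anything before the first header is ignored.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::") and " " not in line:
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def fcopy_pairs(sections):
    """Return (source, destination) tuples from the FCopy:: section ('src | dst')."""
    pairs = []
    for entry in sections.get("FCopy", []):
        src, sep, dst = entry.partition("|")
        if sep:
            pairs.append((src.strip(), dst.strip()))
    return pairs


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_pair(src, dst):
    """Report whether the live file matches its pristine copy.

    'match' is None when either path is missing, otherwise True/False.
    """
    result = {"source": src, "destination": dst, "missing": [], "match": None}
    for path in (src, dst):
        if not os.path.isfile(path):
            result["missing"].append(path)
    if result["missing"]:
        return result
    result["source_sha256"] = sha256_of(src)
    result["destination_sha256"] = sha256_of(dst)
    result["match"] = result["source_sha256"] == result["destination_sha256"]
    return result


def demo_compare(tampered=True):
    """Write two constructed driver-like files to a temp dir and compare them."""
    pristine = b"MZ" + b"\x00" * 62 + b"PRISTINE-TCPIP-IMAGE"  # constructed bytes, not a real driver
    live = pristine[:-5] + b"PATCH" if tampered else pristine
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "dllcache_tcpip.sys")
        dst = os.path.join(tmp, "drivers_tcpip.sys")
        with open(src, "wb") as fh:
            fh.write(pristine)
        with open(dst, "wb") as fh:
            fh.write(live)
        return compare_pair(src, dst)


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for name, entries in parsed.items():
        print(f"{name}:: ({len(entries)} entries)")
    for source, destination in fcopy_pairs(parsed):
        print("FCopy", source, "->", destination)
    print("tampered live copy matches cache:", demo_compare(tampered=True)["match"])
```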


#7 1sabelle

1sabelle
  • Topic Starter

  • Members
  • 19 posts
  • Local time:07:29 AM

Posted 19 April 2010 - 12:12 PM

thank you for the great help btw, I attached the combofix.txt file that it produced and here is the gdrv.sys scan ...

oh and I mentioned in my original post that I used to have a computer and the motherboard died, so I built a new computer with a new hard drive, but still hooked up the old hard drive on the computer and it's now F: ... I want to be sure nothing can transmit from that drive since all data is still there and/or whether it was scanned/taken care of when I did all those scans?? wanted to be sure that you knew

also, should I try at some point to scan again for rootkits (gmer.exe), since it never worked, 6 out of 6 times? it froze or restarted...
____

VirSCAN.org Scanned Report :
Scanned time : 2010/04/19 12:41:27 (EDT)
Scanner results: Scanners did not find malware!
File Name : gdrv.sys
File Size : 16608 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 5c230948dd6652228f88ca7ae6cb276c
SHA1 : 65daf56454ed89f9c5401fd327282df2b23cf7eb
Online report : http://virscan.org/report/8c852752195e8275...b13bef1a9f.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100419211202 2010-04-19 5.01 -
AhnLab V3 2010.04.19.00 2010.04.19 2010-04-19 1.09 -
AntiVir 8.2.1.220 7.10.6.121 2010-04-19 0.25 -
Antiy 2.0.18 20100419.4208535 2010-04-19 0.12 -
Arcavir 2009 201004191228 2010-04-19 0.04 -
Authentium 5.1.1 201004161205 2010-04-16 1.72 -
AVAST! 4.7.4 100419-0 2010-04-19 0.00 -
AVG 8.5.720 271.1.1/2820 2010-04-19 0.25 -
BitDefender 7.81008.5682132 7.31287 2010-04-19 3.69 -
ClamAV 0.95.3 10757 2010-04-19 0.02 -
Comodo 3.13.579 4645 2010-04-19 0.92 -
CP Secure 1.3.0.5 2010.04.19 2010-04-19 0.04 -
Dr.Web 5.0.2.3300 2010.04.19 2010-04-19 6.75 -
F-Prot 4.4.4.56 20100419 2010-04-19 1.72 -
F-Secure 7.02.73807 2010.04.19.09 2010-04-19 8.75 -
Fortinet 4.0.14 11.702 2010-04-15 0.25 -
GData 19.11034/19.895 20100419 2010-04-19 6.95 -
ViRobot 20100417 2010.04.17 2010-04-17 0.43 -
Ikarus T3.1.01.80 2010.04.19.75662 2010-04-19 5.74 -
JiangMin 13.0.900 2010.04.19 2010-04-19 1.21 -
Kaspersky 5.5.10 2010.04.19 2010-04-19 0.08 -
KingSoft 2009.2.5.15 2010.4.19.21 2010-04-19 0.68 -
McAfee 5400.1158 5955 2010-04-18 0.02 -
Microsoft 1.5605 2010.04.19 2010-04-19 7.08 -
Norman 6.04.11 6.04.00 2010-04-16 4.01 -
Panda 9.05.01 2010.04.18 2010-04-18 1.97 -
Trend Micro 9.120-1004 7.112.11 2010-04-19 0.03 -
Quick Heal 10.00 2010.04.19 2010-04-19 1.50 -
Rising 20.0 22.44.00.04 2010-04-19 1.15 -
Sophos 3.06.0 4.52 2010-04-19 3.48 -
Sunbelt 3.9.2418.2 6194 2010-04-18 5.81 -
Symantec 1.3.0.24 20100418.002 2010-04-18 0.26 -
nProtect 20100419.01 8028667 2010-04-19 10.72 -
The Hacker 6.5.2.0 v00264 2010-04-19 0.40 -
VBA32 3.12.12.4 20100418.2214 2010-04-18 2.98 -
VirusBuster 4.5.11.10 10.124.17/2029311 2010-04-18 2.39 -



combofix.txt is attached

Edited by 1sabelle, 19 April 2010 - 12:15 PM.


#8 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:29 PM

Posted 20 April 2010 - 07:41 AM

Hi,

QUOTE
oh and I mentioned in my original post that I used to have a computer and the motherboard died, so I built a new computer with a new hard drive, but still hooked up the old hard drive on the computer and it's now F: ... I want to be sure nothing can transmit from that drive since all data is still there and/or whether it was scanned/taken care of when I did all those scans?? wanted to be sure that you knew

OK thanks for letting me know. We will scan that drive later.

There's no attachment on your last post, can you please post the latest Combofix.txt instead of attaching it.

~Semp



#9 1sabelle

1sabelle
  • Topic Starter

  • Members
  • 19 posts
  • Local time:07:29 AM

Posted 20 April 2010 - 11:38 AM

oops I'm really sorry about that attachment

ComboFix 10-04-17.07 - leOWNER 04/19/2010 12:54:35.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2423 [GMT -4:00]
Running from: c:\documents and settings\leOWNER\Desktop\New Folder\ComboFix.exe
Command switches used :: c:\documents and settings\leOWNER\Desktop\New Folder\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\documents and settings\leOWNER\Local Settings\Application Data\prvlcl.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\leOWNER\Local Settings\Application Data\prvlcl.dat

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((( Files Created from 2010-03-19 to 2010-04-19 )))))))))))))))))))))))))))))))
.

2010-04-19 16:46 . 2010-04-19 16:46 -------- d-----w- c:\program files\ERUNT
2010-04-19 00:59 . 2010-04-19 00:59 -------- d-----w- c:\documents and settings\leOWNER\Local Settings\Application Data\In The Money
2010-04-18 22:07 . 2010-04-18 22:07 -------- d-----w- c:\documents and settings\leOWNER\Application Data\AVG9
2010-04-13 18:56 . 2010-04-13 18:56 -------- d-----w- c:\program files\TrendMicro
2010-04-12 23:10 . 2008-04-14 09:41 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-04-12 23:06 . 2009-05-09 01:14 27792 ----a-w- c:\windows\system32\drivers\point32.sys
2010-04-12 23:06 . 2009-05-09 01:14 1418120 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2010-04-12 23:06 . 2009-05-09 01:14 14736 ----a-w- c:\windows\system32\drivers\nuidfltr.sys
2010-04-12 23:05 . 2010-04-12 23:06 -------- d-----w- c:\program files\Microsoft IntelliPoint
2010-04-10 00:46 . 2010-04-10 00:47 -------- d-----w- c:\program files\iTunes
2010-04-10 00:46 . 2010-04-10 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-10 00:40 . 2010-04-10 00:40 -------- d-----w- c:\program files\Bonjour
2010-04-10 00:37 . 2010-04-10 00:37 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-08 17:13 . 2010-04-08 17:13 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-08 01:57 . 2010-04-08 01:57 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-06 17:45 . 2010-04-19 06:29 -------- d-----w- c:\documents and settings\leOWNER\Application Data\vlc
2010-04-03 15:40 . 2010-04-03 15:40 598296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-04-03 15:40 . 2010-04-03 15:40 4076824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-04-03 15:40 . 2010-04-03 15:40 313112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll
2010-04-03 15:40 . 2010-04-03 15:40 2059544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-04-03 15:40 . 2010-04-03 15:40 1598744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-04-03 15:40 . 2010-04-03 15:40 1515224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll
2010-04-03 15:40 . 2010-04-03 15:40 1274136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-04-03 15:40 . 2010-04-03 15:40 556824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2010-04-03 15:40 . 2010-04-03 15:40 459544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll
2010-04-03 15:40 . 2010-04-03 15:40 301336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-04-03 15:40 . 2010-04-03 15:40 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe
2010-04-03 15:39 . 2010-04-03 15:39 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-03 15:39 . 2010-04-03 15:39 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-03-23 16:55 . 2010-03-23 16:55 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\nagasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-19 16:38 . 2008-08-04 04:26 16608 ----a-w- c:\windows\gdrv.sys
2010-04-19 07:47 . 2008-08-04 18:42 -------- d-----w- c:\program files\PokerStars
2010-04-19 07:47 . 2008-08-04 07:41 -------- d-----w- c:\program files\Full Tilt Poker
2010-04-15 19:02 . 2010-01-15 22:24 117760 ----a-w- c:\documents and settings\leOWNER\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-15 07:00 . 2008-10-22 20:38 -------- d-----w- c:\program files\Windows Live Safety Center
2010-04-13 20:08 . 2009-02-11 00:41 -------- d-----w- c:\program files\PartyGaming
2010-04-12 23:48 . 2008-08-04 07:39 17480 ----a-w- c:\documents and settings\leOWNER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-12 23:11 . 2010-04-12 23:11 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-04-12 23:11 . 2010-04-12 23:11 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-04-11 22:25 . 2008-08-04 20:34 -------- d-----w- c:\documents and settings\leOWNER\Application Data\Skype
2010-04-11 18:47 . 2008-08-04 21:02 -------- d-----w- c:\documents and settings\leOWNER\Application Data\skypePM
2010-04-10 00:46 . 2009-09-05 04:14 -------- d-----w- c:\program files\iPod
2010-04-10 00:46 . 2008-11-18 10:05 -------- d-----w- c:\program files\Common Files\Apple
2010-04-10 00:42 . 2008-11-18 10:05 -------- d-----w- c:\program files\QuickTime
2010-04-08 06:05 . 2008-08-04 18:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-07 07:41 . 2009-12-17 22:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 07:40 . 2010-01-15 22:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-07 07:40 . 2010-01-17 07:58 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-06 21:31 . 2009-12-16 21:32 -------- d-----w- c:\program files\IObit
2010-04-06 21:18 . 2008-11-27 16:00 -------- d-----w- c:\program files\CCleaner
2010-04-06 18:30 . 2008-11-20 17:17 1 ----a-w- c:\documents and settings\leOWNER\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-01 06:28 . 2008-09-02 20:56 -------- d-----w- c:\program files\Common Files\Java
2010-04-01 06:27 . 2008-12-06 16:12 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-30 04:46 . 2009-12-17 22:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-12-17 22:34 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 17:13 . 2008-08-04 18:54 -------- d-----w- c:\program files\PostgreSQL
2010-03-22 18:43 . 2008-12-08 01:33 -------- d-----w- c:\documents and settings\leOWNER\Application Data\dvdcss
2010-03-21 00:07 . 2010-03-08 00:23 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-03-21 00:06 . 2010-03-08 00:23 -------- d-----w- c:\program files\DVDVideoSoft
2010-03-15 18:05 . 2009-03-11 02:40 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-15 18:05 . 2010-03-15 18:05 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-15 18:05 . 2009-03-11 02:40 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-15 18:05 . 2009-03-11 02:40 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-10 06:15 . 2008-04-14 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-14 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 16:50 . 2008-10-29 19:57 -------- d-----w- c:\documents and settings\leOWNER\Application Data\U3
2010-02-22 01:29 . 2010-02-22 01:29 -------- d-----w- c:\documents and settings\leOWNER\Application Data\StreamTorrent
2010-02-22 01:29 . 2010-02-22 01:29 -------- d-----w- c:\program files\StreamTorrent 1.0
2010-02-19 17:52 . 2010-02-19 17:52 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-18 23:23 . 2010-02-18 23:23 -------- d-----w- c:\program files\AutoTask
2010-02-16 14:08 . 2008-04-14 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 15:46 . 2010-02-12 15:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 15:46 . 2010-02-12 15:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-12 04:33 . 2008-04-14 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-14 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-03 01:13 . 2010-02-03 01:13 7040 ----a-w- c:\windows\system32\drivers\FNETURPX.SYS
2010-02-03 01:13 . 2010-02-03 01:13 17792 ----a-w- c:\windows\system32\drivers\FNETTBOH.SYS
2010-01-27 06:09 . 2010-01-27 06:09 61440 ----a-w- c:\documents and settings\leOWNER\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-44a4ef89-n\decora-sse.dll
2010-01-27 06:09 . 2010-01-27 06:09 503808 ----a-w- c:\documents and settings\leOWNER\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-633b8659-n\msvcp71.dll
2010-01-27 06:09 . 2010-01-27 06:09 499712 ----a-w- c:\documents and settings\leOWNER\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-633b8659-n\jmc.dll
2010-01-27 06:09 . 2010-01-27 06:09 348160 ----a-w- c:\documents and settings\leOWNER\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-633b8659-n\msvcr71.dll
2010-01-27 06:09 . 2010-01-27 06:09 12800 ----a-w- c:\documents and settings\leOWNER\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-44a4ef89-n\decora-d3d.dll
2010-01-24 08:46 . 2009-12-10 08:56 133744 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
.

((((((((((((((((((((((((((((( SnapShot@2010-04-18_21.35.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-19 16:37 . 2010-04-19 16:37 16384 c:\windows\Temp\Perflib_Perfdata_690.dat
+ 2010-04-19 16:38 . 2010-04-19 16:38 16384 c:\windows\Temp\Perflib_Perfdata_568.dat
- 2010-04-18 19:09 . 2010-04-18 19:09 49152 c:\windows\assembly\GAC_MSIL\EasyHook\2.5.0.0__4b580fca19d0b0c5\EasyHook.dll
+ 2010-04-19 06:38 . 2010-04-19 06:38 49152 c:\windows\assembly\GAC_MSIL\EasyHook\2.5.0.0__4b580fca19d0b0c5\EasyHook.dll
+ 2010-04-19 16:47 . 2010-04-19 16:47 8192 c:\windows\ERDNT\4-19-2010\Users\00000004\UsrClass.dat
+ 2010-04-19 16:47 . 2010-04-19 16:47 8192 c:\windows\ERDNT\4-19-2010\Users\00000002\UsrClass.dat
+ 2010-04-19 16:47 . 2010-04-19 16:47 229376 c:\windows\ERDNT\4-19-2010\Users\00000006\UsrClass.dat
+ 2010-04-19 16:47 . 2010-04-19 16:47 253952 c:\windows\ERDNT\4-19-2010\Users\00000003\NTUSER.DAT
+ 2010-04-19 16:47 . 2010-04-19 16:47 249856 c:\windows\ERDNT\4-19-2010\Users\00000001\NTUSER.DAT
+ 2010-04-19 16:47 . 2005-10-20 16:02 163328 c:\windows\ERDNT\4-19-2010\ERDNT.EXE
- 2010-04-18 19:09 . 2010-04-18 19:09 101376 c:\windows\assembly\GAC_32\HSFtp\9.0.3741.32980__cd71ef675eaacb81\HSFtp.dll
+ 2010-04-18 22:45 . 2010-04-18 22:45 101376 c:\windows\assembly\GAC_32\HSFtp\9.0.3741.32980__cd71ef675eaacb81\HSFtp.dll
+ 2010-04-18 22:45 . 2010-04-18 22:45 599040 c:\windows\assembly\GAC_32\HEMGUI\1.0.9.106__6ab470301e931f98\HEMGUI.dll
- 2010-04-18 19:09 . 2010-04-18 19:09 599040 c:\windows\assembly\GAC_32\HEMGUI\1.0.9.106__6ab470301e931f98\HEMGUI.dll
+ 2010-04-19 16:47 . 2010-04-19 16:47 5734400 c:\windows\ERDNT\4-19-2010\Users\00000005\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\leOWNER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="=" [X]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 16862208]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"GBTUpd"="c:\program files\GIGABYTE\GBTUpd\PreRun.exe" [2008-04-03 297480]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"AutoTask"="c:\program files\AutoTask\AutoTask.exe" [2009-06-22 335872]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 1468296]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-15 18:05 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-12-02 21:46 133104 ----atw- c:\documents and settings\leOWNER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2006-01-07 04:35 172032 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb13.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
2006-01-07 04:35 622592 ----a-w- c:\windows\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHped06]
2004-12-16 21:29 339968 ----a-w- c:\progra~1\HP\{BA2D9~1\PExpress\HPHPED06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
2006-01-07 04:35 49152 ----a-w- c:\program files\HP\{BA2D9411-DBB4-43e4-9421-780413650A67}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-05-16 18:01 13529088 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-16 18:01 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-05-16 18:01 1630208 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartDefrag]
2010-03-26 20:48 2708312 ----a-w- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TurboHddUsb]
2010-02-03 01:13 3327488 ----a-w- c:\program files\TurboHddUsb\TurboHddUsb.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\GIGABYTE\\GBTUpd\\RunUpd.exe"=
"c:\\Program Files\\GIGABYTE\\GBTUpd\\GBTUpd.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\B2BPOKER\\NoiQpoker\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/5/2009 4:49 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/10/2009 10:40 PM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/10/2009 10:40 PM 242696]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2/2/2010 9:13 PM 7040]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 8:56 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 8:56 AM 66632]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/15/2010 2:05 PM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/15/2010 2:05 PM 308064]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [8/4/2008 12:51 AM 80392]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2/3/2009 4:23 AM 65536]
S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [2/2/2010 9:13 PM 17792]
S3 REFILERW;REFILERW;c:\windows\system32\drivers\REFILERW.SYS [2/18/2010 7:25 PM 4224]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 8:56 AM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
.
Contents of the 'Scheduled Tasks' folder

2010-04-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-04-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1275210071-1417001333-1004Core.job
- c:\documents and settings\leOWNER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-02 21:46]

2010-04-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1275210071-1417001333-1004UA.job
- c:\documents and settings\leOWNER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-02 21:46]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\leOWNER\Application Data\Mozilla\Firefox\Profiles\neawp4qo.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.forum.pourquoichercher.com/forumdisplay.php?f=3|http://www.reuters.com/article/technologyNews/idUSTRE55O18D20090625|http://www.forum.pourquoichercher.com/search.php?do=getnew
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\leOWNER\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-19 13:00:27
ComboFix-quarantined-files.txt 2010-04-19 17:00
ComboFix2.txt 2010-04-18 21:36

Pre-Run: 20,080,939,008 bytes free
Post-Run: 20,043,505,664 bytes free

- - End Of File - - 82F142DC68FA75CED4F7E3FB1952A8AB


#10 sempai (noypi) - Malware Response Team, 5,288 posts - Location: 3 stars and a sun

Posted 20 April 2010 - 11:35 PM

Hi 1sabelle,

How's the computer running now?

Make sure to include your F:\ drive on the next scans:

1. Please run Malwarebytes Anti-Malware. Go to the Update tab, download all updates, and then perform a full scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



2. Please go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
Note: Kaspersky online scan may take time to complete, please be patient.

~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours... please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)


#11 1sabelle - Topic Starter - Members, 19 posts

Posted 21 April 2010 - 03:44 PM

hi,

Malwarebytes didn't find anything, but I scan about 2 times a week, so I probably cleaned stuff before. Would you like me to find previous infections?


The Kaspersky scan found 3 objects, but all 3 are the same and they are my poker database software... It is used by thousands of players to keep track of your sessions and opponents' sessions; there are updates a couple of times a month, so how do I know it's really safe?

I know from their forum that previous posts about viruses being found were made, but it was supposed to be a mistake by certain antivirus products...

I found a couple of links about this:

http://forums.holdemmanager.com/99782-post10.html

http://forums.holdemmanager.com/manager-ge...n-question.html
http://forums.holdemmanager.com/manager-ge...-found-hem.html
http://forums.holdemmanager.com/manager-ge...ated-virus.html
http://forums.holdemmanager.com/manager-ge...because-hm.html

So how do I know this is not a big scam? I kind of really need this software.

Anyway, here is the Kaspersky log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, April 21, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, April 21, 2010 14:39:37
Records in database: 3957819
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 174870
Threats found: 3
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 02:43:48


File name / Threat / Threats count
C:\Documents and Settings\leOWNER\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v41BF0FF4\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\cvtres.exe Infected: Backdoor.Win32.Poison.avdv 1
C:\Documents and Settings\leOWNER\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v65632DD7\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe Infected: Backdoor.Win32.Poison.awfj 1
C:\Documents and Settings\leOWNER\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v65632DD7\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HoldemManager.exe Infected: Backdoor.Win32.Poison.awfl 1

Selected area has been scanned.





#12 sempai (noypi) - Malware Response Team, 5,288 posts - Location: 3 stars and a sun

Posted 21 April 2010 - 05:35 PM

Let's scan those files.

Please go to http://virscan.org/
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    C:\Documents and Settings\leOWNER\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v41BF0FF4\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

    C:\Documents and Settings\leOWNER\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v65632DD7\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe

    C:\Documents and Settings\leOWNER\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v65632DD7\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HoldemManager.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Edited by sempai, 21 April 2010 - 05:36 PM.

~Semp



#13 1sabelle - Topic Starter - Members, 19 posts

Posted 21 April 2010 - 06:26 PM



VirSCAN.org Scanned Report :
Scanned time : 2010/04/21 19:15:30 (EDT)
Scanner results: 56% Scanner(s) (20/36) found malware!
File Name : cvtres.exe
File Size : 17408 byte
File Type : PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5 : 75f71c671606acbda883418fd833055f
SHA1 : a053f8013e7fb82c9c42b44130df66908775db5a
Online report : http://virscan.org/report/2102a166a4c36c85...bf748f6406.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100422001645 2010-04-22 4.82 Backdoor.Generic!IK
AhnLab V3 2010.04.21.01 2010.04.21 2010-04-21 1.06 -
AntiVir 8.2.1.220 7.10.6.169 2010-04-21 0.25 -
Antiy 2.0.18 20100421.4239290 2010-04-21 0.12 Backdoor/Win32.Poison.avdv
Arcavir 2009 201004211709 2010-04-21 0.03 -
Authentium 5.1.1 201004211703 2010-04-21 1.32 W32/Backdoor2.GAMQ (Exact)
AVAST! 4.7.4 100421-1 2010-04-21 0.00 -
AVG 8.5.720 271.1.1/2827 2010-04-22 0.23 -
BitDefender 7.81008.5686372 7.31322 2010-04-22 4.13 -
ClamAV 0.95.3 10778 2010-04-22 0.01 Trojan.Poison-953
Comodo 3.13.579 4660 2010-04-21 0.88 Backdoor.Win32.Poison.avdv
CP Secure 1.3.0.5 2010.04.20 2010-04-20 0.04 -
Dr.Web 5.0.2.3300 2010.04.22 2010-04-22 6.63 -
F-Prot 4.4.4.56 20100421 2010-04-21 1.25 W32/Backdoor2.GAMQ (exact)
F-Secure 7.02.73807 2010.04.21.13 2010-04-21 9.88 Backdoor.Win32.Poison.avdv [AVP]
Fortinet 4.0.14 11.702 2010-04-15 0.29 W32/Poison.AVDV!tr.bdr
GData 21.5/21.2 20100421 2010-04-21 6.97 Backdoor.Win32.Poison.avdv [Engine:A]
ViRobot 20100421 2010.04.21 2010-04-21 0.41 -
Ikarus T3.1.01.80 2010.04.21.75683 2010-04-21 5.76 Backdoor.Generic
JiangMin 13.0.900 2010.04.21 2010-04-21 1.18 Backdoor/Poison.dfv
Kaspersky 5.5.10 2010.04.21 2010-04-21 0.06 Backdoor.Win32.Poison.avdv
KingSoft 2009.2.5.15 2010.4.21.21 2010-04-21 0.74 -
McAfee 5400.1158 5955 2010-04-18 0.02 -
Microsoft 1.5703 2010.04.21 2010-04-21 6.57 Backdoor:Win32/Bisar!rts
Norman 6.04.11 6.04.00 2010-04-21 6.01 -
Panda 9.05.01 2010.04.21 2010-04-21 1.59 -
Trend Micro 9.120-1004 7.118.15 2010-04-21 0.04 -
Quick Heal 10.00 2010.04.21 2010-04-21 1.50 Backdoor.Poison.auah
Rising 20.0 22.44.02.05 2010-04-21 1.18 -
Sophos 3.06.0 4.52 2010-04-22 3.52 Mal/Generic-A
Sunbelt 3.9.2418.2 6205 2010-04-21 5.99 Trojan.Win32.Generic!BT
Symantec 1.3.0.24 20100421.002 2010-04-21 0.05 -
nProtect 20100421.01 8037035 2010-04-21 7.40 Backdoor/W32.Poison.17408.X
The Hacker 6.5.2.0 v00265 2010-04-20 0.36 Backdoor/Poison.auwb
VBA32 3.12.12.4 20100420.2102 2010-04-20 2.83 Backdoor.Win32.Poison.auah
VirusBuster 4.5.11.10 10.124.21/2029765 2010-04-21 2.31 Backdoor.Agent.PQZJ


____________

VirSCAN.org Scanned Report :
Scanned time : 2010/04/21 19:18:28 (EDT)
Scanner results: 72% Scanner(s) (26/36) found malware!
File Name : HMImport.exe
File Size : 17408 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 46019c841722c2cf6f8d9bcd4fe9434c
SHA1 : d6e16d8072fb8f17f705f19f2295ffbdf857662e
Online report : http://virscan.org/report/a7cc7f276dc4c476...73ca3113cf.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100422001645 2010-04-22 4.75 Backdoor.Generic!IK
AhnLab V3 2010.04.21.01 2010.04.21 2010-04-21 2.10 Win-Trojan/Poison.17408.CG
AntiVir 8.2.1.220 7.10.6.169 2010-04-21 0.25 BDS/Poison.avej
Antiy 2.0.18 20100421.4239290 2010-04-21 0.12 Backdoor/Win32.Poison.awfj
Arcavir 2009 201004211709 2010-04-21 0.03 -
Authentium 5.1.1 201004211703 2010-04-21 1.25 W32/Backdoor2.GAMQ (Exact)
AVAST! 4.7.4 100421-1 2010-04-21 0.00 -
AVG 8.5.720 271.1.1/2827 2010-04-22 0.23 -
BitDefender 7.81008.5686372 7.31322 2010-04-22 3.60 -
ClamAV 0.95.3 10778 2010-04-22 0.01 Trojan.Poison-953
Comodo 3.13.579 4660 2010-04-21 0.87 UnclassifiedMalware
CP Secure 1.3.0.5 2010.04.20 2010-04-20 0.04 BackDoor.W32.Poison.awfj
Dr.Web 5.0.2.3300 2010.04.22 2010-04-22 6.72 -
F-Prot 4.4.4.56 20100421 2010-04-21 1.25 W32/Backdoor2.GAMQ (exact)
F-Secure 7.02.73807 2010.04.21.13 2010-04-21 10.65 Backdoor.Win32.Poison.awfj [AVP]
Fortinet 4.0.14 11.702 2010-04-15 0.20 W32/Poison.AWFJ!tr.bdr
GData 21.5/21.2 20100421 2010-04-21 6.61 Backdoor.Win32.Poison.awfj [Engine:A]
ViRobot 20100421 2010.04.21 2010-04-21 0.41 -
Ikarus T3.1.01.80 2010.04.21.75683 2010-04-21 5.78 Backdoor.Generic
JiangMin 13.0.900 2010.04.21 2010-04-21 1.18 Backdoor/Poison.dfv
Kaspersky 5.5.10 2010.04.21 2010-04-21 0.06 Backdoor.Win32.Poison.awfj
KingSoft 2009.2.5.15 2010.4.21.21 2010-04-21 0.63 -
McAfee 5400.1158 5955 2010-04-18 0.02 -
Microsoft 1.5703 2010.04.21 2010-04-21 6.42 Backdoor:Win32/Bisar!rts
Norman 6.04.11 6.04.00 2010-04-21 6.01 W32/Smalldoor.JGFC
Panda 9.05.01 2010.04.21 2010-04-21 1.69 -
Trend Micro 9.120-1004 7.118.15 2010-04-21 0.02 BKDR_POISON.AEE
Quick Heal 10.00 2010.04.21 2010-04-21 1.48 Backdoor.Poison.auah
Rising 20.0 22.44.02.05 2010-04-21 1.13 -
Sophos 3.06.0 4.52 2010-04-22 3.53 Mal/Generic-A
Sunbelt 3.9.2418.2 6205 2010-04-21 5.36 Trojan.Win32.Generic!BT
Symantec 1.3.0.24 20100421.002 2010-04-21 0.20 Backdoor.Trojan
nProtect 20100421.01 8037035 2010-04-21 7.73 Backdoor/W32.Poison.17408.X
The Hacker 6.5.2.0 v00265 2010-04-20 0.38 Backdoor/Poison.avbi
VBA32 3.12.12.4 20100420.2102 2010-04-20 2.82 Backdoor.Win32.Poison.auah
VirusBuster 4.5.11.10 10.124.21/2029765 2010-04-21 2.32 Backdoor.Agent.PQZJ


____________

VirSCAN.org Scanned Report :
Scanned time : 2010/04/21 19:22:55 (EDT)
Scanner results: 69% Scanner(s) (25/36) found malware!
File Name : HoldemManager.exe
File Size : 17408 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 7501e71afe4835136720707eee1df280
SHA1 : 6ca81c8346153d6a03b4618a4fe900dc2a57b2c3
Online report : http://virscan.org/report/d28b0be42e5f5330...fa67495731.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100422001645 2010-04-22 6.91 Backdoor.Generic!IK
AhnLab V3 2010.04.21.01 2010.04.21 2010-04-21 1.19 -
AntiVir 8.2.1.220 7.10.6.169 2010-04-21 0.25 BDS/Poison.awfl
Antiy 2.0.18 20100421.4239290 2010-04-21 0.12 Backdoor/Win32.Poison.awfl
Arcavir 2009 201004211709 2010-04-21 0.03 -
Authentium 5.1.1 201004211703 2010-04-21 1.26 W32/Backdoor2.GAMQ (Exact)
AVAST! 4.7.4 100421-1 2010-04-21 0.00 -
AVG 8.5.720 271.1.1/2827 2010-04-22 0.24 -
BitDefender 7.81008.5686372 7.31322 2010-04-22 3.63 Backdoor.Generic.231163
ClamAV 0.95.3 10778 2010-04-22 0.01 Trojan.Poison-953
Comodo 3.13.579 4660 2010-04-21 0.89 UnclassifiedMalware
CP Secure 1.3.0.5 2010.04.20 2010-04-20 0.05 BackDoor.W32.Poison.awfl
Dr.Web 5.0.2.3300 2010.04.22 2010-04-22 6.73 -
F-Prot 4.4.4.56 20100421 2010-04-21 1.32 W32/Backdoor2.GAMQ (exact)
F-Secure 7.02.73807 2010.04.21.13 2010-04-21 10.67 Backdoor.Win32.Poison.awfl [AVP]
Fortinet 4.0.14 11.702 2010-04-15 0.16 W32/Poison.AWFL!tr.bdr
GData 21.5/21.2 20100421 2010-04-21 6.71 Backdoor.Win32.Poison.awfl [Engine:A]
ViRobot 20100421 2010.04.21 2010-04-21 0.41 -
Ikarus T3.1.01.80 2010.04.21.75683 2010-04-21 5.78 Backdoor.Generic
JiangMin 13.0.900 2010.04.21 2010-04-21 1.19 Backdoor/Poison.dfv
Kaspersky 5.5.10 2010.04.21 2010-04-21 0.06 Backdoor.Win32.Poison.awfl
KingSoft 2009.2.5.15 2010.4.21.21 2010-04-21 0.68 -
McAfee 5400.1158 5955 2010-04-18 0.02 -
Microsoft 1.5703 2010.04.21 2010-04-21 6.36 Backdoor:Win32/Bisar!rts
Norman 6.04.11 6.04.00 2010-04-21 6.01 W32/Smalldoor.JGYR
Panda 9.05.01 2010.04.21 2010-04-21 1.66 -
Trend Micro 9.120-1004 7.118.15 2010-04-21 0.02 TROJ_Gen.MZ40M2
Quick Heal 10.00 2010.04.21 2010-04-21 1.48 Backdoor.Poison.auah
Rising 20.0 22.44.02.05 2010-04-21 1.13 -
Sophos 3.06.0 4.52 2010-04-22 3.53 Mal/Generic-A
Sunbelt 3.9.2418.2 6205 2010-04-21 5.21 Trojan.Win32.Generic!BT
Symantec 1.3.0.24 20100421.002 2010-04-21 0.05 Backdoor.Trojan
nProtect 20100421.01 8037035 2010-04-21 7.38 Backdoor/W32.Poison.17408.X
The Hacker 6.5.2.0 v00265 2010-04-20 0.37 -
VBA32 3.12.12.4 20100420.2102 2010-04-20 2.81 Backdoor.Win32.Poison.auah
VirusBuster 4.5.11.10 10.124.21/2029765 2010-04-21 2.32 Backdoor.Agent.PQZJ
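The three VirSCAN reports above each give a per-engine verdict plus the file's MD5, SHA1 and size. What follows is an added example, not code from this thread or from VirSCAN, ComboFix, Kaspersky or Holdem Manager, showing how a responder would triage such a report programmatically: parse the engine rows, compute the detection ratio, extract the family name the engines agree on, and hash local files so they can be compared against the indicator hashes a report lists. The six-row excerpt embedded as `SAMPLE_REPORT` is copied from the HMImport.exe report above and is used so the script runs offline; the "first non-generic word" family heuristic and the `GENERIC_TOKENS` list are assumptions of this example, not a VirSCAN feature.

```python
"""Triage helper for multi-engine scan reports (VirSCAN.org style).

Added example for the thread; not code from any tool mentioned in it.
"""

import hashlib
import re
from collections import Counter
from pathlib import Path

# One VirSCAN row: scanner name (may contain spaces, e.g. "AhnLab V3"),
# engine version, signature version, signature date, scan time in seconds,
# then the verdict ("-" means the engine reported the file clean).
ROW_RE = re.compile(
    r"^(?P<scanner>.+?)\s+(?P<engine>\S+)\s+(?P<sig>\S+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<secs>\d+(?:\.\d+)?)\s+(?P<result>.+)$"
)

# Vendor prefixes/suffixes that say nothing about the malware family.
# This list is an assumption of the example, not a published standard.
GENERIC_TOKENS = {
    "backdoor", "bds", "trojan", "troj", "tr", "bdr", "generic", "mal",
    "win", "win32", "w32", "exact", "engine", "avp", "ik", "bt", "rts",
    "unclassifiedmalware", "agent",
}

# Constructed excerpt (6 of the 36 rows) of the HMImport.exe report above.
SAMPLE_REPORT = """\
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100422001645 2010-04-22 4.75 Backdoor.Generic!IK
AhnLab V3 2010.04.21.01 2010.04.21 2010-04-21 2.10 Win-Trojan/Poison.17408.CG
AVAST! 4.7.4 100421-1 2010-04-21 0.00 -
Kaspersky 5.5.10 2010.04.21 2010-04-21 0.06 Backdoor.Win32.Poison.awfj
McAfee 5400.1158 5955 2010-04-18 0.02 -
Microsoft 1.5703 2010.04.21 2010-04-21 6.42 Backdoor:Win32/Bisar!rts
"""


def parse_report(text):
    """Return one dict per engine row; the header line has no date and is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def family_of(result):
    """Heuristic: first alphabetic token (3+ letters) that is not a generic vendor word."""
    for tok in re.findall(r"[A-Za-z]+", result):
        if len(tok) >= 3 and tok.lower() not in GENERIC_TOKENS:
            return tok.lower()
    return None


def summarize(text):
    """Detection count, ratio and family consensus for one report."""
    rows = parse_report(text)
    hits = [r for r in rows if r["result"].strip() != "-"]
    families = Counter(f for f in (family_of(r["result"]) for r in hits) if f)
    return {
        "engines": len(rows),
        "detections": len(hits),
        "ratio": round(len(hits) / len(rows), 2) if rows else 0.0,
        "families": families.most_common(),
    }


def hashes_of_bytes(data):
    """MD5, SHA1 and size: the three per-file values a VirSCAN report prints."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "size": len(data),
    }


def file_hashes(path):
    """Hash a file on disk so it can be compared with a report's values."""
    return hashes_of_bytes(Path(path).read_bytes())


# MD5 values of the three files from the reports in the thread, keyed by hash.
KNOWN_BAD_MD5 = {
    "75f71c671606acbda883418fd833055f": "cvtres.exe stub (Backdoor.Win32.Poison.avdv)",
    "46019c841722c2cf6f8d9bcd4fe9434c": "HMImport.exe stub (Backdoor.Win32.Poison.awfj)",
    "7501e71afe4835136720707eee1df280": "HoldemManager.exe stub (Backdoor.Win32.Poison.awfl)",
}


def match_known_bad(md5_hex, known=KNOWN_BAD_MD5):
    """Look a hash up in the indicator list; None means no match."""
    return known.get(md5_hex.lower())


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    for md5 in KNOWN_BAD_MD5:
        print(md5, "->", match_known_bad(md5))
```

Hash matching only identifies these exact samples; a rebuilt stub with different bytes would not match, which is why the engine consensus (here, "poison" named by several independent vendors) is the more useful signal. Note also that all three reports above list a size of 17408 bytes under three unrelated file names with three distinct hashes, which is consistent with a small injected stub rather than the real application binaries.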



#14 sempai (noypi) - Malware Response Team, 5,288 posts - Location: 3 stars and a sun

Posted 22 April 2010 - 08:06 AM

Hi,

I'm afraid I have bad news. The scanned files are all indeed malware.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised, and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterward. Let me know what you decide to do.



++++++++++++++++++++++


Please do the next instructions if you do not wish to reformat:

1. We need to execute a ComboFix script. (Tutorials on how to disable your antivirus and anti-malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
http://www.bleepingcomputer.com/forums/t/309748/trojan-horse-backdoor-htj-log-and-more/

Collect::
C:\Documents and Settings\leOWNER\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v41BF0FF4\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Documents and Settings\leOWNER\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v65632DD7\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe
C:\Documents and Settings\leOWNER\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v65632DD7\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HoldemManager.exe


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



2. I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push


~Semp



#15 1sabelle - Topic Starter - Members, 19 posts

Posted 22 April 2010 - 10:20 AM

I'll start with this to give me time to back up my stuff, and then I might format.

Is the backdoor trojan the reason gmer.exe was not working?

Is there a way it could infect other computers on the network?


I'm doing the scan, but for now here is the log:

ComboFix 10-04-21.01 - leOWNER 04/22/2010 10:12:16.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2376 [GMT -4:00]
Running from: c:\documents and settings\leOWNER\Desktop\New Folder\ComboFix.exe
Command switches used :: c:\documents and settings\leOWNER\Desktop\New Folder\cfscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\documents and settings\leOWNER\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v41BF0FF4\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
file zipped: c:\documents and settings\leOWNER\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v65632DD7\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe
file zipped: c:\documents and settings\leOWNER\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v65632DD7\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HoldemManager.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\leOWNER\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v41BF0FF4\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
c:\documents and settings\leOWNER\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v65632DD7\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe
c:\documents and settings\leOWNER\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v65632DD7\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HoldemManager.exe

.
((((((((((((((((((((((((( Files Created from 2010-03-22 to 2010-04-22 )))))))))))))))))))))))))))))))
.

2010-04-20 16:40 . 2010-04-20 16:40 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-04-20 16:39 . 2010-04-20 16:39 1689952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-20 00:51 . 2010-04-22 05:25 0 ----a-w- c:\documents and settings\leOWNER\Local Settings\Application Data\prvlcl.dat
2010-04-19 16:46 . 2010-04-19 16:46 -------- d-----w- c:\program files\ERUNT
2010-04-19 00:59 . 2010-04-19 00:59 -------- d-----w- c:\documents and settings\leOWNER\Local Settings\Application Data\In The Money
2010-04-18 22:07 . 2010-04-18 22:07 -------- d-----w- c:\documents and settings\leOWNER\Application Data\AVG9
2010-04-13 18:56 . 2010-04-13 18:56 -------- d-----w- c:\program files\TrendMicro
2010-04-12 23:10 . 2008-04-14 09:41 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-04-12 23:06 . 2009-05-09 01:14 27792 ----a-w- c:\windows\system32\drivers\point32.sys
2010-04-12 23:06 . 2009-05-09 01:14 1418120 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2010-04-12 23:06 . 2009-05-09 01:14 14736 ----a-w- c:\windows\system32\drivers\nuidfltr.sys
2010-04-12 23:05 . 2010-04-12 23:06 -------- d-----w- c:\program files\Microsoft IntelliPoint
2010-04-10 00:46 . 2010-04-10 00:47 -------- d-----w- c:\program files\iTunes
2010-04-10 00:46 . 2010-04-10 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-10 00:40 . 2010-04-10 00:40 -------- d-----w- c:\program files\Bonjour
2010-04-10 00:37 . 2010-04-10 00:37 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-08 17:13 . 2010-04-08 17:13 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-08 01:57 . 2010-04-08 01:57 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-06 17:45 . 2010-04-19 06:29 -------- d-----w- c:\documents and settings\leOWNER\Application Data\vlc
2010-04-03 15:40 . 2010-04-03 15:40 598296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-04-03 15:40 . 2010-04-03 15:40 4076824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-04-03 15:40 . 2010-04-03 15:40 313112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll
2010-04-03 15:40 . 2010-04-03 15:40 2059544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-04-03 15:40 . 2010-04-03 15:40 1598744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-04-03 15:40 . 2010-04-03 15:40 1515224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll
2010-04-03 15:40 . 2010-04-03 15:40 1274136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-04-03 15:40 . 2010-04-03 15:40 556824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2010-04-03 15:40 . 2010-04-03 15:40 459544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll
2010-04-03 15:40 . 2010-04-03 15:40 301336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-04-03 15:40 . 2010-04-03 15:40 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe
2010-04-03 15:39 . 2010-04-03 15:39 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-03-23 16:55 . 2010-03-23 16:55 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\nagasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-22 14:01 . 2008-08-04 04:26 16608 ----a-w- c:\windows\gdrv.sys
2010-04-22 05:55 . 2008-11-20 17:17 1 ----a-w- c:\documents and settings\leOWNER\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-21 01:50 . 2008-08-04 07:41 -------- d-----w- c:\program files\Full Tilt Poker
2010-04-21 01:37 . 2008-08-04 18:42 -------- d-----w- c:\program files\PokerStars
2010-04-20 16:39 . 2009-03-11 02:40 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-15 19:02 . 2010-01-15 22:24 117760 ----a-w- c:\documents and settings\leOWNER\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-15 07:00 . 2008-10-22 20:38 -------- d-----w- c:\program files\Windows Live Safety Center
2010-04-13 20:08 . 2009-02-11 00:41 -------- d-----w- c:\program files\PartyGaming
2010-04-12 23:48 . 2008-08-04 07:39 17480 ----a-w- c:\documents and settings\leOWNER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-12 23:11 . 2010-04-12 23:11 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-04-12 23:11 . 2010-04-12 23:11 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-04-11 22:25 . 2008-08-04 20:34 -------- d-----w- c:\documents and settings\leOWNER\Application Data\Skype
2010-04-11 18:47 . 2008-08-04 21:02 -------- d-----w- c:\documents and settings\leOWNER\Application Data\skypePM
2010-04-10 00:46 . 2009-09-05 04:14 -------- d-----w- c:\program files\iPod
2010-04-10 00:46 . 2008-11-18 10:05 -------- d-----w- c:\program files\Common Files\Apple
2010-04-10 00:42 . 2008-11-18 10:05 -------- d-----w- c:\program files\QuickTime
2010-04-08 06:05 . 2008-08-04 18:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-07 07:41 . 2009-12-17 22:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 07:40 . 2010-01-15 22:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-07 07:40 . 2010-01-17 07:58 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-06 21:31 . 2009-12-16 21:32 -------- d-----w- c:\program files\IObit
2010-04-06 21:18 . 2008-11-27 16:00 -------- d-----w- c:\program files\CCleaner
2010-04-01 06:28 . 2008-09-02 20:56 -------- d-----w- c:\program files\Common Files\Java
2010-04-01 06:27 . 2008-12-06 16:12 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-30 04:46 . 2009-12-17 22:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-12-17 22:34 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 17:13 . 2008-08-04 18:54 -------- d-----w- c:\program files\PostgreSQL
2010-03-22 18:43 . 2008-12-08 01:33 -------- d-----w- c:\documents and settings\leOWNER\Application Data\dvdcss
2010-03-21 00:07 . 2010-03-08 00:23 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-03-21 00:06 . 2010-03-08 00:23 -------- d-----w- c:\program files\DVDVideoSoft
2010-03-15 18:05 . 2010-03-15 18:05 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-15 18:05 . 2009-03-11 02:40 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-15 18:05 . 2009-03-11 02:40 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-10 06:15 . 2008-04-14 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-14 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 16:50 . 2008-10-29 19:57 -------- d-----w- c:\documents and settings\leOWNER\Application Data\U3
2010-02-22 01:29 . 2010-02-22 01:29 -------- d-----w- c:\documents and settings\leOWNER\Application Data\StreamTorrent
2010-02-22 01:29 . 2010-02-22 01:29 -------- d-----w- c:\program files\StreamTorrent 1.0
2010-02-16 14:08 . 2008-04-14 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 15:46 . 2010-02-12 15:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 15:46 . 2010-02-12 15:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-12 04:33 . 2008-04-14 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-14 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-03 01:13 . 2010-02-03 01:13 7040 ----a-w- c:\windows\system32\drivers\FNETURPX.SYS
2010-02-03 01:13 . 2010-02-03 01:13 17792 ----a-w- c:\windows\system32\drivers\FNETTBOH.SYS
2010-01-27 06:09 . 2010-01-27 06:09 61440 ----a-w- c:\documents and settings\leOWNER\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-44a4ef89-n\decora-sse.dll
2010-01-27 06:09 . 2010-01-27 06:09 503808 ----a-w- c:\documents and settings\leOWNER\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-633b8659-n\msvcp71.dll
2010-01-27 06:09 . 2010-01-27 06:09 499712 ----a-w- c:\documents and settings\leOWNER\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-633b8659-n\jmc.dll
2010-01-27 06:09 . 2010-01-27 06:09 348160 ----a-w- c:\documents and settings\leOWNER\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-633b8659-n\msvcr71.dll
2010-01-27 06:09 . 2010-01-27 06:09 12800 ----a-w- c:\documents and settings\leOWNER\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-44a4ef89-n\decora-d3d.dll
2010-01-24 08:46 . 2009-12-10 08:56 133744 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
.

((((((((((((((((((((((((((((( SnapShot@2010-04-18_21.35.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-22 13:59 . 2010-04-22 13:59 16384 c:\windows\Temp\Perflib_Perfdata_464.dat
+ 2010-04-22 14:00 . 2010-04-22 14:00 16384 c:\windows\Temp\Perflib_Perfdata_278.dat
+ 2010-04-20 20:59 . 2010-04-20 20:59 49152 c:\windows\assembly\temp\89YNC1QF4H\EasyHook.dll
+ 2010-04-20 23:21 . 2010-04-20 23:21 49152 c:\windows\assembly\GAC_MSIL\EasyHook\2.5.0.0__4b580fca19d0b0c5\EasyHook.dll
- 2010-04-18 19:09 . 2010-04-18 19:09 49152 c:\windows\assembly\GAC_MSIL\EasyHook\2.5.0.0__4b580fca19d0b0c5\EasyHook.dll
+ 2010-04-19 16:47 . 2010-04-19 16:47 8192 c:\windows\ERDNT\4-19-2010\Users\00000004\UsrClass.dat
+ 2010-04-19 16:47 . 2010-04-19 16:47 8192 c:\windows\ERDNT\4-19-2010\Users\00000002\UsrClass.dat
+ 2008-04-14 12:00 . 2008-06-20 11:51 361600 c:\windows\system32\drivers\tcpip.sys
- 2008-04-14 12:00 . 2010-01-29 05:02 361600 c:\windows\system32\drivers\tcpip.sys
+ 2010-04-19 16:47 . 2010-04-19 16:47 229376 c:\windows\ERDNT\4-19-2010\Users\00000006\UsrClass.dat
+ 2010-04-19 16:47 . 2010-04-19 16:47 253952 c:\windows\ERDNT\4-19-2010\Users\00000003\NTUSER.DAT
+ 2010-04-19 16:47 . 2010-04-19 16:47 249856 c:\windows\ERDNT\4-19-2010\Users\00000001\NTUSER.DAT
+ 2010-04-19 16:47 . 2005-10-20 16:02 163328 c:\windows\ERDNT\4-19-2010\ERDNT.EXE
+ 2010-04-20 20:59 . 2010-04-20 20:59 101376 c:\windows\assembly\temp\YB0DQ3GTIJ\HSFtp.dll
+ 2010-04-20 20:59 . 2010-04-20 20:59 705536 c:\windows\assembly\temp\0PQ3STIJK9\HEMGUI.dll
- 2010-04-18 19:09 . 2010-04-18 19:09 101376 c:\windows\assembly\GAC_32\HSFtp\9.0.3741.32980__cd71ef675eaacb81\HSFtp.dll
+ 2010-04-18 22:45 . 2010-04-18 22:45 101376 c:\windows\assembly\GAC_32\HSFtp\9.0.3741.32980__cd71ef675eaacb81\HSFtp.dll
- 2010-04-18 19:09 . 2010-04-18 19:09 599040 c:\windows\assembly\GAC_32\HEMGUI\1.0.9.106__6ab470301e931f98\HEMGUI.dll
+ 2010-04-18 22:45 . 2010-04-18 22:45 599040 c:\windows\assembly\GAC_32\HEMGUI\1.0.9.106__6ab470301e931f98\HEMGUI.dll
+ 2010-04-19 16:47 . 2010-04-19 16:47 5734400 c:\windows\ERDNT\4-19-2010\Users\00000005\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\leOWNER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="=" [X]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 16862208]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"GBTUpd"="c:\program files\GIGABYTE\GBTUpd\PreRun.exe" [2008-04-03 297480]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"AutoTask"="c:\program files\AutoTask\AutoTask.exe" [2009-06-22 335872]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 1468296]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-15 18:05 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-12-02 21:46 133104 ----atw- c:\documents and settings\leOWNER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2006-01-07 04:35 172032 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb13.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
2006-01-07 04:35 622592 ----a-w- c:\windows\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHped06]
2004-12-16 21:29 339968 ----a-w- c:\progra~1\HP\{BA2D9~1\PExpress\HPHPED06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
2006-01-07 04:35 49152 ----a-w- c:\program files\HP\{BA2D9411-DBB4-43e4-9421-780413650A67}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-05-16 18:01 13529088 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-16 18:01 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-05-16 18:01 1630208 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartDefrag]
2010-03-26 20:48 2708312 ----a-w- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TurboHddUsb]
2010-02-03 01:13 3327488 ----a-w- c:\program files\TurboHddUsb\TurboHddUsb.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\GIGABYTE\\GBTUpd\\RunUpd.exe"=
"c:\\Program Files\\GIGABYTE\\GBTUpd\\GBTUpd.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\B2BPOKER\\NoiQpoker\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/5/2009 4:49 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/10/2009 10:40 PM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/10/2009 10:40 PM 242896]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2/2/2010 9:13 PM 7040]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 8:56 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 8:56 AM 66632]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/15/2010 2:05 PM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/15/2010 2:05 PM 308064]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [8/4/2008 12:51 AM 80392]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2/3/2009 4:23 AM 65536]
S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [2/2/2010 9:13 PM 17792]
S3 REFILERW;REFILERW;c:\windows\system32\drivers\REFILERW.SYS [2/18/2010 7:25 PM 4224]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 8:56 AM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
.
Contents of the 'Scheduled Tasks' folder

2010-04-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1275210071-1417001333-1004Core.job
- c:\documents and settings\leOWNER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-02 21:46]

2010-04-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1275210071-1417001333-1004UA.job
- c:\documents and settings\leOWNER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-02 21:46]

2010-04-19 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-04-06 20:48]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\leOWNER\Application Data\Mozilla\Firefox\Profiles\neawp4qo.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.forum.pourquoichercher.com/forumdisplay.php?f=3|http://www.reuters.com/article/technologyNews/idUSTRE55O18D20090625|http://www.forum.pourquoichercher.com/search.php?do=getnew
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\leOWNER\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-22 10:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-22 10:18:49
ComboFix-quarantined-files.txt 2010-04-22 14:18
ComboFix2.txt 2010-04-18 21:36

Pre-Run: 19,939,659,776 bytes free
Post-Run: 20,013,936,640 bytes free

- - End Of File - - 53B01E854E28C78231AE971B1ADB56B1
Upload was successful
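As an added example (not from 1sabelle's post and not part of ComboFix itself): the "Reg Loading Points" block and the R0/R1/R2/S2/S3 service lines are the parts of a ComboFix log a helper scans first, and they follow a regular shape that is easy to parse. The Python below pulls those entries out of a log excerpt into structured records and lists the ones whose target file is not on disk. It assumes, since the log does not say so, that a trailing [X] marks an entry whose target file ComboFix could not find, that the bracketed "[date size]" is the file's timestamp and byte size, and that in a service line the leading letter is R (running) or S (stopped) followed by the start-type digit. The excerpt it parses is constructed from lines modelled on the log above.

```python
"""Parse the 'Reg Loading Points' and service lines of a ComboFix log.

Added example; not part of the original post or of ComboFix.
Assumptions (the log itself does not state them):
  - a trailing "[X]" marks an entry whose target file was not found on disk
  - "[YYYY-MM-DD size]" / "[M/D/YYYY h:mm AM size]" is file timestamp and byte size
  - service lines start with R (running) or S (stopped) plus the start-type digit
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt modelled on the log format above (sample values only).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="=" [X]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 16862208]
"AutoTask"="c:\program files\AutoTask\AutoTask.exe" [2009-06-22 335872]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2/2/2010 9:13 PM 7040]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2/3/2009 4:23 AM 65536]
'''

KEY_RE = re.compile(r'^\[(?P<key>[A-Za-z_]+\\.+)\]$')                       # [HKEY_...\...]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s+\[(?P<meta>[^\]]+)\]$')
BARE_RE = re.compile(r'^(?P<target>\S.*?)\s+\[(?P<meta>[^\]]+)\]$')        # msconfig-style line
SERVICE_RE = re.compile(
    r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<meta>[^\]]+)\]$')


@dataclass
class AutorunEntry:
    key: str                  # registry key the entry was listed under
    name: Optional[str]       # value name; None for bare msconfig lines
    target: str               # command line or path as logged
    file_missing: bool        # True when ComboFix wrote [X] (assumed meaning)
    file_date: Optional[str]
    file_size: Optional[int]


@dataclass
class ServiceEntry:
    state: str                # e.g. "R1": running, start type 1 (assumed meaning)
    name: str
    display: str
    path: str
    file_size: Optional[int]


def _parse_meta(meta: str) -> Tuple[bool, Optional[str], Optional[int]]:
    """'X' -> missing file; '2008-05-07 16862208' -> (date, size)."""
    if meta.strip() == 'X':
        return True, None, None
    parts = meta.split()
    size = int(parts[-1]) if parts and parts[-1].isdigit() else None
    date = ' '.join(parts[:-1]) if size is not None else meta
    return False, date, size


def parse_loading_points(text: str) -> Tuple[List[AutorunEntry], List[ServiceEntry]]:
    """Walk the log once, tracking the current [key] header for value lines."""
    autoruns: List[AutorunEntry] = []
    services: List[ServiceEntry] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            current_key = m.group('key')
            continue
        if m := SERVICE_RE.match(line):          # service lines carry no key header
            _, _, size = _parse_meta(m.group('meta'))
            services.append(ServiceEntry(m.group('state'), m.group('name'),
                                         m.group('display'), m.group('path'), size))
            continue
        if current_key is None:
            continue
        m = VALUE_RE.match(line) or BARE_RE.match(line)
        if not m:
            continue                              # other section formats are skipped
        missing, date, size = _parse_meta(m.group('meta'))
        autoruns.append(AutorunEntry(current_key, m.groupdict().get('name'),
                                     m.group('target'), missing, date, size))
    return autoruns, services


def missing_file_entries(autoruns: List[AutorunEntry]) -> List[AutorunEntry]:
    """Autorun entries whose target ComboFix marked [X]: stale or removed startup items."""
    return [e for e in autoruns if e.file_missing]


if __name__ == '__main__':
    runs, svcs = parse_loading_points(SAMPLE_LOG)
    for e in missing_file_entries(runs):
        print(f'[X] {e.key} -> {e.name or "(bare)"}: {e.target}')
    for s in svcs:
        print(f'{s.state} {s.name}: {s.path} ({s.file_size} bytes)')
```

Run against the Run and startupreg sections of the log above, this reports the same two entries the log itself marks with [X] (the "GEST" value and the UserFaultCheck dumprep line); the other Run entries resolve to a dated file. Sections in other formats (the winlogon notify lines, the firewall list) are skipped rather than guessed at.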