Google search results Hijack (possible Vista Defender Pro virus side effect)


  • This topic is locked
28 replies to this topic

#1 Puli


  • Members
  • 16 posts

Posted 21 April 2010 - 08:31 PM

Hello, my first time posting here. I apologize in advance if I mess something up or if I'm unclear. Recently I was infected with the Vista Defender Pro virus. Thanks to some things I found on the internet I was able to edit the registry to allow me to install Malwarebytes. That then proceeded to remove the virus, or at least most of the things that are noticeable to me. I do still have problems, either from another virus that came along at the same time as the VDP one, or because of damage caused by VDP. The main issue is that my Google search results are hijacked and I am sent to another website. I normally use Firefox with the NoScript addon, so the sites that I am sent to end up just being blank with an indecipherable link only, no actual data. So far I have tried many different Anti-Virus/Anti-Spyware programs to fix my problem: AVG, McAfee, Avira, Spybot S&D, Spyware Doctor, Hitman Pro, HijackThis. I only used the free trials/versions of those listed, so some didn't actually remove things they found. I just used those to try and find files that I could look up. I think that is most everything I did; I just want to give as much info as possible.

I tried to follow the instructions on this site fully, but when I went to run GMER I got a blue screen right after it started to scan, saying something along the lines of shutting down to prevent damage to the system. The same thing happened when I tried to run it in safe mode.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Josh at 20:57:09.27 on Wed 04/21/2010
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3325.1659 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Windows\system32\mfevtps.exe
C:\Windows\System32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Josh\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [PlayNC Launcher]
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [<NO NAME>]
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\josh\appdata\roaming\mozilla\firefox\profiles\oidppttm.default\
FF - prefs.js: browser.startup.homepage -
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\users\josh\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\josh\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\josh\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\users\josh\appdata\roaming\mozilla\firefox\profiles\oidppttm.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-1 343664]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-4-21 207280]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-20 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-20 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-20 242696]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-20 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-20 267432]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-20 308064]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-20 60936]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-4-21 112592]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2009-8-31 21256]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-14 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2009-8-31 146448]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2009-8-31 66896]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-9-1 70728]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2008-9-19 65536]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-12-20 1153368]
R2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-4-27 93960]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-1 91672]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-1 43288]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-23 21504]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-9-1 65448]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-4-21 365280]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-4-21 1141712]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

=============== Created Last 30 ================

2010-04-22 00:55:53 0 ----a-w- c:\users\josh\defogger_reenable
2010-04-22 00:19:23 36488 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-04-22 00:19:23 110624 ----a-w- c:\windows\system32\drivers\tskD624.tmp
2010-04-21 20:08:26 0 d-----w- c:\program files\Trend Micro
2010-04-21 18:55:26 767952 ----a-w- c:\windows\BDTSupport.dll.old
2010-04-21 18:55:26 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-21 18:55:25 882 ----a-w- c:\windows\RegSDImport.xml
2010-04-21 18:55:25 879 ----a-w- c:\windows\RegISSImport.xml
2010-04-21 18:55:25 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-21 18:55:25 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-21 18:55:25 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-21 18:55:25 131 ----a-w- c:\windows\IDB.zip
2010-04-21 18:55:25 1152444 ----a-w- c:\windows\UDB.zip
2010-04-21 18:55:00 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-04-21 18:55:00 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-21 18:55:00 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-04-21 18:54:54 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-21 18:54:54 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-04-21 18:54:54 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-04-21 18:54:54 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-21 18:54:36 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-04-21 18:54:35 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-21 18:54:20 0 d-----w- c:\users\josh\appdata\roaming\PC Tools
2010-04-21 18:54:20 0 d-----w- c:\programdata\PC Tools
2010-04-21 18:54:20 0 d-----w- c:\program files\Spyware Doctor
2010-04-21 18:54:20 0 d-----w- c:\program files\common files\PC Tools
2010-04-21 02:06:34 238 ----a-w- c:\windows\system32\.crusader
2010-04-21 01:57:49 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-21 01:57:39 0 d-----w- c:\programdata\Hitman Pro
2010-04-21 01:57:38 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-21 01:55:21 0 d-----w- C:\escw_9_sa
2010-04-20 14:53:01 0 d-----w- c:\users\josh\appdata\roaming\Avira
2010-04-20 14:50:31 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-20 14:50:28 0 d-----w- c:\programdata\Avira
2010-04-20 14:50:28 0 d-----w- c:\program files\Avira
2010-04-20 12:22:24 0 d-----w- c:\program files\Windows Portable Devices
2010-04-20 12:21:35 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-04-20 06:10:53 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-04-20 06:10:51 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-04-20 06:10:51 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-04-20 06:06:48 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-04-20 05:59:50 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-04-20 05:59:49 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-04-20 05:59:49 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-04-20 05:53:42 0 d-----w- C:\4f5853fd0eb636ebcede6ac841ae4ce3
2010-04-20 05:40:47 0 d--h--w- C:\$AVG
2010-04-20 05:39:37 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-20 05:39:32 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-20 05:39:27 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-20 05:39:25 0 d-----w- c:\windows\system32\drivers\Avg
2010-04-20 05:36:34 0 d-----w- c:\program files\AVG
2010-04-20 05:36:19 0 d-----w- c:\programdata\avg9
2010-04-20 02:39:22 0 d-----w- c:\users\josh\appdata\roaming\Malwarebytes
2010-04-20 02:39:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-20 02:39:15 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 02:39:15 0 d-----w- c:\programdata\Malwarebytes
2010-04-20 02:39:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-20 01:20:00 58 --sh--w- c:\windows\system32\User.ini
2010-04-20 01:19:58 0 d-----w- c:\users\josh\appdata\roaming\272A812BF5470781EBC80F7C53B39D57
2010-04-20 01:19:06 0 d-----w- C:\QUARANTINE
2010-04-17 18:52:18 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-04-17 18:52:18 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-04-17 18:52:18 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-04-17 03:42:55 0 d-----w- c:\windows\system32\eu-ES
2010-04-17 03:42:55 0 d-----w- c:\windows\system32\ca-ES
2010-04-17 03:42:50 0 d-----w- c:\windows\system32\vi-VN
2010-04-14 13:04:52 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 13:04:52 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 13:04:52 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 13:04:47 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 13:04:47 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 13:04:44 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 13:04:27 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-14 13:04:26 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-04-14 13:04:23 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 13:04:22 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 13:04:22 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 13:00:36 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 12:59:40 98304 ----a-w- c:\windows\system32\cabview.dll
2010-03-31 12:48:42 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-31 12:48:38 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-29 21:58:54 0 d-----w- c:\windows\system32\EventProviders
2010-03-29 21:11:21 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-29 21:11:15 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-29 21:11:14 30720 ----a-w- c:\windows\system32\httpapi.dll

==================== Find3M ====================

2010-04-22 00:13:14 110624 ----a-w- c:\windows\system32\drivers\nvstor32.sys
2010-04-20 19:23:11 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-20 19:23:11 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-20 19:23:10 86016 ----a-w- c:\windows\inf\infstor.dat
2010-04-20 12:21:59 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-03-29 23:30:31 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-01-25 23:51:57 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21:20 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21:20 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21:18 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21:18 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
2008-05-24 03:03:27 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-04-21 02:24:20 16384 --sha-w- c:\windows\temp\cookies\index.dat
2008-04-21 02:24:21 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2008-04-21 02:24:20 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2008-04-15 07:55:44 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 20:59:25.21 ===============

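The "Created Last 30" and "Find3M" sections of the DDS log above are what a helper reads entry by entry for things that do not belong. As an added example (not from this thread and not part of the DDS tool), here is a small Python parser for that entry format with a few analyst heuristics run over lines copied from the log: system+hidden attributes on a file, a dot-prefixed name in system32, a .tmp in the drivers folder, and a 32-hex-character folder name under a user's AppData. The sample lines are constructed from the post; the heuristics and the benign-name allowlist are my own and produce items to look at, not verdicts.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: entries copied from the DDS "Created Last 30" / "Find3M"
# sections of the post above, plus normal-looking lines for contrast.
SAMPLE_LOG = r"""
============== Created Last 30 ================
2010-04-22 00:19:23 110624 ----a-w- c:\windows\system32\drivers\tskD624.tmp
2010-04-21 02:06:34 238 ----a-w- c:\windows\system32\.crusader
2010-04-20 05:53:42 0 d-----w- C:\4f5853fd0eb636ebcede6ac841ae4ce3
2010-04-20 01:20:00 58 --sh--w- c:\windows\system32\User.ini
2010-04-20 01:19:58 0 d-----w- c:\users\josh\appdata\roaming\272A812BF5470781EBC80F7C53B39D57
2010-04-14 13:04:23 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
==================== Find3M ====================
2008-05-24 03:03:27 174 --sha-w- c:\program files\desktop.ini
"""

# One DDS entry: <date> <time> <size> <attribute flags> <path>
# The flag string is 8 characters; a leading "d" marks a directory,
# "s" and "h" mark the system and hidden attributes.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attrs>[A-Za-z-]{8})\s+(?P<path>.+?)\s*$"
)
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")

# Hidden+system files that Windows itself creates all over the disk; skipped
# so the hidden+system heuristic does not drown in expected noise (my choice).
BENIGN_HIDDEN_SYSTEM = {"desktop.ini", "ntuser.dat", "index.dat"}


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one DDS entry, or None for headers/blank lines."""
    m = ENTRY_RE.match(line.strip())
    return m.groupdict() if m else None


def assess_entry(entry: Dict[str, str]) -> List[str]:
    """Apply the analyst heuristics; returns the reasons an entry stands out."""
    attrs = entry["attrs"]
    parts = entry["path"].lower().split("\\")
    name = parts[-1]
    is_dir = attrs.startswith("d")
    in_system32 = "system32" in parts
    in_drivers = in_system32 and "drivers" in parts
    reasons: List[str] = []

    # A file (not directory) carrying both system and hidden attributes is a
    # classic way to keep a dropped file out of Explorer's default view.
    if not is_dir and "s" in attrs and "h" in attrs and name not in BENIGN_HIDDEN_SYSTEM:
        reasons.append("hidden+system attributes on a file")
    # Windows does not put dot-prefixed file names in system32.
    if in_system32 and name.startswith("."):
        reasons.append("dot-prefixed file name in system32")
    # Drivers load from .sys images; a .tmp next to them deserves a look.
    if in_drivers and name.endswith(".tmp"):
        reasons.append(".tmp file in the drivers directory")
    # Droppers often stage under a per-user folder named with a hash-like
    # string. Root-level hex folders are left behind by update installers
    # so often that they are deliberately not flagged here.
    if is_dir and "appdata" in parts and HEX32_RE.match(name):
        reasons.append("32-hex-character folder name under AppData")
    return reasons


def scan_log(text: str) -> List[Tuple[str, List[str]]]:
    """Parse every entry in a DDS log section and return the flagged ones."""
    findings = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = assess_entry(entry)
        if reasons:
            findings.append((entry["path"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in scan_log(SAMPLE_LOG):
        print(f"{path}\n    " + "\n    ".join(reasons))
```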

#2 myrti


    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts

Posted 27 April 2010 - 08:31 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


#3 Puli

  • Topic Starter

  • Members
  • 16 posts

Posted 27 April 2010 - 10:39 AM

Thanks for being able to help me out; I can see that you guys here are extremely busy. Just to fill you in on what has happened since my first post last week: I discovered that I cannot access the Windows Update website, nor does Windows Update work. Yesterday when I came home from work I found that my computer had been re-infected by the av.exe virus. I used the same process to fix it: I ran a registry fixer so that exe files would work, then I ran a new install of Malwarebytes to get rid of what it could. I still have the logs from that saved in Malwarebytes if you ever want to see them.


OTL logfile created on: 4/27/2010 11:01:06 AM - Run 1
OTL by OldTimer - Version 3.2.3.0 Folder = C:\Users\Josh\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 42.00% Memory free
7.00 Gb Paging File | 5.00 Gb Available in Paging File | 74.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 455.71 Gb Total Space | 112.72 Gb Free Space | 24.73% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.74 Gb Free Space | 57.37% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 3.74 Gb Total Space | 1.64 Gb Free Space | 43.94% Space Free | Partition Type: FAT32

Computer Name: JOSH-PC
Current User Name: Josh
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/27 10:58:04 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\Users\Josh\Desktop\OTL.exe
PRC - [2010/04/23 08:33:06 | 002,064,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/04/23 08:33:01 | 000,620,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/04/20 01:50:58 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/04/20 01:38:55 | 000,508,184 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/04/20 01:38:54 | 000,710,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/04/20 01:38:24 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/04/01 13:58:04 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/03/02 11:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/01/21 19:21:02 | 000,112,592 | ---- | M] (Threat Expert Ltd.) -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
PRC - [2010/01/14 22:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/09/10 10:58:25 | 000,168,960 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmplayer.exe
PRC - [2009/08/31 20:07:00 | 000,146,448 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
PRC - [2009/08/31 20:07:00 | 000,124,240 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2009/08/31 20:07:00 | 000,070,728 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe
PRC - [2009/08/31 20:07:00 | 000,066,896 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
PRC - [2009/08/31 20:07:00 | 000,027,960 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
PRC - [2009/08/31 20:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
PRC - [2009/04/27 18:09:52 | 000,093,960 | ---- | M] (Sling Media Inc.) -- C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008/09/19 08:30:34 | 003,674,112 | ---- | M] (PostgreSQL Global Development Group) -- C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
PRC - [2008/09/19 04:03:58 | 000,065,536 | ---- | M] (PostgreSQL Global Development Group) -- C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
PRC - [2008/08/14 00:04:44 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/05/17 00:12:54 | 000,290,816 | ---- | M] (Pharos Systems International) -- C:\Program Files\PharosSystems\Core\CTskMstr.exe
PRC - [2008/03/14 04:00:00 | 000,226,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2008/03/14 04:00:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2008/03/14 04:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2008/03/14 04:00:00 | 000,091,456 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McTray.exe
PRC - [2008/01/29 20:41:50 | 000,104,712 | ---- | M] () -- C:\Program Files\OpenVPN\bin\openvpn-gui-1.0.3.exe
PRC - [2008/01/15 14:31:58 | 000,155,648 | ---- | M] (NVIDIA) -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe


========== Modules (SafeList) ==========

MOD - [2010/04/27 10:58:04 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\Users\Josh\Desktop\OTL.exe
MOD - [2009/04/11 02:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (Viewpoint Manager Service)
SRV - [2010/04/20 01:38:24 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/01/21 19:21:02 | 000,112,592 | ---- | M] (Threat Expert Ltd.) [Auto | Running] -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)
SRV - [2010/01/18 14:14:24 | 001,141,712 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2009/12/09 15:23:34 | 000,365,280 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2009/10/31 09:16:22 | 000,320,760 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2009/09/24 21:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/08/31 20:07:00 | 000,146,448 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe -- (McShield)
SRV - [2009/08/31 20:07:00 | 000,070,728 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Windows\System32\mfevtps.exe -- (mfevtp)
SRV - [2009/08/31 20:07:00 | 000,066,896 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe -- (McTaskManager)
SRV - [2009/08/31 20:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe -- (McAfeeEngineService)
SRV - [2009/04/27 18:09:52 | 000,093,960 | ---- | M] (Sling Media Inc.) [Auto | Running] -- C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe -- (SlingAgentService)
SRV - [2009/03/16 18:47:00 | 002,780,212 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\System32\GameMon.des -- (npggsvc)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/09/19 04:03:58 | 000,065,536 | ---- | M] (PostgreSQL Global Development Group) [Auto | Running] -- C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe -- (pgsql-8.3)
SRV - [2008/08/14 00:04:44 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2008/05/17 00:12:54 | 000,290,816 | ---- | M] (Pharos Systems International) [Auto | Running] -- C:\Program Files\PharosSystems\Core\CTskMstr.exe -- (Pharos Systems ComTaskMaster)
SRV - [2008/03/14 04:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2008/01/29 20:41:48 | 000,015,872 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\OpenVPN\bin\openvpnserv.exe -- (OpenVPNService)
SRV - [2008/01/18 23:38:26 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/15 14:31:58 | 000,155,648 | ---- | M] (NVIDIA) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe -- (nTuneService)


========== Driver Services (SafeList) ==========

DRV - [2010/04/23 08:33:01 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/04/21 21:05:47 | 000,110,624 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2010/04/20 01:39:27 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/04/20 01:39:26 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/03/01 10:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/02/16 14:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/09/23 16:10:06 | 000,207,280 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2009/08/31 20:07:00 | 000,343,664 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/08/31 20:07:00 | 000,091,672 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/08/31 20:07:00 | 000,075,704 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2009/08/31 20:07:00 | 000,065,448 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2009/08/31 20:07:00 | 000,063,728 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2009/08/31 20:07:00 | 000,043,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/05/11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/04/14 03:33:00 | 007,766,464 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/08/01 20:51:14 | 001,052,704 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2008/04/15 03:55:43 | 000,020,152 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/04/15 03:55:43 | 000,019,128 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/04/15 03:55:43 | 000,017,592 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2008/03/29 15:34:16 | 000,025,344 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- C:\Windows\System32\drivers\VClone.sys -- (VClone)
DRV - [2008/01/29 20:41:42 | 000,025,216 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tap0901.sys -- (tap0901)
DRV - [2008/01/15 14:34:04 | 000,029,696 | ---- | M] (NVidia Corp.) [Kernel | On_Demand | Running] -- C:\Windows\nvoclock.sys -- (NVR0Dev)
DRV - [2008/01/15 07:16:22 | 000,131,616 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvrd32.sys -- (nvrd32)
DRV - [2008/01/15 07:00:36 | 002,011,224 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/08/07 15:48:33 | 000,025,160 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- C:\Windows\System32\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV - [2007/02/15 20:56:49 | 000,011,984 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ElbyDelay.sys -- (ElbyDelay)
DRV - [2006/11/02 05:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 05:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 05:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 05:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 05:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 05:51:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 05:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 05:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 05:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 05:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 05:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2006/11/02 05:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 05:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 05:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 05:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2006/11/02 05:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 05:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 05:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 05:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 05:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 05:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 05:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 05:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 05:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 05:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 05:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 05:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 05:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 05:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 05:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 04:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 04:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 04:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 04:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 04:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 04:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 03:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 03:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2006/11/02 03:30:55 | 000,200,704 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2006/11/02 03:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



IE - HKU\S-1-5-21-385192728-1322132304-2723306943-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-385192728-1322132304-2723306943-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-385192728-1322132304-2723306943-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-385192728-1322132304-2723306943-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - prefs.js..browser.startup.homepage: ""
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.69
FF - prefs.js..extensions.enabledItems: firefox@tvunetworks.com:2
FF - prefs.js..extensions.enabledItems: 4
FF - prefs.js..extensions.enabledItems: 9
FF - prefs.js..extensions.enabledItems: 1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}:5.0.12
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.812
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009/06/17 20:52:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/04/25 00:29:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/20 10:41:01 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/20 10:40:59 | 000,000,000 | ---D | M]

[2009/03/02 04:23:28 | 000,000,000 | ---D | M] -- C:\Users\Josh\AppData\Roaming\Mozilla\Extensions
[2009/03/02 04:23:28 | 000,000,000 | ---D | M] -- C:\Users\Josh\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
[2010/04/26 19:12:57 | 000,000,000 | ---D | M] -- C:\Users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\oidppttm.default\extensions
[2010/04/21 20:21:45 | 000,000,000 | ---D | M] (NoScript) -- C:\Users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\oidppttm.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2009/11/21 18:17:11 | 000,000,000 | ---D | M] -- C:\Users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\oidppttm.default\extensions\firefox@tvunetworks.com
[2009/05/26 23:03:38 | 000,002,105 | ---- | M] () -- C:\Users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\oidppttm.default\searchplugins\digg.xml
[2010/04/20 13:21:11 | 000,004,859 | ---- | M] () -- C:\Users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\oidppttm.default\searchplugins\isohunt---bt-search.xml
[2009/08/30 03:54:14 | 000,000,952 | ---- | M] () -- C:\Users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\oidppttm.default\searchplugins\youtube-video-search.xml
[2010/04/26 19:12:57 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/02/04 10:39:45 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}
[2009/08/31 20:07:00 | 000,023,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2008/06/18 02:43:04 | 000,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2009/04/05 20:32:02 | 000,239,432 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll

O1 HOSTS File: ([2010/03/16 14:19:08 | 000,610,419 | ---- | M]) - C:\Windows\System32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 fr.a2dfp.net
O1 - Hosts: 127.0.0.1 m.fr.a2dfp.net
O1 - Hosts: 127.0.0.1 ad.a8.net
O1 - Hosts: 127.0.0.1 asy.a8ww.net
O1 - Hosts: 127.0.0.1 adserver.abv.bg
O1 - Hosts: 127.0.0.1 adv.abv.bg
O1 - Hosts: 127.0.0.1 bimg.abv.bg
O1 - Hosts: 127.0.0.1 www2.a-counter.kiev.ua
O1 - Hosts: 127.0.0.1 track.acclaimnetwork.com
O1 - Hosts: 127.0.0.1 accuserveadsystem.com
O1 - Hosts: 127.0.0.1 www.accuserveadsystem.com
O1 - Hosts: 127.0.0.1 achmedia.com
O1 - Hosts: 127.0.0.1 aconti.net
O1 - Hosts: 127.0.0.1 secure.aconti.net
O1 - Hosts: 127.0.0.1 www.aconti.net #[Dialer.Aconti]
O1 - Hosts: 127.0.0.1 ads.active.com
O1 - Hosts: 127.0.0.1 am1.activemeter.com
O1 - Hosts: 127.0.0.1 www.activemeter.com #[Tracking.Cookie]
O1 - Hosts: 127.0.0.1 ads.activepower.net
O1 - Hosts: 127.0.0.1 data2.activshopper.com #[Trackware.ActivShopper]
O1 - Hosts: 127.0.0.1 stat.active24stats.nl #[Tracking.Cookie]
O1 - Hosts: 127.0.0.1 ad2games.com
O1 - Hosts: 127.0.0.1 cms.ad2click.nl
O1 - Hosts: 127.0.0.1 ads.ad2games.com
O1 - Hosts: 16151 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKU\S-1-5-21-385192728-1322132304-2723306943-1000\..\Toolbar\WebBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe File not found
O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe File not found
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-385192728-1322132304-2723306943-1000..\Run: [PlayNC Launcher] File not found
O4 - HKU\S-1-5-21-385192728-1322132304-2723306943-1001..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-385192728-1322132304-2723306943-1000\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKU\S-1-5-21-385192728-1322132304-2723306943-1000\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_12)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Josh\Pictures\FFv13.jpg
O24 - Desktop BackupWallPaper: C:\Users\Josh\Pictures\FFv13.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{098ca63e-1635-11dd-8cb1-001ec932571d}\Shell - "" = AutoRun
O33 - MountPoints2\{098ca63e-1635-11dd-8cb1-001ec932571d}\Shell\AutoRun\command - "" = G:\autorun.exe -- File not found
O33 - MountPoints2\{2fd4ed38-1a0b-11dd-a0b6-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{2fd4ed38-1a0b-11dd-a0b6-806e6f6e6963}\Shell\AutoRun\command - "" = H:\autorun.exe -- File not found
O33 - MountPoints2\{3f6e072c-ca16-11de-a3f1-001ec932571d}\Shell - "" = AutoRun
O33 - MountPoints2\{3f6e072c-ca16-11de-a3f1-001ec932571d}\Shell\AutoRun\command - "" = I:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = secfile] -- Reg Error: Key error. File not found
O37 - HKU\S-1-5-18\...exe [@ = secfile] -- Reg Error: Key error. File not found
O37 - HKU\S-1-5-21-385192728-1322132304-2723306943-1000\...exe [@ = exefile] -- Reg Error: Key error. File not found

MsConfig - StartUpReg: avast! - hkey= - key= - C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe File not found
MsConfig - StartUpReg: DKPProfilerUploader - hkey= - key= - C:\Program Files\DKP Profiler Uploader\DKPProfilerUploader.exe File not found
MsConfig - StartUpReg: mcagent_exe - hkey= - key= - C:\Program Files\McAfee.com\Agent\mcagent.exe File not found
MsConfig - StartUpReg: mcexecwin - hkey= - key= - C:\Users\Josh\AppData\Local\Temp\lle8tzji.DLL File not found
MsConfig - StartUpReg: RayV - hkey= - key= - C:\Program Files\RayV\RayV\RayV.exe File not found
MsConfig - State: "bootini" - 0
MsConfig - State: "startup" - 2
MsConfig - State: "services" - 2

SafeBootMin: AppMgmt - Service
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: klmdb.sys - Driver
SafeBootMin: McAfeeEngineService - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe (McAfee, Inc.)
SafeBootMin: NTDS - File not found
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} -
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

Drivers32: msacm.ac3acm - C:\Windows\System32\ac3acm.acm (fccHandler)
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lameacm - C:\Windows\System32\lameACM.acm (http://www.mp3dev.org/)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.DIVX - C:\Windows\System32\divx.dll (DivX, Inc.)
Drivers32: VIDC.FFDS - C:\Windows\System32\ff_vfw.dll ()
Drivers32: VIDC.XVID - C:\Windows\System32\xvidvfw.dll ()
Drivers32: VIDC.YV12 - C:\Windows\System32\yv12vfw.dll (www.helixcommunity.org)

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2008/05/23 22:55:09 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/04/27 10:57:55 | 000,563,712 | ---- | C] (OldTimer Tools) -- C:\Users\Josh\Desktop\OTL.exe
[2010/04/26 17:14:47 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/04/22 20:01:11 | 000,562,856 | ---- | C] (Google Inc.) -- C:\Users\Josh\Desktop\hromeSetup.exe
[2010/04/21 21:14:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Office Genuine Advantage
[2010/04/21 21:02:42 | 000,000,000 | ---D | C] -- C:\Users\Josh\Desktop\gmer
[2010/04/21 20:37:18 | 000,000,000 | ---D | C] -- C:\Users\Josh\Desktop\New Folder
[2010/04/21 20:08:56 | 000,000,000 | ---D | C] -- C:\Users\Josh\Desktop\tdsskiller
[2010/04/21 16:08:26 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/04/21 16:08:18 | 000,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Users\Josh\Desktop\HJTInstall.exe
[2010/04/21 15:19:05 | 000,000,000 | ---D | C] -- C:\Users\Josh\AppData\Local\Threat Expert
[2010/04/21 14:55:25 | 001,652,688 | ---- | C] (Threat Expert Ltd.) -- C:\Windows\PCTBDCore.dll
[2010/04/21 14:55:25 | 000,165,840 | ---- | C] (Threat Expert Ltd.) -- C:\Windows\PCTBDRes.dll
[2010/04/21 14:55:25 | 000,149,456 | ---- | C] (PC Tools) -- C:\Windows\SGDetectionTool.dll
[2010/04/21 14:55:00 | 000,233,136 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctgntdi.sys
[2010/04/21 14:55:00 | 000,100,136 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctwfpfilter.sys
[2010/04/21 14:54:54 | 000,207,280 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTCore.sys
[2010/04/21 14:54:54 | 000,087,784 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTAppEvent.sys
[2010/04/21 14:54:35 | 000,070,408 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctplsg.sys
[2010/04/21 14:54:20 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/04/21 14:54:20 | 000,000,000 | ---D | C] -- C:\Users\Josh\AppData\Roaming\PC Tools
[2010/04/21 14:54:20 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Tools
[2010/04/21 14:54:20 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/04/21 14:53:39 | 034,596,344 | ---- | C] (PC Tools ) -- C:\Users\Josh\Desktop\7.0.0.538f-sdasetup.exe
[2010/04/20 21:57:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Hitman Pro
[2010/04/20 21:57:38 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/04/20 21:57:28 | 005,650,240 | ---- | C] (SurfRight B.V.) -- C:\Users\Josh\Desktop\HitmanPro35.exe
[2010/04/20 21:55:21 | 000,000,000 | ---D | C] -- C:\escw_9_sa
[2010/04/20 11:44:49 | 000,000,000 | ---D | C] -- C:\Users\Josh\Desktop\hosts
[2010/04/20 10:53:01 | 000,000,000 | ---D | C] -- C:\Users\Josh\AppData\Roaming\Avira
[2010/04/20 10:50:33 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys
[2010/04/20 10:50:31 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
[2010/04/20 10:50:31 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys
[2010/04/20 10:50:31 | 000,017,016 | ---- | C] (AVIRA GmbH) -- C:\Windows\System32\drivers\avgntmgr.sys
[2010/04/20 10:50:30 | 000,051,992 | ---- | C] (AVIRA GmbH) -- C:\Windows\System32\drivers\avgntdd.sys
[2010/04/20 10:50:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira
[2010/04/20 10:50:28 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/04/20 08:22:24 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Portable Devices
[2010/04/20 02:10:53 | 000,092,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\UIAnimation.dll
[2010/04/20 02:10:51 | 003,023,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\UIRibbon.dll
[2010/04/20 02:10:51 | 001,164,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\UIRibbonRes.dll
[2010/04/20 02:08:54 | 000,369,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WMPhoto.dll
[2010/04/20 02:08:51 | 000,037,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\cdd.dll
[2010/04/20 02:08:49 | 000,829,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10warp.dll
[2010/04/20 02:08:49 | 000,026,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\printfilterpipelineprxy.dll
[2010/04/20 02:08:48 | 000,974,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WindowsCodecs.dll
[2010/04/20 02:08:48 | 000,828,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d2d1.dll
[2010/04/20 02:08:48 | 000,667,648 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\printfilterpipelinesvc.exe
[2010/04/20 02:08:48 | 000,351,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsPrint.dll
[2010/04/20 02:08:48 | 000,321,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PhotoMetadataHandler.dll
[2010/04/20 02:08:48 | 000,280,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsGdiConverter.dll
[2010/04/20 02:08:48 | 000,252,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxdiag.exe
[2010/04/20 02:08:48 | 000,195,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxdiagn.dll
[2010/04/20 02:08:48 | 000,189,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WindowsCodecsExt.dll
[2010/04/20 02:08:48 | 000,135,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsRasterService.dll
[2010/04/20 02:08:47 | 001,554,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xpsservices.dll
[2010/04/20 02:08:47 | 001,064,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\DWrite.dll
[2010/04/20 02:08:47 | 001,030,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10.dll
[2010/04/20 02:08:47 | 000,847,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\OpcServices.dll
[2010/04/20 02:08:47 | 000,793,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\FntCache.dll
[2010/04/20 02:08:47 | 000,519,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d11.dll
[2010/04/20 02:08:47 | 000,486,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10level9.dll
[2010/04/20 02:08:47 | 000,481,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxgi.dll
[2010/04/20 02:08:47 | 000,218,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1core.dll
[2010/04/20 02:08:47 | 000,190,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10core.dll
[2010/04/20 02:08:47 | 000,161,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1.dll
[2010/04/20 02:06:48 | 000,030,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WPDShextAutoplay.exe
[2010/04/20 02:06:47 | 000,031,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\BthMtpContextHandler.dll
[2010/04/20 02:06:39 | 000,060,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PortableDeviceConnectApi.dll
[2010/04/20 02:06:34 | 000,546,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wpd_ci.dll
[2010/04/20 02:06:34 | 000,350,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WPDSp.dll
[2010/04/20 02:06:34 | 000,334,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PortableDeviceApi.dll
[2010/04/20 02:06:34 | 000,196,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PortableDeviceWMDRM.dll
[2010/04/20 02:06:34 | 000,160,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PortableDeviceTypes.dll
[2010/04/20 02:06:34 | 000,100,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PortableDeviceClassExtension.dll
[2010/04/20 01:59:50 | 000,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\oleaccrc.dll
[2010/04/20 01:59:49 | 000,555,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\UIAutomationCore.dll
[2010/04/20 01:53:42 | 000,000,000 | ---D | C] -- C:\4f5853fd0eb636ebcede6ac841ae4ce3
[2010/04/20 01:40:47 | 000,000,000 | -H-D | C] -- C:\$AVG
[2010/04/20 01:39:37 | 000,012,464 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\avgrsstx.dll
[2010/04/20 01:39:32 | 000,242,896 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgtdix.sys
[2010/04/20 01:39:27 | 000,216,200 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgldx86.sys
[2010/04/20 01:39:25 | 000,029,512 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgmfx86.sys
[2010/04/20 01:39:25 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\Avg
[2010/04/20 01:36:34 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/04/20 01:36:19 | 000,000,000 | ---D | C] -- C:\ProgramData\avg9
[2010/04/20 01:04:52 | 002,131,808 | ---- | C] (AVG Technologies) -- C:\Users\Josh\Desktop\avg_free_stb_all_9_114_cnet.exe
[2010/04/20 01:00:54 | 129,231,360 | ---- | C] (Microsoft Corporation) -- C:\Users\Josh\Desktop\McAfee-VirusScan-AntiSpiware-Enterprise-8.7i-with-Patch-2-32-bit.exe
[2010/04/19 22:39:22 | 000,000,000 | ---D | C] -- C:\Users\Josh\AppData\Roaming\Malwarebytes
[2010/04/19 22:39:17 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/19 22:39:15 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/19 22:39:15 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/19 22:39:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/04/19 21:19:58 | 000,000,000 | ---D | C] -- C:\Users\Josh\AppData\Roaming\272A812BF5470781EBC80F7C53B39D57
[2010/04/19 21:19:21 | 000,000,000 | ---D | C] -- C:\Users\Josh\AppData\Local\Windows Server
[2010/04/19 21:19:06 | 000,000,000 | ---D | C] -- C:\QUARANTINE
[2010/04/17 14:52:18 | 004,240,384 | ---- | C] (Microsoft) -- C:\Windows\System32\GameUXLegacyGDFs.dll
[2010/04/17 14:52:18 | 001,696,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\gameux.dll
[2010/04/17 14:52:18 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Apphlpdm.dll
[2010/04/16 23:42:55 | 000,000,000 | ---D | C] -- C:\Windows\System32\eu-ES
[2010/04/16 23:42:55 | 000,000,000 | ---D | C] -- C:\Windows\System32\ca-ES
[2010/04/16 23:42:50 | 000,000,000 | ---D | C] -- C:\Windows\System32\vi-VN
[2010/04/14 09:04:47 | 003,600,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2010/04/14 09:04:47 | 003,548,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2010/04/14 09:04:44 | 000,430,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2010/04/14 09:04:27 | 000,062,464 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\System32\l3codeca.acm
[2010/04/14 09:04:26 | 000,220,672 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\System32\l3codecp.acm
[2010/04/11 17:28:58 | 000,000,000 | ---D | C] -- C:\Users\Josh\Desktop\Douglas Adams, Hitchhikers Trilogy - all 5 books
[2010/04/07 12:26:42 | 000,000,000 | ---D | C] -- C:\Users\Josh\Desktop\Dolphin_2.0_RC1_Win32
[2010/04/07 12:26:29 | 004,958,095 | ---- | C] (Igor Pavlov) -- C:\Users\Josh\Desktop\Dolphin_2.0_RC1_Win32.exe
[2010/04/01 20:06:40 | 000,000,000 | ---D | C] -- C:\Users\Josh\Desktop\iv-calc_files
[2010/03/31 08:48:40 | 000,180,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2010/03/31 08:48:38 | 000,193,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2010/03/31 08:48:38 | 000,078,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieencode.dll
[2010/03/31 08:48:35 | 000,380,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll
[2010/03/29 17:58:54 | 000,000,000 | ---D | C] -- C:\Windows\System32\EventProviders
[2010/03/29 17:11:21 | 000,024,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\nshhttp.dll
[2010/03/29 17:11:14 | 000,030,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\httpapi.dll
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/27 11:07:50 | 003,670,016 | -HS- | M] () -- C:\Users\Josh\NTUSER.DAT
[2010/04/27 11:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At12.job
[2010/04/27 10:58:04 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\Users\Josh\Desktop\OTL.exe
[2010/04/27 10:53:08 | 000,001,726 | ---- | M] () -- C:\Users\Josh\Documents\Default.rdp
[2010/04/27 10:48:10 | 059,302,741 | ---- | M] () -- C:\Windows\System32\drivers\Avg\incavi.avm
[2010/04/27 10:29:03 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/04/27 10:29:03 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/04/27 10:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At11.job
[2010/04/27 09:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At10.job
[2010/04/27 08:29:43 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At9.job
[2010/04/27 08:29:43 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At8.job
[2010/04/27 08:29:28 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At7.job
[2010/04/27 08:29:28 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At6.job
[2010/04/27 08:29:27 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At5.job
[2010/04/27 08:29:27 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At4.job
[2010/04/27 08:29:27 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At3.job
[2010/04/27 08:29:26 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At2.job
[2010/04/27 08:29:26 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At1.job
[2010/04/27 08:29:03 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/04/26 23:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At24.job
[2010/04/26 22:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At23.job
[2010/04/26 21:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At22.job
[2010/04/26 20:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At21.job
[2010/04/26 19:28:20 | 000,756,154 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/04/26 19:28:20 | 000,639,306 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/04/26 19:28:20 | 000,119,946 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/04/26 19:23:24 | 000,015,944 | ---- | M] () -- C:\Windows\System32\drivers\hitmanpro35.sys
[2010/04/26 19:22:40 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/26 19:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At20.job
[2010/04/26 18:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At19.job
[2010/04/26 17:01:17 | 3487,010,816 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/26 17:00:12 | 000,524,288 | -HS- | M] () -- C:\Users\Josh\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/04/26 17:00:12 | 000,065,536 | -HS- | M] () -- C:\Users\Josh\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/04/26 16:59:44 | 003,832,709 | -H-- | M] () -- C:\Users\Josh\AppData\Local\IconCache.db
[2010/04/26 16:46:12 | 000,011,712 | -HS- | M] () -- C:\Users\Josh\AppData\Local\0jf5835bS5a
[2010/04/26 16:46:12 | 000,011,712 | -HS- | M] () -- C:\ProgramData\0jf5835bS5a
[2010/04/26 16:42:45 | 000,011,700 | -HS- | M] () -- C:\ProgramData\1166257537
[2010/04/26 16:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At17.job
[2010/04/26 15:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At16.job
[2010/04/26 14:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At15.job
[2010/04/26 13:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At14.job
[2010/04/26 12:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At13.job
[2010/04/25 17:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At18.job
[2010/04/23 08:33:01 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgtdix.sys
[2010/04/22 20:01:12 | 000,562,856 | ---- | M] (Google Inc.) -- C:\Users\Josh\Desktop\hromeSetup.exe
[2010/04/21 21:11:24 | 170,675,731 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/04/21 21:05:47 | 000,110,624 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\drivers\nvstor32.sys
[2010/04/21 21:02:13 | 000,284,915 | ---- | M] () -- C:\Users\Josh\Desktop\gmer.zip
[2010/04/21 20:56:39 | 000,525,824 | ---- | M] () -- C:\Users\Josh\Desktop\dds.scr
[2010/04/21 20:55:53 | 000,000,000 | ---- | M] () -- C:\Users\Josh\defogger_reenable
[2010/04/21 20:55:33 | 000,050,477 | ---- | M] () -- C:\Users\Josh\Desktop\Defogger.exe
[2010/04/21 20:08:46 | 000,154,469 | ---- | M] () -- C:\Users\Josh\Desktop\tdsskiller.zip
[2010/04/21 16:08:27 | 000,001,876 | ---- | M] () -- C:\Users\Josh\Desktop\HijackThis.lnk
[2010/04/21 16:08:20 | 000,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Users\Josh\Desktop\HJTInstall.exe
[2010/04/21 15:52:01 | 360,513,580 | ---- | M] () -- C:\Users\Josh\Desktop\backup.reg
[2010/04/21 14:54:50 | 000,001,761 | ---- | M] () -- C:\Users\Public\Desktop\Spyware Doctor.lnk
[2010/04/21 14:54:02 | 034,596,344 | ---- | M] (PC Tools ) -- C:\Users\Josh\Desktop\7.0.0.538f-sdasetup.exe
[2010/04/21 08:57:37 | 000,000,238 | ---- | M] () -- C:\Windows\System32\.crusader
[2010/04/21 01:06:56 | 000,001,787 | ---- | M] () -- C:\Users\Public\Desktop\Hitman Pro 3.5.lnk
[2010/04/20 21:57:34 | 005,650,240 | ---- | M] (SurfRight B.V.) -- C:\Users\Josh\Desktop\HitmanPro35.exe
[2010/04/20 21:54:23 | 075,518,840 | ---- | M] () -- C:\Users\Josh\Desktop\escw_90_sa_sfx.exe
[2010/04/20 11:44:26 | 000,150,596 | ---- | M] () -- C:\Users\Josh\Desktop\hosts.zip
[2010/04/20 10:50:56 | 000,001,849 | ---- | M] () -- C:\Users\Public\Desktop\Avira AntiVir Control Center.lnk
[2010/04/20 10:48:18 | 044,089,584 | ---- | M] () -- C:\Users\Josh\Desktop\avira_antivir_personal_en.exe
[2010/04/20 10:41:01 | 000,001,726 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010/04/20 08:21:35 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_07_00.Wdf
[2010/04/20 01:47:56 | 000,000,240 | ---- | M] () -- C:\Windows\win.ini
[2010/04/20 01:39:40 | 000,001,649 | ---- | M] () -- C:\Users\Public\Desktop\AVG Free 9.0.lnk
[2010/04/20 01:39:39 | 000,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\avgrsstx.dll
[2010/04/20 01:39:27 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgldx86.sys
[2010/04/20 01:39:26 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgmfx86.sys
[2010/04/20 01:39:25 | 000,113,461 | ---- | M] () -- C:\Windows\System32\drivers\Avg\iavichjw.avm
[2010/04/20 01:04:52 | 002,131,808 | ---- | M] (AVG Technologies) -- C:\Users\Josh\Desktop\avg_free_stb_all_9_114_cnet.exe
[2010/04/20 01:01:04 | 129,231,360 | ---- | M] (Microsoft Corporation) -- C:\Users\Josh\Desktop\McAfee-VirusScan-AntiSpiware-Enterprise-8.7i-with-Patch-2-32-bit.exe
[2010/04/19 22:39:19 | 000,000,820 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/19 22:37:23 | 000,000,371 | ---- | M] () -- C:\Users\Josh\Desktop\fx.inf
[2010/04/19 22:20:48 | 000,007,830 | -HS- | M] () -- C:\Users\Josh\AppData\Local\22k5paIc
[2010/04/19 22:20:48 | 000,007,830 | -HS- | M] () -- C:\ProgramData\22k5paIc
[2010/04/19 22:12:46 | 000,007,822 | -HS- | M] () -- C:\Users\Josh\AppData\Local\3231008778
[2010/04/19 22:12:46 | 000,007,822 | -HS- | M] () -- C:\ProgramData\3231008778
[2010/04/19 21:20:00 | 000,000,058 | -HS- | M] () -- C:\Windows\System32\User.ini
[2010/04/16 23:51:49 | 000,284,576 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/04/14 17:55:02 | 000,053,760 | ---- | M] () -- C:\Users\Josh\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/07 12:26:35 | 004,958,095 | ---- | M] (Igor Pavlov) -- C:\Users\Josh\Desktop\Dolphin_2.0_RC1_Win32.exe
[2010/04/06 12:28:52 | 000,122,120 | ---- | M] () -- C:\Users\Josh\Desktop\Huff.pdf
[2010/04/06 12:28:52 | 000,055,808 | ---- | M] () -- C:\Users\Josh\Desktop\06-07MediaPeople.xls
[2010/04/01 20:06:45 | 000,101,964 | ---- | M] () -- C:\Users\Josh\Desktop\iv-calc.shtml
[2010/04/01 09:47:42 | 000,006,656 | ---- | M] () -- C:\Users\Josh\Desktop\NoiseAnalysisPostProcessor.java
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/03/29 17:48:26 | 000,069,576 | ---- | M] () -- C:\Users\Josh\AppData\Local\GDIPFONTCACHEV1.DAT
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/26 16:42:34 | 000,011,712 | -HS- | C] () -- C:\Users\Josh\AppData\Local\0jf5835bS5a
[2010/04/26 16:42:34 | 000,011,700 | -HS- | C] () -- C:\ProgramData\1166257537
[2010/04/26 14:35:23 | 000,011,712 | -HS- | C] () -- C:\ProgramData\0jf5835bS5a
[2010/04/21 21:11:26 | 3487,010,816 | -HS- | C] () -- C:\hiberfil.sys
[2010/04/21 21:02:12 | 000,284,915 | ---- | C] () -- C:\Users\Josh\Desktop\gmer.zip
[2010/04/21 20:56:33 | 000,525,824 | ---- | C] () -- C:\Users\Josh\Desktop\dds.scr
[2010/04/21 20:55:53 | 000,000,000 | ---- | C] () -- C:\Users\Josh\defogger_reenable
[2010/04/21 20:55:32 | 000,050,477 | ---- | C] () -- C:\Users\Josh\Desktop\Defogger.exe
[2010/04/21 20:08:44 | 000,154,469 | ---- | C] () -- C:\Users\Josh\Desktop\tdsskiller.zip
[2010/04/21 16:08:27 | 000,001,876 | ---- | C] () -- C:\Users\Josh\Desktop\HijackThis.lnk
[2010/04/21 15:51:13 | 360,513,580 | ---- | C] () -- C:\Users\Josh\Desktop\backup.reg
[2010/04/21 14:55:26 | 000,767,952 | ---- | C] () -- C:\Windows\BDTSupport.dll.old
[2010/04/21 14:55:26 | 000,767,952 | ---- | C] () -- C:\Windows\BDTSupport.dll
[2010/04/21 14:55:25 | 001,152,444 | ---- | C] () -- C:\Windows\UDB.zip
[2010/04/21 14:55:25 | 000,000,882 | ---- | C] () -- C:\Windows\RegSDImport.xml
[2010/04/21 14:55:25 | 000,000,879 | ---- | C] () -- C:\Windows\RegISSImport.xml
[2010/04/21 14:55:25 | 000,000,131 | ---- | C] () -- C:\Windows\IDB.zip
[2010/04/21 14:55:00 | 000,007,387 | ---- | C] () -- C:\Windows\System32\drivers\pctgntdi.cat
[2010/04/21 14:54:54 | 000,007,412 | ---- | C] () -- C:\Windows\System32\drivers\PCTAppEvent.cat
[2010/04/21 14:54:54 | 000,007,383 | ---- | C] () -- C:\Windows\System32\drivers\pctcore.cat
[2010/04/21 14:54:50 | 000,001,761 | ---- | C] () -- C:\Users\Public\Desktop\Spyware Doctor.lnk
[2010/04/21 14:54:36 | 000,007,383 | ---- | C] () -- C:\Windows\System32\drivers\pctplsg.cat
[2010/04/20 22:06:34 | 000,000,238 | ---- | C] () -- C:\Windows\System32\.crusader
[2010/04/20 21:57:49 | 000,015,944 | ---- | C] () -- C:\Windows\System32\drivers\hitmanpro35.sys
[2010/04/20 21:57:39 | 000,001,787 | ---- | C] () -- C:\Users\Public\Desktop\Hitman Pro 3.5.lnk
[2010/04/20 21:50:54 | 075,518,840 | ---- | C] () -- C:\Users\Josh\Desktop\escw_90_sa_sfx.exe
[2010/04/20 11:44:23 | 000,150,596 | ---- | C] () -- C:\Users\Josh\Desktop\hosts.zip
[2010/04/20 10:50:56 | 000,001,849 | ---- | C] () -- C:\Users\Public\Desktop\Avira AntiVir Control Center.lnk
[2010/04/20 10:48:07 | 044,089,584 | ---- | C] () -- C:\Users\Josh\Desktop\avira_antivir_personal_en.exe
[2010/04/20 10:41:01 | 000,001,726 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010/04/20 08:21:35 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_07_00.Wdf
[2010/04/20 01:39:40 | 000,001,649 | ---- | C] () -- C:\Users\Public\Desktop\AVG Free 9.0.lnk
[2010/04/20 01:39:25 | 059,302,741 | ---- | C] () -- C:\Windows\System32\drivers\Avg\incavi.avm
[2010/04/20 01:39:25 | 000,113,461 | ---- | C] () -- C:\Windows\System32\drivers\Avg\iavichjw.avm
[2010/04/19 22:51:38 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At24.job
[2010/04/19 22:51:38 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At23.job
[2010/04/19 22:51:38 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At22.job
[2010/04/19 22:51:38 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At21.job
[2010/04/19 22:51:37 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At20.job
[2010/04/19 22:51:37 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At19.job
[2010/04/19 22:51:37 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At18.job
[2010/04/19 22:51:37 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At17.job
[2010/04/19 22:51:37 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At16.job
[2010/04/19 22:51:37 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At15.job
[2010/04/19 22:51:37 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At14.job
[2010/04/19 22:51:36 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At13.job
[2010/04/19 22:51:36 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At12.job
[2010/04/19 22:51:36 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At11.job
[2010/04/19 22:51:36 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At10.job
[2010/04/19 22:51:35 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At5.job
[2010/04/19 22:51:35 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At4.job
[2010/04/19 22:51:35 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At3.job
[2010/04/19 22:51:35 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At2.job
[2010/04/19 22:51:34 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At1.job
[2010/04/19 22:39:19 | 000,000,820 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/19 22:37:22 | 000,000,371 | ---- | C] () -- C:\Users\Josh\Desktop\fx.inf
[2010/04/19 22:12:36 | 000,007,822 | -HS- | C] () -- C:\Users\Josh\AppData\Local\3231008778
[2010/04/19 21:34:25 | 000,007,822 | -HS- | C] () -- C:\ProgramData\3231008778
[2010/04/19 21:20:48 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At9.job
[2010/04/19 21:20:47 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At8.job
[2010/04/19 21:20:45 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At7.job
[2010/04/19 21:20:44 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At6.job
[2010/04/19 21:20:00 | 000,000,058 | -HS- | C] () -- C:\Windows\System32\User.ini
[2010/04/19 21:19:34 | 000,007,830 | -HS- | C] () -- C:\Users\Josh\AppData\Local\22k5paIc
[2010/04/19 21:19:34 | 000,007,830 | -HS- | C] () -- C:\ProgramData\22k5paIc
[2010/04/06 12:29:09 | 000,122,120 | ---- | C] () -- C:\Users\Josh\Desktop\Huff.pdf
[2010/04/06 12:29:09 | 000,055,808 | ---- | C] () -- C:\Users\Josh\Desktop\06-07MediaPeople.xls
[2010/04/01 20:06:39 | 000,101,964 | ---- | C] () -- C:\Users\Josh\Desktop\iv-calc.shtml
[2010/04/01 09:47:40 | 000,006,656 | ---- | C] () -- C:\Users\Josh\Desktop\NoiseAnalysisPostProcessor.java
[2009/11/06 11:58:04 | 000,178,975 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2009/09/11 01:47:20 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/07/17 15:48:41 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini
[2009/07/17 15:48:38 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2009/07/17 15:48:38 | 000,881,664 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2009/07/17 15:48:38 | 000,205,824 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2009/07/17 15:48:37 | 000,085,504 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009/07/17 15:48:37 | 000,000,547 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll.manifest
[2008/10/07 10:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2008/06/05 09:58:26 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2008/04/22 19:31:39 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2006/11/07 15:25:58 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 06:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/09/17 00:36:50 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/09/17 00:36:50 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2010/01/09 00:13:02 | 015,849,968 | ---- | M] () -- C:\AdobeAIRInstaller.exe


< MD5 for: AGP440.SYS >
[2008/01/18 23:42:26 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys
[2008/01/18 23:42:26 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/18 23:42:26 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/18 23:42:26 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2008/04/15 03:46:35 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=8B10CE1C1F9F1D47E4DEB1A547A00CD4 -- C:\Windows\System32\drivers\agp440.sys
[2008/04/15 03:46:35 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=8B10CE1C1F9F1D47E4DEB1A547A00CD4 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_8ed06b47\AGP440.sys
[2008/04/15 03:46:35 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=8B10CE1C1F9F1D47E4DEB1A547A00CD4 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6000.16400_none_b82caac9c18a4e3b\AGP440.sys
[2008/04/15 03:46:35 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=BF34B4A0E0B64440C5389AA6B902F4AD -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6000.20496_none_b85af81edaeb8461\AGP440.sys
[2006/11/02 05:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/18 23:41:32 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/18 23:41:32 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 05:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2008/04/15 03:46:52 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=5653737BAD8C6C10136451C195C19881 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20485_none_db8a029f3dbd443b\atapi.sys
[2008/04/15 03:55:43 | 000,021,688 | ---- | M] (Microsoft Corporation) MD5=61CA2C1E145809813C28752298CF9843 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_5da5d093\atapi.sys
[2008/04/15 03:55:43 | 000,021,688 | ---- | M] (Microsoft Corporation) MD5=61CA2C1E145809813C28752298CF9843 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20580_none_db8503133dc1c2af\atapi.sys
[2008/04/15 03:55:43 | 000,021,688 | ---- | M] (Microsoft Corporation) MD5=7EB55F6BEFB392BD312CD0CD5263305D -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_6c3af7d3\atapi.sys
[2008/04/15 03:55:43 | 000,021,688 | ---- | M] (Microsoft Corporation) MD5=7EB55F6BEFB392BD312CD0CD5263305D -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16470_none_db063634249c06f4\atapi.sys
[2008/04/15 03:46:34 | 000,021,688 | ---- | M] (Microsoft Corporation) MD5=9E7E85EC61D1C9C3171CC08427108863 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_5a9555b4\atapi.sys
[2008/04/15 03:46:34 | 000,021,688 | ---- | M] (Microsoft Corporation) MD5=9E7E85EC61D1C9C3171CC08427108863 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20509_none_dbe4850d3d78c736\atapi.sys
[2008/04/15 03:46:52 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=A779CA2C76DA4FCB595E692C05E8E4EB -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_82339ef2\atapi.sys
[2008/04/15 03:46:52 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=A779CA2C76DA4FCB595E692C05E8E4EB -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16391_none_daf194c024ab5b06\atapi.sys
[2008/04/22 03:07:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[2008/04/22 03:07:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys
[2008/04/22 03:07:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_64dfd8ea\atapi.sys
[2008/04/22 03:07:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 05:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 05:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2008/01/18 23:42:52 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/18 23:42:52 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 05:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\drivers\iaStorV.sys
[2006/11/02 05:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2006/11/02 05:46:11 | 000,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll
[2009/04/11 02:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\System32\netlogon.dll
[2009/04/11 02:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2008/01/18 23:35:38 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVRAID.SYS >
[2008/01/18 23:43:02 | 000,102,968 | ---- | M] (NVIDIA Corporation) MD5=2EDF9E7751554B42CBB60116DE727101 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvraid.sys
[2008/01/18 23:43:02 | 000,102,968 | ---- | M] (NVIDIA Corporation) MD5=2EDF9E7751554B42CBB60116DE727101 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvraid.sys
[2006/11/02 05:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) MD5=E69E946F80C1C31C53003BFBF50CBB7C -- C:\Windows\System32\drivers\nvraid.sys
[2006/11/02 05:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) MD5=E69E946F80C1C31C53003BFBF50CBB7C -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvraid.sys

< MD5 for: NVRD32.SYS >
[2008/01/15 07:16:22 | 000,131,616 | ---- | M] (NVIDIA Corporation) MD5=049E81B6FB41C73619ED3FE4DF7D8638 -- C:\Drivers\storage\R176246\nvrd32.sys
[2008/01/15 07:16:22 | 000,131,616 | ---- | M] (NVIDIA Corporation) MD5=049E81B6FB41C73619ED3FE4DF7D8638 -- C:\Windows\System32\drivers\nvrd32.sys
[2008/01/15 07:16:22 | 000,131,616 | ---- | M] (NVIDIA Corporation) MD5=049E81B6FB41C73619ED3FE4DF7D8638 -- C:\Windows\System32\DriverStore\FileRepository\nvrd32.inf_136c9f51\nvrd32.sys

< MD5 for: NVSTOR.SYS >
[2006/11/02 05:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\drivers\nvstor.sys
[2006/11/02 05:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/18 23:42:10 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/18 23:42:10 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: NVSTOR32.SYS >
[2008/01/15 07:16:22 | 000,110,624 | ---- | M] (NVIDIA Corporation) MD5=7EBA6C9A0A295B1559EFB9062E701218 -- C:\Drivers\storage\R176246\nvstor32.sys
[2010/04/21 21:05:47 | 000,110,624 | ---- | M] (NVIDIA Corporation) MD5=7EBA6C9A0A295B1559EFB9062E701218 -- C:\Windows\System32\drivers\nvstor32.sys
[2008/01/15 07:16:22 | 000,110,624 | ---- | M] (NVIDIA Corporation) MD5=7EBA6C9A0A295B1559EFB9062E701218 -- C:\Windows\System32\DriverStore\FileRepository\nvrd32.inf_136c9f51\nvstor32.sys

< MD5 for: SCECLI.DLL >
[2008/01/18 23:36:20 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2006/11/02 05:46:12 | 000,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll
[2009/04/11 02:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\System32\scecli.dll
[2009/04/11 02:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/01/18 23:34:10 | 000,347,136 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtmsft.dll
[2008/01/18 23:34:10 | 000,214,528 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtrans.dll
[2009/04/11 02:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2009/04/11 02:28:23 | 000,228,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll
[2009/04/11 02:28:25 | 000,443,392 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\win32spl.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/11/02 06:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006/11/02 06:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006/11/02 06:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 06:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 06:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %systemroot%\system32\drivers\*.sys /90 >
[2010/04/20 01:39:27 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgldx86.sys
[2010/04/20 01:39:26 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgmfx86.sys
[2010/02/16 14:24:01 | 000,060,936 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys
[2010/04/23 08:33:01 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgtdix.sys
[2010/03/01 10:05:24 | 000,124,784 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
[2010/04/26 19:23:24 | 000,015,944 | ---- | M] () -- C:\Windows\System32\drivers\hitmanpro35.sys
[2010/02/20 16:53:34 | 000,411,648 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\http.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/02/23 07:10:13 | 000,106,496 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb.sys
[2010/02/23 07:10:19 | 000,212,992 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb10.sys
[2010/02/23 07:10:13 | 000,079,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb20.sys
[2010/04/21 21:05:47 | 000,110,624 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\drivers\nvstor32.sys
[2010/02/05 09:17:56 | 000,233,136 | ---- | M] (PC Tools) -- C:\Windows\System32\drivers\pctgntdi.sys
[2010/02/05 09:25:38 | 000,070,408 | ---- | M] (PC Tools) -- C:\Windows\System32\drivers\pctplsg.sys
[2010/02/05 09:18:02 | 000,100,136 | ---- | M] (PC Tools) -- C:\Windows\System32\drivers\pctwfpfilter.sys
[2010/02/18 10:07:16 | 000,904,576 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\tcpip.sys
[2010/02/18 07:28:13 | 000,025,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\tunnel.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Users\Josh\Desktop\Europe, The final countdown.mp3:Roxio EMC Stream
@Alternate Data Stream - 158 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:8CEFE51A
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:A8ADE5D8
< End of report >

OTL Extras logfile created on: 4/27/2010 11:01:06 AM - Run 1
OTL by OldTimer - Version 3.2.3.0 Folder = C:\Users\Josh\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 42.00% Memory free
7.00 Gb Paging File | 5.00 Gb Available in Paging File | 74.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 455.71 Gb Total Space | 112.72 Gb Free Space | 24.73% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.74 Gb Free Space | 57.37% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 3.74 Gb Total Space | 1.64 Gb Free Space | 43.94% Space Free | Partition Type: FAT32

Computer Name: JOSH-PC
Current User Name: Josh
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]
.exe [@ = secfile] -- Reg Error: Key error. File not found

[HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]
.exe [@ = secfile] -- Reg Error: Key error. File not found

[HKEY_USERS\S-1-5-21-385192728-1322132304-2723306943-1000\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
jsfile [edit] -- "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1" (Macromedia, Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00BCCFA8-8B8C-4A30-A131-02991B3D3A8D}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\dawn of war soulstorm\soulstorm.exe |
"{05C141D8-1731-4066-9CFC-F40AC034D9E0}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{09299FCF-2CBA-4B99-840E-8CF80D258BB5}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{0C06A362-D10F-4A23-B7C3-7858FCC9FCC6}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{11714CAA-E328-491C-A38F-825E5AEE99C0}" = protocol=6 | dir=in | app=c:\program files\azureus\azureus.exe |
"{145384F1-4841-4859-8F3D-FFBC9D6EBD14}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\left 4 dead\left4dead.exe |
"{19632091-FAFD-4553-A82B-F8ADA9F775DC}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{1A4D353A-F08A-4D3C-9520-F279DD8F75B0}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{21E75F78-9498-4C9D-8811-8280838A1CB4}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{32A882EB-F643-4672-A78D-96411D132A32}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{34AA73C5-BB0E-4F00-BEEE-76549E969F29}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{3931EB45-1A4F-4450-95F5-FF93D348E0F2}" = protocol=17 | dir=in | app=c:\program files\curse\curseclient.exe |
"{3998D17F-F0A9-46C1-8D8D-51E913929C5E}" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-enus-downloader.exe |
"{39F8F6F5-BF34-4463-B5E6-FB48D0CDCF1D}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{445FBD47-538C-413F-8AC5-F6D44D5B6508}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"{4510DDC9-22B6-45ED-9E5E-129D86E64583}" = protocol=17 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{489FB05B-CB23-434B-BA46-2EED7A37A6AF}" = protocol=6 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{498B0A6C-53D5-47B3-B898-1EF5EDD65ACD}" = protocol=17 | dir=in | app=c:\program files\azureus\azureus.exe |
"{4F5BE8C3-1005-4F36-9B53-2114CE5D5D8E}" = protocol=17 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{5145E2EC-ACBF-4F8E-9756-421197A3E39B}" = protocol=6 | dir=in | app=c:\program files\rayv\rayv\rayv.exe |
"{54D5173D-87D1-4FD6-B5F7-84572F45C773}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{56BE2D67-91CF-4558-BCB1-FC68BB1B7768}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{6322ADC6-3395-4E62-956F-0132F8149737}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{66CAE46D-BAA1-4628-9CD8-756AAED33E55}" = protocol=6 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{6C5A57AE-0F34-4178-865D-82C5F3CC2F24}" = dir=in | app=c:\program files\skype\phone\skype .exe |
"{7048E2C4-730F-40EC-A1AD-37940AD272AC}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\left 4 dead\left4dead.exe |
"{7183D497-A8DE-46DA-8A57-6238D56DE2B3}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{74636E5E-0B07-4F91-AEF9-BFD69CC03A45}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-enus-downloader.exe |
"{7F1C9A78-5796-40C4-9257-BC3228BD9DB8}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{82A655D9-6AF9-4EF9-ABE0-ED17C2F30E37}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{91ED480F-1E1F-44A6-85F4-9181FADAD85D}" = protocol=17 | dir=in | app=c:\program files\skype\phone\skype.exe |
"{941A49F8-ECB4-464F-82FA-9910E17BF514}" = protocol=17 | dir=in | app=c:\program files\rayv\rayv\rayv.dll |
"{96D3CA6B-B42D-45BD-BB6F-FF6CCCBB87AB}" = protocol=17 | dir=in | app=c:\program files\rayv\rayv\rayv.exe |
"{98257808-BF09-4ECF-8532-672EABB8C85D}" = dir=in | app=c:\program files\avg\avg9\avgupd.exe |
"{9BA42550-D810-47F9-8812-FE1B7CBA1188}" = protocol=6 | dir=in | app=c:\program files\rayv\rayv\rayv.dll |
"{9E38BCE4-5FF0-4C5C-A1AC-105EA6412B13}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{B13FF222-62D7-4F7B-9043-2164AA375918}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\left 4 dead\left4dead.exe |
"{B5AE0F1D-C866-4317-9AB2-9C39903ABC5E}" = dir=in | app=c:\program files\pharossystems\core\ctskmstr.exe |
"{BA770A5F-BE60-45C7-843D-D5B5D6D798B2}" = protocol=6 | dir=in | app=c:\program files\curse\curseclient.exe |
"{BB24C00E-4F45-4966-918B-230219107F67}" = protocol=6 | dir=in | app=c:\program files\aim6\aim6.exe |
"{C9C8ECAB-4CB9-47AB-BD18-3941F6408F34}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{CED213CF-2E11-4976-B4D1-8D7FCA935F37}" = dir=in | app=c:\program files\avg\avg9\avgnsx.exe |
"{CF7F2794-8F70-4595-8515-EBCD08355347}" = protocol=6 | dir=in | app=c:\program files\mcafee\common framework\frameworkservice.exe |
"{D5CB6802-74BD-4A5C-83A4-90E535BAB576}" = protocol=17 | dir=in | app=c:\program files\mcafee\common framework\frameworkservice.exe |
"{D6FDBD77-036B-4F74-B8F2-8641F5A6956D}" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-enus-downloader.exe |
"{D90BAEAD-D24C-420B-836D-6194A7EC2EF3}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{DDF76F2E-DA8D-4593-B97F-B453384BE70D}" = protocol=17 | dir=in | app=c:\program files\aim6\aim6.exe |
"{E16FFA08-BF38-40C4-A940-59DF3844F9BC}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"{E4344F30-BC1D-43A6-B421-148CBA00C60C}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\dawn of war soulstorm\soulstorm.exe |
"{EF7ABEA1-7D07-4A41-BCBF-EBF0833148B9}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-enus-downloader.exe |
"{F3B69FC7-6B5B-4F77-AD1E-EE21BA2966DF}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{F5C1AB5E-1072-46B9-BE73-0E153A187051}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\left 4 dead\left4dead.exe |
"{FA88195D-3C5C-44D7-8BB3-B147113E84DF}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{FC9BBDA3-42D8-4CB1-A45B-3D82FD8AE37C}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"TCP Query User{1C590B4A-6C69-4F46-B042-D83F022C63EB}C:\program files\heroes of newerth\hon.exe" = protocol=6 | dir=in | app=c:\program files\heroes of newerth\hon.exe |
"TCP Query User{61F53253-8C43-4060-94A4-B179A496FC8A}C:\program files\java\jre1.6.0\bin\java.exe" = protocol=6 | dir=in | app=c:\program files\java\jre1.6.0\bin\java.exe |
"TCP Query User{A2E70DFB-4065-4C6B-ABED-ED6E87F814FF}C:\users\public\games\world of warcraft\launcher.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe |
"UDP Query User{1AD064A8-C832-4489-ABC0-F4C48BD5EB38}C:\program files\heroes of newerth\hon.exe" = protocol=17 | dir=in | app=c:\program files\heroes of newerth\hon.exe |
"UDP Query User{56A82987-B5FE-4500-B7F7-09FE1EB0C890}C:\users\public\games\world of warcraft\launcher.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe |
"UDP Query User{73C06213-FA32-4F9B-9D3A-92CADD985F6B}C:\program files\java\jre1.6.0\bin\java.exe" = protocol=17 | dir=in | app=c:\program files\java\jre1.6.0\bin\java.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00C5F4F4-62F9-40D7-8000-AD8A9CD0C669}" = Microsoft Games for Windows - LIVE Redistributable
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0837A661-FEC3-48B3-876C-91E7D32048A9}" = Macromedia Dreamweaver 8
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}" = OpenOffice.org Installer 1.0
"{0F756CD9-4A1E-409B-B101-601DDC4C03AA}" = QualxServ Service Agreement
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{147BCE03-C0F1-4C9F-8157-6A89B6D2D973}" = McAfee VirusScan Enterprise
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{1C4551A6-4743-4093-91E4-1477CD655043}" = NVIDIA PhysX
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205A5182-EFC8-4C25-B61D-C164F8FF4048}" = BlackBerry Desktop Software 5.0.1
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java™ 6 Update 15
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150120}" = J2SE Runtime Environment 5.0 Update 12
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java™ SE Runtime Environment 6
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{362D5167-9716-44BE-89FD-BF9EB6EF814B}" = DawnOfWar
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{3D08333C-C366-425D-8C2D-D05630D68A46}" = SlingPlayer
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}" = Macromedia Fireworks 8
"{4C78E7B2-AE8C-492E-8A97-BA6A641C616B}" = Enterprise Architect 7.1 - 30 Day Trial
"{4D3C9F4B-4B7D-4E5D-99B9-0123AB0D51ED}" = Dell DataSafe Online
"{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}" = Macromedia Extension Manager
"{5887D64D-2663-43FB-B4BD-7464C56AB425}" = NVIDIA System Monitor
"{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}" = User's Guides
"{5F8E2CBB-949D-4175-AC98-5ADE7F6C9697}" = NCsoft Launcher
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}" = NVIDIA Performance
"{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}" = Dell Getting Started Guide
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{89CEAE14-DD0F-448E-9554-15781EC9DB24}" = Product Documentation Launcher
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}" = Macromedia Flash 8 Video Encoder
"{8DFB3904-FBDB-4C2B-AC98-20EFDD37C83D}" = GameTime+
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9EBDAF91-DADA-47CE-94F2-F5B004007934}" = System Requirements Lab
"{A1C962E2-2426-49C6-A38B-9A07E40D607C}" = Microsoft Games for Windows - LIVE
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A59BB15D-51B7-F12B-4548-8C0368243441}" = EA Download Manager UI
"{A638557B-1F13-40A0-9627-C892FBCA6960}" = McAfee Agent
"{A820D9E4-BCA5-4749-75A7-002AC27E7A5E}" = Pandora
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.5
"{AC76BA86-7AD7-1033-7B44-A81300000003}_814" = KB408682
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B823632F-3B72-4514-8861-B961CE263224}" = PostgreSQL 8.3
"{B98BE95C-E76F-4246-B8E6-BEB8EE791D06}" = Roxio Media Manager
"{C0EED196-57F3-46B7-AC3B-B2DD45B01A43}" = MySQL Connector/ODBC 3.51
"{C6AA3FB7-804F-4808-AD91-B62D6ED9B788}" = Windows Vista Upgrade Advisor
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D7769185-9A7C-48D4-8874-5388743A1DE2}" = Music, Photos & Videos Launcher
"{DD8408E9-9421-484F-979D-DB6361E3E828}" = Dawn Of War - Winter Assault
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F439D7AF-03F3-4F8E-AEC4-571BFE977C61}" = iTunes
"{F574616C-4C15-49CE-9C98-E998CD80264A}" = BlackBerry Device Software Updater
"{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility
"{FF39FC01-819B-42E4-AE49-1968AF12DDD4}" = Dawn of War - Dark Crusade
"8461-7759-5462-8226" = Vuze
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AIM_6" = AIM 6
"AVG9Uninstall" = AVG Free 9.0
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Azureus" = Azureus
"BlackBerry_{205A5182-EFC8-4C25-B61D-C164F8FF4048}" = BlackBerry Desktop Software 5.0.1
"Browser Defender_is1" = Browser Defender 2.0.6.15
"Champions Online" = Champions Online
"com.ea.Vault.919CACB699904AC5D41B606703500DD39747C02D.1" = EA Download Manager UI
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"EA Download Manager" = EA Download Manager
"Free FLV Converter_is1" = Free FLV Converter V 5.9.2
"Google Desktop" = Google Desktop
"HijackThis" = HijackThis 2.0.2
"HitmanPro35" = Hitman Pro 3.5
"hon" = Heroes of Newerth
"InstallShield_{362D5167-9716-44BE-89FD-BF9EB6EF814B}" = DawnOfWar
"InstallShield_{3D08333C-C366-425D-8C2D-D05630D68A46}" = SlingPlayer
"InstallShield_{5887D64D-2663-43FB-B4BD-7464C56AB425}" = NVIDIA System Monitor
"InstallShield_{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}" = NVIDIA Performance
"KLiteCodecPack_is1" = K-Lite Codec Pack 5.0.0 (Full)
"LimeWire" = LimeWire 5.1.2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Anti-Spyware Enterprise Module" = McAfee AntiSpyware Enterprise Module
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mids' Hero/Villain Designer" = Mids' Hero/Villain Designer
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"NVIDIA Drivers" = NVIDIA Drivers
"OpenVPN" = OpenVPN 2.1_rc7
"Pharos" = Pharos
"PokerStars" = PokerStars
"PokerTracker3" = PokerTracker 3 (remove only)
"RealAlt_is1" = Real Alternative 1.9.0
"RealPlayer 6.0" = RealPlayer
"RM Converter_is1" = RM Converter 4.28
"Simple Sudoku_is1" = Simple Sudoku 4.2
"SopCast" = SopCast 3.2.4
"Spyware Doctor" = Spyware Doctor 7.0
"Steam App 500" = Left 4 Dead
"Steam App 9450" = Dawn of War: Soulstorm
"The Rosetta Stone" = The Rosetta Stone
"VirtualCloneDrive" = VirtualCloneDrive
"VLC media player" = VLC media player 1.0.0
"VSFilter_is1" = VSFilter 2.36
"Warcraft III" = Warcraft III
"WinRAR archiver" = WinRAR archiver
"winscp3_is1" = WinSCP 4.1.9
"World of Warcraft" = World of Warcraft

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-385192728-1322132304-2723306943-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player
"uTorrent" = µTorrent
"Warcraft III" = Warcraft III: All Products

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/22/2010 11:13:57 AM | Computer Name = Josh-PC | Source = SPP | ID = 16387
Description =

Error - 4/22/2010 11:13:57 AM | Computer Name = Josh-PC | Source = System Restore | ID = 8193
Description =

Error - 4/22/2010 11:13:57 AM | Computer Name = Josh-PC | Source = System Restore | ID = 8210
Description =

Error - 4/22/2010 2:32:24 PM | Computer Name = Josh-PC | Source = McLogEvent | ID = 259
Description = The file C:\$Recycle.Bin\S-1-5-21-385192728-1322132304-2723306943-1000\$R8YM601.exe
contains the EICAR test file Test. No cleaner available, OAS denied access and
continued. Detected using Scan engine version 5400.1158 DAT version 5959.0000.

Error - 4/23/2010 8:31:44 AM | Computer Name = Josh-PC | Source = VSS | ID = 8194
Description =

Error - 4/23/2010 8:32:19 AM | Computer Name = Josh-PC | Source = SPP | ID = 16387
Description =

Error - 4/23/2010 8:32:19 AM | Computer Name = Josh-PC | Source = System Restore | ID = 8193
Description =

Error - 4/23/2010 8:33:07 AM | Computer Name = Josh-PC | Source = VSS | ID = 8194
Description =

Error - 4/23/2010 8:33:11 AM | Computer Name = Josh-PC | Source = SPP | ID = 16387
Description =

Error - 4/23/2010 8:33:11 AM | Computer Name = Josh-PC | Source = System Restore | ID = 8193
Description =

[ System Events ]
Error - 4/26/2010 11:30:07 AM | Computer Name = Josh-PC | Source = Service Control Manager | ID = 7034
Description =

Error - 4/26/2010 5:29:53 PM | Computer Name = Josh-PC | Source = Service Control Manager | ID = 7034
Description =

Error - 4/26/2010 5:32:51 PM | Computer Name = Josh-PC | Source = Service Control Manager | ID = 7034
Description =

Error - 4/26/2010 5:45:18 PM | Computer Name = Josh-PC | Source = Service Control Manager | ID = 7034
Description =

Error - 4/26/2010 6:33:32 PM | Computer Name = Josh-PC | Source = Service Control Manager | ID = 7034
Description =

Error - 4/26/2010 7:23:39 PM | Computer Name = Josh-PC | Source = Service Control Manager | ID = 7032
Description =

Error - 4/26/2010 7:23:39 PM | Computer Name = Josh-PC | Source = Service Control Manager | ID = 7032
Description =

Error - 4/27/2010 8:31:18 AM | Computer Name = Josh-PC | Source = Dhcp | ID = 1002
Description = The IP address lease 10.69.6.26 for the Network Card with network
address 00FF899A30D9 has been denied by the DHCP server 10.69.6.25 (The DHCP Server
sent a DHCPNACK message).

Error - 4/27/2010 8:31:48 AM | Computer Name = Josh-PC | Source = Client Side Rendering Spooler | ID = 3
Description = The print spooler failed to reopen an existing printer connection
because it could not read the configuration information from the registry key S-1-5-21-385192728-1322132304-2723306943-1000\Printers\Connections\S-1-5-21-385192728-1322132304-2723306943-1000\Printers\Connections.
This can occur if the key name or values are malformed or missing.

Error - 4/27/2010 8:32:06 AM | Computer Name = Josh-PC | Source = Client Side Rendering Spooler | ID = 3
Description = The print spooler failed to reopen an existing printer connection
because it could not read the configuration information from the registry key S-1-5-21-385192728-1322132304-2723306943-1000\Printers\Connections\S-1-5-21-385192728-1322132304-2723306943-1000\Printers\Connections.
This can occur if the key name or values are malformed or missing.


< End of report >


#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:44 AM

Posted 28 April 2010 - 06:42 AM

Hi,

Yes, I would be interested in seeing the log from Malwarebytes. Please also try to run a scan with GMER:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#5 Puli

Puli
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:44 AM

Posted 28 April 2010 - 04:01 PM

Sorry it took so long to respond. Been at work all day. Here is the MalwareBytes log from Monday the 26th. I'll get right on running GMER if I can get that to work (had trouble with it before).


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4040

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

4/26/2010 4:58:47 PM
mbam-log-2010-04-26 (16-58-47).txt

Scan type: Quick scan
Objects scanned: 118238
Time elapsed: 9 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Windows\system32\config\systemprofile\AppData\Local\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Windows\system32\config\systemprofile\AppData\Local\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Windows\system32\config\systemprofile\AppData\Local\av.exe" /START "iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\config\systemprofile\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.
C:\Users\Josh\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.
C:\Users\Josh\AppData\Local\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
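
The three Hijack.StartMenuInternet entries in the log above all follow one pattern: the shell\open\command value Windows uses to start the default browser was pointed at a third binary, av.exe in a systemprofile AppData folder, which then launched the real browser through a /START switch. The script below, added here as an example and not part of the thread or of Malwarebytes, encodes that check so it can be re-run against any exported StartMenuInternet values. The commands it tests are the "Bad:" and "Good:" strings quoted in the log, embedded so the script runs offline; the expected-executable mapping and the list of suspicious parent directories are assumptions of the example.

```python
"""Detect StartMenuInternet browser-launch hijacks.

Added example; not from the thread and not Malwarebytes code. The three
Hijack.StartMenuInternet entries in the log share one pattern: the
shell\\open\\command value Windows uses to start the default browser was
pointed at a third binary (av.exe) that then started the real browser via
a /START switch. This script encodes that check. SAMPLE_VALUES holds the
"Bad:" and "Good:" command strings quoted in the log so it runs offline;
the expected-exe mapping and SUSPICIOUS_DIRS are assumptions.
"""
import ntpath
import re

# Executable each StartMenuInternet client key should launch (assumed;
# in practice the key is named after the browser's own exe).
EXPECTED_EXE = {"FIREFOX.EXE": "firefox.exe", "IEXPLORE.EXE": "iexplore.exe"}

# Directories no browser is installed in but rogue AV droppers favour.
SUSPICIOUS_DIRS = ("\\appdata\\local\\", "\\config\\systemprofile\\",
                   "\\temp\\", "\\$recycle.bin\\")

# (key, command) pairs as quoted in the Malwarebytes log: the three hijacked
# "Bad:" values, then the "Good:" value Malwarebytes restored for comparison.
SAMPLE_VALUES = [
    (r"HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command",
     r'"C:\Windows\system32\config\systemprofile\AppData\Local\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"'),
    (r"HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command",
     r'"C:\Windows\system32\config\systemprofile\AppData\Local\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'),
    (r"HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command",
     r'"C:\Windows\system32\config\systemprofile\AppData\Local\av.exe" /START "iexplore.exe"'),
    (r"HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command",
     "firefox.exe"),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_windows_command(command):
    """Tokenise a command line, removing the double quotes that wrap paths
    containing spaces (the only quoting these registry values use)."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(command)]


def client_from_key(key):
    """Return the client name (e.g. FIREFOX.EXE) from a StartMenuInternet key path."""
    parts = key.split("\\")
    return parts[parts.index("StartMenuInternet") + 1]


def classify_browser_command(client, command):
    """Report whether a shell\\...\\command value starts the browser itself
    ("clean") or a wrapper that starts the browser on its behalf ("hijacked")."""
    tokens = split_windows_command(command)
    expected = EXPECTED_EXE.get(client.upper(), client.lower())
    if not tokens:
        return {"status": "empty", "launcher": None, "real_browser": None,
                "suspicious_location": False}
    launcher = tokens[0]
    in_bad_dir = any(d in launcher.lower() for d in SUSPICIOUS_DIRS)
    if ntpath.basename(launcher).lower() == expected:
        return {"status": "clean", "launcher": launcher, "real_browser": None,
                "suspicious_location": in_bad_dir}
    # Hijack: a foreign binary runs first and the genuine browser only appears
    # later as an argument (here after the /START switch).
    real = next((t for t in tokens[1:] if ntpath.basename(t).lower() == expected), None)
    return {"status": "hijacked", "launcher": launcher, "real_browser": real,
            "suspicious_location": in_bad_dir}


def audit(values):
    """Classify every (key, command) pair, preserving input order."""
    return [dict(key=key, **classify_browser_command(client_from_key(key), cmd))
            for key, cmd in values]


if __name__ == "__main__":
    for f in audit(SAMPLE_VALUES):
        note = " [launcher in suspicious directory]" if f["suspicious_location"] else ""
        print(f"{f['status']:8} {f['key']}\n         launcher: {f['launcher']}{note}")
```

A clean value launches the browser's own executable in first position; anything else there is a wrapper. The script additionally flags wrappers that live in per-user or system-profile AppData, Temp or the Recycle Bin, locations where no browser is ever installed, which is exactly where the av.exe copies in this log sat.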


#6 Puli

Puli
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:44 AM

Posted 28 April 2010 - 04:20 PM

Quick update on GMER (Posting from a different comp):
Ran it normally like the directions said and got a BSOD. Here is the technical info on the BSOD:
STOP: 0x0000008E (0xC0000005, 0x81E7B650, 0x8BB6B530, 0x00000000)
storport.sys - Address 81E7B650 base at 81E47000, Datestamp 49e01ef7


In safe mode it just stopped working during the scan, but there was no BSOD, just a normal "***.exe has stopped working".

#7 Puli

Puli
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:44 AM

Posted 28 April 2010 - 08:37 PM

Phew, finally GMER ran in safe mode without problems. Here is the log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-28 21:35:47
Windows 6.0.6002 Service Pack 2
Running: cznve4qk.exe; Driver: C:\Users\Josh\AppData\Local\Temp\pxldypow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x81E98CDC]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x81E98ECE]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x81E98982]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x81E990D6]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 209 820FB96C 8 Bytes JMP 6B9E87F2
.text ntkrnlpa.exe!KeSetEvent + 621 820FBD84 4 Bytes [82, 89, E9, 81]
.text ntkrnlpa.exe!KeSetEvent + 6E5 820FBE48 4 Bytes [D6, 90, E9, 81]
.rsrc C:\Windows\system32\drivers\ndis.sys entry point in ".rsrc" section [0x82713014]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[952] ntdll.dll!NtProtectVirtualMemory 777B4D34 5 Bytes JMP 0020000A
.text C:\Windows\system32\svchost.exe[952] ntdll.dll!NtWriteVirtualMemory 777B5674 5 Bytes JMP 0021000A
.text C:\Windows\system32\svchost.exe[952] ntdll.dll!KiUserExceptionDispatcher 777B5DC8 5 Bytes JMP 001F000A
.text C:\Windows\system32\svchost.exe[952] ole32.dll!CoCreateInstance 76019EA6 5 Bytes JMP 0118000A
.text C:\Windows\system32\svchost.exe[952] USER32.dll!GetCursorPos 765D0B88 5 Bytes JMP 0119000A
.text C:\Windows\Explorer.EXE[1192] ntdll.dll!NtProtectVirtualMemory 777B4D34 5 Bytes JMP 0024000A
.text C:\Windows\Explorer.EXE[1192] ntdll.dll!NtWriteVirtualMemory 777B5674 5 Bytes JMP 0025000A
.text C:\Windows\Explorer.EXE[1192] ntdll.dll!KiUserExceptionDispatcher 777B5DC8 5 Bytes JMP 0022000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [744F7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7454A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [744FBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [744EF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [744F75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [744EE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74528395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [744FDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [744EFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [744EFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [744E71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7457CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7451C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [744ED968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [744E6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [744E687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [744F2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\nvstor32 \Device\Harddisk0\DR0 86156AC8

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\ndis.sys suspicious modification
File C:\Windows\system32\drivers\nvstor32.sys suspicious modification

---- EOF - GMER 1.0.15 ----
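
Reading a GMER log comes down to separating what GMER could attribute to a file on disk from what it could not. The script below, added here as an example and not part of the thread or of GMER, parses the line formats in the log above and ranks each entry: SSDT hooks credited to PCTCore.sys (the PC Tools driver; Spyware Doctor from PC Tools appears in the uninstall list earlier) are informational; kernel byte patches are decoded as little-endian pointers and correlated with those SSDT addresses; a kernel JMP to an address below the kernel range, a driver whose entry point sits in its resource section, a redirected disk device object, and files GMER reports as modified are ranked high or critical. The sample input is copied from the posted log; the severity labels and the 0x80000000 kernel/user boundary (32-bit Windows without the /3GB switch) are assumptions of the example.

```python
"""Triage a GMER rootkit-scan log.

Added example, not from the thread and not part of GMER. It parses the line
formats seen in the log above and ranks each entry, so hooks GMER attributes
to an installed security driver (PCTCore.sys) stand apart from the
unattributed kernel patches and modified driver images behind the rootkit
verdict. SAMPLE_GMER_LOG is copied from the posted log; the severity labels
and the 0x80000000 kernel/user boundary (32-bit Windows, no /3GB) are
assumptions of this example.
"""
import re

SAMPLE_GMER_LOG = r"""
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x81E98CDC]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x81E98982]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x81E990D6]
.text ntkrnlpa.exe!KeSetEvent + 209 820FB96C 8 Bytes JMP 6B9E87F2
.text ntkrnlpa.exe!KeSetEvent + 621 820FBD84 4 Bytes [82, 89, E9, 81]
.text ntkrnlpa.exe!KeSetEvent + 6E5 820FBE48 4 Bytes [D6, 90, E9, 81]
.rsrc C:\Windows\system32\drivers\ndis.sys entry point in ".rsrc" section [0x82713014]
.text C:\Windows\system32\svchost.exe[952] ntdll.dll!NtProtectVirtualMemory 777B4D34 5 Bytes JMP 0020000A
.text C:\Windows\Explorer.EXE[1192] ntdll.dll!NtWriteVirtualMemory 777B5674 5 Bytes JMP 0025000A
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device -> \Driver\nvstor32 \Device\Harddisk0\DR0 86156AC8
File C:\Windows\system32\drivers\ndis.sys suspicious modification
File C:\Windows\system32\drivers\nvstor32.sys suspicious modification
"""

KERNEL_BASE = 0x80000000  # lowest kernel address, 32-bit Windows without /3GB (assumed)
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "info": 3}
RE_SSDT = re.compile(r"^SSDT\s+(?P<module>\S+)\s+\((?P<vendor>[^)]*)\)\s+(?P<func>\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]")
RE_USER_HOOK = re.compile(r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<module>\S+)!(?P<func>\w+)\s+[0-9A-Fa-f]+\s+\d+\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)")
RE_KERNEL_HOOK = re.compile(r"^\.text\s+(?P<module>[\w.]+)!(?P<func>\w+)\s+\+\s+(?P<off>[0-9A-Fa-f]+)\s+[0-9A-Fa-f]+\s+\d+\s+Bytes\s+(?P<patch>.+)$")
RE_RSRC = re.compile(r'^\.rsrc\s+(?P<path>\S+)\s+entry point in "\.rsrc" section')
RE_DEVICE = re.compile(r"^Device\s+->\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<addr>[0-9A-Fa-f]+)")
RE_FILE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification")


def decode_patch_pointer(patch):
    """Decode a GMER byte dump such as '[82, 89, E9, 81]' as a little-endian
    32-bit pointer; None when the patch text is not a plain byte list."""
    m = re.fullmatch(r"\[([0-9A-Fa-f]{2}(?:\s*,\s*[0-9A-Fa-f]{2})*)\]", patch.strip())
    if not m:
        return None
    return int.from_bytes(bytes(int(b, 16) for b in m.group(1).split(",")), "little")


def _kernel_hook_finding(m, ssdt_owner):
    """Rank one '.text module!func + off' line; byte patches are correlated
    with the SSDT hook addresses GMER attributed to a driver."""
    where = f"{m['module']}!{m['func']}+{m['off']}"
    jmp = re.fullmatch(r"JMP\s+([0-9A-Fa-f]+)", m["patch"].strip())
    if jmp:
        target = int(jmp.group(1), 16)
        if target < KERNEL_BASE:
            return "critical", "kernel-jmp-outside-kernel", f"{where} jumps to {target:08X}, below the kernel address range"
        return "high", "kernel-inline-hook", f"{where} jumps to {target:08X}, no owning module reported"
    ptr = decode_patch_pointer(m["patch"])
    owner = ssdt_owner.get(ptr)
    if owner:
        return "medium", "kernel-inline-patch", f"{where} patched with pointer {ptr:08X}, the {owner} SSDT hook address"
    return "high", "kernel-inline-patch", f"{where} patched with {m['patch']}, no matching SSDT hook"


def triage(log_text):
    """Parse GMER log lines into severity-ranked finding dicts."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    # SSDT hooks GMER could attribute to a driver: hook address -> driver file name.
    ssdt_owner = {int(m["addr"], 16): m["module"].rsplit("\\", 1)[-1]
                  for m in map(RE_SSDT.match, lines) if m}
    findings = []
    for ln in lines:
        if m := RE_SSDT.match(ln):
            sev, kind, detail = "info", "ssdt-hook", f"{m['func']} hooked by {ssdt_owner[int(m['addr'], 16)]} ({m['vendor']})"
        elif m := RE_USER_HOOK.match(ln):
            sev, kind, detail = "medium", "user-inline-hook", f"{m['proc']} {m['module']}!{m['func']} -> {m['target']} (anonymous memory; check against installed security software)"
        elif m := RE_KERNEL_HOOK.match(ln):
            sev, kind, detail = _kernel_hook_finding(m, ssdt_owner)
        elif m := RE_RSRC.match(ln):
            sev, kind, detail = "critical", "entry-point-in-rsrc", f"{m['path']} entry point lies in its resource section: a patched driver image"
        elif m := RE_DEVICE.match(ln):
            sev, kind, detail = "high", "disk-device-redirect", f"{m['device']} served by {m['driver']} at {m['addr']}, not attributed to a file"
        elif m := RE_FILE.match(ln):
            sev, kind, detail = "high", "file-modified", f"{m['path']} reported as modified"
        elif ln.startswith("AttachedDevice") and "/Microsoft Corporation)" in ln:
            sev, kind, detail = "info", "attributed-filter", ln
        else:
            sev, kind, detail = "info", "unparsed", ln
        findings.append({"severity": sev, "kind": kind, "detail": detail, "line": ln})
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


def summary(findings):
    """Count findings per severity."""
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_GMER_LOG)
    for f in results:
        print(f"[{f['severity']:8}] {f['kind']}: {f['detail']}")
    print(summary(results))
```

Run on the sample, two of the three KeSetEvent patches decode to the same addresses as the PCTCore.sys ZwTerminateProcess and ZwCreateUserProcess hooks and can be set aside as the security product's own work. The KeSetEvent jump to 6B9E87F2, the ndis.sys entry point in ".rsrc", the nvstor32 device redirect and the two modified driver images resolve to nothing GMER could attribute, and those are the entries that deserve an analyst's attention.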


#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:44 AM

Posted 29 April 2010 - 06:15 AM

Hi,

You have been infected by a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti



#9 Puli

Puli
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:44 AM

Posted 29 April 2010 - 10:34 AM

ComboFix did not install the Microsoft Windows Recovery Console. I guess that means it is already installed but I have never dealt with it before. Figured I'd mention it now in case I forgot later and it became important.

ComboFix 10-04-28.08 - Josh 04/29/2010 11:15:21.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3325.1908 [GMT -4:00]
Running from: c:\users\Josh\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-385192728-1322132304-2723306943-500
c:\program files\Internet Explorer\wmpscfgs .exe
c:\users\Josh\AppData\Local\Windows Server
c:\users\Josh\AppData\Local\Windows Server\flags.ini
c:\users\Josh\AppData\Local\Windows Server\uses32.dat
c:\windows\system32\nvraidservice .exe

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-29 )))))))))))))))))))))))))))))))
.

2010-04-29 15:27 . 2010-04-29 15:27 -------- d-----w- c:\users\postgres\AppData\Local\temp
2010-04-29 15:07 . 2010-04-29 15:08 -------- d-----w- C:\32788R22FWJFW
2010-04-23 12:33 . 2010-04-23 12:33 242696 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-04-23 12:32 . 2010-04-23 12:32 1689952 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-04-22 01:14 . 2010-04-22 01:14 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-04-21 20:08 . 2010-04-21 20:08 -------- d-----w- c:\program files\Trend Micro
2010-04-21 19:19 . 2010-04-21 19:19 -------- d-----w- c:\users\Josh\AppData\Local\Threat Expert
2010-04-21 18:54 . 2010-04-21 18:54 -------- d-----w- c:\users\Josh\AppData\Roaming\PC Tools
2010-04-21 18:54 . 2010-04-21 18:54 -------- d-----w- c:\programdata\PC Tools
2010-04-21 01:57 . 2010-04-29 12:37 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-21 01:57 . 2010-04-21 02:06 -------- d-----w- c:\programdata\Hitman Pro
2010-04-21 01:57 . 2010-04-21 01:57 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-21 01:55 . 2010-04-21 01:55 -------- d-----w- C:\escw_9_sa
2010-04-20 14:53 . 2010-04-20 14:53 -------- d-----w- c:\users\Josh\AppData\Roaming\Avira
2010-04-20 14:50 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-20 14:50 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-20 14:50 . 2009-05-11 16:49 17016 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-20 14:50 . 2009-05-11 16:49 51992 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-20 14:50 . 2010-04-20 14:50 -------- d-----w- c:\programdata\Avira
2010-04-20 14:50 . 2010-04-20 14:50 -------- d-----w- c:\program files\Avira
2010-04-20 12:22 . 2010-04-20 12:22 -------- d-----w- c:\program files\Windows Portable Devices
2010-04-20 06:10 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-04-20 06:10 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-04-20 06:10 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-04-20 06:06 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-04-20 06:06 . 2009-10-01 01:02 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2010-04-20 06:06 . 2009-10-01 01:01 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2010-04-20 06:06 . 2009-10-01 01:01 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2010-04-20 06:06 . 2009-10-01 01:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2010-04-20 06:06 . 2009-10-01 01:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2010-04-20 06:06 . 2009-10-01 01:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2010-04-20 06:06 . 2009-10-01 01:01 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2010-04-20 06:06 . 2009-10-01 01:01 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2010-04-20 06:06 . 2009-10-01 01:01 350208 ----a-w- c:\windows\system32\WPDSp.dll
2010-04-20 06:06 . 2009-10-01 01:01 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2010-04-20 06:06 . 2009-10-01 01:01 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2010-04-20 05:59 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-04-20 05:59 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-04-20 05:59 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-04-20 05:53 . 2010-04-20 05:59 -------- d-----w- C:\4f5853fd0eb636ebcede6ac841ae4ce3
2010-04-20 05:50 . 2010-04-20 05:50 1035032 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2010-04-20 05:40 . 2010-04-20 05:40 -------- d-----w- C:\$AVG
2010-04-20 05:39 . 2010-04-20 05:39 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-20 05:39 . 2010-04-23 12:33 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-20 05:39 . 2010-04-20 05:39 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-20 05:39 . 2010-04-29 12:32 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-20 05:39 . 2010-04-20 05:39 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-20 05:36 . 2010-04-20 05:36 -------- d-----w- c:\program files\AVG
2010-04-20 05:36 . 2010-04-20 05:36 -------- d-----w- c:\programdata\avg9
2010-04-20 02:39 . 2010-04-20 02:39 -------- d-----w- c:\users\Josh\AppData\Roaming\Malwarebytes
2010-04-20 02:39 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-20 02:39 . 2010-04-26 20:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-20 02:39 . 2010-04-20 02:39 -------- d-----w- c:\programdata\Malwarebytes
2010-04-20 02:39 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 01:19 . 2010-04-20 01:19 -------- d-----w- c:\users\Josh\AppData\Roaming\272A812BF5470781EBC80F7C53B39D57
2010-04-20 01:19 . 2010-04-26 20:42 -------- d-----w- C:\QUARANTINE
2010-04-17 18:52 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-04-17 18:52 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-04-17 18:52 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-04-17 03:42 . 2010-04-17 03:44 -------- d-----w- c:\windows\system32\ca-ES
2010-04-17 03:42 . 2010-04-17 03:44 -------- d-----w- c:\windows\system32\eu-ES
2010-04-17 03:42 . 2010-04-17 03:44 -------- d-----w- c:\windows\system32\vi-VN
2010-04-14 13:04 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 13:04 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 13:04 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 13:04 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 13:04 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 13:04 . 2010-03-04 17:33 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 13:04 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 13:04 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 13:04 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 13:00 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 12:59 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-11 21:34 . 2010-04-11 21:34 6123008 ----a-w- c:\users\Josh\AppData\Roaming\Azureus\plugins\azemp\vuzeplayer.exe
2010-03-31 12:48 . 2010-03-09 15:42 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-31 12:48 . 2010-03-09 16:25 78336 ----a-w- c:\windows\system32\ieencode.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-29 15:02 . 2008-04-21 04:57 -------- d-----w- c:\users\Josh\AppData\Roaming\Skype
2010-04-22 01:05 . 2008-04-15 07:55 110624 ----a-w- c:\windows\system32\drivers\nvstor32.sys
2010-04-21 22:34 . 2009-10-08 23:33 -------- d-----w- c:\program files\Heroes of Newerth
2010-04-21 22:05 . 2010-04-21 18:54 -------- d-----w- c:\program files\Spyware Doctor
2010-04-21 18:55 . 2010-04-21 18:54 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-20 14:33 . 2008-05-23 23:15 -------- d-----w- c:\programdata\media center programs
2010-04-20 12:25 . 2009-03-19 17:34 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-20 12:22 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-20 12:21 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-04-20 12:21 . 2010-04-20 12:21 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-04-20 06:33 . 2008-07-13 23:53 -------- d-----w- c:\program files\QuickTime
2010-04-20 02:13 . 2010-02-06 06:00 -------- d-----w- c:\program files\iTunes
2010-04-20 02:13 . 2008-04-21 04:59 -------- d-----w- c:\program files\AIM6
2010-04-20 02:13 . 2008-11-13 22:13 -------- d-----w- c:\program files\Steam
2010-04-20 02:12 . 2008-12-20 21:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-17 03:58 . 2008-06-09 19:55 -------- d-----w- c:\programdata\NVIDIA
2010-04-17 03:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-04-17 03:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-04-17 03:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-04-17 03:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-04-17 03:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-04-17 03:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-04-14 22:27 . 2008-04-29 03:32 -------- d-----w- c:\users\Josh\AppData\Roaming\Azureus
2010-04-11 21:31 . 2008-04-29 03:32 -------- d-----w- c:\program files\Azureus
2010-04-09 20:39 . 2009-07-17 19:25 -------- d-----w- c:\users\Josh\AppData\Roaming\vlc
2010-03-29 21:48 . 2008-04-21 02:07 69576 ----a-w- c:\users\Josh\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 14:16 . 2009-10-03 06:13 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 23:06 . 2010-03-29 21:11 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-29 21:11 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-29 21:11 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-06 05:54 . 2010-02-06 05:54 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-05 13:25 . 2010-04-21 18:54 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-05 13:18 . 2010-04-21 18:55 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-02-05 13:17 . 2010-04-21 18:55 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-13 05:25 . 2008-08-03 21:12 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-09-01 00:07 . 2009-09-01 05:49 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-05-02 20:12 . 2008-05-02 20:12 0 --sh--w- c:\windows\S60E82BF1.tmp
2008-04-15 07:55 . 2008-04-15 07:46 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
CODE
<pre>
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\AIM6\aim6 .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\applesyncnotifier .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm   .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Common Files\Research In Motion\Auto Update\rimautoupdate .exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\roxwatchtray9 .exe
c:\program files\Dell Support Center\bin\sprtcmd .exe
c:\program files\Dell Support Center\gs_agent\custom\dsca .exe
c:\program files\Elaborate Bytes\VirtualCloneDrive\vcddaemon .exe
c:\program files\Google\Google Desktop Search\googledesktop .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\McAfee\Common Framework\udaterui .exe
c:\program files\McAfee\VirusScan Enterprise\shstat .exe
c:\program files\NVIDIA Corporation\nTune\ntunecmd .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\Skype\Phone\skype .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
c:\program files\Steam\steam .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PlayNC Launcher"="" [N/A]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-14 92704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-14 13687328]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [N/A]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-09-01 124240]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
c:\progra~1\ALWILS~1\Avast4\ashDisp.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DKPProfilerUploader]
c:\program files\DKP Profiler Uploader\DKPProfilerUploader.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
c:\program files\McAfee.com\Agent\mcagent.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcexecwin]
c:\users\Josh\AppData\Local\Temp\lle8tzji.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RayV]
c:\program files\RayV\RayV\RayV.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):6d,06,d6,79,e1,dd,ca,01

R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-09-01 65448]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-03-16 2780212]
R3 SBAPIFS;SBAPIFS;c:\windows\system32\drivers\sbapifs.sys [x]
R3 scsichk;scsichk;c:\windows\system32\scsichk.sys [x]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-12-09 365280]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [x]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-09-23 207280]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-04-20 216200]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-04-23 242896]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-04-20 308064]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-01-21 112592]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [2009-09-01 21256]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-09-01 70728]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [2009-04-27 93960]


--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\oidppttm.default\
FF - prefs.js: browser.startup.homepage -
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\users\Josh\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\Josh\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\oidppttm.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
AddRemove-Steam App 500 - c:\program files\Steam\steam.exe
AddRemove-Steam App 9450 - c:\program files\Steam\steam.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21E58.tmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-385192728-1322132304-2723306943-1000\Software\SecuROM\License information*]
"datasecu"=hex:0f,53,61,8b,80,33,cd,0c,6e,67,77,e5,35,a5,f7,0b,d3,6e,0d,3e,c6,
38,5e,b1,a5,28,14,f4,cc,28,43,3f,af,1b,62,aa,54,08,22,b5,30,e0,f2,ed,46,af,\
"rkeysecu"=hex:f0,39,c1,30,3f,ab,92,8a,05,1b,38,f6,f1,0f,75,36

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-29 11:30:18
ComboFix-quarantined-files.txt 2010-04-29 15:30

Pre-Run: 127,059,595,264 bytes free
Post-Run: 127,251,156,992 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=3 Sets=1,2,3,4
- - End Of File - - 75AA1DC43669A85EDE19645B8D3396D2


#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home

Posted 30 April 2010 - 07:41 AM

Open notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/311677/google-search-results-hijack-possible-vista-defender-pro-virus-side-effect/
Collect::
c:\windows\system32\scsichk.sys
RenV::
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\AIM6\aim6 .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\applesyncnotifier .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm   .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Common Files\Research In Motion\Auto Update\rimautoupdate .exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\roxwatchtray9 .exe
c:\program files\Dell Support Center\bin\sprtcmd .exe
c:\program files\Dell Support Center\gs_agent\custom\dsca .exe
c:\program files\Elaborate Bytes\VirtualCloneDrive\vcddaemon .exe
c:\program files\Google\Google Desktop Search\googledesktop .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\McAfee\Common Framework\udaterui .exe
c:\program files\McAfee\VirusScan Enterprise\shstat .exe
c:\program files\NVIDIA Corporation\nTune\ntunecmd .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\Skype\Phone\skype .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
c:\program files\Steam\steam .exe

Driver::
scsichk


Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

I see signs of up to four anti virus programs. Are all of them currently running?
I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove all except one.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#11 Puli

Puli
  • Topic Starter

  • Members
  • 16 posts

Posted 30 April 2010 - 08:16 AM

ComboFix 10-04-29.05 - Josh 04/30/2010 8:49.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3325.2250 [GMT -4:00]
Running from: c:\users\Josh\Desktop\ComboFix.exe
Command switches used :: c:\users\Josh\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SCSICHK
-------\Service_scsichk


((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-30 )))))))))))))))))))))))))))))))
.

2010-04-30 12:59 . 2010-04-30 13:01 -------- d-----w- c:\users\Josh\AppData\Local\temp
2010-04-30 12:59 . 2010-04-30 12:59 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-30 12:59 . 2010-04-30 12:59 -------- d-----w- c:\users\postgres\AppData\Local\temp
2010-04-22 01:14 . 2010-04-22 01:14 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-04-21 20:08 . 2010-04-21 20:08 -------- d-----w- c:\program files\Trend Micro
2010-04-21 19:19 . 2010-04-21 19:19 -------- d-----w- c:\users\Josh\AppData\Local\Threat Expert
2010-04-21 18:54 . 2010-04-21 18:54 -------- d-----w- c:\users\Josh\AppData\Roaming\PC Tools
2010-04-21 18:54 . 2010-04-21 18:54 -------- d-----w- c:\programdata\PC Tools
2010-04-21 01:57 . 2010-04-29 12:37 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-21 01:57 . 2010-04-21 02:06 -------- d-----w- c:\programdata\Hitman Pro
2010-04-21 01:57 . 2010-04-21 01:57 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-21 01:55 . 2010-04-21 01:55 -------- d-----w- C:\escw_9_sa
2010-04-20 14:53 . 2010-04-20 14:53 -------- d-----w- c:\users\Josh\AppData\Roaming\Avira
2010-04-20 14:50 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-20 14:50 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-20 14:50 . 2009-05-11 16:49 17016 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-20 14:50 . 2009-05-11 16:49 51992 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-20 14:50 . 2010-04-20 14:50 -------- d-----w- c:\programdata\Avira
2010-04-20 14:50 . 2010-04-20 14:50 -------- d-----w- c:\program files\Avira
2010-04-20 12:22 . 2010-04-20 12:22 -------- d-----w- c:\program files\Windows Portable Devices
2010-04-20 06:10 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-04-20 06:10 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-04-20 06:10 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-04-20 06:06 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-04-20 06:06 . 2009-10-01 01:02 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2010-04-20 06:06 . 2009-10-01 01:01 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2010-04-20 06:06 . 2009-10-01 01:01 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2010-04-20 06:06 . 2009-10-01 01:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2010-04-20 06:06 . 2009-10-01 01:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2010-04-20 06:06 . 2009-10-01 01:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2010-04-20 06:06 . 2009-10-01 01:01 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2010-04-20 06:06 . 2009-10-01 01:01 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2010-04-20 06:06 . 2009-10-01 01:01 350208 ----a-w- c:\windows\system32\WPDSp.dll
2010-04-20 06:06 . 2009-10-01 01:01 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2010-04-20 06:06 . 2009-10-01 01:01 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2010-04-20 05:59 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-04-20 05:59 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-04-20 05:59 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-04-20 05:53 . 2010-04-20 05:59 -------- d-----w- C:\4f5853fd0eb636ebcede6ac841ae4ce3
2010-04-20 05:40 . 2010-04-20 05:40 -------- d-----w- C:\$AVG
2010-04-20 05:39 . 2010-04-20 05:39 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-20 05:39 . 2010-04-23 12:33 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-20 05:39 . 2010-04-20 05:39 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-20 05:39 . 2010-04-29 22:27 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-20 05:39 . 2010-04-20 05:39 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-20 05:36 . 2010-04-20 05:36 -------- d-----w- c:\program files\AVG
2010-04-20 05:36 . 2010-04-20 05:36 -------- d-----w- c:\programdata\avg9
2010-04-20 02:39 . 2010-04-20 02:39 -------- d-----w- c:\users\Josh\AppData\Roaming\Malwarebytes
2010-04-20 02:39 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-20 02:39 . 2010-04-26 20:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-20 02:39 . 2010-04-20 02:39 -------- d-----w- c:\programdata\Malwarebytes
2010-04-20 02:39 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 01:19 . 2010-04-20 01:19 -------- d-----w- c:\users\Josh\AppData\Roaming\272A812BF5470781EBC80F7C53B39D57
2010-04-20 01:19 . 2010-04-26 20:42 -------- d-----w- C:\QUARANTINE
2010-04-17 18:52 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-04-17 18:52 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-04-17 18:52 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-04-17 03:42 . 2010-04-17 03:44 -------- d-----w- c:\windows\system32\ca-ES
2010-04-17 03:42 . 2010-04-17 03:44 -------- d-----w- c:\windows\system32\eu-ES
2010-04-17 03:42 . 2010-04-17 03:44 -------- d-----w- c:\windows\system32\vi-VN
2010-04-14 13:04 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 13:04 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 13:04 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 13:04 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 13:04 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 13:04 . 2010-03-04 17:33 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 13:04 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 13:04 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 13:04 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 13:00 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 12:59 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-30 13:05 . 2008-04-21 04:57 -------- d-----w- c:\users\Josh\AppData\Roaming\Skype
2010-04-30 12:49 . 2008-12-20 21:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-30 12:49 . 2008-11-13 22:13 -------- d-----w- c:\program files\Steam
2010-04-30 12:49 . 2008-07-13 23:53 -------- d-----w- c:\program files\QuickTime
2010-04-30 12:49 . 2010-02-06 06:00 -------- d-----w- c:\program files\iTunes
2010-04-30 12:49 . 2008-04-21 04:59 -------- d-----w- c:\program files\AIM6
2010-04-22 01:05 . 2008-04-15 07:55 110624 ----a-w- c:\windows\system32\drivers\nvstor32.sys
2010-04-21 22:34 . 2009-10-08 23:33 -------- d-----w- c:\program files\Heroes of Newerth
2010-04-21 22:05 . 2010-04-21 18:54 -------- d-----w- c:\program files\Spyware Doctor
2010-04-21 18:55 . 2010-04-21 18:54 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-20 14:33 . 2008-05-23 23:15 -------- d-----w- c:\programdata\media center programs
2010-04-20 12:25 . 2009-03-19 17:34 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-20 12:22 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-20 12:21 . 2010-04-20 12:21 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-04-17 03:58 . 2008-06-09 19:55 -------- d-----w- c:\programdata\NVIDIA
2010-04-17 03:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-04-17 03:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-04-17 03:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-04-17 03:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-04-17 03:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-04-17 03:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-04-14 22:27 . 2008-04-29 03:32 -------- d-----w- c:\users\Josh\AppData\Roaming\Azureus
2010-04-11 21:31 . 2008-04-29 03:32 -------- d-----w- c:\program files\Azureus
2010-04-09 20:39 . 2009-07-17 19:25 -------- d-----w- c:\users\Josh\AppData\Roaming\vlc
2010-03-29 21:48 . 2008-04-21 02:07 69576 ----a-w- c:\users\Josh\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-09 16:25 . 2010-03-31 12:48 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42 . 2010-03-31 12:48 834048 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 14:16 . 2009-10-03 06:13 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 23:06 . 2010-03-29 21:11 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-29 21:11 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-29 21:11 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-05 13:25 . 2010-04-21 18:54 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-05 13:18 . 2010-04-21 18:55 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-02-05 13:17 . 2010-04-21 18:55 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-13 05:25 . 2008-08-03 21:12 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-09-01 00:07 . 2009-09-01 05:49 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-05-02 20:12 . 2008-05-02 20:12 0 --sh--w- c:\windows\S60E82BF1.tmp
2008-04-15 07:55 . 2008-04-15 07:46 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
<pre>
c:\program files\McAfee\Common Framework\udaterui .exe
c:\program files\McAfee\VirusScan Enterprise\shstat .exe
c:\program files\Skype\Phone\skype .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PlayNC Launcher"="" [N/A]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-14 92704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-14 13687328]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-09-01 124240]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
c:\progra~1\ALWILS~1\Avast4\ashDisp.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DKPProfilerUploader]
c:\program files\DKP Profiler Uploader\DKPProfilerUploader.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
c:\program files\McAfee.com\Agent\mcagent.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcexecwin]
c:\users\Josh\AppData\Local\Temp\lle8tzji.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RayV]
c:\program files\RayV\RayV\RayV.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):6d,06,d6,79,e1,dd,ca,01

R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-09-01 65448]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-03-16 2780212]
R3 SBAPIFS;SBAPIFS;c:\windows\system32\drivers\sbapifs.sys [x]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-12-09 365280]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [x]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-09-23 207280]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-04-20 216200]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-04-23 242896]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-04-20 308064]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-01-21 112592]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [2009-09-01 21256]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-09-01 70728]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [2009-04-27 93960]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-04-30 15944]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - HITMANPRO35
*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\oidppttm.default\
FF - prefs.js: browser.startup.homepage -
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\users\Josh\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\Josh\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\oidppttm.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc23B5A.tmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-385192728-1322132304-2723306943-1000\Software\SecuROM\License information*]
"datasecu"=hex:0f,53,61,8b,80,33,cd,0c,6e,67,77,e5,35,a5,f7,0b,d3,6e,0d,3e,c6,
38,5e,b1,a5,28,14,f4,cc,28,43,3f,af,1b,62,aa,54,08,22,b5,30,e0,f2,ed,46,af,\
"rkeysecu"=hex:f0,39,c1,30,3f,ab,92,8a,05,1b,38,f6,f1,0f,75,36

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(548)
c:\program files\WinSCP\DragExt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Hitman Pro 3.5\HitmanPro35.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\System32\rundll32.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\progra~1\PHAROS~1\Core\CTskMstr.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-04-30 09:12:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-30 13:12
ComboFix2.txt 2010-04-29 15:30

Pre-Run: 126,362,812,416 bytes free
Post-Run: 126,383,341,568 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=3 Sets=1,2,3,4
- - End Of File - - 42C18D102BDE04925722F159685BCE47


#12 myrti
Malware Study Hall Admin

Posted 30 April 2010 - 10:06 AM

Hi,

there are a couple more infected files. Please run this script as well:
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

RenV::
c:\program files\McAfee\Common Framework\udaterui .exe
c:\program files\McAfee\VirusScan Enterprise\shstat .exe
c:\program files\Skype\Phone\skype .exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

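The three files myrti lists under RenV:: share one visible oddity in the ComboFix output: a space between the base name and the extension ("udaterui .exe" beside the legitimate "udaterui.exe" in the Run key). The log above also shows a startup entry pointing at a DLL in the user's Temp folder. The following Python script is an added example, not ComboFix's code and not from anyone in this thread; it pulls Windows paths out of ComboFix-style text and flags those two patterns. The sample log is constructed to mirror the shape of the log above, and the helper names are my own.

```python
"""Flag suspicious executable paths in a ComboFix-style log (added example)."""
import re
from pathlib import PureWindowsPath

# Constructed sample, modelled on the ComboFix output in this thread (not copied from it).
SAMPLE_LOG = r"""
<pre>
c:\program files\McAfee\Common Framework\udaterui .exe
c:\program files\Skype\Phone\skype .exe
</pre>
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcexecwin]
c:\users\Josh\AppData\Local\Temp\lle8tzji.dll [N/A]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]
"""

# A drive-letter path ending in a binary extension. The character class allows
# spaces so that a name such as "udaterui .exe" is captured whole; quotes and
# brackets terminate the match because ComboFix wraps paths in them.
PATH_RE = re.compile(r'(?i)[a-z]:\\[^"\[\]\r\n]*?\.(?:exe|dll|sys|des)\b')


def extract_paths(text):
    """Return every path-like token in the log, in order of appearance."""
    return [m.group(0) for m in PATH_RE.finditer(text)]


def has_space_before_extension(path):
    """True for names like 'udaterui .exe' (whitespace right before the extension)."""
    name = PureWindowsPath(path).name
    return re.search(r'\s\.[A-Za-z0-9]+$', name) is not None


def lives_in_temp(path):
    """True if any directory component of the path is a Temp/tmp folder."""
    parts = {part.lower() for part in PureWindowsPath(path).parts}
    return 'temp' in parts or 'tmp' in parts


def normalised(path):
    """Lower-case the path and drop whitespace before the extension, so that
    'x .exe' and 'x.exe' compare equal."""
    return re.sub(r'\s+(\.[A-Za-z0-9]+)$', r'\1', path.lower())


def find_suspicious(text):
    """Return [(path, [reason, ...]), ...] for every path that trips a heuristic."""
    paths = extract_paths(text)
    seen = {p.lower() for p in paths}
    findings = []
    for path in paths:
        reasons = []
        if has_space_before_extension(path):
            reasons.append('space before extension')
            # The hijack pattern in this thread: the odd name sits next to a
            # same-named file without the space.
            if normalised(path) in seen:
                reasons.append('same-named file without the space also present')
        if lives_in_temp(path) and path.lower().endswith(('.exe', '.dll', '.sys')):
            reasons.append('binary loaded from a Temp directory')
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == '__main__':
    for path, reasons in find_suspicious(SAMPLE_LOG):
        print(f'{path}\n    -> {"; ".join(reasons)}')
```

Run it against a saved ComboFix.txt by reading the file into `find_suspicious` instead of `SAMPLE_LOG`. The heuristics only point at entries worth a second look; a flagged path still needs to be checked by hand before anything is renamed or removed.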


#13 Puli
Topic Starter

Posted 30 April 2010 - 10:43 AM

ComboFix 10-04-29.05 - Josh 04/30/2010 11:23:33.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3325.2074 [GMT -4:00]
Running from: c:\users\Josh\Desktop\ComboFix.exe
Command switches used :: c:\users\Josh\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-30 )))))))))))))))))))))))))))))))
.

2010-04-30 15:32 . 2010-04-30 15:33 -------- d-----w- c:\users\Josh\AppData\Local\temp
2010-04-30 15:32 . 2010-04-30 15:32 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-30 15:32 . 2010-04-30 15:32 -------- d-----w- c:\users\postgres\AppData\Local\temp
2010-04-30 15:32 . 2010-04-30 15:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-22 01:14 . 2010-04-22 01:14 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-04-21 20:08 . 2010-04-21 20:08 -------- d-----w- c:\program files\Trend Micro
2010-04-21 19:19 . 2010-04-21 19:19 -------- d-----w- c:\users\Josh\AppData\Local\Threat Expert
2010-04-21 18:54 . 2010-04-21 18:54 -------- d-----w- c:\users\Josh\AppData\Roaming\PC Tools
2010-04-21 18:54 . 2010-04-21 18:54 -------- d-----w- c:\programdata\PC Tools
2010-04-21 01:57 . 2010-04-30 13:08 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-21 01:57 . 2010-04-21 02:06 -------- d-----w- c:\programdata\Hitman Pro
2010-04-21 01:57 . 2010-04-21 01:57 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-21 01:55 . 2010-04-21 01:55 -------- d-----w- C:\escw_9_sa
2010-04-20 12:22 . 2010-04-20 12:22 -------- d-----w- c:\program files\Windows Portable Devices
2010-04-20 06:10 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-04-20 06:10 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-04-20 06:10 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-04-20 06:06 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-04-20 06:06 . 2009-10-01 01:02 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2010-04-20 06:06 . 2009-10-01 01:01 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2010-04-20 06:06 . 2009-10-01 01:01 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2010-04-20 06:06 . 2009-10-01 01:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2010-04-20 06:06 . 2009-10-01 01:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2010-04-20 06:06 . 2009-10-01 01:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2010-04-20 06:06 . 2009-10-01 01:01 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2010-04-20 06:06 . 2009-10-01 01:01 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2010-04-20 06:06 . 2009-10-01 01:01 350208 ----a-w- c:\windows\system32\WPDSp.dll
2010-04-20 06:06 . 2009-10-01 01:01 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2010-04-20 06:06 . 2009-10-01 01:01 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2010-04-20 05:59 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-04-20 05:59 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-04-20 05:59 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-04-20 05:53 . 2010-04-20 05:59 -------- d-----w- C:\4f5853fd0eb636ebcede6ac841ae4ce3
2010-04-20 05:40 . 2010-04-20 05:40 -------- d-----w- C:\$AVG
2010-04-20 05:39 . 2010-04-20 05:39 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-20 05:39 . 2010-04-23 12:33 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-20 05:39 . 2010-04-20 05:39 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-20 05:39 . 2010-04-29 22:27 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-20 05:39 . 2010-04-20 05:39 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-20 05:36 . 2010-04-20 05:36 -------- d-----w- c:\program files\AVG
2010-04-20 05:36 . 2010-04-20 05:36 -------- d-----w- c:\programdata\avg9
2010-04-20 02:39 . 2010-04-20 02:39 -------- d-----w- c:\users\Josh\AppData\Roaming\Malwarebytes
2010-04-20 02:39 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-20 02:39 . 2010-04-26 20:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-20 02:39 . 2010-04-20 02:39 -------- d-----w- c:\programdata\Malwarebytes
2010-04-20 02:39 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 01:19 . 2010-04-20 01:19 -------- d-----w- c:\users\Josh\AppData\Roaming\272A812BF5470781EBC80F7C53B39D57
2010-04-20 01:19 . 2010-04-26 20:42 -------- d-----w- C:\QUARANTINE
2010-04-17 18:52 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-04-17 18:52 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-04-17 18:52 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-04-17 03:42 . 2010-04-17 03:44 -------- d-----w- c:\windows\system32\ca-ES
2010-04-17 03:42 . 2010-04-17 03:44 -------- d-----w- c:\windows\system32\eu-ES
2010-04-17 03:42 . 2010-04-17 03:44 -------- d-----w- c:\windows\system32\vi-VN
2010-04-14 13:04 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 13:04 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 13:04 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 13:04 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 13:04 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 13:04 . 2010-03-04 17:33 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 13:04 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 13:04 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 13:04 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 13:00 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 12:59 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-30 15:36 . 2008-04-21 04:57 -------- d-----w- c:\users\Josh\AppData\Roaming\Skype
2010-04-30 12:49 . 2008-12-20 21:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-30 12:49 . 2008-11-13 22:13 -------- d-----w- c:\program files\Steam
2010-04-30 12:49 . 2008-07-13 23:53 -------- d-----w- c:\program files\QuickTime
2010-04-30 12:49 . 2010-02-06 06:00 -------- d-----w- c:\program files\iTunes
2010-04-30 12:49 . 2008-04-21 04:59 -------- d-----w- c:\program files\AIM6
2010-04-23 12:33 . 2010-04-23 12:33 242696 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-04-23 12:32 . 2010-04-23 12:32 1689952 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-04-22 01:05 . 2008-04-15 07:55 110624 ----a-w- c:\windows\system32\drivers\nvstor32.sys
2010-04-21 22:34 . 2009-10-08 23:33 -------- d-----w- c:\program files\Heroes of Newerth
2010-04-21 22:05 . 2010-04-21 18:54 -------- d-----w- c:\program files\Spyware Doctor
2010-04-21 18:55 . 2010-04-21 18:54 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-20 14:33 . 2008-05-23 23:15 -------- d-----w- c:\programdata\media center programs
2010-04-20 12:25 . 2009-03-19 17:34 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-20 12:22 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-20 12:21 . 2010-04-20 12:21 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-04-20 05:50 . 2010-04-20 05:50 1035032 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2010-04-17 03:58 . 2008-06-09 19:55 -------- d-----w- c:\programdata\NVIDIA
2010-04-17 03:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-04-17 03:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-04-17 03:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-04-17 03:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-04-17 03:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-04-17 03:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-04-14 22:27 . 2008-04-29 03:32 -------- d-----w- c:\users\Josh\AppData\Roaming\Azureus
2010-04-11 21:34 . 2010-04-11 21:34 6123008 ----a-w- c:\users\Josh\AppData\Roaming\Azureus\plugins\azemp\vuzeplayer.exe
2010-04-11 21:31 . 2008-04-29 03:32 -------- d-----w- c:\program files\Azureus
2010-04-09 20:39 . 2009-07-17 19:25 -------- d-----w- c:\users\Josh\AppData\Roaming\vlc
2010-03-29 21:48 . 2008-04-21 02:07 69576 ----a-w- c:\users\Josh\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-09 16:25 . 2010-03-31 12:48 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42 . 2010-03-31 12:48 834048 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 14:16 . 2009-10-03 06:13 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 23:06 . 2010-03-29 21:11 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-29 21:11 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-29 21:11 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-06 05:54 . 2010-02-06 05:54 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-05 13:25 . 2010-04-21 18:54 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-05 13:18 . 2010-04-21 18:55 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-02-05 13:17 . 2010-04-21 18:55 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-13 05:25 . 2008-08-03 21:12 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-09-01 00:07 . 2009-09-01 05:49 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-05-02 20:12 . 2008-05-02 20:12 0 --sh--w- c:\windows\S60E82BF1.tmp
2008-04-15 07:55 . 2008-04-15 07:46 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
<pre>
c:\program files\McAfee\Common Framework\udaterui .exe
c:\program files\McAfee\VirusScan Enterprise\shstat .exe
c:\program files\Skype\Phone\skype .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PlayNC Launcher"="" [N/A]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-14 92704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-14 13687328]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-09-01 124240]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
c:\progra~1\ALWILS~1\Avast4\ashDisp.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DKPProfilerUploader]
c:\program files\DKP Profiler Uploader\DKPProfilerUploader.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
c:\program files\McAfee.com\Agent\mcagent.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcexecwin]
c:\users\Josh\AppData\Local\Temp\lle8tzji.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RayV]
c:\program files\RayV\RayV\RayV.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):6d,06,d6,79,e1,dd,ca,01

R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-09-01 65448]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-03-16 2780212]
R3 SBAPIFS;SBAPIFS;c:\windows\system32\drivers\sbapifs.sys [x]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-12-09 365280]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [x]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-09-23 207280]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-04-20 216200]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-04-23 242896]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-04-20 308064]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-01-21 112592]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [2009-09-01 21256]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-09-01 70728]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [2009-04-27 93960]


--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\oidppttm.default\
FF - prefs.js: browser.startup.homepage -
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\users\Josh\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\Josh\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\oidppttm.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc246B0.tmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-385192728-1322132304-2723306943-1000\Software\SecuROM\License information*]
"datasecu"=hex:0f,53,61,8b,80,33,cd,0c,6e,67,77,e5,35,a5,f7,0b,d3,6e,0d,3e,c6,
38,5e,b1,a5,28,14,f4,cc,28,43,3f,af,1b,62,aa,54,08,22,b5,30,e0,f2,ed,46,af,\
"rkeysecu"=hex:f0,39,c1,30,3f,ab,92,8a,05,1b,38,f6,f1,0f,75,36

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4144)
c:\program files\WinSCP\DragExt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\progra~1\PHAROS~1\Core\CTskMstr.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\windows\system32\wbem\unsecapp.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-04-30 11:42:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-30 15:42
ComboFix2.txt 2010-04-30 13:12
ComboFix3.txt 2010-04-29 15:30

Pre-Run: 127,197,376,512 bytes free
Post-Run: 127,061,200,896 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=3 Sets=1,2,3,4
- - End Of File - - 80CCD0F0CFC18049205B1F4EA241D0B5


#14 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home
  • Local time:11:44 AM

Posted 30 April 2010 - 10:46 AM

Hi,

it seems that didn't work, could you please repeat with this script:

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
RenV::
c:\program files\McAfee\Common Framework\udaterui .exe
c:\program files\McAfee\VirusScan Enterprise\shstat .exe
c:\program files\Skype\Phone\skype .exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

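The three paths in the RenV:: script above all carry a space before the .exe extension, while the HKLM Run entry in the log that follows points at c:\program files\McAfee\Common Framework\udaterui.exe with no space. As an added example (not part of the thread, of ComboFix, or of any tool named here), the Python below walks a directory tree, flags executables whose name has whitespace before the extension, and reports whether the un-spaced twin sits beside it; the sample tree it builds is constructed from the names in this thread and contains placeholder files, not real binaries.

```python
"""Flag executables whose file name has whitespace before the extension.

Added example, not from the thread or from ComboFix. The RenV:: paths above
(e.g. 'udaterui .exe') share this pattern, while the Run key in the log
points at the same name without the space ('udaterui.exe').
"""
import os
import re
import tempfile

# Whitespace immediately before a common executable extension.
SPACED_EXT = re.compile(
    r"^(?P<stem>.+?)\s+(?P<ext>\.(exe|dll|sys|scr|com))$", re.IGNORECASE
)


def suspicious_name(filename):
    """Return the collapsed name (whitespace removed) if suspicious, else None."""
    m = SPACED_EXT.match(filename)
    if not m:
        return None
    return m.group("stem") + m.group("ext")


def scan_tree(root):
    """Walk root and return sorted findings.

    Each finding is (spaced_path, collapsed_path, collapsed_exists), where
    collapsed_exists says whether the un-spaced twin is in the same folder.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}  # case-insensitive, like NTFS
        for name in files:
            collapsed = suspicious_name(name)
            if collapsed is None:
                continue
            findings.append((
                os.path.join(dirpath, name),
                os.path.join(dirpath, collapsed),
                collapsed.lower() in present,
            ))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed layout mirroring names in the thread (placeholder files)."""
    layout = {
        os.path.join("McAfee", "Common Framework"):
            ["udaterui .exe", "udaterui.exe", "FrameworkService.exe"],
        os.path.join("McAfee", "VirusScan Enterprise"):
            ["shstat .exe", "mcshield.exe"],
        os.path.join("Skype", "Phone"):
            ["skype .exe", "Skype.exe"],
        "WinSCP": ["DragExt.dll", "readme .txt"],  # .txt is not executable
    }
    for rel, names in layout.items():
        folder = os.path.join(root, rel)
        os.makedirs(folder, exist_ok=True)
        for n in names:
            with open(os.path.join(folder, n), "wb") as fh:
                fh.write(b"MZ placeholder")  # constructed content, not a PE
    return root


def demo():
    """Build the sample tree in a temp dir and return (relpath, twin, present)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(os.path.relpath(p, tmp), os.path.basename(c), exists)
                for p, c, exists in scan_tree(tmp)]


if __name__ == "__main__":
    for spaced, twin, present in demo():
        print(f"{spaced!r} -> {twin!r} (un-spaced twin present: {present})")
```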


#15 Puli

Puli
  • Topic Starter

  • Members
  • 16 posts
  • Local time:05:44 AM

Posted 30 April 2010 - 11:34 AM

I was having problems shutting down McAfee's On-Access Scanner, so I just uninstalled it. I was still deciding whether I wanted it or AVG. Will just go with AVG.


ComboFix 10-04-29.05 - Josh 04/30/2010 12:14:47.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3325.2030 [GMT -4:00]
Running from: c:\users\Josh\Desktop\ComboFix.exe
Command switches used :: c:\users\Josh\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-30 )))))))))))))))))))))))))))))))
.

2010-04-30 16:19 . 2010-04-30 16:21 -------- d-----w- c:\users\Josh\AppData\Local\temp
2010-04-30 16:19 . 2010-04-30 16:19 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-30 16:19 . 2010-04-30 16:19 -------- d-----w- c:\users\postgres\AppData\Local\temp
2010-04-30 16:19 . 2010-04-30 16:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-22 01:14 . 2010-04-22 01:14 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-04-21 20:08 . 2010-04-21 20:08 -------- d-----w- c:\program files\Trend Micro
2010-04-21 19:19 . 2010-04-21 19:19 -------- d-----w- c:\users\Josh\AppData\Local\Threat Expert
2010-04-21 18:54 . 2010-04-21 18:54 -------- d-----w- c:\users\Josh\AppData\Roaming\PC Tools
2010-04-21 18:54 . 2010-04-21 18:54 -------- d-----w- c:\programdata\PC Tools
2010-04-21 01:57 . 2010-04-30 13:08 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-21 01:57 . 2010-04-21 02:06 -------- d-----w- c:\programdata\Hitman Pro
2010-04-21 01:57 . 2010-04-21 01:57 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-21 01:55 . 2010-04-21 01:55 -------- d-----w- C:\escw_9_sa
2010-04-20 12:22 . 2010-04-20 12:22 -------- d-----w- c:\program files\Windows Portable Devices
2010-04-20 06:10 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-04-20 06:10 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-04-20 06:10 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-04-20 06:06 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-04-20 06:06 . 2009-10-01 01:02 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2010-04-20 06:06 . 2009-10-01 01:01 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2010-04-20 06:06 . 2009-10-01 01:01 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2010-04-20 06:06 . 2009-10-01 01:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2010-04-20 06:06 . 2009-10-01 01:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2010-04-20 06:06 . 2009-10-01 01:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2010-04-20 06:06 . 2009-10-01 01:01 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2010-04-20 06:06 . 2009-10-01 01:01 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2010-04-20 06:06 . 2009-10-01 01:01 350208 ----a-w- c:\windows\system32\WPDSp.dll
2010-04-20 06:06 . 2009-10-01 01:01 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2010-04-20 06:06 . 2009-10-01 01:01 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2010-04-20 05:59 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-04-20 05:59 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-04-20 05:59 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-04-20 05:53 . 2010-04-20 05:59 -------- d-----w- C:\4f5853fd0eb636ebcede6ac841ae4ce3
2010-04-20 05:40 . 2010-04-20 05:40 -------- d-----w- C:\$AVG
2010-04-20 05:39 . 2010-04-20 05:39 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-20 05:39 . 2010-04-23 12:33 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-20 05:39 . 2010-04-20 05:39 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-20 05:39 . 2010-04-29 22:27 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-20 05:39 . 2010-04-20 05:39 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-20 05:36 . 2010-04-20 05:36 -------- d-----w- c:\program files\AVG
2010-04-20 05:36 . 2010-04-20 05:36 -------- d-----w- c:\programdata\avg9
2010-04-20 02:39 . 2010-04-20 02:39 -------- d-----w- c:\users\Josh\AppData\Roaming\Malwarebytes
2010-04-20 02:39 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-20 02:39 . 2010-04-26 20:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-20 02:39 . 2010-04-20 02:39 -------- d-----w- c:\programdata\Malwarebytes
2010-04-20 02:39 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 01:19 . 2010-04-20 01:19 -------- d-----w- c:\users\Josh\AppData\Roaming\272A812BF5470781EBC80F7C53B39D57
2010-04-20 01:19 . 2010-04-26 20:42 -------- d-----w- C:\QUARANTINE
2010-04-17 18:52 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-04-17 18:52 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-04-17 18:52 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-04-17 03:42 . 2010-04-17 03:44 -------- d-----w- c:\windows\system32\ca-ES
2010-04-17 03:42 . 2010-04-17 03:44 -------- d-----w- c:\windows\system32\eu-ES
2010-04-17 03:42 . 2010-04-17 03:44 -------- d-----w- c:\windows\system32\vi-VN
2010-04-14 13:04 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 13:04 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 13:04 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 13:04 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 13:04 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 13:04 . 2010-03-04 17:33 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 13:04 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 13:04 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 13:04 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 13:00 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 12:59 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-30 16:21 . 2008-04-21 04:57 -------- d-----w- c:\users\Josh\AppData\Roaming\Skype
2010-04-30 16:10 . 2009-09-01 05:49 -------- d-----w- c:\program files\McAfee
2010-04-30 16:10 . 2008-04-15 00:15 -------- d-----w- c:\programdata\McAfee
2010-04-30 12:49 . 2008-12-20 21:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-30 12:49 . 2008-11-13 22:13 -------- d-----w- c:\program files\Steam
2010-04-30 12:49 . 2008-07-13 23:53 -------- d-----w- c:\program files\QuickTime
2010-04-30 12:49 . 2010-02-06 06:00 -------- d-----w- c:\program files\iTunes
2010-04-30 12:49 . 2008-04-21 04:59 -------- d-----w- c:\program files\AIM6
2010-04-23 12:33 . 2010-04-23 12:33 242696 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-04-23 12:32 . 2010-04-23 12:32 1689952 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-04-22 01:05 . 2008-04-15 07:55 110624 ----a-w- c:\windows\system32\drivers\nvstor32.sys
2010-04-21 22:34 . 2009-10-08 23:33 -------- d-----w- c:\program files\Heroes of Newerth
2010-04-21 22:05 . 2010-04-21 18:54 -------- d-----w- c:\program files\Spyware Doctor
2010-04-21 18:55 . 2010-04-21 18:54 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-20 14:33 . 2008-05-23 23:15 -------- d-----w- c:\programdata\media center programs
2010-04-20 12:25 . 2009-03-19 17:34 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-20 12:22 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-20 12:21 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-04-20 12:21 . 2010-04-20 12:21 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-04-20 05:50 . 2010-04-20 05:50 1035032 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2010-04-17 03:58 . 2008-06-09 19:55 -------- d-----w- c:\programdata\NVIDIA
2010-04-17 03:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-04-17 03:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-04-17 03:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-04-17 03:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-04-17 03:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-04-17 03:45 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-04-14 22:27 . 2008-04-29 03:32 -------- d-----w- c:\users\Josh\AppData\Roaming\Azureus
2010-04-11 21:34 . 2010-04-11 21:34 6123008 ----a-w- c:\users\Josh\AppData\Roaming\Azureus\plugins\azemp\vuzeplayer.exe
2010-04-11 21:31 . 2008-04-29 03:32 -------- d-----w- c:\program files\Azureus
2010-04-09 20:39 . 2009-07-17 19:25 -------- d-----w- c:\users\Josh\AppData\Roaming\vlc
2010-03-29 21:48 . 2008-04-21 02:07 69576 ----a-w- c:\users\Josh\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-09 16:25 . 2010-03-31 12:48 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42 . 2010-03-31 12:48 834048 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 14:16 . 2009-10-03 06:13 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 23:06 . 2010-03-29 21:11 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-29 21:11 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-29 21:11 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-06 05:54 . 2010-02-06 05:54 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-05 13:25 . 2010-04-21 18:54 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-05 13:18 . 2010-04-21 18:55 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-02-05 13:17 . 2010-04-21 18:55 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-13 05:25 . 2008-08-03 21:12 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-05-02 20:12 . 2008-05-02 20:12 0 --sh--w- c:\windows\S60E82BF1.tmp
2008-04-15 07:55 . 2008-04-15 07:46 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
CODE
c:\program files\Skype\Phone\skype .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PlayNC Launcher"="" [N/A]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-14 92704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-14 13687328]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
c:\progra~1\ALWILS~1\Avast4\ashDisp.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DKPProfilerUploader]
c:\program files\DKP Profiler Uploader\DKPProfilerUploader.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
c:\program files\McAfee.com\Agent\mcagent.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcexecwin]
c:\users\Josh\AppData\Local\Temp\lle8tzji.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RayV]
c:\program files\RayV\RayV\RayV.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):6d,06,d6,79,e1,dd,ca,01

R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-03-16 2780212]
R3 SBAPIFS;SBAPIFS;c:\windows\system32\drivers\sbapifs.sys [x]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-12-09 365280]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [x]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-09-23 207280]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-04-20 216200]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-04-23 242896]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-04-20 308064]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-01-21 112592]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [2009-04-27 93960]


--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\oidppttm.default\
FF - prefs.js: browser.startup.homepage -
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\users\Josh\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\Josh\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\oidppttm.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc2F027.tmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-385192728-1322132304-2723306943-1000\Software\SecuROM\License information*]
"datasecu"=hex:0f,53,61,8b,80,33,cd,0c,6e,67,77,e5,35,a5,f7,0b,d3,6e,0d,3e,c6,
38,5e,b1,a5,28,14,f4,cc,28,43,3f,af,1b,62,aa,54,08,22,b5,30,e0,f2,ed,46,af,\
"rkeysecu"=hex:f0,39,c1,30,3f,ab,92,8a,05,1b,38,f6,f1,0f,75,36

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3752)
c:\program files\WinSCP\DragExt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\progra~1\PHAROS~1\Core\CTskMstr.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-04-30 12:29:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-30 16:29
ComboFix2.txt 2010-04-30 15:42
ComboFix3.txt 2010-04-30 13:12
ComboFix4.txt 2010-04-29 15:30

Pre-Run: 126,998,523,904 bytes free
Post-Run: 167,856,603,136 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=3 Sets=1,2,3,4
- - End Of File - - 453B3D6E6B1A373FB8ABAB7B6956461F




