infected with malware/trojan/virus prob (Digital protection?)


  • This topic is locked
24 replies to this topic

#1 jamessmith_uk

  • Members
  • 13 posts

Posted 29 April 2010 - 12:19 PM

Hi,

I am looking for some help with removing something nasty which has infected my laptop.

After downloading a file my computer came up with the Digital Protection screens stating my computer was being hacked and offering a removal program at a discount etc.

I went through the Malwarebytes removal method but this doesn't appear to have worked.

My antivirus is AVG 9 and that shows it is supposedly protecting my computer as it has all boxes ticked as working. Once I switch my computer on I'm met with a screen for Windows Defender saying it needs switching on, but I think this may well have been part of the malware.
In the icon bar at the bottom the red shields appear with messages about infections; however, the grammar and spelling are poor on these, leading me to believe again it's malware.

I've also had the porn shortcut icons appear on my desktop as well.

I'd be very grateful for any help with this problem.





DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 16:33:15.12 on 29/04/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.845 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Digital Protection *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Fingerprint Reader Suite\upeksvr.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\aestsrv.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\PSIService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Windows\system32\STacSV.exe
svchost.exe "C:\Windows\system32\amstreamp.exe"
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\dllhost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\Windows\System32\msdtc.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\ehome\ehmsas.exe
C:\Users\Administrator\AppData\Local\temp\sysmon64x.exe
C:\Program Files\Fingerprint Reader Suite\psqltray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\AVG\AVG9\avgscanx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\wuauclt.exe
C:\Users\ADMINI~1\AppData\Local\Temp\asd45B6.tmp.exe
c:\program files\windows defender\MpCmdRun.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
E:\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [sysmon64x.exe] c:\users\administrator\appdata\local\temp\sysmon64x.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [PSQLLauncher] "c:\program files\fingerprint reader suite\launcher.exe" /startup
mRun: [Norton Ghost 14.0] "c:\program files\norton ghost\agent\VProTray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jre/6u10-b92-b/jinstall-6u10-windows-i586-jc.cab?e=1227184072285&h=8829c87208702b4e7e10b6ba434b64e7/&filename=jinstall-6u10-windows-i586-jc.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
AppInit_DLLs: avgrsstx.dll
LSA: Notification Packages = scecli psqlpwd

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-5 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-5 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-5 242896]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-2-26 179712]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-10-1 111616]

=============== Created Last 30 ================

2010-04-29 15:23:25 0 ----a-w- c:\users\administrator\defogger_reenable
2010-04-29 15:17:48 0 d-----w- c:\program files\Digital Protection
2010-04-28 00:49:00 32 --s-a-w- c:\windows\system32\767430202.dat
2010-04-27 22:39:01 53248 ----a-w- c:\windows\system32\pragmabbr.dll
2010-04-27 22:39:00 53248 ----a-w- c:\windows\system32\pragmaserf.dll
2010-04-27 22:38:55 147 ----a-w- c:\windows\system32\PRAGMAsrcr.dat
2010-04-27 22:38:39 823808 ----a-w- c:\windows\system32\drivers\hfmhtjvv.sys
2010-04-27 22:38:24 0 d-----w- c:\users\admini~1\appdata\roaming\E3AE9B0AF92703C741E6CFB2F705A153
2010-04-22 22:43:16 0 d-----w- c:\program files\Veetle
2010-04-16 20:25:31 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-16 20:25:26 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-16 20:25:25 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-16 20:25:25 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-16 20:24:57 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-16 20:24:57 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-04-16 20:24:52 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-16 20:24:52 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-16 20:24:52 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-16 20:24:40 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-16 20:24:39 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 20:49:11 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-04-14 00:05:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-14 00:05:50 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-14 00:05:50 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-13 17:36:22 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 17:36:18 98304 ----a-w- c:\windows\system32\cabview.dll

==================== Find3M ====================

2010-04-21 20:28:44 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-13 19:52:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-13 19:51:35 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-11 20:19:10 86016 ----a-w- c:\windows\inf\infstor.dat
2010-03-11 20:19:10 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-03-11 20:19:10 51200 ----a-w- c:\windows\inf\infpub.dat
2010-03-11 20:19:10 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-03-11 20:19:04 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-03-11 20:18:50 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-03-10 18:51:33 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-02-24 09:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2008-11-20 13:05:39 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-10-02 06:34:22 76 --sh--r- c:\windows\CT4CET.bin
2009-11-14 20:20:27 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\cookies\index.dat
2009-11-14 20:20:27 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\history\history.ie5\index.dat
2009-11-14 20:20:32 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
2009-11-14 23:13:56 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-01-05 19:03:12 88 --sh--r- c:\windows\system32\ABAA080905.sys
2010-01-05 19:03:22 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2007-02-21 19:49:52 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 16:43:10.92 ===============


#2 sempai

  • Malware Response Team
  • 5,288 posts

Posted 01 May 2010 - 08:45 AM

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.


+++++++++++++++++++++


One or more of the identified infections is a Rootkit/backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterward. Let me know what you decide to do.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 
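
The verdict above is reached by reading the DDS log by eye. As an added example (not code from this thread, from DDS or from ComboFix), the same triage expressed as heuristics run over a handful of lines copied from the log in post #1: startup entries and processes running out of a temp directory, svchost.exe launched with an executable instead of a service group, policies that remove Task Manager and Ctrl+Alt+Del, and newly created files with random-looking or numeric names. The rule names and the vowel-less-driver test are my own choices, and every hit is a reason to look closer, not proof of infection.

```python
import re
from dataclasses import dataclass
from typing import List, Pattern, Tuple

# Constructed sample: lines copied from the DDS log in post #1, mixed with
# benign lines so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k netsvcs
svchost.exe "C:\Windows\system32\amstreamp.exe"
C:\Users\Administrator\AppData\Local\temp\sysmon64x.exe
============== Pseudo HJT Report ===============
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [sysmon64x.exe] c:\users\administrator\appdata\local\temp\sysmon64x.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
=============== Created Last 30 ================
2010-04-28 00:49:00 32 --s-a-w- c:\windows\system32\767430202.dat
2010-04-27 22:38:39 823808 ----a-w- c:\windows\system32\drivers\hfmhtjvv.sys
2010-04-27 22:38:24 0 d-----w- c:\users\admini~1\appdata\roaming\E3AE9B0AF92703C741E6CFB2F705A153
2010-04-16 20:25:26 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
"""


@dataclass
class Finding:
    rule: str
    line: str


# Rules applied to whole DDS lines (process list and pseudo-HJT sections).
# Rule names are this example's own; they are triage heuristics, not signatures.
LINE_RULES: List[Tuple[str, Pattern, str]] = [
    ("autorun-from-temp",
     re.compile(r"^[um]Run: \[[^\]]*\] .*\\temp\\[^\\]+\.exe", re.I),
     "startup entry launches an executable out of a temp directory"),
    ("process-from-temp",
     re.compile(r"^[a-z]:\\.*\\temp\\[^\\]+\.exe$", re.I),
     "running process image lives in a temp directory"),
    ("svchost-wrapper",
     re.compile(r'^svchost\.exe\s+"[^"]+"$', re.I),
     "svchost.exe started with an executable as its argument instead of a -k group"),
    ("lockdown-policy",
     re.compile(r"^[um]Policies-system: (?:DisableTaskMgr|DisableCAD|DisableRegistryTools) = 1\b"),
     "policy that takes Task Manager, Ctrl+Alt+Del or registry tools away from the user"),
]

# "Created Last 30" lines: date, time, size, attribute column, then the path.
CREATED_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+[-a-z]{8}\s+(?P<path>.+)$", re.I)

# Rules applied to the path of a newly created file or directory.
PATH_RULES: List[Tuple[str, Pattern, str]] = [
    ("random-driver",
     re.compile(r"\\drivers\\[b-df-hj-np-tv-z]{6,}\.sys$", re.I),
     "new kernel driver whose name is a vowel-less string of letters"),
    ("numeric-dat",
     re.compile(r"\\system32\\\d+\.dat$", re.I),
     "purely numeric .dat file dropped into system32"),
    ("hex32-dir",
     re.compile(r"\\[0-9a-f]{32}$", re.I),
     "directory named by a 32-hex-digit string (looks like a generated id)"),
]


def triage(log_text: str) -> List[Finding]:
    """Run every heuristic over each line of a DDS log and collect the hits."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, pattern, _ in LINE_RULES:
            if pattern.search(line):
                findings.append(Finding(name, line))
        created = CREATED_LINE.match(line)
        if created:
            for name, pattern, _ in PATH_RULES:
                if pattern.search(created.group("path")):
                    findings.append(Finding(name, line))
    return findings


def summarize(findings: List[Finding]) -> List[str]:
    """Distinct rule names that fired, sorted for stable reporting."""
    return sorted({f.rule for f in findings})


if __name__ == "__main__":
    explanations = {name: why for name, _, why in LINE_RULES + PATH_RULES}
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {explanations[f.rule]}\n    {f.line}")
```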


#3 jamessmith_uk
  • Topic Starter

  • Members
  • 13 posts

Posted 01 May 2010 - 12:45 PM

Thanks for the help. I'd like to clean my laptop if possible.

many thanks

#4 sempai

  • Malware Response Team
  • 5,288 posts

Posted 01 May 2010 - 01:19 PM

Hi,

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to give "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Norton 360 or AVG Free 9.0.

Important note: It is important to run the removal tool after you uninstall the AV that you wish to remove.

Norton removal tool --> HERE
AVG removal tool --> HERE


++++++++++++++++++++++++++


Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.



~Semp



#5 jamessmith_uk
  • Topic Starter

  • Members
  • 13 posts

Posted 01 May 2010 - 03:09 PM

hi.

thanks for your help so far.

OK, here's my ComboFix log

ComboFix 10-05-01.01 - Administrator 01/05/2010 20:43:54.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1047 [GMT 1:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe
c:\program files\Dell\MediaDirect\PCMService.exe
c:\program files\Fingerprint Reader Suite\launcher.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\programdata\4XPjYE8t.exe
c:\programdata\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor
c:\programdata\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
c:\users\Administrator\AppData\Local\{4D64AEAC-AB78-4AB2-AFF4-D9616F79659D}
c:\users\Administrator\AppData\Local\{4D64AEAC-AB78-4AB2-AFF4-D9616F79659D}\chrome.manifest
c:\users\Administrator\AppData\Local\{4D64AEAC-AB78-4AB2-AFF4-D9616F79659D}\chrome\content\_cfg.js
c:\users\Administrator\AppData\Local\{4D64AEAC-AB78-4AB2-AFF4-D9616F79659D}\chrome\content\overlay.xul
c:\users\Administrator\AppData\Local\{4D64AEAC-AB78-4AB2-AFF4-D9616F79659D}\install.rdf
c:\users\Administrator\AppData\Roaming\E3AE9B0AF92703C741E6CFB2F705A153
c:\users\Administrator\AppData\Roaming\E3AE9B0AF92703C741E6CFB2F705A153\enemies-names.txt
c:\users\Administrator\AppData\Roaming\E3AE9B0AF92703C741E6CFB2F705A153\lsrslt.ini
c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor
c:\windows\OEM02Mon .exe
c:\windows\OEM02Mon.exe
c:\windows\system32\767430202.dat
c:\windows\system32\PRAGMAsrcr.dat
c:\windows\system32\drivers\hfmhtjvv.sys . . . . failed to delete

#6 jamessmith_uk
  • Topic Starter

  • Members
  • 13 posts

Posted 01 May 2010 - 03:10 PM


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_hfmhtjvv
-------\Service_hfmhtjvv


((((((((((((((((((((((((( Files Created from 2010-04-01 to 2010-05-01 )))))))))))))))))))))))))))))))
.

2010-05-01 19:53 . 2010-05-01 19:53 32 ----a-w- c:\windows\system32\767430202.dat
2010-05-01 19:51 . 2010-05-01 19:54 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-05-01 19:51 . 2010-05-01 19:51 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-01 19:51 . 2010-05-01 19:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-01 19:35 . 2010-05-01 19:35 -------- d-----w- c:\users\Administrator\AppData\Roaming\AVG9
2010-04-27 22:38 . 2010-05-01 19:54 823808 ----a-w- c:\windows\system32\drivers\hfmhtjvv.sys
2010-04-22 22:43 . 2010-04-22 22:43 -------- d-----w- c:\program files\Veetle
2010-04-16 20:25 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-16 20:25 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-16 20:25 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-16 20:25 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-16 20:24 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-16 20:24 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-16 20:24 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-16 20:24 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-16 20:24 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 20:49 . 2010-02-12 10:32 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-04-14 00:05 . 2010-03-29 23:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-14 00:05 . 2010-04-28 01:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-14 00:05 . 2010-03-29 23:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-13 22:36 . 2010-04-13 23:40 0 ----a-w- c:\users\Administrator\AppData\Local\Flaqeciyozoxujes.bin
2010-04-13 22:36 . 2010-04-13 22:36 120 ----a-w- c:\users\Administrator\AppData\Local\Eqijewob.dat
2010-04-13 17:36 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 17:36 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-01 19:54 . 2010-02-19 14:35 -------- d-----w- c:\program files\Common Files\Akamai
2010-05-01 19:52 . 2008-09-30 20:21 12 ----a-w- c:\windows\bthservsdp.dat
2010-05-01 19:50 . 2008-11-20 15:14 -------- d-----w- c:\program files\Fingerprint Reader Suite
2010-05-01 19:42 . 2010-05-01 19:13 112 ----a-w- c:\programdata\AaLTkH1s.dat
2010-05-01 18:59 . 2008-11-20 21:31 -------- d-----w- c:\program files\Symantec
2010-05-01 18:58 . 2008-10-25 07:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-26 18:10 . 2008-11-19 22:12 5972 ----a-w- c:\users\Administrator\AppData\Local\d3d9caps.dat
2010-04-21 20:28 . 2010-03-04 23:14 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-17 18:47 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-13 23:17 . 2010-03-08 22:08 -------- d-----w- c:\users\Administrator\AppData\Roaming\8BDDA4CF286D95A7B12AB393D9336A5B
2010-03-22 19:32 . 2010-03-22 19:32 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-13 19:52 . 2010-03-13 19:52 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-13 19:52 . 2010-03-04 23:14 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-13 19:51 . 2010-03-04 23:14 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-11 20:19 . 2010-03-11 20:19 -------- d-----w- c:\program files\Windows Portable Devices
2010-03-11 20:19 . 2010-03-11 20:19 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-03-11 20:18 . 2010-03-11 20:18 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-03-10 19:08 . 2010-03-10 18:34 -------- d-----w- c:\program files\Yahoo!
2010-03-10 19:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-03-10 19:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-03-10 19:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-03-10 19:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-03-10 19:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-03-10 19:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-03-10 18:34 . 2010-03-10 18:34 -------- d-----w- c:\users\Administrator\AppData\Roaming\Yahoo!
2010-03-10 18:33 . 2008-11-20 15:50 -------- d-----w- c:\program files\CCleaner
2010-03-10 17:47 . 2010-03-10 17:47 -------- d-----w- c:\program files\TrendMicro
2010-03-10 05:23 . 2010-02-16 19:18 -------- d-----w- c:\programdata\avg9
2010-03-10 00:20 . 2010-03-10 00:20 -------- d-----w- c:\users\Administrator\AppData\Roaming\Malwarebytes
2010-03-10 00:19 . 2010-03-10 00:19 -------- d-----w- c:\programdata\Malwarebytes
2010-03-04 23:16 . 2010-03-04 23:14 -------- d-----w- c:\programdata\AVG Security Toolbar
2010-03-04 23:13 . 2008-11-20 12:23 -------- d-----w- c:\program files\AVG
2010-02-26 22:02 . 2008-11-19 21:43 100432 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 09:16 . 2009-10-03 16:27 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-03-31 16:23 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 16:23 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-31 16:23 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-31 16:23 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-10 19:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-10 19:22 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-10 19:22 411648 ----a-w- c:\windows\system32\drivers\http.sys
2008-10-02 06:34 . 2008-10-02 06:34 76 --sh--r- c:\windows\CT4CET.bin
2010-01-05 19:03 . 2009-01-18 01:13 88 --sh--r- c:\windows\System32\ABAA080905.sys
2010-01-05 19:03 . 2009-01-18 01:03 2828 --sha-w- c:\windows\System32\KGyGaAvL.sys
2007-02-21 19:49 . 2007-02-21 19:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Dell\Dell Webcam Manager\DellWMgr .exe
c:\program files\Dell\MediaDirect\PCMService .exe
c:\program files\Fingerprint Reader Suite\launcher .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\SigmaTel\C-Major Audio\WDM\sttray .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
c:\windows\WindowsMobile\wmdSync .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 13:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-16 23:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-16 23:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [N/A]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [N/A]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [N/A]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-16 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-16 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-16 133656]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [N/A]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [N/A]
"PSQLLauncher"="c:\program files\Fingerprint Reader Suite\launcher.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [N/A]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-01 35844]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2010-05-01 35844]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2010-05-01 35844]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-16 23:04 86528 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-11-20 12:27 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-05-01 19:10 35844 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):53,fd,1e,9a,85,c0,ca,01

R0 vhvwieu;vhvwieu; [x]
R2 slsvcAudiosrv;Software Licensing slsvcAudiosrv;c:\windows\system32\amstreamp.exe [2008-01-19 63488]
R4 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-13 308064]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-13 216200]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-04-21 242896]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-09-20 73728]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-19 21504]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-02-26 179712]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2007-06-06 111616]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - HFMHTJVV
*Deregistered* - hfmhtjvv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-05-01 c:\windows\Tasks\At1.job
- c:\windows\Fonts\V2PQ1juXi.com [2010-05-01 19:10]

2010-05-01 c:\windows\Tasks\At10.job
- c:\windows\Fonts\V2PQ1juXi.com [2010-05-01 19:10]

2010-05-01 c:\windows\Tasks\At11.job
- c:\windows\Fonts\V2PQ1juXi.com [2010-05-01 19:10]

2010-05-01 c:\windows\Tasks\At12.job
- c:\windows\Fonts\V2PQ1juXi.com [2010-05-01 19:10]

2010-05-01 c:\windows\Tasks\At13.job
- c:\windows\Fonts\V2PQ1juXi.com [2010-05-01 19:10]

2010-05-01 c:\windows\Tasks\At14.job
- c:\windows\Fonts\V2PQ1juXi.com [2010-05-01 19:10]

2010-05-01 c:\windows\Tasks\At15.job
- c:\windows\Fonts\V2PQ1juXi.com [2010-05-01 19:10]

2010-05-01 c:\windows\Tasks\At16.job
- c:\windows\Fonts\V2PQ1juXi.com [2010-05-01 19:10]

2010-05-01 c:\windows\Tasks\At17.job
- c:\windows\Fonts\V2PQ1juXi.com [2010-05-01 19:10]

2010-05-01 c:\windows\Tasks\At18.job
- c:\windows\Fonts\V2PQ1juXi.com [2010-05-01 19:10]

2010-05-01 c:\windows\Tasks\At19.job
- c:\windows\Fonts\V2PQ1juXi.com [2010-05-01 19:10]

2010-05-01 c:\windows\Tasks\At2.job
- c:\windows\Fonts\V2PQ1juXi.com [2010-05-01 19:10]

2010-05-01 c:\windows\Tasks\At20.job
- c:\windows\Fonts\V2PQ1juXi.com [2010-05-01 19:10]

2010-05-01 c:\windows\Tasks\At21.job
- c:\windows\Fonts\V2PQ1juXi.com [2010-05-01 19:10]

2010-05-01 c:\windows\Tasks\At22.job
- c:\windows\Fonts\V2PQ1juXi.com [2010-05-01 19:10]

2010-05-01 c:\windows\Tasks\At23.job
- c:\windows\Fonts\V2PQ1juXi.com [2010-05-01 19:10]

2010-05-01 c:\windows\Tasks\At24.job
- c:\windows\Fonts\V2PQ1juXi.com [2010-05-01 19:10]

2010-05-01 c:\windows\Tasks\At3.job
- c:\windows\Fonts\V2PQ1juXi.com [2010-05-01 19:10]

2010-05-01 c:\windows\Tasks\At4.job
- c:\windows\Fonts\V2PQ1juXi.com [2010-05-01 19:10]

2010-05-01 c:\windows\Tasks\At5.job
- c:\windows\Fonts\V2PQ1juXi.com [2010-05-01 19:10]

2010-05-01 c:\windows\Tasks\At6.job
- c:\windows\Fonts\V2PQ1juXi.com [2010-05-01 19:10]

2010-05-01 c:\windows\Tasks\At7.job
- c:\windows\Fonts\V2PQ1juXi.com [2010-05-01 19:10]

2010-05-01 c:\windows\Tasks\At8.job
- c:\windows\Fonts\V2PQ1juXi.com [2010-05-01 19:10]

2010-05-01 c:\windows\Tasks\At9.job
- c:\windows\Fonts\V2PQ1juXi.com [2010-05-01 19:10]

2010-05-01 c:\windows\Tasks\User_Feed_Synchronization-{0D8C1C51-72A6-4F88-9557-989D1E2523F4}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-01 20:54
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3653.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3653.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hfmhtjvv]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,34,bd,0f,0a,b5,a8,40,b1,3d,62,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,34,bd,0f,0a,b5,a8,40,b1,3d,62,\

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.CDA"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.HTM"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.HTM"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M3U"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP3"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (Administrator)
"Progid"="RealPlayer.MP4.6"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.URL"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMD"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMS"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMZ"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WPL"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\SecuROM\License information*]
"datasecu"=hex:39,f5,32,46,63,96,62,1a,5c,10,aa,4f,cc,85,8a,c1,ae,a7,fd,8a,c5,
3a,a4,10,98,c0,8e,3b,22,9f,0d,b0,71,aa,6b,3c,9b,da,2d,d0,f1,86,26,93,ca,51,\
"rkeysecu"=hex:cb,10,f7,8f,90,21,e1,b7,a2,8c,f9,9f,9a,d8,bf,98

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(620)
c:\windows\system32\psqlpwd.dll
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll

- - - - - - - > 'Explorer.exe'(3792)
c:\program files\Fingerprint Reader Suite\farchns.dll
c:\program files\Fingerprint Reader Suite\infra.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Fingerprint Reader Suite\upeksvr.exe
c:\windows\system32\WLANExt.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PSIService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\STacSV.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-05-01 21:05:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-01 20:05
ComboFix2.txt 2010-03-10 18:25

Pre-Run: 39,483,248,640 bytes free
Post-Run: 40,842,129,408 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - B056F219243D12571E14BAFB0F6F5F9C


#7 sempai

  • Malware Response Team

Posted 02 May 2010 - 01:12 AM

Hi,


1. Please go to http://virscan.org/
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    c:\windows\system32\browserchoice.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.




2. We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
KillAll::

AtJob::

TDL::
C:\Windows\system32\DRIVERS\kbdclass.sys

Rootkit::
c:\windows\system32\drivers\hfmhtjvv.sys
c:\windows\Fonts\V2PQ1juXi.com
C:\Users\Administrator\AppData\Local\temp\sysmon64x.exe
c:\users\administrator\appdata\local\temp\sysmon64x.exe
c:\windows\system32\767430202.dat
c:\windows\system32\767430202.dat
c:\windows\system32\pragmabbr.dll
c:\windows\system32\pragmaserf.dll
c:\windows\system32\PRAGMAsrcr.dat
c:\windows\system32\drivers\hfmhtjvv.sys
c:\users\Administrator\AppData\Local\Flaqeciyozoxujes.bin
c:\users\Administrator\AppData\Local\Eqijewob.dat
c:\programdata\AaLTkH1s.dat

Folder::
c:\program files\Digital Protection

DDS::
uRun: [sysmon64x.exe] c:\users\administrator\appdata\local\temp\sysmon64x.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)

RenV::
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Dell\Dell Webcam Manager\DellWMgr .exe
c:\program files\Dell\MediaDirect\PCMService .exe
c:\program files\Fingerprint Reader Suite\launcher .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\SigmaTel\C-Major Audio\WDM\sttray .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
c:\windows\WindowsMobile\wmdSync .exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-

Driver::
vhvwieu

DirLook::
c:\users\Administrator\AppData\Roaming\8BDDA4CF286D95A7B12AB393D9336A5B
c:\users\admini~1\appdata\roaming\E3AE9B0AF92703C741E6CFB2F705A153


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#8 jamessmith_uk

  • Topic Starter

Posted 03 May 2010 - 07:06 AM

hi,

Am working my way through your post now; however, it wouldn't let me save the contents of the virus scan to the clipboard, so I've copied and pasted them here:

File information
File Name : browserchoice.exe
File Size : 293376 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : da1919d896dbd5895e138932ae9e398b
SHA1 : 361bee6e2535d9fc10a01ac6686be55d854fc5ba


Scanner results : Scanners did not find malware!


Time : 2010/05/03 12:59:59 (BST)
Scanner Engine Ver Sig Ver Sig Date Scan result Time
a-squared 4.5.0.8 20100501070118 2010-05-01 - 0.088
AhnLab V3 2010.04.30.02 2010.04.30 2010-04-30 - 0.079
AntiVir 8.2.1.224 7.10.7.18 2010-05-03 - 0.261
Antiy 2.0.18 20100429.4301541 2010-04-29 - 0.016
Arcavir 2009 201005020249 2010-05-02 - 0.188
Authentium 5.1.1 201005030444 2010-05-03 - 1.319
AVAST! 4.7.4 100503-0 2010-05-03 - 0.022
AVG 8.5.793 271.1.1/2851 2010-05-03 - 0.277
BitDefender 7.81008.5692969 7.31491 2010-05-03 - 3.649
ClamAV 0.95.3 10892 2010-05-03 - 0.057
Comodo 3.13.579 4738 2010-05-02 - 0.082
CP Secure 1.3.0.5 2010.05.03 2010-05-03 - 0.082
Dr.Web 5.0.2.3300 2010.05.03 2010-05-03 - 7.143
F-Prot 4.4.4.56 20100503 2010-05-03 - 1.301
F-Secure 7.02.73807 2010.05.03.05 2010-05-03 - 0.181
Fortinet 4.0.14 11.764 2010-05-01 - 0.082
GData 21.72/21.24 20100502 2010-05-02 - 0.086
Ikarus T3.1.01.80 2010.05.03.75770 2010-05-03 - 5.884
JiangMin 13.0.900 2010.05.03 2010-05-03 - 0.080
Kaspersky 5.5.10 2010.05.03 2010-05-03 - 0.132
KingSoft 2009.2.5.15 2010.5.3.17 2010-05-03 - 0.080
McAfee 5400.1158 5970 2010-05-02 - 0.023
Microsoft 1.5703 2010.05.01 2010-05-01 - 0.085
Norman 6.04.12 6.04.00 2010-05-02 - 4.008
nProtect 20100501.01 8055427 2010-05-01 - 0.079
Panda 9.05.01 2010.05.01 2010-05-01 - 0.084
Quick Heal 10.00 2010.05.01 2010-05-01 - 0.083
Rising 20.0 22.45.04.03 2010-04-30 - 0.088
Sophos 3.06.0 4.52 2010-05-03 - 3.688
Sunbelt 3.9.2418.2 6248 2010-05-01 - 0.080
Symantec 1.3.0.24 20100502.005 2010-05-02 - 0.057
The Hacker 6.5.2.0 v00275 2010-05-01 - 0.080
Trend Micro 9.120-1004 7.144.06 2010-05-03 - 0.044
VBA32 3.12.12.4 20100502.0849 2010-05-02 - 2.539
ViRobot 20100501 2010.05.01 2010-05-01 - 0.081
VirusBuster 4.5.11.10 10.126.11/2000534 2010-05-02 - 2.471

Edited by jamessmith_uk, 03 May 2010 - 07:23 AM.


#9 sempai

  • Malware Response Team

Posted 03 May 2010 - 07:42 AM

Hi,

Please post the contents of ComboFix.txt when ready. Thanks.

~Semp



#10 jamessmith_uk

  • Topic Starter

Posted 03 May 2010 - 07:54 AM

ComboFix 10-05-02.03 - Administrator 03/05/2010 13:32:28.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1087 [GMT 1:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\users\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\767430202.dat
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\system32\driVERs\hfmhtjvv.sys . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_vhvwieu
-------\Legacy_hfmhtjvv
-------\Service_hfmhtjvv


((((((((((((((((((((((((( Files Created from 2010-04-03 to 2010-05-03 )))))))))))))))))))))))))))))))
.

2010-05-03 12:41 . 2010-05-03 12:41 32 ----a-w- c:\windows\system32\767430202.dat
2010-05-03 12:39 . 2010-05-03 12:41 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-05-03 12:39 . 2010-05-03 12:39 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-03 12:39 . 2010-05-03 12:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-01 19:35 . 2010-05-01 19:35 -------- d-----w- c:\users\Administrator\AppData\Roaming\AVG9
2010-04-27 22:38 . 2010-05-03 12:42 823808 ----a-w- c:\windows\system32\drivers\hfmhtjvv.sys
2010-04-22 22:43 . 2010-04-22 22:43 -------- d-----w- c:\program files\Veetle
2010-04-16 20:25 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-16 20:25 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-16 20:25 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-16 20:25 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-16 20:24 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-16 20:24 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-16 20:24 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-16 20:24 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-16 20:24 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 20:49 . 2010-02-12 10:32 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-04-14 00:05 . 2010-03-29 23:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-14 00:05 . 2010-04-28 01:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-14 00:05 . 2010-03-29 23:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-13 22:36 . 2010-04-13 23:40 0 ----a-w- c:\users\Administrator\AppData\Local\Flaqeciyozoxujes.bin
2010-04-13 22:36 . 2010-04-13 22:36 120 ----a-w- c:\users\Administrator\AppData\Local\Eqijewob.dat
2010-04-13 17:36 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 17:36 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 12:46 . 2010-05-03 12:46 68614 ----a-w- c:\programdata\4XPjYE8t.exe
2010-05-03 12:43 . 2008-11-20 15:14 -------- d-----w- c:\program files\Fingerprint Reader Suite
2010-05-03 12:43 . 2010-03-25 22:41 439816 ----a-w- c:\users\Administrator\AppData\Roaming\Real\Update\setup3.10\setup.exe
2010-05-03 12:41 . 2010-02-19 14:35 -------- d-----w- c:\program files\Common Files\Akamai
2010-05-03 12:40 . 2008-09-30 20:21 12 ----a-w- c:\windows\bthservsdp.dat
2010-05-01 23:59 . 2010-05-01 19:13 112 ----a-w- c:\programdata\AaLTkH1s.dat
2010-05-01 18:59 . 2008-11-20 21:31 -------- d-----w- c:\program files\Symantec
2010-05-01 18:58 . 2008-10-25 07:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-26 18:10 . 2008-11-19 22:12 5972 ----a-w- c:\users\Administrator\AppData\Local\d3d9caps.dat
2010-04-21 20:29 . 2010-04-21 20:29 242696 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-04-21 20:28 . 2010-03-04 23:14 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-21 20:28 . 2010-04-21 20:28 1689952 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-04-17 18:47 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-13 23:17 . 2010-03-08 22:08 -------- d-----w- c:\users\Administrator\AppData\Roaming\8BDDA4CF286D95A7B12AB393D9336A5B
2010-04-09 20:18 . 2010-04-09 20:18 4255072 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-03-22 19:32 . 2010-03-22 19:32 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-13 19:52 . 2010-03-13 19:52 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-13 19:52 . 2010-03-04 23:14 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-13 19:51 . 2010-03-04 23:14 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-11 20:19 . 2010-03-11 20:19 -------- d-----w- c:\program files\Windows Portable Devices
2010-03-11 20:19 . 2010-03-11 20:19 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-03-11 20:18 . 2010-03-11 20:18 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-03-10 19:08 . 2010-03-10 18:34 -------- d-----w- c:\program files\Yahoo!
2010-03-10 19:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-03-10 19:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-03-10 19:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-03-10 19:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-03-10 19:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-03-10 19:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-03-10 18:34 . 2010-03-10 18:34 -------- d-----w- c:\users\Administrator\AppData\Roaming\Yahoo!
2010-03-10 18:33 . 2008-11-20 15:50 -------- d-----w- c:\program files\CCleaner
2010-03-10 17:47 . 2010-03-10 17:47 388096 ----a-r- c:\users\Administrator\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-03-10 17:47 . 2010-03-10 17:47 -------- d-----w- c:\program files\TrendMicro
2010-03-10 05:23 . 2010-02-16 19:18 -------- d-----w- c:\programdata\avg9
2010-03-10 00:20 . 2010-03-10 00:20 -------- d-----w- c:\users\Administrator\AppData\Roaming\Malwarebytes
2010-03-10 00:19 . 2010-03-10 00:19 -------- d-----w- c:\programdata\Malwarebytes
2010-03-04 23:16 . 2010-03-04 23:14 -------- d-----w- c:\programdata\AVG Security Toolbar
2010-03-04 23:13 . 2008-11-20 12:23 -------- d-----w- c:\program files\AVG
2010-02-26 22:02 . 2008-11-19 21:43 100432 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 09:16 . 2009-10-03 16:27 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-03-31 16:23 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 16:23 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-31 16:23 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-31 16:23 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-10 19:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-10 19:22 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-10 19:22 411648 ----a-w- c:\windows\system32\drivers\http.sys
2008-10-02 06:34 . 2008-10-02 06:34 76 --sh--r- c:\windows\CT4CET.bin
2010-01-05 19:03 . 2009-01-18 01:13 88 --sh--r- c:\windows\System32\ABAA080905.sys
2010-01-05 19:03 . 2009-01-18 01:03 2828 --sha-w- c:\windows\System32\KGyGaAvL.sys
2007-02-21 19:49 . 2007-02-21 19:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
CODE
<pre>
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Dell\Dell Webcam Manager\DellWMgr .exe
c:\program files\Dell\MediaDirect\PCMService .exe
c:\program files\Fingerprint Reader Suite\launcher .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\SigmaTel\C-Major Audio\WDM\sttray .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
c:\windows\WindowsMobile\wmdSync .exe
</pre>


(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\admini~1\appdata\roaming\E3AE9B0AF92703C741E6CFB2F705A153 ----


---- Directory of c:\users\Administrator\AppData\Roaming\8BDDA4CF286D95A7B12AB393D9336A5B ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 13:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-16 23:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-16 23:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2010-05-03 35844]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2010-05-03 35844]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-05-03 35844]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-16 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-16 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-16 133656]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [N/A]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2010-05-03 35844]
"PSQLLauncher"="c:\program files\Fingerprint Reader Suite\launcher.exe" [2010-05-03 35844]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-05-03 35844]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-03 35844]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2010-05-03 35844]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2010-05-03 35844]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-16 23:04 86528 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-05-03 12:43 35844 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-11-20 12:27 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-05-03 12:43 35844 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):53,fd,1e,9a,85,c0,ca,01

R2 ehstartRemoteRegistry;Windows Media Center Service Launcher ehstartRemoteRegistry;c:\windows\system32\12520437e.exe [2008-01-19 66560]
R2 slsvcAudiosrv;Software Licensing slsvcAudiosrv;c:\windows\system32\amstreamp.exe [x]
R4 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-13 308064]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-13 216200]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-04-21 242896]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-09-20 73728]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-19 21504]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-02-26 179712]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2007-06-06 111616]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - HFMHTJVV
*Deregistered* - hfmhtjvv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-05-03 c:\windows\Tasks\At1.job
- c:\programdata\4XPjYE8t.exe [2010-05-03 12:46]

2010-05-03 c:\windows\Tasks\At10.job
- c:\programdata\4XPjYE8t.exe [2010-05-03 12:46]

2010-05-03 c:\windows\Tasks\At11.job
- c:\programdata\4XPjYE8t.exe [2010-05-03 12:46]

2010-05-03 c:\windows\Tasks\At12.job
- c:\programdata\4XPjYE8t.exe [2010-05-03 12:46]

2010-05-03 c:\windows\Tasks\At13.job
- c:\programdata\4XPjYE8t.exe [2010-05-03 12:46]

2010-05-03 c:\windows\Tasks\At14.job
- c:\programdata\4XPjYE8t.exe [2010-05-03 12:46]

2010-05-03 c:\windows\Tasks\At15.job
- c:\programdata\4XPjYE8t.exe [2010-05-03 12:46]

2010-05-03 c:\windows\Tasks\At16.job
- c:\programdata\4XPjYE8t.exe [2010-05-03 12:46]

2010-05-03 c:\windows\Tasks\At17.job
- c:\programdata\4XPjYE8t.exe [2010-05-03 12:46]

2010-05-03 c:\windows\Tasks\At18.job
- c:\programdata\4XPjYE8t.exe [2010-05-03 12:46]

2010-05-03 c:\windows\Tasks\At19.job
- c:\programdata\4XPjYE8t.exe [2010-05-03 12:46]

2010-05-03 c:\windows\Tasks\At2.job
- c:\programdata\4XPjYE8t.exe [2010-05-03 12:46]

2010-05-03 c:\windows\Tasks\At20.job
- c:\programdata\4XPjYE8t.exe [2010-05-03 12:46]

2010-05-03 c:\windows\Tasks\At21.job
- c:\programdata\4XPjYE8t.exe [2010-05-03 12:46]

2010-05-03 c:\windows\Tasks\At22.job
- c:\programdata\4XPjYE8t.exe [2010-05-03 12:46]

2010-05-03 c:\windows\Tasks\At23.job
- c:\programdata\4XPjYE8t.exe [2010-05-03 12:46]

2010-05-03 c:\windows\Tasks\At24.job
- c:\programdata\4XPjYE8t.exe [2010-05-03 12:46]

2010-05-03 c:\windows\Tasks\At3.job
- c:\programdata\4XPjYE8t.exe [2010-05-03 12:46]

2010-05-03 c:\windows\Tasks\At4.job
- c:\programdata\4XPjYE8t.exe [2010-05-03 12:46]

2010-05-03 c:\windows\Tasks\At5.job
- c:\programdata\4XPjYE8t.exe [2010-05-03 12:46]

2010-05-03 c:\windows\Tasks\At6.job
- c:\programdata\4XPjYE8t.exe [2010-05-03 12:46]

2010-05-03 c:\windows\Tasks\At7.job
- c:\programdata\4XPjYE8t.exe [2010-05-03 12:46]

2010-05-03 c:\windows\Tasks\At8.job
- c:\programdata\4XPjYE8t.exe [2010-05-03 12:46]

2010-05-03 c:\windows\Tasks\At9.job
- c:\programdata\4XPjYE8t.exe [2010-05-03 12:46]

2010-05-03 c:\windows\Tasks\User_Feed_Synchronization-{0D8C1C51-72A6-4F88-9557-989D1E2523F4}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3653.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3653.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hfmhtjvv]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,34,bd,0f,0a,b5,a8,40,b1,3d,62,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,34,bd,0f,0a,b5,a8,40,b1,3d,62,\

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.CDA"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.HTM"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.HTM"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M3U"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP3"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (Administrator)
"Progid"="RealPlayer.MP4.6"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.URL"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMD"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMS"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMZ"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WPL"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\SecuROM\License information*]
"datasecu"=hex:39,f5,32,46,63,96,62,1a,5c,10,aa,4f,cc,85,8a,c1,ae,a7,fd,8a,c5,
3a,a4,10,98,c0,8e,3b,22,9f,0d,b0,71,aa,6b,3c,9b,da,2d,d0,f1,86,26,93,ca,51,\
"rkeysecu"=hex:cb,10,f7,8f,90,21,e1,b7,a2,8c,f9,9f,9a,d8,bf,98

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(684)
c:\windows\system32\psqlpwd.dll
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll

- - - - - - - > 'Explorer.exe'(3936)
c:\program files\Fingerprint Reader Suite\farchns.dll
c:\program files\Fingerprint Reader Suite\infra.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Fingerprint Reader Suite\upeksvr.exe
c:\windows\system32\WLANExt.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PSIService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\STacSV.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Fingerprint Reader Suite\psqltray.exe
c:\program files\Dell\MediaDirect\PCMService .exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-05-03 13:51:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-03 12:51
ComboFix2.txt 2010-05-01 20:05
ComboFix3.txt 2010-03-10 18:25

Pre-Run: 37,766,643,712 bytes free
Post-Run: 37,579,452,416 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 29158657FD0BE964B7D741B37142F6DD


#11 sempai

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 03 May 2010 - 09:01 AM

Hi,

New sets of infections are present; please limit the use of the internet and the PC, as it's heavily infected.


+++++++++++++++++++++++++

The next tool that I want you to use is very powerful; please don't do anything with it unless instructed. Thanks.

Download The Avenger2 by SwanDog46.
  1. Unzip avenger.exe to your desktop.
  2. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"

    CODE
    Drivers to disable:
    hfmhtjvv

    Drivers to delete:
    hfmhtjvv

    Files to delete:
    c:\windows\system32\driVERs\hfmhtjvv.sys
    c:\windows\system32\767430202.dat
    c:\users\Administrator\AppData\Local\Flaqeciyozoxujes.bin
    c:\users\Administrator\AppData\Local\Eqijewob.dat
    c:\programdata\4XPjYE8t.exe
    c:\programdata\AaLTkH1s.dat
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job

  3. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  4. Read the prompt that appears, and press OK.
  5. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  6. Press the "Execute" button.
  7. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  8. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log (C:\avenger.txt) will open. Please paste that log here in your next post.

~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I haven't replied within 48 hours, please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)


#12 jamessmith_uk

  • Topic Starter
  • Members
  • 13 posts

Posted 03 May 2010 - 09:48 AM

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "hfmhtjvv" disabled successfully.
Driver "hfmhtjvv" deleted successfully.
File "c:\windows\system32\driVERs\hfmhtjvv.sys" deleted successfully.
File "c:\windows\system32\767430202.dat" deleted successfully.
File "c:\users\Administrator\AppData\Local\Flaqeciyozoxujes.bin" deleted successfully.
File "c:\users\Administrator\AppData\Local\Eqijewob.dat" deleted successfully.
File "c:\programdata\4XPjYE8t.exe" deleted successfully.
File "c:\programdata\AaLTkH1s.dat" deleted successfully.
File "c:\windows\Tasks\At1.job" deleted successfully.
File "c:\windows\Tasks\At10.job" deleted successfully.
File "c:\windows\Tasks\At11.job" deleted successfully.
File "c:\windows\Tasks\At12.job" deleted successfully.
File "c:\windows\Tasks\At13.job" deleted successfully.
File "c:\windows\Tasks\At14.job" deleted successfully.
File "c:\windows\Tasks\At15.job" deleted successfully.
File "c:\windows\Tasks\At16.job" deleted successfully.
File "c:\windows\Tasks\At17.job" deleted successfully.
File "c:\windows\Tasks\At18.job" deleted successfully.
File "c:\windows\Tasks\At19.job" deleted successfully.
File "c:\windows\Tasks\At2.job" deleted successfully.
File "c:\windows\Tasks\At20.job" deleted successfully.
File "c:\windows\Tasks\At21.job" deleted successfully.
File "c:\windows\Tasks\At22.job" deleted successfully.
File "c:\windows\Tasks\At23.job" deleted successfully.
File "c:\windows\Tasks\At24.job" deleted successfully.
File "c:\windows\Tasks\At3.job" deleted successfully.
File "c:\windows\Tasks\At4.job" deleted successfully.
File "c:\windows\Tasks\At5.job" deleted successfully.
File "c:\windows\Tasks\At6.job" deleted successfully.
File "c:\windows\Tasks\At7.job" deleted successfully.
File "c:\windows\Tasks\At8.job" deleted successfully.
File "c:\windows\Tasks\At9.job" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


#13 sempai

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 03 May 2010 - 09:55 AM

Looks good.

Can you please run Combofix again? Disable your antivirus / anti-malware programs, then double-click the Combofix icon. Thanks.

~Semp



#14 jamessmith_uk

  • Topic Starter
  • Members
  • 13 posts

Posted 03 May 2010 - 11:12 AM

ComboFix 10-05-02.03 - Administrator 03/05/2010 16:58:25.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1114 [GMT 1:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
c:\program files\Common Files\Real\Update_OB\realsched.exe
c:\program files\Fingerprint Reader Suite\launcher.exe
c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe
c:\windows\system32\767430202.dat

.
((((((((((((((((((((((((( Files Created from 2010-04-03 to 2010-05-03 )))))))))))))))))))))))))))))))
.

2010-05-03 16:04 . 2010-05-03 16:05 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-05-03 16:04 . 2010-05-03 16:04 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-03 16:04 . 2010-05-03 16:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-01 19:35 . 2010-05-01 19:35 -------- d-----w- c:\users\Administrator\AppData\Roaming\AVG9
2010-04-22 22:43 . 2010-04-22 22:43 -------- d-----w- c:\program files\Veetle
2010-04-21 20:29 . 2010-04-21 20:29 242696 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-04-21 20:28 . 2010-04-21 20:28 1689952 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-04-16 20:25 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-16 20:25 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-16 20:25 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-16 20:25 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-16 20:24 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-16 20:24 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-16 20:24 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-16 20:24 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-16 20:24 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 20:49 . 2010-02-12 10:32 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-04-14 00:05 . 2010-03-29 23:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-14 00:05 . 2010-04-28 01:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-14 00:05 . 2010-03-29 23:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-13 17:36 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 17:36 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-09 20:18 . 2010-04-09 20:18 4255072 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 16:04 . 2008-11-20 15:14 -------- d-----w- c:\program files\Fingerprint Reader Suite
2010-05-03 15:55 . 2010-02-19 14:35 -------- d-----w- c:\program files\Common Files\Akamai
2010-05-03 15:54 . 2008-09-30 20:21 12 ----a-w- c:\windows\bthservsdp.dat
2010-05-03 12:43 . 2010-03-25 22:41 439816 ----a-w- c:\users\Administrator\AppData\Roaming\Real\Update\setup3.10\setup.exe
2010-05-01 19:10 . 2010-05-01 19:10 35840 ----a-w- c:\windows\Fonts\V2PQ1juXi.com
2010-05-01 18:59 . 2008-11-20 21:31 -------- d-----w- c:\program files\Symantec
2010-05-01 18:58 . 2008-10-25 07:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-26 18:10 . 2008-11-19 22:12 5972 ----a-w- c:\users\Administrator\AppData\Local\d3d9caps.dat
2010-04-21 20:28 . 2010-03-04 23:14 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-17 18:47 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-13 23:17 . 2010-03-08 22:08 -------- d-----w- c:\users\Administrator\AppData\Roaming\8BDDA4CF286D95A7B12AB393D9336A5B
2010-03-22 19:32 . 2010-03-22 19:32 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-13 19:52 . 2010-03-13 19:52 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-13 19:52 . 2010-03-04 23:14 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-13 19:51 . 2010-03-04 23:14 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-11 20:19 . 2010-03-11 20:19 -------- d-----w- c:\program files\Windows Portable Devices
2010-03-11 20:19 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-03-11 20:19 . 2010-03-11 20:19 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-03-11 20:18 . 2010-03-11 20:18 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-03-10 19:08 . 2010-03-10 18:34 -------- d-----w- c:\program files\Yahoo!
2010-03-10 19:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-03-10 19:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-03-10 19:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-03-10 19:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-03-10 19:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-03-10 19:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-03-10 18:34 . 2010-03-10 18:34 -------- d-----w- c:\users\Administrator\AppData\Roaming\Yahoo!
2010-03-10 18:33 . 2008-11-20 15:50 -------- d-----w- c:\program files\CCleaner
2010-03-10 17:47 . 2010-03-10 17:47 388096 ----a-r- c:\users\Administrator\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-03-10 17:47 . 2010-03-10 17:47 -------- d-----w- c:\program files\TrendMicro
2010-03-10 05:23 . 2010-02-16 19:18 -------- d-----w- c:\programdata\avg9
2010-03-10 00:20 . 2010-03-10 00:20 -------- d-----w- c:\users\Administrator\AppData\Roaming\Malwarebytes
2010-03-10 00:19 . 2010-03-10 00:19 -------- d-----w- c:\programdata\Malwarebytes
2010-03-04 23:16 . 2010-03-04 23:14 -------- d-----w- c:\programdata\AVG Security Toolbar
2010-03-04 23:13 . 2008-11-20 12:23 -------- d-----w- c:\program files\AVG
2010-02-26 22:02 . 2008-11-19 21:43 100432 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 09:16 . 2009-10-03 16:27 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-03-31 16:23 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 16:23 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-31 16:23 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-31 16:23 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-10 19:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-10 19:22 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-10 19:22 411648 ----a-w- c:\windows\system32\drivers\http.sys
2008-10-02 06:34 . 2008-10-02 06:34 76 --sh--r- c:\windows\CT4CET.bin
2010-01-05 19:03 . 2009-01-18 01:13 88 --sh--r- c:\windows\System32\ABAA080905.sys
2010-01-05 19:03 . 2009-01-18 01:03 2828 --sha-w- c:\windows\System32\KGyGaAvL.sys
2007-02-21 19:49 . 2007-02-21 19:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
CODE
<pre>
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Dell\Dell Webcam Manager\DellWMgr .exe
c:\program files\Dell\MediaDirect\PCMService .exe
c:\program files\Fingerprint Reader Suite\launcher .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\SigmaTel\C-Major Audio\WDM\sttray .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
c:\windows\WindowsMobile\wmdSync .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 13:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-16 23:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-16 23:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2010-05-03 35844]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2010-05-03 35844]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-05-03 35844]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-16 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-16 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-16 133656]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [N/A]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2010-05-03 35844]
"PSQLLauncher"="c:\program files\Fingerprint Reader Suite\launcher.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [N/A]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [N/A]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [N/A]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2010-05-03 35844]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-16 23:04 86528 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-11-20 12:27 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
c:\program files\Common Files\Real\Update_OB\realsched.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):53,fd,1e,9a,85,c0,ca,01

R2 ehstartRemoteRegistry;Windows Media Center Service Launcher ehstartRemoteRegistry;c:\windows\system32\12520437e.exe [2008-01-19 66560]
R2 slsvcAudiosrv;Software Licensing slsvcAudiosrv;c:\windows\system32\amstreamp.exe [x]
R4 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-13 308064]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-13 216200]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-04-21 242896]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-09-20 73728]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-19 21504]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-02-26 179712]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2007-06-06 111616]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-05-03 c:\windows\Tasks\User_Feed_Synchronization-{0D8C1C51-72A6-4F88-9557-989D1E2523F4}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-03 17:05
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3653.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3653.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,34,bd,0f,0a,b5,a8,40,b1,3d,62,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,34,bd,0f,0a,b5,a8,40,b1,3d,62,\

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.CDA"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.HTM"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.HTM"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M3U"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP3"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (Administrator)
"Progid"="RealPlayer.MP4.6"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.URL"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMD"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMS"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMZ"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WPL"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML"

[HKEY_USERS\S-1-5-21-1322823359-3401090112-634230906-500\Software\SecuROM\License information*]
"datasecu"=hex:39,f5,32,46,63,96,62,1a,5c,10,aa,4f,cc,85,8a,c1,ae,a7,fd,8a,c5,
3a,a4,10,98,c0,8e,3b,22,9f,0d,b0,71,aa,6b,3c,9b,da,2d,d0,f1,86,26,93,ca,51,\
"rkeysecu"=hex:cb,10,f7,8f,90,21,e1,b7,a2,8c,f9,9f,9a,d8,bf,98

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(680)
c:\windows\system32\psqlpwd.dll
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll

- - - - - - - > 'Explorer.exe'(1620)
c:\program files\Fingerprint Reader Suite\farchns.dll
c:\program files\Fingerprint Reader Suite\infra.dll
.
Completion time: 2010-05-03 17:07:42
ComboFix-quarantined-files.txt 2010-05-03 16:07
ComboFix2.txt 2010-05-03 12:51
ComboFix3.txt 2010-05-01 20:05
ComboFix4.txt 2010-03-10 18:25

Pre-Run: 33,788,325,888 bytes free
Post-Run: 33,816,838,144 bytes free

- - End Of File - - 7E11C8253EAC511CEFA67F92F3B994A9


#15 jamessmith_uk


Posted 03 May 2010 - 11:12 AM

Post-Run: 33,816,838,144 bytes free

- - End Of File - - 7E11C8253EAC511CEFA67F92F3B994A9




