Infected w/ Fake Windows Security and/or BackDoor.Tdss.565

Hello kind and generous experts! :-)

A few days ago I was hit with the Fake Windows Security 2010. Crazy pops everywhere, Google results redirected to spam sites (any browser), and Chrome my primary browser didn't load and pages. Firefox and IE were working OK when directly typing in a URL. I had been running Panda Anti virus (never again) and without a firewall (bad I know)

First thing I tried is system restore to before I had the problem. That seemed to help and removed the crazy pop ups, but I still had Google results going to the wrong place and Chrome didn't work. Also have a new problem where the Just-in-time debugger is constantly trying to run. Other browsers are still OK when directly typing URLs.

Tried to get Spybot Search and Destroy to run (was already installed) but it hung on load.

Next I installed AVG Internet Security. Their firewall is now active. I ran their scan and it found and quarantined the below problems.

• Trojan horse Cyrptic HJ
• Trojan horse SHeur3.UMU
• Trojan horse Crypt.MBP

Rebooted but no change in computer behavior at this point.

Installed and ran Ad-aware, it found and quarantined the below problems.

• Win32.Adware.Burn4Free - Adware
• Win32.TrojanDownloader.Genome - Malware

Rebooted but no change in computer behavior at this point.

Next I installed and ran Malwarebytes, below is what is found and removed.

<snip>

Registry Keys Infected:
HKEY_CLASSES_ROOTInterface{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOTTypelib{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionExtStats{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionExtSettings{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOTminibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOTminibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USERSOFTWAREAvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallWeather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

<snip>

Registry Data Items Infected:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterAntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterFirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterUpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
<snip>

Rebooted but no change in computer behavior at this point.

So then I tried Spybot Search and Destroy again, this time it came up.
<trying to find logs>

Rebooted but no change in computer behavior at this point.

Next I ran Dr.Web Scanner for Windows. It found a few things. I can't find the log, so I don't know exactly. I had it fix what it found. But the problem is that whenever I reboot computer and rerun Dr.Web it is still finding and removing the below.

Process in memory: C:WINDOWSExplorer.EXE:512, Status=BackDoorTdss.565

So although a lot stuff has been cleaned up, the malware is still hiding somewhere.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Stefan at 14:09:51.37 on Tue 05/04/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.1233 [GMT -4:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:WINDOWSsystem32Ati2evxx.exe
C:WINDOWSsystem32svchost -k DcomLaunch
svchost.exe
C:WINDOWSsystem32svchost.exe -k WudfServiceGroup
C:WINDOWSsystem32Ati2evxx.exe
C:Program FilesAVGAVG9avgchsvx.exe
C:Program FilesAVGAVG9avgrsx.exe
C:WINDOWSSystem32svchost.exe -k netsvcs
C:Program FilesAVGAVG9avgcsrvx.exe
svchost.exe
svchost.exe
C:Program FilesLavasoftAd-AwareAAWService.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32spoolsv.exe
C:Program FilesAVGAVG9Identity ProtectionAgentBinAVGIDSAgent.exe
C:PROGRA~1AVGAVG9avgtray.exe
C:Program FilesWeather Watcherww.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesATI TechnologiesATI.ACECore-StaticMOM.exe
C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe
C:Program FilesHPDigital Imagingbinhpomau08.exe
C:Program FilesHPDigital Imagingbinhpotdd01.exe
svchost.exe
C:Program FilesJungle Disk DesktopJungleDiskMonitor.exe
C:Documents and SettingsStefanLocal SettingsApplication DataGoogleUpdate1.2.183.23GoogleCrashHandler.exe
C:WINDOWSSYSTEM32taskmgr.exe
C:Program FilesAVGAVG9Identity Protectionagentbinavgidsmonitor.exe
C:Program FilesAVGAVG9avgwdsvc.exe
C:Program FilesHPDigital Imagingbinhpoevm08.exe
C:Program FilesAVGAVG9avgfws9.exe
C:WINDOWSSystem32CTSvcCDA.EXE
C:WINDOWSsystem32crypserv.exe
C:Program FilesAVGAVG9avgam.exe
C:Program FilesAVGAVG9avgnsx.exe
C:WINDOWSSystem32svchost.exe -k HTTPFilter
C:Program FilesJavajre6binjqs.exe
C:Program FilesJungle Disk DesktopJungleDiskMonitor.exe
C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE
C:Program FilesAVGAVG9avgcsrvx.exe
C:WINDOWSSystem32tcpsvcs.exe
C:WINDOWSSystem32svchost.exe -k imgsvc
C:WINDOWSSystem32MsPMSPSv.exe
C:WINDOWSSystem32HPZipm12.exe
C:Program FilesAVGAVG9avgui.exe
C:Program FilesATI TechnologiesATI.ACECore-Staticccc.exe
C:Documents and SettingsStefanLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Program FilesHPDigital ImagingBinhpoSTS08.exe
C:Program FilesHPDigital ImagingBinhpoFXM08.exe
C:Program FilesLavasoftAd-AwareAAWTray.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Documents and SettingsStefanMy DocumentsDownloadslz8p34aa.exe
C:DOCUME~1StefanLOCALS~1TempRarSFX39k3857.exe
C:DOCUME~1StefanLOCALS~1TempRarSFX3yax2gXP.exe
C:PROGRA~1COMMON~1MICROS~1VS7Debugvs7jit.exe
C:Documents and SettingsStefanMy DocumentsDownloadsdds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:program filescommon filesadobeacrobatactivexAcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:program filesavgavg9avgssie.dll
BHO: Virtual Storage Mount Notification: {3cf560dc-dfcb-4737-82c2-9564ca8f733b} - c:windowssystem32VSMntNtf.dll
BHO: IeCaptureBho Object: {7c1ce531-09e9-4fc5-9803-1c2956615786} - c:program filesgooglegoogle desktop searchGoogleDesktopIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:program filesgooglegoogle toolbarGoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:program filesgooglegoogletoolbarnotifier5.4.4525.1752swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:program filesgooglegoogle toolbarcomponentfastsearch_B7C5AC242193BB3E.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:program filesjavajre6libdeployjqsiejqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:program filesyahoo!companioninstallscpnyt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:program filesgooglegoogle toolbarGoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {5AA06644-BC46-4220-A460-47A6EB47C96D} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [WeatherWatcher] c:program filesweather watcherww.exe
uRun: [Google Update] "c:documents and settingsstefanlocal settingsapplication datagoogleupdateGoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:windowssystem32ctfmon.exe
uRun: [swg] "c:program filesgooglegoogletoolbarnotifierGoogleToolbarNotifier.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:windowssystem32NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:windowssystem32NvMcTray.dll,NvTaskbarInit
mRun: [AVG9_TRAY] c:progra~1avgavg9avgtray.exe
mRun: [StartCCC] "c:program filesati technologiesati.acecore-staticCLIStart.exe" MSRun
mRun: [QuickTime Task] "c:program filesquicktimeqttask.exe" -atboottime
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:docume~1stefanstartm~1programsstartupshortc~1.lnk -

c:windowssystem32taskmgr.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartuphpoffi~1.lnk - c:program fileshpdigital

imagingbinhpomau08.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartuphpoddt~1.lnk - c:program fileshpdigital

imagingbinhpotdd01.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupjungle~1.lnk - c:program filesjungle

disk desktopJungleDiskMonitor.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:windowssystem32GPhotos.scr/200
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:program filespokerstarsPokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:program filesmessengermsmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} -

c:progra~1micros~3office11REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} -

c:windowssystem32Shdocvw.dll
DPF: {01111C00-3E00-11D2-8470-0060089874ED} - hxxp://help.rr.com/Foundrysdccommon/download/tgctlar.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://echat.bellsouth.net/sdccommon/download/tgctlcm.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} -

hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/download/ipixx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -

hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxps://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} - hxxp://www.merriam-webster.com/toolbar/webinstall.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {4E330863-6A11-11D0-BFD8-006097237877} - hxxp://pdclive.convergys.com/download/iftwclix.cab
DPF: {53A1630A-DB38-4316-B18F-911719E1F66E} - hxxp://fdl.msn.com/public/investor/v11/ticker.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} -

hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -

hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238199286859
DPF: {70647AB5-18FD-4142-82B0-5852478DD0D4} -

hxxp://xms.keynote.com/applications/connector/download/ConnectorLauncher.cab
DPF: {72944257-0AE0-44FD-8A51-AA21853092C8} - hxxps://www.stu.uophx.edu/secure/PhxStudent15.CAB
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://10.0.0.104/Remote/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -

hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {94B82441-A413-4E43-8422-D49930E69764} - hxxps://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -

hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37986.4012152778
DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D0} - hxxp://www.therealyellowpageslive.net/live/ezlistng.cab
DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - hxxp://www.therealyellowpageslive.net/live/ezinit.cab
DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} - hxxps://www.stu.uophx.edu/secure/PhxStudent15.CAB
DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} - hxxp://www.linksysfix.com/netcheck/51/install/gtdownls.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} -

hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/mail/autocomplete.cab
DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} -

hxxp://helpdeskreports.cmg.convergys.com/viewer/activeXViewer/activexviewer.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} -

hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} -

hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/asa/SymAData.cab
DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} - hxxp://wsp.livedownloads.com/nugster/dlControl.CAB
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -

hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

hxxps://convergys.webex.com/client/latest/webex/ieatgpc.cab
DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} -

hxxp://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:program filesavgavg9avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:progra~1common~1skypeSKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -

c:windowssystem32WPDShServiceObj.dll
SSODL: EldosMountNotificator - {3CF560DC-DFCB-4737-82C2-9564CA8F733B} - c:windowssystem32VSMntNtf.dll
STS: Virtual Storage Mount Notification: {3cf560dc-dfcb-4737-82c2-9564ca8f733b} -

c:windowssystem32VSMntNtf.dll

================= FIREFOX ===================

FF - ProfilePath - c:docume~1stefanapplic~1mozillafirefoxprofiles5w0a0j4d.default
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:documents and settingsstefanapplication

datamozillafirefoxprofiles5w0a0j4d.defaultextensions{3112ca9c-de6d-4884-a869-9855de68056c}compone

ntsfrozen.dll
FF - component: c:program filesavgavg9firefoxcomponentsavgssff.dll
FF - plugin: c:documents and settingsstefanlocal settingsapplication

datagoogleupdate1.2.183.23npGoogleOneClick8.dll
FF - plugin: c:program filesgooglegoogle updater2.4.1895.7162npCIDetect14.dll
FF - plugin: c:program filesgooglepicasa3npPicasa3.dll
FF - plugin: c:program filesgoogleupdate1.2.183.23npGoogleOneClick8.dll
FF - plugin: c:program filesmozilla firefoxpluginsnpmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} -

c:windowsmicrosoft.netframeworkv3.5windows presentation foundationdotnetassistantextension
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla

firefoxextensions{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla

firefoxextensions{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:program filesmozilla firefoxgreprefsall.js - pref("ui.use_native_colors", true);
c:program filesmozilla firefoxgreprefsall.js - pref("ui.use_native_popup_windows", false);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.enable_click_image_resizing", true);
c:program filesmozilla firefoxgreprefsall.js -

pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:program filesmozilla firefoxgreprefsall.js - pref("javascript.options.mem.high_water_mark", 32);
c:program filesmozilla firefoxgreprefsall.js - pref("javascript.options.mem.gc_frequency", 1600);
c:program filesmozilla firefoxgreprefsall.js - pref("network.auth.force-generic-ntlm", false);
c:program filesmozilla firefoxgreprefsall.js - pref("svg.smil.enabled", false);
c:program filesmozilla firefoxgreprefsall.js - pref("ui.trackpoint_hack.enabled", -1);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.debug", false);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.agedWeight", 2);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.bucketSize", 1);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.maxTimeGroupings", 25);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.timeGroupingSize", 604800);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.boundaryWeight", 25);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.prefixWeight", 5);
c:program filesmozilla firefoxgreprefsall.js - pref("html5.enable", false);
c:program filesmozilla firefoxgreprefssecurity-prefs.js -

pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:program filesmozilla firefoxgreprefssecurity-prefs.js -

pref("security.ssl.renego_unrestricted_hosts", "");
c:program filesmozilla firefoxgreprefssecurity-prefs.js -

pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:program filesmozilla firefoxgreprefssecurity-prefs.js -

pref("security.ssl.require_safe_negotiation", false);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:program filesmozilla firefoxdefaultspreffirefox-branding.js -

pref("app.update.download.backgroundInterval", 600);
c:program filesmozilla firefoxdefaultspreffirefox-branding.js - pref("app.update.url.manual",

"http://www.firefox.com");
c:program filesmozilla firefoxdefaultspreffirefox-branding.js -

pref("browser.search.param.yahoo-fr-ja", "mozff");
c:program filesmozilla firefoxdefaultspreffirefox.js -

pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name",

"chrome://browser/locale/browser.properties");
c:program filesmozilla firefoxdefaultspreffirefox.js -

pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description",

"chrome://browser/locale/browser.properties");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("xpinstall.whitelist.add",

"addons.mozilla.org");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("xpinstall.whitelist.add.36",

"getpersonas.com");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("lightweightThemes.update.enabled",

true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.allTabs.previews", false);
c:program filesmozilla firefoxdefaultspreffirefox.js -

pref("plugins.hide_infobar_for_outdated_plugin", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("plugins.update.notifyUser", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("toolbar.customization.usesheet",

false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.taskbar.previews.enable",

false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.taskbar.previews.max", 20);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.taskbar.previews.cachetime",

20);

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:windowssystem32driversAVGIDSxx.sys [2010-5-3 25096]
R0 AvgRkx86;avgrkx86.sys;c:windowssystem32driversavgrkx86.sys [2010-5-3 52872]
R0 Lbd;Lbd;c:windowssystem32driversLbd.sys [2010-5-3 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:windowssystem32driversavgldx86.sys [2010-5-3 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:windowssystem32driversavgmfx86.sys

[2010-5-3 29512]
R1 AvgTdiX;AVG Network Redirector;c:windowssystem32driversavgtdix.sys [2010-5-3 242896]
R1 CbFs;CbFs;c:windowssystem32driverscbfs.sys [2010-3-25 145504]
R2 avg9wd;AVG WatchDog;c:program filesavgavg9avgwdsvc.exe [2010-5-3 308064]
R2 avgfws9;AVG Firewall;c:program filesavgavg9avgfws9.exe [2010-5-3 2325816]
R2 AVGIDSAgent;AVG9IDSAgent;c:program filesavgavg9identity protectionagentbinAVGIDSAgent.exe

[2010-5-3 5888008]
R2 DPIFLTNT;DPIFLTNT;c:windowssystem32dpifltnt.sys [2003-12-31 17775]
R2 JungleDiskService;JungleDiskService;c:program filesjungle disk desktopJungleDiskMonitor.exe

[2010-3-19 6858496]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:program fileslavasoftad-awareAAWService.exe

[2010-2-4 1285864]
R3 Avgfwdx;Avgfwdx;c:windowssystem32driversavgfwdx.sys [2010-5-3 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:program filesavgavg9identity

protectionagentdriverplatform_xpAVGIDSDriver.sys [2010-5-3 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:program filesavgavg9identity

protectionagentdriverplatform_xpAVGIDSFilter.sys [2010-5-3 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:program filesavgavg9identity

protectionagentdriverplatform_xpAVGIDSShim.sys [2010-5-3 26120]
S2 gupdate;Google Update Service (gupdate);c:program filesgoogleupdateGoogleUpdate.exe [2010-3-21

133104]
S3 Avgfwfd;AVG network filter service;c:windowssystem32driversavgfwdx.sys [2010-5-3 30104]
S3 UltraMonMirror;UltraMonMirror;c:windowssystem32driversultramonmirror.sys -->

c:windowssystem32driversUltraMonMirror.sys [?]

=============== Created Last 30 ================

2010-05-04 18:08:44 0 ----a-w- c:documents and settingsstefandefogger_reenable
2010-05-04 16:18:17 0 d-----w- c:documents and settingsstefanDoctorWeb
2010-05-04 12:10:39 0 d-----w- c:docume~1stefanapplic~1Malwarebytes
2010-05-04 12:10:17 38224 ----a-w- c:windowssystem32driversmbamswissarmy.sys
2010-05-04 12:10:15 20952 ----a-w- c:windowssystem32driversmbam.sys
2010-05-04 12:10:15 0 d-----w- c:program filesMalwarebytes' Anti-Malware
2010-05-04 12:10:15 0 d-----w- c:docume~1alluse~1applic~1Malwarebytes
2010-05-03 19:34:22 15880 ----a-w- c:windowssystem32lsdelete.exe
2010-05-03 19:32:40 0 d-----w- c:program filesExterminate It!
2010-05-03 19:11:09 64288 ----a-w- c:windowssystem32driversLbd.sys
2010-05-03 19:11:01 95024 ----a-w- c:windowssystem32driversSBREDrv.sys
2010-05-03 19:08:10 0 dc-h--w-

c:docume~1alluse~1applic~1{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-03 19:07:47 0 d-----w- c:program filesLavasoft
2010-05-03 15:59:25 0 d--h--w- C:$AVG
2010-05-03 15:32:39 12464 ----a-w- c:windowssystem32avgrsstx.dll
2010-05-03 15:32:38 25096 ----a-w- c:windowssystem32driversAVGIDSxx.sys
2010-05-03 15:32:37 52872 ----a-w- c:windowssystem32driversavgrkx86.sys
2010-05-03 15:32:33 242896 ----a-w- c:windowssystem32driversavgtdix.sys
2010-05-03 15:32:24 216200 ----a-w- c:windowssystem32driversavgldx86.sys
2010-05-03 15:32:13 0 d-----w- c:windowssystem32driversAvg
2010-05-03 15:29:24 50968 ----a-w- c:windowssystem32avgfwdx.dll
2010-05-03 15:29:24 30104 ----a-w- c:windowssystem32driversavgfwdx.sys
2010-05-03 15:26:26 0 d-----w- c:docume~1alluse~1applic~1avg9
2010-04-29 21:27:29 0 d-----w- c:program filesSDHelper (Spybot - Search & Destroy)
2010-04-29 17:17:36 0 d-----w- c:windowssystem32wbemRepository

==================== Find3M ====================

2010-03-24 14:58:27 19545 ----a-w- c:windowshpoins01.dat
2010-03-10 13:18:21 13824 ----a-w- c:windowssystem32dllcacheieudinit.exe
2010-03-10 13:18:20 70656 ----a-w- c:windowssystem32dllcacheie4uinit.exe
2010-03-09 11:09:18 430080 ----a-w- c:windowssystem32vbscript.dll
2010-03-09 11:09:18 430080 ----a-w- c:windowssystem32dllcachevbscript.dll
2010-02-24 13:11:07 455680 ----a-w- c:windowssystem32dllcachemrxsmb.sys
2010-02-23 05:20:02 634648 ----a-w- c:windowssystem32dllcacheiexplore.exe
2010-02-23 05:18:28 161792 ----a-w- c:windowssystem32dllcacheieakui.dll
2010-02-19 23:47:50 3604480 ----a-w- c:windowssystem32GPhotos.scr
2010-02-17 13:10:28 2189952 ----a-w- c:windowssystem32ntoskrnl.exe
2010-02-17 13:10:28 2189952 ----a-w- c:windowssystem32dllcachentoskrnl.exe
2010-02-16 14:08:49 2146304 ----a-w- c:windowssystem32dllcachentkrnlmp.exe
2010-02-16 13:25:04 2066816 ----a-w- c:windowssystem32ntkrnlpa.exe
2010-02-16 13:25:04 2066816 ----a-w- c:windowssystem32dllcachentkrnlpa.exe
2010-02-16 13:25:04 2024448 ----a-w- c:windowssystem32dllcachentkrpamp.exe
2010-02-12 04:33:11 100864 ----a-w- c:windowssystem326to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:windowssystem32dllcache6to4svc.dll
2010-02-11 12:02:15 226880 ----a-w- c:windowssystem32dllcachetcpip6.sys
2010-02-05 17:38:58 235576 ----a-w- c:windowssystem32VSNetRdr.dll
2010-02-05 17:38:58 137272 ----a-w- c:windowssystem32VSMntNtf.dll
2008-03-25 01:38:26 62464 ----a-w- c:program filesCakeConverter.exe
2008-03-17 00:09:24 46592 ----a-w- c:program filesPokerFunctions.dll
2003-10-29 12:53:28 176128 ----a-w- c:program filesdirms.exe
2008-09-05 23:32:14 32768 --sha-w- c:windowssystem32configsystemprofilelocal

settingshistoryhistory.ie5mshist012008090520080906index.dat

============= FINISH: 14:12:38.46 ===============

Edited by Orange Blossom, 04 May 2010 - 07:00 PM.
Merged topics then posts removing redundant portions. ~ OB

Sorry about the multiple posts. On my infected machine I get timeout replies. Not being impatient. :-)

It's the infection causing that. I've removed the duplicates. ~ OB

Edited by Orange Blossom, 04 May 2010 - 07:00 PM.

Hello StefanMurphy Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond the your topic and facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.



Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  
• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.















Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.







Thanks,



thewall

Hey thewall,

Thanks for helping me, below is the requested log.



ComboFix 10-05-06.05 - Stefan 05/07/2010 11:02:19.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2050 [GMT -4:00]
Running from: c:\documents and settings\Stefan\Desktop\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\vlc-0.9.6-win32.exe
c:\documents and settings\Stefan\Application Data\BITS
c:\documents and settings\Stefan\Application Data\BITS\BITS.ini
c:\documents and settings\Stefan\Application Data\BITS\DHTTable.dat
c:\documents and settings\Stefan\Application Data\BITS\ProxyList.ini
c:\program files\FlashGet Network
c:\program files\FlashGet Network\Flashget\dbghelp.dll
c:\program files\FlashGet Network\Flashget\fgoption.ini
c:\program files\FlashGet Network\Flashget\JCCHS.INI
c:\program files\FlashGet Network\Flashget\LiveUpdateEx.exe
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\0.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\1.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\10.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\11.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\12.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\13.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\14.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\15.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\16.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\17.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\18.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\19.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\2.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\20.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\21.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\3.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\4.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\5.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\6.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\7.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\8.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\9.bmp
c:\program files\FlashGet Network\Flashget\modules\garage\Headers\nologin.bmp
c:\program files\FlashGet Network\Flashget\P2PCfg.ini
c:\program files\FlashGet Network\Flashget\P2PShare.dat
c:\program files\FlashGet Network\Flashget\p2spmgr.ini
c:\program files\FlashGet Network\Flashget\p4spmgr.ini
c:\program files\FlashGet Network\Flashget\Profiles\config.dat
c:\program files\FlashGet Network\Flashget\Profiles\tasks.dat
c:\windows\Downloaded Program Files\bsa
c:\windows\system32\Data

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack
.
((((((((((((((((((((((((( Files Created from 2010-04-07 to 2010-05-07 )))))))))))))))))))))))))))))))
.

2010-05-07 14:22 . 2010-05-07 14:22 -------- d-----w- c:\documents and settings\Stefan\Local Settings\Application Data\Opera
2010-05-07 14:22 . 2010-05-07 14:22 -------- d-----w- c:\program files\Opera
2010-05-05 22:38 . 2010-05-05 22:38 -------- d-----w- c:\documents and settings\Stefan\Application Data\AVG9
2010-05-05 00:37 . 2010-05-07 14:30 -------- d-----w- c:\documents and settings\Stefan\Application Data\vlc
2010-05-04 16:18 . 2010-05-04 16:18 -------- d-----w- c:\documents and settings\Stefan\DoctorWeb
2010-05-04 12:10 . 2010-05-04 12:10 -------- d-----w- c:\documents and settings\Stefan\Application Data\Malwarebytes
2010-05-04 12:10 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-04 12:10 . 2010-05-04 12:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-04 12:10 . 2010-05-04 12:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-04 12:10 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-03 19:34 . 2010-05-03 19:10 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-03 19:32 . 2010-05-03 19:33 -------- d-----w- c:\program files\Exterminate It!
2010-05-03 19:11 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-03 19:11 . 2010-05-03 19:10 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-03 19:08 . 2010-05-03 19:08 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-03 19:08 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-05-03 19:07 . 2010-05-03 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-03 19:07 . 2010-05-03 19:08 -------- d-----w- c:\program files\Lavasoft
2010-05-03 15:59 . 2010-05-03 15:59 -------- d-----w- C:\$AVG
2010-05-03 15:32 . 2010-05-03 15:32 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-03 15:32 . 2010-05-03 15:32 25096 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-05-03 15:32 . 2010-05-03 15:32 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-05-03 15:32 . 2010-05-03 15:32 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-03 15:32 . 2010-05-03 15:32 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-03 15:32 . 2010-05-03 15:32 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-03 15:32 . 2010-05-07 11:44 -------- d-----w- c:\windows\system32\drivers\Avg
2010-05-03 15:29 . 2010-05-03 15:29 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-05-03 15:29 . 2010-05-03 15:29 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-05-03 15:26 . 2010-05-03 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-03 14:00 . 2010-03-26 14:33 43008 ----a-w- c:\documents and settings\Stefan\Application Data\Mozilla\Firefox\Profiles\5w0a0j4d.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-05-03 14:00 . 2010-03-26 14:33 1496064 ----a-w- c:\documents and settings\Stefan\Application Data\Mozilla\Firefox\Profiles\5w0a0j4d.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-05-03 14:00 . 2010-03-26 14:33 339456 ----a-w- c:\documents and settings\Stefan\Application Data\Mozilla\Firefox\Profiles\5w0a0j4d.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-05-03 14:00 . 2010-03-26 14:32 346112 ----a-w- c:\documents and settings\Stefan\Application Data\Mozilla\Firefox\Profiles\5w0a0j4d.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-04-29 21:27 . 2010-04-29 21:27 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-04-29 17:17 . 2010-04-29 17:17 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-18 22:35 . 2010-04-18 22:35 -------- d-----w- c:\documents and settings\Debby\Application Data\DivX
2010-04-18 22:24 . 2010-03-26 14:33 43008 ----a-w- c:\documents and settings\Debby\Application Data\Mozilla\Firefox\Profiles\y3ft6p78.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-04-18 22:24 . 2010-03-26 14:33 1496064 ----a-w- c:\documents and settings\Debby\Application Data\Mozilla\Firefox\Profiles\y3ft6p78.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-04-18 22:24 . 2010-03-26 14:33 339456 ----a-w- c:\documents and settings\Debby\Application Data\Mozilla\Firefox\Profiles\y3ft6p78.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-04-18 22:24 . 2010-03-26 14:32 346112 ----a-w- c:\documents and settings\Debby\Application Data\Mozilla\Firefox\Profiles\y3ft6p78.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-07 14:56 . 2008-03-11 13:35 -------- d-----w- c:\documents and settings\Stefan\Application Data\WeatherWatcher
2010-05-05 16:20 . 2010-03-21 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-05 14:20 . 2008-03-10 15:58 -------- d-----w- c:\documents and settings\Stefan\Application Data\TeraCopy
2010-05-05 00:51 . 2007-11-15 01:16 -------- d-----w- c:\program files\Weather Watcher
2010-05-05 00:14 . 2007-02-06 01:08 -------- d-----w- c:\documents and settings\Stefan\Application Data\uTorrent
2010-05-03 19:06 . 2004-09-18 21:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-03 18:22 . 2003-12-31 16:51 76696 ----a-w- c:\documents and settings\Stefan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-03 18:15 . 2009-09-21 16:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-03 18:10 . 2009-08-19 14:01 -------- d-----w- c:\program files\PageBreeze
2010-05-03 18:07 . 2003-12-08 17:04 -------- d-----w- c:\program files\Common Files\InstallShield
2010-05-03 18:05 . 2009-01-25 16:37 -------- d-----w- c:\program files\HandBrake
2010-05-03 18:00 . 2009-08-23 01:34 -------- d-----w- c:\program files\DebugMode
2010-05-03 17:57 . 2003-12-08 17:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-03 17:35 . 2007-02-06 01:07 -------- d-----w- c:\program files\uTorrent
2010-05-03 15:37 . 2008-03-07 23:32 -------- d-----w- c:\program files\Ace Utilities
2010-05-03 15:27 . 2008-06-21 16:58 -------- d-----w- c:\program files\AVG
2010-04-18 01:50 . 2006-12-26 00:40 -------- d-----w- c:\documents and settings\Stefan\Application Data\dvdcss
2010-03-31 02:51 . 2010-03-30 13:31 -------- d-----w- c:\documents and settings\Stefan\Application Data\Winamp
2010-03-30 13:32 . 2006-02-20 20:46 -------- d-----w- c:\program files\Winamp
2010-03-25 13:04 . 2009-10-27 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\JungleDisk
2010-03-25 13:04 . 2009-10-27 23:40 -------- d-----w- c:\program files\Jungle Disk Desktop
2010-03-24 14:58 . 2010-03-24 14:40 19545 ----a-w- c:\windows\hpoins01.dat
2010-03-21 20:52 . 2003-12-31 19:42 -------- d-----w- c:\program files\Google
2010-03-17 19:22 . 2010-03-17 19:20 -------- d-----w- c:\documents and settings\Stefan\Application Data\Digsby
2010-03-17 19:22 . 2010-03-17 19:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Digsby
2010-03-17 19:16 . 2010-03-17 19:15 -------- d-----w- c:\program files\Digsby
2010-03-11 12:38 . 2004-02-06 22:05 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2002-08-29 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2002-08-29 11:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2002-08-29 11:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-17 13:10 . 1980-01-01 06:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 1980-01-01 06:00 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2003-07-10 17:19 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2003-06-30 21:30 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2008-03-25 01:38 . 2008-03-25 01:38 62464 ----a-w- c:\program files\CakeConverter.exe
2008-03-17 00:09 . 2008-03-17 00:09 46592 ----a-w- c:\program files\PokerFunctions.dll
2003-10-29 12:53 . 2003-10-29 12:53 176128 ----a-w- c:\program files\dirms.exe
2007-11-27 05:56 . 2007-11-27 05:56 28672 ----a-w- c:\program files\mozilla firefox\components\FlashgetXpi.dll
2006-10-17 14:36 . 2006-10-18 15:17 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2009-04-16 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . c:\windows\SYSTEM32\DRIVERS\tcpip.sys
[-] 2008-07-24 . 3C966F647BAB332093CB0F92692B5CB8 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\SYSTEM32\DLLCACHE\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . EF7834C1D9DDF4C7DA697D8C24A03791 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{0E653882-06F5-48CA-9726-BFABE5E50CE0}"
[HKEY_CLASSES_ROOT\CLSID\{0E653882-06F5-48CA-9726-BFABE5E50CE0}]
2010-02-05 17:38 137272 ----a-w- c:\windows\SYSTEM32\VSMntNtf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk1_Complete]
@="{78061A12-1E91-4446-8B65-8ED2FF328D4A}"
[HKEY_CLASSES_ROOT\CLSID\{78061A12-1E91-4446-8B65-8ED2FF328D4A}]
2010-03-19 22:20 790784 ----a-w- c:\program files\Jungle Disk Desktop\monitor_shellext.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk2_InProgress]
@="{700AD13D-E86F-41C9-9A8F-39B4C438806F}"
[HKEY_CLASSES_ROOT\CLSID\{700AD13D-E86F-41C9-9A8F-39B4C438806F}]
2010-03-19 22:20 790784 ----a-w- c:\program files\Jungle Disk Desktop\monitor_shellext.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk3_Conflicted]
@="{48C7A606-0F84-4DC8-8AFD-A157BDF18A08}"
[HKEY_CLASSES_ROOT\CLSID\{48C7A606-0F84-4DC8-8AFD-A157BDF18A08}]
2010-03-19 22:20 790784 ----a-w- c:\program files\Jungle Disk Desktop\monitor_shellext.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WeatherWatcher"="c:\program files\Weather Watcher\ww.exe" [2008-01-23 1028096]
"Google Update"="c:\documents and settings\Stefan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-06 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-04 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-04 98304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Stefan\Start Menu\Programs\Startup\
Shortcut to taskmgr.exe.lnk - c:\windows\SYSTEM32\taskmgr.exe [2002-8-29 135680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp officejet 4100 series.lnk - c:\program files\HP\Digital Imaging\bin\hpomau08.exe [2003-4-9 147456]
hpoddt01.exe.lnk - c:\program files\HP\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]
Jungle Disk Desktop.lnk - c:\program files\Jungle Disk Desktop\JungleDiskMonitor.exe [2010-3-19 6858496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-05-03 15:32 12464 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Stefan^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\documents and settings\Stefan\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atpefwak
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISW
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PayPal Virtual Debit Card
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 07:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALLUpdate]
2008-11-25 01:44 869888 ----a-w- c:\program files\ALLPlayer\ALLUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2010-05-03 15:30 2064736 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
2003-08-29 09:59 122880 ----a-w- c:\windows\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2003-09-17 14:43 57344 ----a-w- c:\program files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2003-08-06 07:04 114741 ----a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2003-08-13 16:27 28672 ----a-w- c:\windows\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2004-02-10 16:51 118784 ----a-w- c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-02-10 16:55 155648 ----a-w- c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-10-22 16:22 86016 ----a-w- c:\windows\SYSTEM32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-10-22 16:22 1622016 ----a-w- c:\windows\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfotoNow USB Detection]
2002-11-05 15:32 77824 ----a-w- c:\progra~1\Ofoto\OfotoNow\OFUSBS.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
2006-05-16 22:50 40960 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
2005-05-03 23:38 64512 ----a-w- c:\windows\SYSTEM32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2006-09-09 09:16 196608 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 20:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 18:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-06-27 00:53 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-05-04 00:28 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2003-12-08 17:14 151597 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 05:00 90112 ----a-w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-01-13 22:44 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"Themes"=2 (0x2)
"pgsql-8.3"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"AVGIDSAgent"=2 (0x2)
"avgfws9"=2 (0x2)
"avg9wd"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"googletalk"=c:\program files\Google\Google Talk\googletalk.exe /autostart
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" -check_deprecation
"WinampAgent"="c:\program files\Winamp\winampa.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Hummingbird\\Connectivity\\8.00\\Exceed\\exceed.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Retrospect\\Retrospect 7.5\\Retrospect.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Opera\\opera.exe"=

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\SYSTEM32\DRIVERS\AVGIDSxx.sys [5/3/2010 11:32 AM 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [5/3/2010 11:32 AM 52872]
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [5/3/2010 3:11 PM 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/3/2010 11:32 AM 216200]
R1 AvgTdiX;AVG Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/3/2010 11:32 AM 242896]
R1 CbFs;CbFs;c:\windows\SYSTEM32\DRIVERS\cbfs.sys [3/25/2010 9:04 AM 145504]
R2 DPIFLTNT;DPIFLTNT;c:\windows\SYSTEM32\dpifltnt.sys [12/31/2003 4:05 PM 17775]
R2 JungleDiskService;JungleDiskService;c:\program files\Jungle Disk Desktop\JungleDiskMonitor.exe [3/19/2010 6:21 PM 6858496]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1285864]
R3 Avgfwdx;Avgfwdx;c:\windows\SYSTEM32\DRIVERS\avgfwdx.sys [5/3/2010 11:29 AM 30104]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/21/2010 4:51 PM 133104]
S3 Avgfwfd;AVG network filter service;c:\windows\SYSTEM32\DRIVERS\avgfwdx.sys [5/3/2010 11:29 AM 30104]
S3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [5/3/2010 11:29 AM 122376]
S3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [5/3/2010 11:29 AM 30216]
S3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [5/3/2010 11:29 AM 26120]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\DRIVERS\UltraMonMirror.sys --> c:\windows\system32\DRIVERS\UltraMonMirror.sys [?]
S4 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/3/2010 11:29 AM 308064]
S4 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [5/3/2010 11:30 AM 2325816]
S4 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [5/3/2010 11:29 AM 5888008]
.
Contents of the 'Scheduled Tasks' folder

2010-05-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 19:10]

2010-04-19 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df.exe [2009-10-01 18:28]

2010-05-06 c:\windows\Tasks\Defraggler Volume E Task.job
- c:\program files\Defraggler\df.exe [2009-10-01 18:28]

2010-05-02 c:\windows\Tasks\dirms c compact.job
- c:\program files\dirms.exe [2003-10-29 12:53]

2010-05-02 c:\windows\Tasks\dirms c.job
- c:\program files\dirms.exe [2003-10-29 12:53]

2010-05-02 c:\windows\Tasks\dirms e compact.job
- c:\program files\dirms.exe [2003-10-29 12:53]

2010-05-02 c:\windows\Tasks\dirms e.job
- c:\program files\dirms.exe [2003-10-29 12:53]

2010-04-26 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p officejet 4100 series272A572217594EBCF1CEE215E352B92AD073FDE4269442710.job
- c:\program files\HP\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 21:56]

2010-05-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-24 20:51]

2010-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-21 20:51]

2010-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-21 20:51]

2010-05-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2173773102-1046967406-3019061355-1009Core.job
- c:\documents and settings\Stefan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 00:32]

2010-05-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2173773102-1046967406-3019061355-1009UA.job
- c:\documents and settings\Stefan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 00:32]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} - hxxp://www.merriam-webster.com/toolbar/webinstall.cab
DPF: {70647AB5-18FD-4142-82B0-5852478DD0D4} - hxxp://xms.keynote.com/applications/connector/download/ConnectorLauncher.cab
DPF: {72944257-0AE0-44FD-8A51-AA21853092C8} - hxxps://www.stu.uophx.edu/secure/PhxStudent15.CAB
DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D0} - hxxp://www.therealyellowpageslive.net/live/ezlistng.cab
DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - hxxp://www.therealyellowpageslive.net/live/ezinit.cab
DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} - hxxps://www.stu.uophx.edu/secure/PhxStudent15.CAB
FF - ProfilePath - c:\documents and settings\Stefan\Application Data\Mozilla\Firefox\Profiles\5w0a0j4d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\Stefan\Application Data\Mozilla\Firefox\Profiles\5w0a0j4d.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Stefan\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1895.7162\npCIDetect14.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Google IME Autoupdater - c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-07 11:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2173773102-1046967406-3019061355-1009\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:69,4f,66,f1,4b,06,4e,b5,48,8e,a9,f8,a1,9b,09,a6,4e,a7,28,9b,ac,92,7f,
a8,c3,bd,6a,6a,28,45,05,84,9a,cf,1f,cd,98,e9,5d,c6,2c,01,17,9b,1d,2e,d5,12,\
"??"=hex:ef,9e,5e,28,59,08,65,82,3c,ca,22,83,d2,82,c7,65
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(968)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-05-07 11:21:51
ComboFix-quarantined-files.txt 2010-05-07 15:21

Pre-Run: 14,799,044,608 bytes free
Post-Run: 15,275,216,896 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - E43E80C5A3554472895C02C1C1490074

Only been a few minutes, but so far so good. Chrome is working again. Search results aren't redirecting. No just in time debugger pop ups. Great thanks!

Any other steps I need to take?

Sounds good but we want to run another scan to see if we can find any leftovers:



It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:



Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.

• Vista users need to right-click the IE or FF Start Menu or Quick Launch Bar icons and Run As Administrator from the context menu.
• Read the "Advantages - Requirements and Limitations" then press the ... button.
• You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
• When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the ... button.
• Make sure these boxes are checked. By default, they should be. If not, please check them and click on the ... button afterwards:
  • Detect malicious programs of the following categories:
    Viruses, Worms, Trojan Horses, Rootkits
    Spyware, Adware, Dialers and other potentially dangerous programs
  • Scan compound files (doesn't apply to the File scan area):
    Archives
    Mail databases
• Click on My Computer under the Scan section. OK any warnings from your protection programs.
• The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
• Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
• Click on Save Report As... and change the Files of type to Text file (.txt)
• Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
• Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.

-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

OK, not clean yet. What is the next step? Thanks!!!


Monday, May 10, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, May 10, 2010 10:32:20
Records in database: 4090415
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
A:\
C:\
E:\
F:\
G:\
Scan statistics
Objects scanned 143413
Threats found 7
Infected objects found 8
Suspicious objects found 0
Scan duration 06:03:28

File name Threat Threats count
C:\Documents and Settings\Stefan\Application Data\Sun\Java\Deployment\cache\6.0\1\38981d01-391aa6ce Infected: Exploit.Java.Agent.c 1
C:\Documents and Settings\Stefan\Application Data\Sun\Java\Deployment\cache\6.0\1\38981d01-391aa6ce Infected: Trojan-Downloader.Java.Agent.cq 1
C:\Documents and Settings\Stefan\Application Data\Sun\Java\Deployment\cache\6.0\37\6968de25-76954d20 Infected: Trojan-Downloader.Java.Agent.cf 1
C:\Documents and Settings\Stefan\Application Data\Sun\Java\Deployment\cache\6.0\55\d1a0977-2d28aace Infected: Trojan-Downloader.Java.Agent.ct 1
C:\Documents and Settings\Stefan\Application Data\Sun\Java\Deployment\cache\6.0\55\d1a0977-2d28aace Infected: Trojan-Downloader.Java.Agent.cu 1
C:\Documents and Settings\Stefan\Application Data\Sun\Java\Deployment\cache\6.0\55\d1a0977-2d28aace Infected: Trojan-Downloader.Java.Agent.cv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1793\A0555624.sys Infected: Rootkit.Win32.TDSS.ap 1
Selected area has been scanned.

Some of that will be gone when we uninstall ComboFix. You do need to clean out your Java cache by following the instructions in the link below and then update your version of Java. Be sure to clean off all the old versions you have on the machine now as stated in the instructions for Java.



http://support.f-secure.com/enu/home/virus...javacache.shtml






Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

• Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
• Look for "JDK 6 Update 20 (JDK or JRE)".
• Click the "Download JRE" button to the right.
• Select your Platform: "Windows".
• Select your Language: "Multi-language".
• Read the License Agreement, and then check the box that says: "Accept License Agreement".
• Click Continue and the page will refresh.
• Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
• Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

• Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
• If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
• When the Java Setup - Welcome window opens, click the Install > button.
• If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.





When this is completed if the computer is still running good we will be able to finish up.

Did the steps as instructed above. Everything is looking good. Reran Kapersky and the bad stuff is all in the recycle bin.

That sounds really good. I believe we can go ahead and close up now.


Uninstall Combofix

• Press the Windows Key + R on your keyboard.
• Now copy & paste the green bolded text in the run-box and click OK.
  
  ComboFix /Uninstall
  
  <Notice the space between the "x" and "/".>
  
  

  

• The following will implement some very important cleanup procedures as well as reset System Restore points.

You can go ahead and delete GMER and DDS now if they are still on your desktop.







Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented

1. Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
   Whenever a security problem in its software is found, Microsoft will usually create a patch for it to that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC
   Go here to check for & install updates to Microsoft applications
   Note: The update process uses activex, so you will need to use internet explorer for it, and allow the activex control that it wants to install
2. Keep your non-Microsoft applications updated as well
   Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month
3. Make Internet Explorer more secure
   Click Start > Run
   Type Inetcpl.cpl & click OK
   Click on the Security tab
   Click Reset all zones to default level
   Make sure the Internet Zone is selected & Click Custom level
   In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
   Next Click OK, then Apply button and then OK to exit the Internet Properties page.
4. Install SpywareBlaster & make sure to update it regularly
   SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
   If you don't know what activex controls are, see here
   You can download SpywareBlaster from here
5. Finally, this is very important. It is absolutely essential to keep all of your security programs up to date

If you have any other questions or issues feel free to ask as I will be checking back on this topic.



Other than that if there is nothing else I can do for you then I wish you good luck in the future and thank you for using our forum.


thewall

Since this issue appears to be resolved ... this Topic has been closed.

If your the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.