Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected, possibly with pe_tdss.mtr


  • This topic is locked This topic is locked
15 replies to this topic

#1 jonwetzul023

jonwetzul023

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:06:53 AM

Posted 02 July 2010 - 06:32 AM

Sorry to run dds in safe mode but without it i cannot run my computer. Ive tried everything please help.

Beside my computer getting the bluescreen error and browser redirect it will not respond unless in safe mode then it will bluescreen. I cannot tell you what the message says however since it suddenly bluescreens then reboots. I used the trend micro housecall and it said that the pe_tdss.mtr is problem. Even in safemode it bluescreens once in a while.

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Jon at 23:46:45.06 on Thu 07/01/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.629 [GMT -5:00]

AV: ClamAV for Windows *On-access scanning enabled* (Updated) {F1220F1F-7E2E-48CD-846D-B98C6F85CD37}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Jon\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://espn.go.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol\aol search enhancement\AOLSearch.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol\aol search enhancement\AOLSearch.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [AnyDVD] "c:\program files\slysoft\anydvd\AnyDVD.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Google Update] "c:\documents and settings\jon\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [EOUApp] "c:\program files\intel\wireless\bin\EOUWiz.exe"
mRun: [VAIOCameraUtility] "c:\program files\sony\vaio camera utility\VCUServe.exe"
mRun: [VAIO Recovery] "c:\windows\sonysys\vaio recovery\PartSeal.exe"
mRun: [SonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ISBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [Biomenu] "c:\program files\protector suite ql\menusw.exe"
mRun: [Apoint] "c:\program files\apoint\Apoint.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [PartSeal] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [VAIO Update 3] "c:\program files\sony\vaio update 3\VAIOUpdt.exe" /Stationary
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Immunet Protect] "c:\program files\clamav for windows\1.0.26\iptray.exe"
mRun: [Prey Laptop Tracker] c:\prey\platform\windows\cron.exe --log
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
StartupFolder: c:\docume~1\jon\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - fusstub.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli fusstub

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jon\applic~1\mozilla\firefox\profiles\grjiobr7.default\
FF - prefs.js: browser.search.selectedEngine - IMDb
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\jon\application data\mozilla\firefox\profiles\grjiobr7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\jon\application data\mozilla\firefox\profiles\grjiobr7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\jon\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\jon\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPCIG.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [2006-3-22 9216]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2006-3-22 71961]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2010-3-25 99728]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2010-3-25 110608]
S1 ImmunetMonitorDriver;ImmunetMonitorDriver;c:\windows\system32\drivers\ImmunetMonitor.sys [2010-5-15 20040]
S1 ImmunetProtectDriver;ImmunetProtectDriver;c:\windows\system32\drivers\ImmunetProtect.sys [2010-5-15 38856]
S1 ImmunetSelfProtectDriver;ImmunetSelfProtectDriver;c:\windows\system32\drivers\ImmunetSelfProtect.sys [2010-5-15 29640]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2010-4-18 123856]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2010-4-18 41680]
S2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2006-2-22 13440]
S2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2006-2-22 33024]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-7 133104]
S2 ImmunetProtect;ClamAV for Windows;c:\program files\clamav for windows\1.0.26\agent.exe [2010-5-15 717552]
S2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-1-15 204800]
S2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\microsoft.net\framework\v1.1.4322\netfxupdate.exe [2007-1-15 73728]
S2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2009-9-15 188736]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-3-22 36352]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\drivers\GCXX.sys [2006-3-22 114944]
S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\drivers\GCXXNet.sys [2006-3-22 53248]
S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2006-3-22 29184]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-3-22 226304]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys --> c:\windows\system32\drivers\vaxscsi.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2010-07-02 03:31:31 0 d-----w- C:\9fd6a574282a642426e14f92e57ea3c6
2010-07-01 04:34:11 0 d-----w- c:\docume~1\jon\applic~1\QuickScan
2010-07-01 03:48:45 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-30 05:14:09 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-30 05:13:21 0 d-----w- c:\docume~1\alluse~1\applic~1\NOS(2)
2010-06-28 23:21:00 361 ----a-w- c:\windows\system32\aclecitr.dat
2010-06-28 23:21:00 307 ----a-w- c:\windows\system32\kbdbgshe.dat
2010-06-28 23:21:00 0 ----a-w- c:\windows\system32\wpdmtpui.dat
2010-06-28 20:55:28 320 ----a-w- c:\windows\system32\nethc.dat
2010-06-28 20:55:28 2884 ----a-w- c:\windows\system32\dpnhpcst.dat
2010-06-28 20:55:28 1282 ----a-w- c:\windows\system32\LCWizaDd.dat
2010-06-28 20:55:28 0 ----a-w- c:\windows\system32\MPG4DPCD.dat
2010-06-26 00:27:26 0 d-----w- c:\docume~1\jon\applic~1\TeamViewer
2010-06-26 00:26:46 0 d-----w- c:\program files\TeamViewer
2010-06-25 00:09:41 0 d-----w- c:\program files\VideoLAN
2010-06-23 12:12:23 0 d-----w- C:\f4d24b9414a216826ad7d49881
2010-06-17 20:30:06 0 d-----w- C:\Prey
2010-06-11 23:25:02 0 d-----w- C:\371674f8e85b8dc7e861abc524f03750
2010-06-11 03:33:31 0 d-----w- C:\c140f01d80ad9ad96ce7
2010-06-10 04:22:02 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-05 23:53:55 0 ----a-w- c:\documents and settings\jon\copy

==================== Find3M ====================

2010-07-02 03:55:22 125056 ----a-w- c:\windows\system32\drivers\ftdisk.sys
2010-07-01 04:08:15 25160 ----a-w- c:\windows\system32\drivers\ElbyCDIO.sys
2010-06-17 04:56:39 59880 -c-ha-w- c:\windows\system32\mlfcache.dat
2010-05-15 18:06:08 38856 ----a-w- c:\windows\system32\drivers\ImmunetProtect.sys
2010-05-15 18:06:08 29640 ----a-w- c:\windows\system32\drivers\ImmunetSelfProtect.sys
2010-05-15 18:06:08 20040 ----a-w- c:\windows\system32\drivers\ImmunetMonitor.sys
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2004-09-02 18:50:28 73728 -c--a-w- c:\windows\inf\printwise\ld232c\disk1\RA38PSUI.dll
2004-03-03 00:47:12 9116 -c--a-w- c:\windows\inf\printwise\ld232c\disk1\RA38PSRE.dll
2004-03-03 00:47:12 9116 -c--a-w- c:\windows\inf\printwise\ld135\disk1\RA45PSRE.DLL
2003-09-09 15:18:58 73728 -c--a-w- c:\windows\inf\printwise\ld135\disk1\RA45PSUI.DLL
2002-10-03 10:49:08 262144 -c--a-w- c:\windows\inf\printwise\ld232c\disk1\SETUP.EXE
2001-08-25 17:18:40 258048 -c--a-w- c:\windows\inf\printwise\ld135\disk1\SETUP.EXE
2009-02-12 02:49:12 4130 -csha-w- c:\windows\system32\KGyGaAvL.sys
2008-10-18 05:34:00 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101820081019\index.dat

============= FINISH: 23:54:26.93 ===============


BC AdBot (Login to Remove)

 


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:07:53 AM

Posted 06 July 2010 - 07:04 AM

Hello jonwetzul023

Welcome to BleepingComputer smile.gif
==========================
One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capabilities to allows hacker to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide to proceed with cleaning

=======
Download TDSSKiller and save it to your Desktop.
  • Right click on the file and choose extract all extract the file to your desktop then run it.
  • If prompted to restart the computer type in Y then it will restart.
  • Or if you are prompted with a hidden service warning do go ahead and delete it.
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log
========

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#3 jonwetzul023

jonwetzul023
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:06:53 AM

Posted 06 July 2010 - 11:03 PM

Thank you for your help.

22:25:55:796 1844 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
22:25:55:796 1844 ================================================================================
22:25:55:796 1844 SystemInfo:

22:25:55:796 1844 OS Version: 5.1.2600 ServicePack: 3.0
22:25:55:796 1844 Product type: Workstation
22:25:55:796 1844 ComputerName: LAPTOP
22:25:55:796 1844 UserName: Jon
22:25:55:796 1844 Windows directory: C:\WINDOWS
22:25:55:796 1844 System windows directory: C:\WINDOWS
22:25:55:796 1844 Processor architecture: Intel x86
22:25:55:796 1844 Number of processors: 2
22:25:55:796 1844 Page size: 0x1000
22:25:55:796 1844 Boot type: Safe boot with network
22:25:55:796 1844 ================================================================================
22:25:56:250 1844 Initialize success
22:25:56:265 1844
22:25:56:265 1844 Scanning Services ...
22:25:59:890 1844 Raw services enum returned 441 services
22:25:59:921 1844
22:25:59:921 1844 Scanning Drivers ...
22:26:00:937 1844 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:26:01:015 1844 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
22:26:01:062 1844 adfs (6d7f09cd92a9fef3a8efce66231fdd79) C:\WINDOWS\system32\drivers\adfs.sys
22:26:01:109 1844 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
22:26:01:187 1844 AegisP (91f3df93f40a74d222cd166fe95db633) C:\WINDOWS\system32\DRIVERS\AegisP.sys
22:26:01:234 1844 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
22:26:01:328 1844 AnyDVD (af6919659bed77be144c56c0fa69f2c8) C:\WINDOWS\system32\Drivers\AnyDVD.sys
22:26:01:390 1844 ApfiltrService (b21fcbc58cb13bac70f74b5ac5da7409) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
22:26:01:437 1844 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
22:26:01:500 1844 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
22:26:01:546 1844 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
22:26:01:593 1844 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
22:26:01:640 1844 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
22:26:01:718 1844 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
22:26:01:796 1844 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
22:26:01:812 1844 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
22:26:01:875 1844 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
22:26:01:890 1844 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
22:26:01:937 1844 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
22:26:01:968 1844 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
22:26:02:015 1844 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
22:26:02:093 1844 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
22:26:02:156 1844 CVPNDRVA (1c2999966f0f36aa44eaecbee70cf770) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
22:26:02:203 1844 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
22:26:02:265 1844 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
22:26:02:359 1844 DMICall (526192bf7696f72e29777bf4a180513a) C:\WINDOWS\system32\DRIVERS\DMICall.sys
22:26:02:421 1844 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
22:26:02:453 1844 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
22:26:02:500 1844 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
22:26:02:546 1844 DNE (7b4fdfbe97c047175e613aa96f3de987) C:\WINDOWS\system32\DRIVERS\dne2000.sys
22:26:02:578 1844 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
22:26:02:640 1844 ElbyCDFL (075d91e4de09a6f1ede77c341803d454) C:\WINDOWS\system32\Drivers\ElbyCDFL.sys
22:26:02:671 1844 ElbyCDIO (b9c4b3b780751e9dfbd5c344ea1418ea) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
22:26:02:718 1844 ElbyDelay (e205c313417da6fa7afe85912a310a65) C:\WINDOWS\system32\Drivers\ElbyDelay.sys
22:26:02:765 1844 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
22:26:02:796 1844 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
22:26:02:906 1844 FdRedir (59558c6547d0362afb639ac682a9fcc3) C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys
22:26:02:906 1844 FileDisk2 (30967822edd32fb37f8209500724ae6c) C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys
22:26:02:921 1844 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
22:26:02:953 1844 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
22:26:03:000 1844 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
22:26:03:031 1844 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
22:26:03:062 1844 Ftdisk (7a07d384a6821cdf8565fd10739a3398) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
22:26:03:062 1844 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ftdisk.sys. Real md5: 7a07d384a6821cdf8565fd10739a3398, Fake md5: 6ac26732762483366c3969c9e4d2259d
22:26:03:062 1844 File "C:\WINDOWS\system32\DRIVERS\ftdisk.sys" infected by TDSS rootkit ... 22:26:10:828 1844 Backup copy found, using it..
22:26:10:843 1844 will be cured on next reboot
22:26:10:968 1844 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
22:26:11:046 1844 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
22:26:11:093 1844 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
22:26:11:125 1844 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
22:26:11:187 1844 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
22:26:11:234 1844 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
22:26:11:281 1844 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
22:26:11:343 1844 HSFHWAZL (acc46dda7fece95a253ae88cea172e12) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
22:26:11:453 1844 HSF_DPV (c9f4e7da78a02623abf78a4a34ce79b1) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
22:26:11:625 1844 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
22:26:11:687 1844 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
22:26:11:765 1844 ialm (bc1f1ff8d5800398937966cdb0a97fdc) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
22:26:11:921 1844 IFXTPM (0a359837e021bc04a04a6fd189492c65) C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
22:26:11:953 1844 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
22:26:12:000 1844 ImmunetMonitorDriver (cfdcaab336202f9d3232d1ef333211a4) C:\WINDOWS\system32\DRIVERS\ImmunetMonitor.sys
22:26:12:046 1844 ImmunetProtectDriver (34b824742736dfa4e6d9f778918d96ea) C:\WINDOWS\system32\DRIVERS\ImmunetProtect.sys
22:26:12:093 1844 ImmunetSelfProtectDriver (a905b761559e6fbc456c1137a720b547) C:\WINDOWS\system32\DRIVERS\ImmunetSelfProtect.sys
22:26:12:218 1844 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
22:26:12:265 1844 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
22:26:12:312 1844 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
22:26:12:359 1844 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
22:26:12:406 1844 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
22:26:12:421 1844 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
22:26:12:468 1844 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
22:26:12:500 1844 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
22:26:12:515 1844 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
22:26:12:562 1844 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\system32\drivers\klmd.sys
22:26:12:609 1844 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
22:26:12:656 1844 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
22:26:12:703 1844 ManyCam (c6d085c7045200143528136a43a65fde) C:\WINDOWS\system32\DRIVERS\ManyCam.sys
22:26:12:765 1844 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
22:26:12:828 1844 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
22:26:12:875 1844 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
22:26:12:890 1844 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
22:26:12:953 1844 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
22:26:12:984 1844 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
22:26:13:031 1844 MpFilter (dfa1cd670ea50a21c87c92c727c50950) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
22:26:13:078 1844 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
22:26:13:140 1844 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
22:26:13:203 1844 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
22:26:13:250 1844 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
22:26:13:328 1844 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
22:26:13:375 1844 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
22:26:13:406 1844 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
22:26:13:453 1844 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
22:26:13:500 1844 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
22:26:13:562 1844 Mvc25U870_VID_1262&PID_25FD (e88e7e9aa0ab34b6c664a4a43cea6316) C:\WINDOWS\system32\Drivers\Mvc25U870.sys
22:26:13:609 1844 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
22:26:13:656 1844 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
22:26:13:703 1844 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
22:26:13:703 1844 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
22:26:13:750 1844 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
22:26:13:812 1844 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
22:26:13:828 1844 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
22:26:13:859 1844 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
22:26:13:890 1844 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
22:26:13:906 1844 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
22:26:13:921 1844 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
22:26:13:968 1844 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
22:26:14:062 1844 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
22:26:14:312 1844 nv (e5851a969d6b63866bd2b8b2a16087ac) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
22:26:14:531 1844 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
22:26:14:562 1844 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
22:26:14:609 1844 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
22:26:14:656 1844 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
22:26:14:687 1844 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
22:26:14:734 1844 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
22:26:14:765 1844 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
22:26:14:843 1844 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
22:26:14:859 1844 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
22:26:14:921 1844 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
22:26:15:015 1844 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
22:26:15:046 1844 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
22:26:15:109 1844 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
22:26:15:156 1844 PxHelp20 (d970470f8f39470bdae94d313a1ccdce) C:\WINDOWS\system32\Drivers\PxHelp20.sys
22:26:15:250 1844 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
22:26:15:296 1844 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
22:26:15:328 1844 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
22:26:15:390 1844 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
22:26:15:406 1844 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
22:26:15:484 1844 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
22:26:15:531 1844 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
22:26:15:578 1844 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
22:26:15:625 1844 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
22:26:15:687 1844 s24trans (078eba5670fdaa041552cd86b984f2de) C:\WINDOWS\system32\DRIVERS\s24trans.sys
22:26:15:734 1844 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
22:26:15:765 1844 SEMWModem (9d06827395b38c489bc3cd81664326d6) C:\WINDOWS\system32\DRIVERS\GCXX.sys
22:26:15:796 1844 SEMWWNIC (2d02e441e3e3f3e85f97a5c87634f4b9) C:\WINDOWS\system32\DRIVERS\GCXXNet.sys
22:26:15:859 1844 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
22:26:15:921 1844 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
22:26:15:968 1844 shpf (b8e1ac2cdad522572bfc73781d0e37e2) C:\WINDOWS\system32\DRIVERS\shpf.sys
22:26:16:015 1844 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
22:26:16:062 1844 SNC (be6038e0a7d2e2fe69107e41a0265831) C:\WINDOWS\system32\Drivers\SonyNC.sys
22:26:16:093 1844 SonyImgF (fb77021110eaa16ea6e0961c844ef0d2) C:\WINDOWS\system32\DRIVERS\SonyImgF.sys
22:26:16:125 1844 SPI (ad9436c46c10222b8f03405628a8cd86) C:\WINDOWS\system32\DRIVERS\SonyPI.sys
22:26:16:171 1844 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
22:26:16:250 1844 sptd (d15da1ba189770d93eea2d7e18f95af9) C:\WINDOWS\system32\Drivers\sptd.sys
22:26:16:250 1844 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
22:26:16:265 1844 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
22:26:16:328 1844 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
22:26:16:468 1844 STHDA (bbbc5bf9a5f1fb5d57e91b944d2e51a5) C:\WINDOWS\system32\drivers\sthda.sys
22:26:16:578 1844 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
22:26:16:593 1844 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
22:26:16:656 1844 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
22:26:16:703 1844 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
22:26:16:765 1844 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
22:26:16:812 1844 TcUsb (fc6fe02f400308606a911640e72326b5) C:\WINDOWS\system32\Drivers\tcusb.sys
22:26:16:875 1844 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
22:26:16:937 1844 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
22:26:16:984 1844 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
22:26:17:062 1844 ti21sony (26587ce8e6c6f16b8b4e7e2c16fa00bf) C:\WINDOWS\system32\drivers\ti21sony.sys
22:26:17:093 1844 tosporte (d626e0af9232d8799d3a449530f3c220) C:\WINDOWS\system32\DRIVERS\tosporte.sys
22:26:17:125 1844 Tosrfbd (0ec5206059d97a8dc785be73fb457ec7) C:\WINDOWS\system32\Drivers\tosrfbd.sys
22:26:17:156 1844 Tosrfbnp (33498b8f0b2ca549c2b7ffc1b3c0f1bc) C:\WINDOWS\system32\Drivers\tosrfbnp.sys
22:26:17:187 1844 Tosrfcom (5ba1ca3b3cddb1ddc67df473f05d1ec2) C:\WINDOWS\system32\Drivers\tosrfcom.sys
22:26:17:203 1844 Tosrfhid (5dbf390aab62dd0d4d43a9278614e001) C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys
22:26:17:218 1844 tosrfnds (c52fd27b9adf3a1f22cb90e6bcf9b0cb) C:\WINDOWS\system32\DRIVERS\tosrfnds.sys
22:26:17:250 1844 TosRfSnd (0d86d15caff2b3203c785d604ec7c942) C:\WINDOWS\system32\drivers\TosRfSnd.sys
22:26:17:296 1844 Tosrfusb (c582b7716f0be7e65505365f4f941587) C:\WINDOWS\system32\Drivers\tosrfusb.sys
22:26:17:359 1844 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
22:26:17:437 1844 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
22:26:17:484 1844 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
22:26:17:531 1844 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
22:26:17:593 1844 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
22:26:17:609 1844 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
22:26:17:656 1844 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
22:26:17:671 1844 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
22:26:17:703 1844 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
22:26:17:734 1844 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
22:26:17:796 1844 usb_rndisx (b6cc50279d6cd28e090a5d33244adc9a) C:\WINDOWS\system32\DRIVERS\usb8023x.sys
22:26:17:921 1844 VBoxDrv (12525f65e8c561b66e0bce2de2018c0c) C:\WINDOWS\system32\DRIVERS\VBoxDrv.sys
22:26:17:953 1844 VBoxNetAdp (b9d3c274e937a15fd2cef8aa1e4c3477) C:\WINDOWS\system32\DRIVERS\VBoxNetAdp.sys
22:26:17:953 1844 VBoxNetFlt (601fe4801743b00b446ef8e21e753ed5) C:\WINDOWS\system32\DRIVERS\VBoxNetFlt.sys
22:26:17:984 1844 VBoxUSBMon (4ac4d33350cdd927cd575934cf983e68) C:\WINDOWS\system32\DRIVERS\VBoxUSBMon.sys
22:26:18:031 1844 VClone (56ff4c0d9a4c7da2c058d5fd6ed33c7e) C:\WINDOWS\system32\DRIVERS\VClone.sys
22:26:18:078 1844 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
22:26:18:109 1844 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
22:26:18:156 1844 vsdatant (27b3dd12a19eec50220df15b64913dda) C:\WINDOWS\system32\vsdatant.sys
22:26:18:343 1844 w39n51 (4e7b07653f4f9937cf62ad2869fba520) C:\WINDOWS\system32\DRIVERS\w39n51.sys
22:26:18:578 1844 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
22:26:18:625 1844 wceusbsh (4a954a20a4c73d6db13c0fe25f3f1b0c) C:\WINDOWS\system32\DRIVERS\wceusbsh.sys
22:26:18:703 1844 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
22:26:18:765 1844 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
22:26:18:859 1844 winachsf (c1d5cbd8aa0d674da1ba1bb189696396) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
22:26:19:000 1844 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
22:26:19:031 1844 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
22:26:19:078 1844 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
22:26:19:109 1844 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
22:26:19:156 1844 yukonwxp (96982cb3611bd4db9ed7a5ff2c29219f) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
22:26:19:187 1844 Reboot required for cure complete..
22:26:19:875 1844 Cure on reboot scheduled successfully
22:26:19:875 1844
22:26:19:875 1844 Completed
22:26:19:875 1844
22:26:19:875 1844 Results:
22:26:19:875 1844 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
22:26:19:890 1844 File objects infected / cured / cured on reboot: 1 / 0 / 1
22:26:19:890 1844
22:26:19:937 1844 KLMD(ARK) unloaded successfully


ComboFix 10-07-06.02 - Jon 07/06/2010 22:40:03.8.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.422 [GMT -5:00]
Running from: C:\Documents and Settings\Jon\Desktop\ComboFix.exe
AV: ClamAV for Windows *On-access scanning disabled* (Updated) {F1220F1F-7E2E-48CD-846D-B98C6F85CD37}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
The following files were disabled during the run:
C:\PROGRA~1\PHAROS~1\Core\PRNTRACK.DLL

/wow section - STAGE 3

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
The process cannot access the file because it is being used by another process.

/wow section - STAGE 48

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
SED: can't read temp0300: No such file or directory

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
The system cannot find the file specified.
The system cannot find the file SoftAV00.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
The system cannot find the file SoftAV01.
Could Not Find C:\ComboFix\SoftAV0?

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
SED: can't read temp0300: No such file or directory

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
The system cannot find the file specified.
The system cannot find the file SoftAV00.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
The system cannot find the file SoftAV01.
Could Not Find C:\ComboFix\SoftAV0?

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
SED: can't read temp0300: No such file or directory

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
The system cannot find the file specified.
The system cannot find the file SoftAV00.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
The system cannot find the file SoftAV01.
Could Not Find C:\ComboFix\SoftAV0?

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
SED: can't read temp0300: No such file or directory

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
The system cannot find the file specified.
The system cannot find the file SoftAV00.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
The system cannot find the file SoftAV01.
Could Not Find C:\ComboFix\SoftAV0?

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
SED: can't read temp0300: No such file or directory

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
The system cannot find the file specified.
The system cannot find the file SoftAV00.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
The system cannot find the file SoftAV01.
Could Not Find C:\ComboFix\SoftAV0?

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
FINDSTR: Cannot read file list from temp0400

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
The system cannot find the file temp0700.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
SED: can't read temp0800: No such file or directory

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
SED: can't read temp0900: No such file or directory

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
SED: can't read temp1500: No such file or directory

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
SED: can't read temp1505: No such file or directory

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
FINDSTR: Cannot open temp2000

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
SED: can't read temp2201: No such file or directory

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
temp2200The system cannot find the file specified.
SED: can't read temp2201: No such file or directory
SED: can't read temp2201: No such file or directory

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
SED: can't read temp2400: No such file or directory

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
The process cannot access the file because it is being used by another process.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
SED: can't read WrgNameDLL00: No such file or directory

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
temp3101The process cannot access the file because it is being used by another process.
SED: can't read temp3106: No such file or directory

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
SED: can't read VList02: No such file or directory
SED: can't read VList02: No such file or directory

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
v-tmp0.datThe system cannot find the file specified.
SED: can't read temp3100: No such file or directory

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
OriO4Files.datThe system cannot find the file specified.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
Could Not Find C:\ComboFix\OriO400

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
SED: can't read temp3200: No such file or directory

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
SED: can't read temp3300: No such file or directory
FINDSTR: Cannot open temp3300
SED: can't read temp3300: No such file or directory

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
SED: can't read temp3300: No such file or directory

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
The system cannot find the file temp4700.
The system cannot find the file temp4700.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
The system cannot find the file temp4701.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
The process cannot access the file because it is being used by another process.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
The system cannot find the file temp4700.
Could Not Find C:\ComboFix\temp4700

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
The process cannot access the file because it is being used by another process.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\adc_w32.dll
C:\Program Files\alggui.exe
C:\Program Files\nuar.old
C:\Program Files\skynet.dat
C:\Program Files\svchost.exe
C:\Program Files\Sysinternals Antivirus
C:\Program Files\wp3.dat
C:\Program Files\wp4.dat
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\xpsp1hfm.log

C:\WINDOWS\system32\drivers\aec.sys . . . is infected!!

C:\WINDOWS\system32\hid.dll . . . is infected!!

C:\WINDOWS\system32\midimap.dll . . . is infected!!

C:\WINDOWS\system32\dsound.dll . . . is infected!!

C:\WINDOWS\system32\rasauto.dll . . . is infected!!

C:\WINDOWS\system32\qmgr.dll . . . is infected!!

C:\WINDOWS\system32\netlogon.dll . . . is infected!!

C:\WINDOWS\system32\scecli.dll . . . is infected!!

C:\WINDOWS\system32\srsvc.dll . . . is infected!!

C:\WINDOWS\system32\comres.dll . . . is infected!!

C:\WINDOWS\system32\lpk.dll . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ADBUPD
-------\Service_AdbUpd

Edited by jonwetzul023, 06 July 2010 - 11:04 PM.


#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:07:53 AM

Posted 07 July 2010 - 06:37 AM

You are welcome.
DO you use clam av still?
I would remove it.
It doesn't have any realtime protection if I am not mistaken and could cause some conflicts with Microsoft Security Essentials.

Please delete your version of combofix and download and run it once more please.
Post he log it makes.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#5 jonwetzul023

jonwetzul023
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:06:53 AM

Posted 07 July 2010 - 01:54 PM

To my knowledge Clam-av actually works better with another antivirus installed. I have removed it though, due to your recommendation.

ComboFix 10-07-06.03 - Jon 07/07/2010 6:58.9.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.342 [GMT -5:00]
Running from: c:\documents and settings\Jon\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
The following files were disabled during the run:
c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Favorites\_favdata.dat
c:\documents and settings\Jon\GoToAssistDownloadHelper.exe
c:\windows\Sonysys\VAIO Recovery\PartSeal.exe
.
---- Previous Run -------
.
c:\program files\adc_w32.dll
c:\program files\alggui.exe
c:\program files\nuar.old
c:\program files\skynet.dat
c:\program files\svchost.exe
c:\program files\wp3.dat
c:\program files\wp4.dat
c:\windows\system32\AutoRun.inf
c:\windows\xpsp1hfm.log

-- Previous Run --

c:\windows\system32\drivers\aec.sys . . . is infected!!

c:\windows\system32\drivers\aec.sys . . . is infected!!

c:\windows\system32\hid.dll . . . is infected!!

c:\windows\system32\drivers\aec.sys . . . is infected!!

c:\windows\system32\hid.dll . . . is infected!!

c:\windows\system32\midimap.dll . . . is infected!!

c:\windows\system32\drivers\aec.sys . . . is infected!!

c:\windows\system32\hid.dll . . . is infected!!

c:\windows\system32\midimap.dll . . . is infected!!

c:\windows\system32\dsound.dll . . . is infected!!

c:\windows\system32\drivers\aec.sys . . . is infected!!

c:\windows\system32\hid.dll . . . is infected!!

c:\windows\system32\midimap.dll . . . is infected!!

c:\windows\system32\dsound.dll . . . is infected!!

c:\windows\system32\rasauto.dll . . . is infected!!

c:\windows\system32\drivers\aec.sys . . . is infected!!

c:\windows\system32\hid.dll . . . is infected!!

c:\windows\system32\midimap.dll . . . is infected!!

c:\windows\system32\dsound.dll . . . is infected!!

c:\windows\system32\rasauto.dll . . . is infected!!

c:\windows\system32\qmgr.dll . . . is infected!!

c:\windows\system32\drivers\aec.sys . . . is infected!!

c:\windows\system32\hid.dll . . . is infected!!

c:\windows\system32\midimap.dll . . . is infected!!

c:\windows\system32\dsound.dll . . . is infected!!

c:\windows\system32\rasauto.dll . . . is infected!!

c:\windows\system32\qmgr.dll . . . is infected!!

c:\windows\system32\netlogon.dll . . . is infected!!

c:\windows\system32\drivers\aec.sys . . . is infected!!

c:\windows\system32\hid.dll . . . is infected!!

c:\windows\system32\midimap.dll . . . is infected!!

c:\windows\system32\dsound.dll . . . is infected!!

c:\windows\system32\rasauto.dll . . . is infected!!

c:\windows\system32\qmgr.dll . . . is infected!!

c:\windows\system32\netlogon.dll . . . is infected!!

c:\windows\system32\scecli.dll . . . is infected!!

c:\windows\system32\drivers\aec.sys . . . is infected!!

c:\windows\system32\hid.dll . . . is infected!!

c:\windows\system32\midimap.dll . . . is infected!!

c:\windows\system32\dsound.dll . . . is infected!!

c:\windows\system32\rasauto.dll . . . is infected!!

c:\windows\system32\qmgr.dll . . . is infected!!

c:\windows\system32\netlogon.dll . . . is infected!!

c:\windows\system32\scecli.dll . . . is infected!!

c:\windows\system32\srsvc.dll . . . is infected!!

c:\windows\system32\drivers\aec.sys . . . is infected!!

c:\windows\system32\hid.dll . . . is infected!!

c:\windows\system32\midimap.dll . . . is infected!!

c:\windows\system32\dsound.dll . . . is infected!!

c:\windows\system32\rasauto.dll . . . is infected!!

c:\windows\system32\qmgr.dll . . . is infected!!

c:\windows\system32\netlogon.dll . . . is infected!!

c:\windows\system32\scecli.dll . . . is infected!!

c:\windows\system32\srsvc.dll . . . is infected!!

c:\windows\system32\comres.dll . . . is infected!!

c:\windows\system32\drivers\aec.sys . . . is infected!!

c:\windows\system32\hid.dll . . . is infected!!

c:\windows\system32\midimap.dll . . . is infected!!

c:\windows\system32\dsound.dll . . . is infected!!

c:\windows\system32\rasauto.dll . . . is infected!!

c:\windows\system32\qmgr.dll . . . is infected!!

c:\windows\system32\netlogon.dll . . . is infected!!

c:\windows\system32\scecli.dll . . . is infected!!

c:\windows\system32\srsvc.dll . . . is infected!!

c:\windows\system32\comres.dll . . . is infected!!

c:\windows\system32\lpk.dll . . . is infected!!

--------

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ADBUPD
-------\Service_AdbUpd


((((((((((((((((((((((((( Files Created from 2010-06-07 to 2010-07-07 )))))))))))))))))))))))))))))))
.

2010-07-07 04:20 . 2010-06-01 17:37 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-04 21:23 . 2010-07-04 21:23 125056 ----a-w- c:\windows\system32\drivers\fxkmurtg.sys
2010-07-03 15:23 . 2010-07-07 04:30 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-07-02 03:39 . 2010-07-02 03:39 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-02 03:31 . 2010-07-02 03:31 -------- d-----w- C:\9fd6a574282a642426e14f92e57ea3c6
2010-07-01 04:34 . 2010-07-02 19:44 -------- d-----w- c:\documents and settings\Jon\Application Data\QuickScan
2010-07-01 04:34 . 2010-05-31 21:34 702120 ----a-w- c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\grjiobr7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-07-01 04:34 . 2010-05-31 21:34 868456 ----a-w- c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\grjiobr7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-07-01 03:48 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-30 05:14 . 2010-06-30 05:14 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-30 05:13 . 2010-06-30 05:13 -------- d-----w- c:\program files\NOS
2010-06-30 05:13 . 2010-06-30 05:13 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-30 05:13 . 2010-06-30 05:13 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS(2)
2010-06-30 05:13 . 2010-06-30 05:13 -------- d-----w- c:\program files\Common Files\Skype
2010-06-28 23:21 . 2010-06-29 23:47 361 ----a-w- c:\windows\system32\aclecitr.dat
2010-06-28 23:21 . 2010-06-29 23:47 307 ----a-w- c:\windows\system32\kbdbgshe.dat
2010-06-28 23:21 . 2010-06-29 21:33 0 ----a-w- c:\windows\system32\wpdmtpui.dat
2010-06-28 20:55 . 2010-06-30 05:12 2884 ----a-w- c:\windows\system32\dpnhpcst.dat
2010-06-28 20:55 . 2010-06-30 05:12 1282 ----a-w- c:\windows\system32\LCWizaDd.dat
2010-06-28 20:55 . 2010-06-30 04:45 0 ----a-w- c:\windows\system32\MPG4DPCD.dat
2010-06-28 20:55 . 2010-06-30 03:13 320 ----a-w- c:\windows\system32\nethc.dat
2010-06-26 00:27 . 2010-06-26 00:48 -------- d-----w- c:\documents and settings\Jon\Application Data\TeamViewer
2010-06-26 00:26 . 2010-06-26 00:26 -------- d-----w- c:\program files\TeamViewer
2010-06-25 12:11 . 2010-03-29 13:53 32576 ----a-w- c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\grjiobr7.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-06-25 12:11 . 2010-03-29 13:53 29984 ----a-w- c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\grjiobr7.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-06-25 00:09 . 2010-06-25 00:09 -------- d-----w- c:\program files\VideoLAN
2010-06-23 19:36 . 2010-06-23 19:36 -------- d-----w- c:\documents and settings\Jon\Local Settings\Application Data\PCHealth
2010-06-23 12:12 . 2010-06-23 12:14 -------- d-----w- C:\f4d24b9414a216826ad7d49881
2010-06-17 20:30 . 2010-06-17 20:47 -------- d-----w- C:\Prey
2010-06-11 23:25 . 2010-06-11 23:25 -------- d-----w- C:\371674f8e85b8dc7e861abc524f03750
2010-06-11 03:33 . 2010-06-11 03:33 -------- d-----w- C:\c140f01d80ad9ad96ce7
2010-06-10 04:22 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-07 11:46 . 2010-05-15 18:06 -------- d-----w- c:\program files\ClamAV for Windows
2010-07-07 03:29 . 2001-08-17 13:52 125056 ----a-w- c:\windows\system32\drivers\ftdisk.sys
2010-07-02 19:44 . 2007-12-25 17:33 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-01 04:08 . 2007-08-07 19:48 25160 ----a-w- c:\windows\system32\drivers\ElbyCDIO.sys
2010-06-30 05:13 . 2008-04-25 03:05 -------- d-----w- c:\documents and settings\Jon\Application Data\uTorrent
2010-06-30 05:13 . 2008-12-23 00:36 -------- d-----w- c:\program files\Skype
2010-06-30 05:13 . 2008-12-23 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-06-30 00:19 . 2008-12-23 00:36 -------- d-----w- c:\documents and settings\Jon\Application Data\Skype
2010-06-29 21:03 . 2008-12-23 00:47 -------- d-----w- c:\documents and settings\Jon\Application Data\skypePM
2010-06-29 03:31 . 2010-02-17 01:38 -------- d-----w- c:\documents and settings\Jon\Application Data\Nitro PDF
2010-06-25 21:11 . 2006-12-26 02:28 -------- d-----w- c:\documents and settings\Jon\Application Data\LimeWire
2010-06-23 12:13 . 2007-01-20 03:46 -------- d-----w- c:\program files\Microsoft.NET
2010-06-17 04:56 . 2009-09-16 06:26 59880 -c-ha-w- c:\windows\system32\mlfcache.dat
2010-06-11 04:22 . 2009-08-29 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-06 22:00 . 2007-08-15 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-06-05 23:32 . 2009-09-08 00:50 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-05 23:28 . 2006-12-25 01:21 74440 -c--a-w- c:\documents and settings\Jon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-03 05:10 . 2006-03-23 00:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-03 04:15 . 2010-02-17 00:53 -------- d-----w- c:\program files\HRBlock2009
2010-06-03 04:07 . 2010-02-17 00:55 -------- d-----w- c:\program files\PDF995
2010-06-03 04:06 . 2006-12-25 02:01 -------- d-----w- c:\program files\AIM
2010-06-03 04:06 . 2006-12-25 02:02 -------- d-----w- c:\documents and settings\Jon\Application Data\Aim
2010-06-03 04:02 . 2009-06-11 00:55 -------- d-----w- c:\program files\Common Files\Acronis
2010-06-03 04:00 . 2007-01-12 01:05 -------- d-----w- c:\program files\Zune
2010-05-31 02:47 . 2010-05-31 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2010-05-31 02:46 . 2010-05-31 02:46 33982 ----a-r- c:\documents and settings\Jon\Application Data\Microsoft\Installer\{3CB4A7B0-007D-4722-AF1D-891B53E04606}\_81E0D198B036D887FBB476.exe
2010-05-31 02:46 . 2010-05-31 02:46 33982 ----a-r- c:\documents and settings\Jon\Application Data\Microsoft\Installer\{3CB4A7B0-007D-4722-AF1D-891B53E04606}\_6FEFF9B68218417F98F549.exe
2010-05-31 02:46 . 2010-05-31 02:46 33982 ----a-r- c:\documents and settings\Jon\Application Data\Microsoft\Installer\{3CB4A7B0-007D-4722-AF1D-891B53E04606}\_68FB011795C0989845F64A.exe
2010-05-31 02:46 . 2010-05-31 02:46 -------- d-----w- c:\program files\Napster
2010-05-22 03:32 . 2010-05-22 03:32 348160 ----a-w- c:\documents and settings\Jon\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-31375818-n\msvcr71.dll
2010-05-22 03:32 . 2010-05-22 03:32 503808 ----a-w- c:\documents and settings\Jon\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-31375818-n\msvcp71.dll
2010-05-22 03:32 . 2010-05-22 03:32 499712 ----a-w- c:\documents and settings\Jon\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-31375818-n\jmc.dll
2010-05-15 20:04 . 2006-12-26 03:39 -------- d-----w- c:\program files\Kaspersky Lab
2010-05-15 20:04 . 2006-12-26 03:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-05-07 17:55 . 2010-05-07 17:55 255472 ----a-w- c:\documents and settings\Jon\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-05-06 10:41 . 2006-03-22 21:24 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2006-03-22 21:24 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2006-03-22 21:23 285696 ----a-w- c:\windows\system32\atmfd.dll
2006-12-25 19:28 . 2006-12-25 19:28 102912 ----a-w- c:\program files\mozilla firefox\components\pwd_fir.dll
2008-06-19 09:16 . 2008-06-19 09:16 118784 -c--a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll
2008-07-08 04:32 . 2007-07-31 20:04 48 --sh--w- c:\windows\SC6517345.tmp
2009-02-12 02:49 . 2006-12-26 00:48 4130 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVD.exe" [2007-01-06 503296]
"Google Update"="c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-06 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-02-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-02-28 602182]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2006-02-28 569413]
"VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-01 69632]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-01-26 212992]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-08 7557120]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"Biomenu"="c:\program files\Protector Suite QL\menusw.exe" [2006-02-23 1354240]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"VAIO Update 3"="c:\program files\Sony\VAIO Update 3\VAIOUpdt.exe" [2007-05-16 551032]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-17 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-17 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-17 118784]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"Prey Laptop Tracker"="c:\prey\platform\windows\cron.exe" [2010-03-30 216648]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]

c:\documents and settings\Jon\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-10-14 21:07 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-02-23 02:11 39936 ----a-w- c:\windows\system32\fusstub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-08-12 00:09 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-09-13 17:12 139264 -c--a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 19:39 1289000 ----a-w- c:\progra~1\MI3AA1~1\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 22:40 155648 -c--a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 06:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCULauncher]
2006-02-08 04:28 73728 ----a-w- c:\program files\Sony\SmartWi Connection Utility\WCULauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 -c----w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Jeyo\\JMC_WindowsMobile\\JMC_WM.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Jon\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Jon\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26631:TCP"= 26631:TCP:BitComet 26631 TCP
"26631:UDP"= 26631:UDP:BitComet 26631 UDP
"7372:TCP"= 7372:TCP:BitComet 7372 TCP
"7372:UDP"= 7372:UDP:BitComet 7372 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [3/22/2006 4:24 PM 9216]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [4/18/2010 1:26 PM 123856]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [4/18/2010 1:26 PM 41680]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2/22/2006 9:13 PM 13440]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2/22/2006 9:13 PM 33024]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [9/15/2009 11:20 AM 188736]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 5:06 AM 21632]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [3/22/2006 4:24 PM 29184]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [3/22/2006 4:24 PM 71961]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [3/22/2006 4:24 PM 226304]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [3/25/2010 8:06 PM 99728]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [3/25/2010 8:06 PM 110608]
S1 abumjfgp;abumjfgp;\??\c:\windows\system32\drivers\abumjfgp.sys --> c:\windows\system32\drivers\abumjfgp.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/7/2009 6:26 PM 133104]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 10:28 AM 204800]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [3/22/2006 4:24 PM 36352]
S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\drivers\GCXX.sys [3/22/2006 8:11 PM 114944]
S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\drivers\GCXXNet.sys [3/22/2006 8:11 PM 53248]
S3 vaxscsi;vaxscsi;c:\windows\system32\Drivers\vaxscsi.sys --> c:\windows\system32\Drivers\vaxscsi.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/25/2006 7:31 PM 721904]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-06-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 18:34]

2010-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-07 23:26]

2010-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-07 23:26]

2010-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4150140326-1811316804-2443063896-1006Core.job
- c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-06 18:19]

2010-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4150140326-1811316804-2443063896-1006UA.job
- c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-06 18:19]

2010-07-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 02:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://espn.go.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\grjiobr7.default\
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\grjiobr7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\grjiobr7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\Jon\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCIG.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-VAIO Recovery - c:\windows\Sonysys\VAIO Recovery\PartSeal.exe
HKLM-Run-PartSeal - c:\windows\Sonysys\VAIO Recovery\PartSeal.exe
SafeBoot-klmdb.sys
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_03\bin\jusched.exe
MSConfigStartUp-Zune Launcher - c:\program files\Zune\ZuneLauncher.exe
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-07 07:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc22.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4150140326-1811316804-2443063896-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:37,31,3f,c7,06,a1,d5,b7,10,1a,12,23,d1,4f,e6,57,48,25,f8,ee,7c,68,32,
38,97,4a,ef,6a,b9,9e,d9,07,7f,96,3b,f0,0b,3c,85,51,e7,ff,6b,c0,db,0e,81,89,\
"??"=hex:32,6d,17,bd,ce,bc,fe,c7,b0,58,a8,8f,4a,f8,bf,a3

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
c:\windows\system32\fusstub.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\passport.dll
c:\program files\Protector Suite QL\BhTcAll.dll
c:\program files\Protector Suite QL\BhDevTfm.dll
c:\program files\Protector Suite QL\AlgVer.dll
c:\program files\Protector Suite QL\TCBioLib.dll
c:\program files\Protector Suite QL\remote.dll
c:\windows\system32\VESWinlogon.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\program files\Protector Suite QL\mysafe.dll
.
Completion time: 2010-07-07 07:16:38
ComboFix-quarantined-files.txt 2010-07-07 12:16
ComboFix2.txt 2009-04-10 15:57
ComboFix3.txt 2009-04-10 15:13
ComboFix4.txt 2009-04-09 18:11
ComboFix5.txt 2010-07-07 03:34

Pre-Run: 13,154,476,032 bytes free
Post-Run: 13,126,819,840 bytes free

- - End Of File - - CDE0495CE17DEFB3B216A67709B133B0


#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:07:53 AM

Posted 07 July 2010 - 05:38 PM

It doesn't work at all tongue.gif nah just kidding.
No really it is basically just an on demand scanner that isn't that great at detection in the first place.
Just the system should run a bit better without it.

Please submit the following files to one of these online file scanners.
(All you have to do is copy and paste the file path into the box when you click on Browse then once you have done that click on the open button then submit)

c:\windows\system32\drivers\fxkmurtg.sys
c:\windows\system32\drivers\aec.sys
c:\windows\system32\hid.dll


This will produce a report after the scan is complete, please copy and paste those results in your next post.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#7 jonwetzul023

jonwetzul023
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:06:53 AM

Posted 07 July 2010 - 10:20 PM

Antivirus;Version;Last Update;Result
a-squared;5.0.0.31;2010.07.07;-
AhnLab-V3;2010.07.07.01;2010.07.07;-
AntiVir;8.2.4.10;2010.07.07;-
Antiy-AVL;2.0.3.7;2010.07.07;-
Authentium;5.2.0.5;2010.07.07;-
Avast;4.8.1351.0;2010.07.07;-
Avast5;5.0.332.0;2010.07.07;-
AVG;9.0.0.836;2010.07.07;-
BitDefender;7.2;2010.07.07;-
CAT-QuickHeal;11.00;2010.07.07;-
ClamAV;0.96.0.3-git;2010.07.07;-
Comodo;5351;2010.07.07;-
DrWeb;5.0.2.03300;2010.07.07;-
eSafe;7.0.17.0;2010.07.07;-
eTrust-Vet;36.1.7690;2010.07.07;-
F-Prot;4.6.1.107;2010.07.07;-
F-Secure;9.0.15370.0;2010.07.07;-
Fortinet;4.1.133.0;2010.07.07;-
GData;21;2010.07.07;-
Ikarus;T3.1.1.84.0;2010.07.07;-
Jiangmin;13.0.900;2010.07.07;-
Kaspersky;7.0.0.125;2010.07.07;-
McAfee;5.400.0.1158;2010.07.07;-
McAfee-GW-Edition;2010.1;2010.07.05;Heuristic.LooksLike.Trojan.Patched.I
Microsoft;1.5902;2010.07.07;-
NOD32;5260;2010.07.07;-
Norman;6.05.11;2010.07.07;-
nProtect;2010-07-07.02;2010.07.07;-
Panda;10.0.2.7;2010.07.07;-
PCTools;7.0.3.5;2010.07.07;-
Prevx;3.0;2010.07.07;-
Rising;22.55.02.04;2010.07.07;-
Sophos;4.54.0;2010.07.07;-
Sunbelt;6556;2010.07.07;-
Symantec;20101.1.0.89;2010.07.07;-
TheHacker;6.5.2.1.309;2010.07.07;-
TrendMicro;9.120.0.1004;2010.07.07;-
TrendMicro-HouseCall;9.120.0.1004;2010.07.07;-
VBA32;3.12.12.6;2010.07.07;-
ViRobot;2010.6.29.3912;2010.07.07;-
VirusBuster;5.0.27.0;2010.07.06;-

The other two files had no positive results.

#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:07:53 AM

Posted 08 July 2010 - 06:27 AM

1. Open notepad and copy/paste the text in the codebox below into it:



CODE
http://www.bleepingcomputer.com/forums/t/328625/infected-possibly-with-pe-tdssmtr/?p=1832427

Collect::
c:\windows\system32\aclecitr.dat
c:\windows\system32\kbdbgshe.dat
c:\windows\system32\wpdmtpui.dat
c:\windows\system32\dpnhpcst.dat
c:\windows\system32\LCWizaDd.dat
c:\windows\system32\MPG4DPCD.dat
c:\windows\system32\nethc.dat
c:\windows\system32\drivers\fxkmurtg.sys

Save this as CFScript.txt


Drag CFScript.txt into ComboFix.exe

2. Save the above as CFScript.txt

3. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



4. During this run Combofix will collect and automatically upload some sample files.
You will see it say Combofix needs to upload some samples.
If it fails to do that do the requested steps at the bottom of this post to manually upload the samples.

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt
===========
Note::
If Combofix fails to upload anything please do the following:
Go to Start > My Computer > C:\
Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#9 jonwetzul023

jonwetzul023
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:06:53 AM

Posted 08 July 2010 - 01:34 PM

ComboFix 10-07-06.03 - Jon 07/08/2010 7:05.10.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.481 [GMT -5:00]
Running from: c:\documents and settings\Jon\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jon\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

file zipped: c:\windows\system32\aclecitr.dat
file zipped: c:\windows\system32\dpnhpcst.dat
file zipped: c:\windows\system32\drivers\fxkmurtg.sys
file zipped: c:\windows\system32\kbdbgshe.dat
file zipped: c:\windows\system32\LCWizaDd.dat
file zipped: c:\windows\system32\MPG4DPCD.dat
file zipped: c:\windows\system32\nethc.dat
file zipped: c:\windows\system32\wpdmtpui.dat
.
The following files were disabled during the run:
c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\aclecitr.dat
c:\windows\system32\dpnhpcst.dat
c:\windows\system32\drivers\fxkmurtg.sys
c:\windows\system32\kbdbgshe.dat
c:\windows\system32\LCWizaDd.dat
c:\windows\system32\MPG4DPCD.dat
c:\windows\system32\nethc.dat
c:\windows\system32\wpdmtpui.dat

.
((((((((((((((((((((((((( Files Created from 2010-06-08 to 2010-07-08 )))))))))))))))))))))))))))))))
.

2010-07-07 04:20 . 2010-06-01 17:37 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-03 15:23 . 2010-07-07 04:30 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-07-02 03:39 . 2010-07-02 03:39 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-02 03:31 . 2010-07-02 03:31 -------- d-----w- C:\9fd6a574282a642426e14f92e57ea3c6
2010-07-01 04:34 . 2010-07-08 03:54 -------- d-----w- c:\documents and settings\Jon\Application Data\QuickScan
2010-07-01 03:48 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-30 05:14 . 2010-06-30 05:14 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-30 05:13 . 2010-06-30 05:13 -------- d-----w- c:\program files\NOS
2010-06-30 05:13 . 2010-06-30 05:13 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-30 05:13 . 2010-06-30 05:13 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS(2)
2010-06-30 05:13 . 2010-06-30 05:13 -------- d-----w- c:\program files\Common Files\Skype
2010-06-26 00:27 . 2010-06-26 00:48 -------- d-----w- c:\documents and settings\Jon\Application Data\TeamViewer
2010-06-26 00:26 . 2010-06-26 00:26 -------- d-----w- c:\program files\TeamViewer
2010-06-25 12:11 . 2010-03-29 13:53 32576 ----a-w- c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\grjiobr7.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-06-25 12:11 . 2010-03-29 13:53 29984 ----a-w- c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\grjiobr7.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-06-25 00:09 . 2010-06-25 00:09 -------- d-----w- c:\program files\VideoLAN
2010-06-23 19:36 . 2010-06-23 19:36 -------- d-----w- c:\documents and settings\Jon\Local Settings\Application Data\PCHealth
2010-06-23 12:12 . 2010-06-23 12:14 -------- d-----w- C:\f4d24b9414a216826ad7d49881
2010-06-17 20:30 . 2010-06-17 20:47 -------- d-----w- C:\Prey
2010-06-11 23:25 . 2010-06-11 23:25 -------- d-----w- C:\371674f8e85b8dc7e861abc524f03750
2010-06-11 03:33 . 2010-06-11 03:33 -------- d-----w- C:\c140f01d80ad9ad96ce7
2010-06-10 04:22 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-07 11:46 . 2010-05-15 18:06 -------- d-----w- c:\program files\ClamAV for Windows
2010-07-07 03:29 . 2001-08-17 13:52 125056 ----a-w- c:\windows\system32\drivers\ftdisk.sys
2010-07-02 19:44 . 2007-12-25 17:33 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-01 04:08 . 2007-08-07 19:48 25160 ----a-w- c:\windows\system32\drivers\ElbyCDIO.sys
2010-06-30 05:13 . 2008-04-25 03:05 -------- d-----w- c:\documents and settings\Jon\Application Data\uTorrent
2010-06-30 05:13 . 2008-12-23 00:36 -------- d-----w- c:\program files\Skype
2010-06-30 05:13 . 2008-12-23 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-06-30 00:19 . 2008-12-23 00:36 -------- d-----w- c:\documents and settings\Jon\Application Data\Skype
2010-06-29 21:03 . 2008-12-23 00:47 -------- d-----w- c:\documents and settings\Jon\Application Data\skypePM
2010-06-29 03:31 . 2010-02-17 01:38 -------- d-----w- c:\documents and settings\Jon\Application Data\Nitro PDF
2010-06-25 21:11 . 2006-12-26 02:28 -------- d-----w- c:\documents and settings\Jon\Application Data\LimeWire
2010-06-23 12:13 . 2007-01-20 03:46 -------- d-----w- c:\program files\Microsoft.NET
2010-06-17 04:56 . 2009-09-16 06:26 59880 -c-ha-w- c:\windows\system32\mlfcache.dat
2010-06-11 04:22 . 2009-08-29 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-06 22:00 . 2007-08-15 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-06-05 23:32 . 2009-09-08 00:50 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-05 23:28 . 2006-12-25 01:21 74440 -c--a-w- c:\documents and settings\Jon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-03 05:10 . 2006-03-23 00:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-03 04:15 . 2010-02-17 00:53 -------- d-----w- c:\program files\HRBlock2009
2010-06-03 04:07 . 2010-02-17 00:55 -------- d-----w- c:\program files\PDF995
2010-06-03 04:06 . 2006-12-25 02:01 -------- d-----w- c:\program files\AIM
2010-06-03 04:06 . 2006-12-25 02:02 -------- d-----w- c:\documents and settings\Jon\Application Data\Aim
2010-06-03 04:02 . 2009-06-11 00:55 -------- d-----w- c:\program files\Common Files\Acronis
2010-06-03 04:00 . 2007-01-12 01:05 -------- d-----w- c:\program files\Zune
2010-05-31 02:47 . 2010-05-31 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2010-05-31 02:46 . 2010-05-31 02:46 33982 ----a-r- c:\documents and settings\Jon\Application Data\Microsoft\Installer\{3CB4A7B0-007D-4722-AF1D-891B53E04606}\_81E0D198B036D887FBB476.exe
2010-05-31 02:46 . 2010-05-31 02:46 33982 ----a-r- c:\documents and settings\Jon\Application Data\Microsoft\Installer\{3CB4A7B0-007D-4722-AF1D-891B53E04606}\_6FEFF9B68218417F98F549.exe
2010-05-31 02:46 . 2010-05-31 02:46 33982 ----a-r- c:\documents and settings\Jon\Application Data\Microsoft\Installer\{3CB4A7B0-007D-4722-AF1D-891B53E04606}\_68FB011795C0989845F64A.exe
2010-05-31 02:46 . 2010-05-31 02:46 -------- d-----w- c:\program files\Napster
2010-05-22 03:32 . 2010-05-22 03:32 348160 ----a-w- c:\documents and settings\Jon\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-31375818-n\msvcr71.dll
2010-05-22 03:32 . 2010-05-22 03:32 503808 ----a-w- c:\documents and settings\Jon\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-31375818-n\msvcp71.dll
2010-05-22 03:32 . 2010-05-22 03:32 499712 ----a-w- c:\documents and settings\Jon\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-31375818-n\jmc.dll
2010-05-15 20:04 . 2006-12-26 03:39 -------- d-----w- c:\program files\Kaspersky Lab
2010-05-15 20:04 . 2006-12-26 03:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-05-07 17:55 . 2010-05-07 17:55 255472 ----a-w- c:\documents and settings\Jon\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-05-06 10:41 . 2006-03-22 21:24 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2006-03-22 21:24 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2006-03-22 21:23 285696 ----a-w- c:\windows\system32\atmfd.dll
2006-12-25 19:28 . 2006-12-25 19:28 102912 ----a-w- c:\program files\mozilla firefox\components\pwd_fir.dll
2008-06-19 09:16 . 2008-06-19 09:16 118784 -c--a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll
2008-07-08 04:32 . 2007-07-31 20:04 48 --sh--w- c:\windows\SC6517345.tmp
2009-02-12 02:49 . 2006-12-26 00:48 4130 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-07-07_12.08.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-08 11:50 . 2010-07-08 11:50 16384 c:\windows\Temp\Perflib_Perfdata_6d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVD.exe" [2007-01-06 503296]
"Google Update"="c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-06 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-02-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-02-28 602182]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2006-02-28 569413]
"VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-01 69632]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-01-26 212992]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-08 7557120]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"Biomenu"="c:\program files\Protector Suite QL\menusw.exe" [2006-02-23 1354240]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"VAIO Update 3"="c:\program files\Sony\VAIO Update 3\VAIOUpdt.exe" [2007-05-16 551032]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-17 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-17 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-17 118784]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"Prey Laptop Tracker"="c:\prey\platform\windows\cron.exe" [2010-03-30 216648]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]

c:\documents and settings\Jon\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-10-14 21:07 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-02-23 02:11 39936 ----a-w- c:\windows\system32\fusstub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-08-12 00:09 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-09-13 17:12 139264 -c--a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 19:39 1289000 ----a-w- c:\progra~1\MI3AA1~1\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 22:40 155648 -c--a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 06:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCULauncher]
2006-02-08 04:28 73728 ----a-w- c:\program files\Sony\SmartWi Connection Utility\WCULauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 -c----w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Jeyo\\JMC_WindowsMobile\\JMC_WM.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Jon\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Jon\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26631:TCP"= 26631:TCP:BitComet 26631 TCP
"26631:UDP"= 26631:UDP:BitComet 26631 UDP
"7372:TCP"= 7372:TCP:BitComet 7372 TCP
"7372:UDP"= 7372:UDP:BitComet 7372 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [3/22/2006 4:24 PM 9216]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [4/18/2010 1:26 PM 123856]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [4/18/2010 1:26 PM 41680]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2/22/2006 9:13 PM 13440]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2/22/2006 9:13 PM 33024]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [9/15/2009 11:20 AM 188736]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 5:06 AM 21632]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [3/22/2006 4:24 PM 29184]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [3/22/2006 4:24 PM 71961]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [3/22/2006 4:24 PM 226304]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [3/25/2010 8:06 PM 99728]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [3/25/2010 8:06 PM 110608]
S1 abumjfgp;abumjfgp;\??\c:\windows\system32\drivers\abumjfgp.sys --> c:\windows\system32\drivers\abumjfgp.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/7/2009 6:26 PM 133104]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 10:28 AM 204800]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [3/22/2006 4:24 PM 36352]
S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\drivers\GCXX.sys [3/22/2006 8:11 PM 114944]
S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\drivers\GCXXNet.sys [3/22/2006 8:11 PM 53248]
S3 vaxscsi;vaxscsi;c:\windows\system32\Drivers\vaxscsi.sys --> c:\windows\system32\Drivers\vaxscsi.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/25/2006 7:31 PM 721904]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-07-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 18:34]

2010-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-07 23:26]

2010-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-07 23:26]

2010-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4150140326-1811316804-2443063896-1006Core.job
- c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-06 18:19]

2010-07-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4150140326-1811316804-2443063896-1006UA.job
- c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-06 18:19]

2010-07-08 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 02:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://espn.go.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\grjiobr7.default\
FF - prefs.js: browser.search.selectedEngine - YouTube
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\Jon\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCIG.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-08 07:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc22.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4150140326-1811316804-2443063896-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:37,31,3f,c7,06,a1,d5,b7,10,1a,12,23,d1,4f,e6,57,48,25,f8,ee,7c,68,32,
38,97,4a,ef,6a,b9,9e,d9,07,7f,96,3b,f0,0b,3c,85,51,e7,ff,6b,c0,db,0e,81,89,\
"??"=hex:32,6d,17,bd,ce,bc,fe,c7,b0,58,a8,8f,4a,f8,bf,a3

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
c:\windows\system32\fusstub.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\passport.dll
c:\program files\Protector Suite QL\BhTcAll.dll
c:\program files\Protector Suite QL\BhDevTfm.dll
c:\program files\Protector Suite QL\AlgVer.dll
c:\program files\Protector Suite QL\TCBioLib.dll
c:\program files\Protector Suite QL\remote.dll
c:\windows\system32\VESWinlogon.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\program files\Protector Suite QL\mysafe.dll
.
Completion time: 2010-07-08 07:24:38
ComboFix-quarantined-files.txt 2010-07-08 12:24
ComboFix2.txt 2010-07-07 12:16
ComboFix3.txt 2009-04-10 15:57
ComboFix4.txt 2009-04-10 15:13
ComboFix5.txt 2010-07-08 12:04

Pre-Run: 13,106,659,328 bytes free
Post-Run: 13,090,807,808 bytes free

- - End Of File - - FB8BBDDA7918A8290828A004B82EF813
Upload was successful


#10 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:07:53 AM

Posted 09 July 2010 - 07:09 AM

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
==========
As a final check - Please perform the following online scan:

* Go here to run an online scannner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#11 jonwetzul023

jonwetzul023
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:06:53 AM

Posted 09 July 2010 - 05:45 PM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4297

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/9/2010 3:36:00 PM
mbam-log-2010-07-09 (15-36-00).txt

Scan type: Quick scan
Objects scanned: 147664
Time elapsed: 12 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\BitGrabber (Trojan.Swizzor) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\updater\explorer.exe (Backdoor.Bot) -> Quarantined and deleted successfully.


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=52648ec31dd31b4aa91ebf206a73d86e
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-09 10:44:03
# local_time=2010-07-09 05:44:03 (-0600, Central Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1280 16777215 100 0 4668361 4668361 0 0
# compatibility_mode=5891 16776869 100 100 0 8216384 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=182748
# found=3
# cleaned=3
# scan_time=6837
C:\Qoobox\Quarantine\C\Program Files\adc_w32.dll.vir a variant of Win32/Kryptik.FHR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\alggui.exe.vir a variant of Win32/Kryptik.FHR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\svchost.exe.vir a variant of Win32/Kryptik.FHR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


#12 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:07:53 AM

Posted 10 July 2010 - 08:31 AM

Looks good how are things running and let me know of any remaining problems:
Please also run dds once more and post it's dds.txt that opens.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#13 jonwetzul023

jonwetzul023
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:06:53 AM

Posted 10 July 2010 - 06:22 PM


DDS (Ver_10-03-17.01) - NTFSx86
Run by Jon at 18:16:23.54 on Sat 07/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.404 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Sony\SmartWi Connection Utility\SmartWiService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Protector Suite QL\menusw.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Prey\platform\windows\cron.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Program Files\ManyCam 2.4\ManyCam.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Jon\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://espn.go.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol\aol search enhancement\AOLSearch.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol\aol search enhancement\AOLSearch.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [AnyDVD] "c:\program files\slysoft\anydvd\AnyDVD.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Google Update] "c:\documents and settings\jon\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [EOUApp] "c:\program files\intel\wireless\bin\EOUWiz.exe"
mRun: [VAIOCameraUtility] "c:\program files\sony\vaio camera utility\VCUServe.exe"
mRun: [SonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ISBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [Biomenu] "c:\program files\protector suite ql\menusw.exe"
mRun: [Apoint] "c:\program files\apoint\Apoint.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [VAIO Update 3] "c:\program files\sony\vaio update 3\VAIOUpdt.exe" /Stationary
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Prey Laptop Tracker] c:\prey\platform\windows\cron.exe --log
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\jon\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - fusstub.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jon\applic~1\mozilla\firefox\profiles\grjiobr7.default\
FF - prefs.js: browser.search.selectedEngine - Urban Dictionary
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\jon\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\jon\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPCIG.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [2006-3-22 9216]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2010-4-18 123856]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2010-4-18 41680]
R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2006-2-22 13440]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2006-2-22 33024]
R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-1-15 204800]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2009-9-15 188736]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2006-3-22 29184]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2006-3-22 71961]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-3-22 226304]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2010-3-25 99728]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2010-3-25 110608]
S1 abumjfgp;abumjfgp;\??\c:\windows\system32\drivers\abumjfgp.sys --> c:\windows\system32\drivers\abumjfgp.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-7 133104]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-3-22 36352]
S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\drivers\GCXX.sys [2006-3-22 114944]
S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\drivers\GCXXNet.sys [2006-3-22 53248]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys --> c:\windows\system32\drivers\vaxscsi.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2010-07-09 20:22:56 0 d-----w- c:\docume~1\jon\applic~1\Malwarebytes
2010-07-09 20:22:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-09 20:22:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-09 20:22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-09 20:22:39 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-09 20:22:31 0 d-----w- c:\program files\ESET
2010-07-07 04:20:35 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-07 03:33:54 77312 ----a-w- c:\windows\MBR.exe
2010-07-07 03:33:43 256512 ----a-w- c:\windows\PEV.exe
2010-07-03 15:23:28 0 d-----w- c:\program files\Microsoft Security Essentials
2010-07-02 03:31:31 0 d-----w- C:\9fd6a574282a642426e14f92e57ea3c6
2010-07-01 04:34:11 0 d-----w- c:\docume~1\jon\applic~1\QuickScan
2010-07-01 03:48:45 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-30 05:14:09 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-30 05:13:21 0 d-----w- c:\docume~1\alluse~1\applic~1\NOS(2)
2010-06-26 00:27:26 0 d-----w- c:\docume~1\jon\applic~1\TeamViewer
2010-06-26 00:26:46 0 d-----w- c:\program files\TeamViewer
2010-06-25 00:09:41 0 d-----w- c:\program files\VideoLAN
2010-06-23 12:12:23 0 d-----w- C:\f4d24b9414a216826ad7d49881
2010-06-17 20:30:06 0 d-----w- C:\Prey
2010-06-11 23:25:02 0 d-----w- C:\371674f8e85b8dc7e861abc524f03750
2010-06-11 03:33:31 0 d-----w- C:\c140f01d80ad9ad96ce7

==================== Find3M ====================

2010-07-07 03:29:05 125056 ----a-w- c:\windows\system32\drivers\ftdisk.sys
2010-07-01 04:08:15 25160 ----a-w- c:\windows\system32\drivers\ElbyCDIO.sys
2010-06-17 04:56:39 59880 -c-ha-w- c:\windows\system32\mlfcache.dat
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2004-09-02 18:50:28 73728 -c--a-w- c:\windows\inf\printwise\ld232c\disk1\RA38PSUI.dll
2004-03-03 00:47:12 9116 -c--a-w- c:\windows\inf\printwise\ld232c\disk1\RA38PSRE.dll
2004-03-03 00:47:12 9116 -c--a-w- c:\windows\inf\printwise\ld135\disk1\RA45PSRE.DLL
2003-09-09 15:18:58 73728 -c--a-w- c:\windows\inf\printwise\ld135\disk1\RA45PSUI.DLL
2002-10-03 10:49:08 262144 -c--a-w- c:\windows\inf\printwise\ld232c\disk1\SETUP.EXE
2001-08-25 17:18:40 258048 -c--a-w- c:\windows\inf\printwise\ld135\disk1\SETUP.EXE
2009-02-12 02:49:12 4130 -csha-w- c:\windows\system32\KGyGaAvL.sys
2008-10-18 05:34:00 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101820081019\index.dat

============= FINISH: 18:21:36.54 ===============


#14 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:07:53 AM

Posted 10 July 2010 - 07:09 PM

=======Cleanup=======
  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the Uninstall, it needs to be there.
===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "(JRE) then click on it
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

Delete\uninstall anything else that we have used that is leftover.

=====================================
After that your all set.


The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention artice by Miekiemoes.

If your computer is slow Is a tutorial on what you can do if your computer is slow.

File sharing program dangers Reasons to stay away from File sharing programs for ex: BitTorrent,Limewire,Kazaa,emule,Utorrent,Limewire etc...
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#15 jonwetzul023

jonwetzul023
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:06:53 AM

Posted 10 July 2010 - 08:53 PM

Thanks very much. Its working great.

You sir are a gentleman.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users