
Infected with some type of Malware / Virus


88 replies to this topic

#1 beccamillott

beccamillott

  • Members
  • 51 posts
  • OFFLINE
  • Local time:03:01 AM

Posted 14 August 2010 - 07:36 AM

I've been trying for about 4 or 5 days now to get rid of some type of malware / virus on my computer. I've read through different things, but I'm not sure what this is called.

1) Frequent redirect when searching a google link

2) Cannot open any new program - the "open" is grayed out

3) Get a "Win32.exe" error when trying to open a program

4) Frequent new windows open with spam

5) Had something called "Antivir" a couple of weeks ago and used Malwarebytes and I thought it was gone, but more and more keeps popping up

6) Could not make a post to this website on the infected computer. It keeps saying the connection to the server was reset (when there is no problem posting from another computer.)


Here are the logs:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Becca at 22:02:24.23 on Fri 08/13/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3326.2652 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\DOCUME~1\Becca\LOCALS~1\Temp\explorer.exe
C:\WINDOWS\explorer.exe
C:\program files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Screenshot Studio\sstudio.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Becca\Local Settings\Apps\2.0\8VV17N65.Q72\893KAJQH.T5Q\curs..tion_eee711038731a406_0004.0000_172b37d8269e5e48\CurseClient.exe
C:\DOCUME~1\Becca\LOCALS~1\Temp\ov8gec9.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
I:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://hometab.bellsouth.net/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe" -NoStart
uRun: [Screenshot Studio] "c:\program files\screenshot studio\sstudio.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [UIUCU] c:\docume~1\becca\locals~1\temp\UIUCU.EXE -CLEAN_UP -S
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [DACSMiniApp] c:\program files\fisher-price\dacs\miniapp\DACSMiniApp.exe
mRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\FirstStart.exe" /OM
mRun: [Launch LGDCore] "c:\program files\common files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Turbine Download Manager Tray Icon] "c:\program files\turbine\turbine download manager\TurbineDownloadManagerIcon.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Udonati] rundll32.exe "c:\windows\erebajoganisap.dll",Startup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mExplorerRun: [q3mr2] c:\docume~1\becca\locals~1\temp\ov8gec9.exe
StartupFolder: c:\docume~1\becca\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\documents and settings\becca\start menu\programs\startup\CurseClientStartup.ccip
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Open with WordPerfect - c:\program files\corel\wordperfect office x4\programs\WPLauncher.hta
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205886710328
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205886935171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
Hosts: 173.192.153.178 www.123.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\becca\applic~1\mozilla\firefox\profiles\747s45nz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.cnn.com
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101049100&s=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\becca\application data\mozilla\firefox\profiles\747s45nz.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\becca\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {CC2EE78B-0846-4D16-829B-E6A7E782803B} - c:\documents and settings\becca\local settings\application data\{CC2EE78B-0846-4D16-829B-E6A7E782803B}
FF - HiddenExtension: Adobe Flash Plugin: No Registry Reference - c:\program files\mozilla firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101049100&s=
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-8-10 218592]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-8-10 112592]
R2 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\turbine\turbine download manager\TurbineMessageService.exe [2009-9-10 271856]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [2009-12-15 22016]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [2010-8-8 20480]
S0 idbczne;idbczne;c:\windows\system32\drivers\idbczne.sys [2010-7-25 0]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-24 135664]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\becca\locals~1\temp\alsysio.sys --> c:\docume~1\becca\locals~1\temp\ALSysIO.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-12-15 1684736]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-9-7 30192]
S3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\turbine\turbine download manager\TurbineNetworkService.exe [2009-9-10 218608]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [2009-12-15 29440]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-12-15 17536]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-8-10 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-8-10 1142224]

=============== Created Last 30 ================

2010-08-13 17:25:09 0 d-----w- c:\program files\CCleaner
2010-08-13 04:11:29 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-08-13 04:11:26 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-08-13 04:11:22 17408 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-08-13 04:11:19 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-08-13 04:11:16 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-08-13 04:11:09 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-08-13 04:11:05 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-08-13 04:11:04 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-08-13 04:11:01 19328 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-08-13 04:11:00 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-08-13 04:11:00 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-08-13 04:09:59 12415 -c--a-w- c:\windows\system32\dllcache\wadv01nt.sys
2010-08-13 04:08:59 793598 -c--a-w- c:\windows\system32\dllcache\usr1806.sys
2010-08-13 04:07:57 525568 -c--a-w- c:\windows\system32\dllcache\tridxp.dll
2010-08-13 04:06:56 30464 -c--a-w- c:\windows\system32\dllcache\tbatm155.sys
2010-08-13 04:05:58 16896 -c--a-w- c:\windows\system32\dllcache\stcusb.sys
2010-08-13 04:04:49 58368 -c--a-w- c:\windows\system32\dllcache\smiminib.sys
2010-08-13 04:03:58 238592 -c--a-w- c:\windows\system32\dllcache\sisgrv.dll
2010-08-13 04:02:57 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2010-08-13 04:01:58 179264 -c--a-w- c:\windows\system32\dllcache\s3sav3d.dll
2010-08-13 04:00:52 13776 -c--a-w- c:\windows\system32\dllcache\recagent.sys
2010-08-13 03:59:59 35328 -c--a-w- c:\windows\system32\dllcache\psisload.dll
2010-08-13 03:58:58 30282 -c--a-w- c:\windows\system32\dllcache\pcntn5hl.sys
2010-08-13 03:57:58 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2010-08-13 03:57:56 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll
2010-08-13 03:57:54 180360 -c--a-w- c:\windows\system32\dllcache\ntmtlfax.sys
2010-08-13 03:57:48 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2010-08-13 03:55:58 52255 -c--a-w- c:\windows\system32\dllcache\n1000nt5.sys
2010-08-13 03:54:56 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2010-08-13 03:54:55 15360 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2010-08-13 03:54:50 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2010-08-13 03:54:45 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2010-08-13 03:54:40 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
2010-08-13 03:54:37 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
2010-08-13 03:54:31 26112 -c--a-w- c:\windows\system32\dllcache\memstpci.sys
2010-08-13 03:54:28 47616 -c--a-w- c:\windows\system32\dllcache\memgrp.dll
2010-08-13 03:54:26 8320 -c--a-w- c:\windows\system32\dllcache\memcard.sys
2010-08-13 03:54:23 164586 -c--a-w- c:\windows\system32\dllcache\mdgndis5.sys
2010-08-13 03:54:19 7424 -c--a-w- c:\windows\system32\dllcache\mammoth.sys
2010-08-13 03:50:58 15744 -c--a-w- c:\windows\system32\dllcache\lit220p.sys
2010-08-13 03:49:57 45632 -c--a-w- c:\windows\system32\dllcache\ip5515.sys
2010-08-13 03:48:58 28700 -c--a-w- c:\windows\system32\dllcache\ibmexmp.sys
2010-08-13 03:47:59 199711 -c--a-w- c:\windows\system32\dllcache\hsf_faxx.sys
2010-08-13 03:46:58 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
2010-08-13 03:45:00 24618 -c--a-w- c:\windows\system32\dllcache\fa410nd5.sys
2010-08-13 03:43:59 69194 -c--a-w- c:\windows\system32\dllcache\el656cd5.sys
2010-08-13 03:42:59 20928 -c--a-w- c:\windows\system32\dllcache\defpa.sys
2010-08-13 03:41:58 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-08-13 03:40:59 17279 -c--a-w- c:\windows\system32\dllcache\atv10nt5.dll
2010-08-13 03:38:00 6272 -c--a-w- c:\windows\system32\dllcache\apmbatt.sys
2010-08-13 03:36:28 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
2010-08-13 03:35:54 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-08-13 00:13:28 0 d-----w- C:\VundoFix Backups
2010-08-12 19:06:37 0 d-----w- c:\docume~1\becca\applic~1\PC Tools
2010-08-11 01:45:41 882 ----a-w- c:\windows\RegSDImport.xml
2010-08-11 01:45:41 879 ----a-w- c:\windows\RegISSImport.xml
2010-08-11 01:45:41 767952 ----a-w- c:\windows\BDTSupport.dll
2010-08-11 01:45:41 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-08-11 01:45:41 131 ----a-w- c:\windows\IDB.zip
2010-08-11 01:45:40 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-08-11 01:45:40 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-08-11 01:45:40 1152444 ----a-w- c:\windows\UDB.zip
2010-08-11 01:40:58 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-08-11 01:40:58 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-08-11 01:40:56 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-08-11 01:40:56 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-08-11 01:40:55 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-08-11 01:40:46 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-08-11 01:40:46 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-08-11 01:40:24 0 d-----w- c:\program files\Spyware Doctor
2010-08-11 01:40:24 0 d-----w- c:\program files\common files\PC Tools
2010-08-10 23:35:23 0 d-----w- c:\docume~1\becca\applic~1\MSNInstaller
2010-08-10 23:15:56 54016 ----a-w- c:\windows\system32\drivers\mglet.sys
2010-08-10 23:02:08 0 d-----w- c:\program files\iPod
2010-08-10 22:57:16 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-08-10 22:56:39 0 d-----w- c:\program files\Bonjour
2010-08-10 22:48:04 32000 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-08-10 21:12:09 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-08-09 23:56:04 2848 ----a-w- c:\windows\uvasivolupuf.dll
2010-08-09 23:19:22 782848 ----a-w- c:\windows\system32\drivers\aiurnjl.sys
2010-08-09 22:38:24 0 d-----w- C:\MTV_OUTPUT
2010-08-09 21:31:05 54016 ----a-w- c:\windows\system32\drivers\avgqfug.sys
2010-08-09 21:18:00 2848 ----a-w- c:\windows\igetokara.dll
2010-08-09 09:18:48 782848 ----a-w- c:\windows\system32\drivers\upgrs.sys
2010-08-09 07:41:44 58 --sh--w- c:\windows\system32\User.ini
2010-08-08 21:35:25 0 d-----w- c:\program files\iConcepts Music Express
2010-08-08 21:18:09 2858 ----a-w- c:\windows\upevurov.dll
2010-08-08 20:08:11 2858 ----a-w- c:\windows\uqizohecewew.dll
2010-08-08 16:55:45 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys
2010-08-04 21:17:10 2858 ----a-w- c:\windows\uxasexas.dll
2010-07-25 23:59:10 1890 ----a-w- c:\windows\lsrslt.ini
2010-07-25 23:41:49 2774 ----a-w- c:\windows\iridicuvuhoxuq.dll
2010-07-25 23:33:33 120 ----a-w- c:\windows\Bganaza.dat
2010-07-25 23:33:33 0 ----a-w- c:\windows\Jvequvubo.bin
2010-07-25 23:32:04 0 ----a-w- c:\windows\system32\drivers\idbczne.sys
2010-07-25 23:31:58 5 ----a-w- C:\zrpt.xml
2010-07-25 23:31:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-07-25 23:31:37 0 d-----w- c:\docume~1\becca\applic~1\8232EE04165E4F943AA5AC09A2A0E051
2010-07-24 23:05:46 766 ----a-w- c:\windows\attwns.ico
2010-07-24 23:05:40 4398 ----a-w- c:\windows\caesar3.ico
2010-07-24 22:59:13 0 d-----w- C:\SIERRA
2010-07-24 22:59:13 0 d-----w- c:\program files\Sierra On-Line
2010-07-24 22:58:54 351 ----a-w- c:\windows\SIERRA.INI

==================== Find3M ====================

2010-08-13 01:45:58 4020 ----a-w- c:\windows\system32\tmp.reg
2010-06-16 20:24:07 169984 ----a-w- c:\windows\hpoins44.dat
2010-06-16 20:17:18 123630128 ----a-w- c:\program files\DJ_AIO_06_F2400_NonNet_Full_Win_enu_140_175.exe
2010-05-21 18:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-01-23 19:29:06 9203547 ----a-w- c:\program files\dcloner.exe
2009-02-01 12:55:36 1969086 ----a-w- c:\program files\dl36colorsetup.exe
2008-11-27 16:17:51 1123696 ----a-w- c:\program files\ActiveSetupN.exe
2008-09-12 01:38:50 3108 ----a-w- c:\program files\readme.txt
2008-09-12 01:38:50 2319568 ----a-w- c:\program files\d3dx9_27.dll
2008-09-01 13:27:31 1020112 ----a-w- c:\program files\Google Updater.exe
2008-08-11 04:08:58 978396 ----a-w- c:\program files\BDAXP.cab
2008-08-07 23:26:58 5697032 ----a-w- c:\program files\wmvfirefoxpluginsetup_3.1f.exe
2008-08-02 21:36:50 606168 ----a-w- c:\program files\AmazonMP3Installer.exe
2008-06-18 20:06:18 382352 ----a-w- c:\program files\jxpiinstall.exe
2008-06-16 04:31:45 1495112 ----a-w- c:\program files\install_flash_player.exe
2008-06-05 00:08:44 532616 ----a-w- c:\program files\ImageResizerPowertoySetup.exe
2008-04-27 23:16:35 23700784 ----a-w- c:\program files\QuickTimeInstaller.exe
2008-04-27 23:10:01 6039048 ----a-w- c:\program files\Firefox Setup 2.0.0.14.exe
2008-04-17 02:11:11 449784 ----a-w- c:\program files\msgr8us.exe
2008-04-03 17:13:24 45942912 ----a-w- c:\program files\169.21_forceware_winxp_32bit_english_whql.exe
2008-03-21 01:20:50 2732032 ----a-w- c:\program files\ventrilo-3.0.1-Windows-i386.exe

============= FINISH: 22:03:16.35 ===============


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:03:01 AM

Posted 14 August 2010 - 09:34 AM

Hello beccamillott

Welcome to BleepingComputer
==========================

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capability to allow a hacker to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you still want to clean it please do the following

===================
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

========
Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here
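
Added example for the TDSSKiller step above (not part of the thread, and not TDSSKiller's own code): a small Python parser for the plain-text report the tool writes, which pulls out any "Suspicious file (Forged)" entries, the family they were flagged as, and the action chosen, so a pasted log can be triaged at a glance. The report lines, the hashes and the driver paths embedded in it are constructed for the example; the point a reader should take from it is that the tool reports two different hashes for one file, and that discrepancy, not either hash on its own, is the rootkit signal.

```python
"""Parse a TDSSKiller report and pull out the forged-driver findings.

Added example; not TDSSKiller's code.  Report format assumed: every line
starts with a timestamp, each driver is enumerated as
'<service> (<md5>) <path>', a hidden rootkit appears as a
'Suspicious file (Forged)' line with two MD5 values, and the tail records
'Detected object count', cure-after-reboot and 'User select action'.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

TS = r"^\S+ \S+ "  # the '2010/08/14 10:46:02.0921 ' prefix on every line
ENTRY_RE = re.compile(TS + r"(?P<service>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
FORGED_RE = re.compile(
    TS + r"Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
DETECTED_RE = re.compile(TS + r"(?P<service>\S+) - detected (?P<family>\S+)")
REBOOT_RE = re.compile(TS + r"(?P<path>.+) - will be cured after reboot$")
ACTION_RE = re.compile(
    TS + r"(?P<family>[^\s(]+)\((?P<service>[^)]+)\) - User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(TS + r"Detected object count: (?P<n>\d+)$")

# Constructed sample in the report format; hashes and paths are made up.
SAMPLE_REPORT = r"""
2010/08/14 10:46:02.0281 Scan started
2010/08/14 10:46:02.0281 Mode: Manual;
2010/08/14 10:46:02.0718 ACPI (00112233445566778899aabbccddeeff) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/14 10:46:02.0921 AFD (a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1) C:\WINDOWS\System32\drivers\afd.sys
2010/08/14 10:46:02.0921 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1, Fake md5: b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2
2010/08/14 10:46:02.0921 AFD - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/14 10:46:14.0781 Scan finished
2010/08/14 10:46:14.0781 Detected object count: 1
2010/08/14 10:46:22.0015 Backup copy found, using it..
2010/08/14 10:46:22.0062 C:\WINDOWS\System32\drivers\afd.sys - will be cured after reboot
2010/08/14 10:46:22.0062 Rootkit.Win32.TDSS.tdl3(AFD) - User select action: Cure
"""


@dataclass
class Finding:
    service: str
    path: str
    real_md5: str
    fake_md5: str
    family: str = ""
    action: Optional[str] = None
    reboot_required: bool = False


@dataclass
class Report:
    drivers: Dict[str, str]      # lower-cased path -> md5 as enumerated by the scan
    findings: List[Finding]
    detected_count: Optional[int] = None

    def by_path(self, path: str) -> Optional[Finding]:
        return next((f for f in self.findings if f.path.lower() == path.lower()), None)

    def by_service(self, service: str) -> Optional[Finding]:
        return next((f for f in self.findings if f.service == service), None)


def parse_report(text: str) -> Report:
    """Walk the report once; later lines refine findings opened by earlier ones."""
    report = Report(drivers={}, findings=[])
    path_to_service: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if (m := FORGED_RE.match(line)):
            # Two hashes for one file: its content depends on how it is read,
            # which is exactly the hiding behaviour the scanner is looking for.
            report.findings.append(Finding(
                service=path_to_service.get(m["path"].lower(), "?"),
                path=m["path"], real_md5=m["real"], fake_md5=m["fake"]))
        elif (m := DETECTED_RE.match(line)):
            if (f := report.by_service(m["service"])):
                f.family = m["family"]
        elif (m := ACTION_RE.match(line)):
            if (f := report.by_service(m["service"])):
                f.action = m["action"]
        elif (m := REBOOT_RE.match(line)):
            if (f := report.by_path(m["path"])):
                f.reboot_required = True
        elif (m := COUNT_RE.match(line)):
            report.detected_count = int(m["n"])
        elif (m := ENTRY_RE.match(line)):
            report.drivers[m["path"].lower()] = m["md5"]
            path_to_service[m["path"].lower()] = m["service"]
    return report


def summarize(report: Report) -> List[str]:
    """One plain line per forged file, the kind of digest a helper posts back."""
    lines = []
    for f in report.findings:
        state = "cure pending reboot" if f.reboot_required else "no reboot requested"
        lines.append(
            f"{f.service} {f.path}: {f.family or 'unclassified'}; "
            f"real md5 {f.real_md5} != fake md5 {f.fake_md5}; "
            f"action={f.action or 'none'} ({state})")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_report(SAMPLE_REPORT)):
        print(line)
```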

#3 beccamillott

beccamillott
  • Topic Starter

  • Members
  • 51 posts

Posted 14 August 2010 - 12:01 PM

Thank you for the help. I have run both and the logs are below.

After running ComboFix, however, my Internet is not working. I have tried to reboot and then to "repair" the connection, but when I click "repair" it says "Windows could not finish repairing - failed to query TCP/IP settings of the connection could not proceed"

TDSS Log:

2010/08/14 10:45:54.0375 TDSS rootkit removing tool 2.4.1.1 Aug 10 2010 14:48:09
2010/08/14 10:45:54.0375 ================================================================================
2010/08/14 10:45:54.0375 SystemInfo:
2010/08/14 10:45:54.0375
2010/08/14 10:45:54.0375 OS Version: 5.1.2600 ServicePack: 2.0
2010/08/14 10:45:54.0375 Product type: Workstation
2010/08/14 10:45:54.0375 ComputerName: BECCASCOMPUTER
2010/08/14 10:45:54.0375 UserName: Becca
2010/08/14 10:45:54.0375 Windows directory: C:\WINDOWS
2010/08/14 10:45:54.0375 System windows directory: C:\WINDOWS
2010/08/14 10:45:54.0375 Processor architecture: Intel x86
2010/08/14 10:45:54.0375 Number of processors: 4
2010/08/14 10:45:54.0375 Page size: 0x1000
2010/08/14 10:45:54.0375 Boot type: Normal boot
2010/08/14 10:45:54.0375 ================================================================================
2010/08/14 10:45:54.0609 Initialize success
2010/08/14 10:46:02.0281 ================================================================================
2010/08/14 10:46:02.0281 Scan started
2010/08/14 10:46:02.0281 Mode: Manual;
2010/08/14 10:46:02.0281 ================================================================================
2010/08/14 10:46:02.0718 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/14 10:46:02.0781 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/08/14 10:46:02.0875 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
2010/08/14 10:46:02.0921 AFD (d7e578eca59910df899abb50e5455e38) C:\WINDOWS\System32\drivers\afd.sys
2010/08/14 10:46:02.0921 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: d7e578eca59910df899abb50e5455e38, Fake md5: 55e6e1c51b6d30e54335750955453702
2010/08/14 10:46:02.0921 AFD - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/14 10:46:03.0265 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
2010/08/14 10:46:03.0406 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
2010/08/14 10:46:03.0500 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/08/14 10:46:03.0640 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/08/14 10:46:03.0781 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/14 10:46:03.0859 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/08/14 10:46:03.0937 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/08/14 10:46:03.0968 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/08/14 10:46:04.0046 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/08/14 10:46:04.0109 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/08/14 10:46:04.0140 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/08/14 10:46:04.0203 Cdrom (882b4257e5a5adfb6b5c03e8a02d4bf1) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/08/14 10:46:04.0406 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/14 10:46:04.0515 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2010/08/14 10:46:04.0609 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2010/08/14 10:46:04.0687 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/14 10:46:04.0734 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2010/08/14 10:46:04.0796 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/08/14 10:46:04.0843 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/08/14 10:46:04.0890 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/08/14 10:46:04.0921 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2010/08/14 10:46:04.0968 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/08/14 10:46:05.0062 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/08/14 10:46:05.0109 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/08/14 10:46:05.0140 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/08/14 10:46:05.0187 gdrv (c6e3105b8c68c35cc1eb26a00fd1a8c6) C:\WINDOWS\gdrv.sys
2010/08/14 10:46:06.0281 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/08/14 10:46:06.0359 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/08/14 10:46:06.0406 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/08/14 10:46:06.0468 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/08/14 10:46:06.0562 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2010/08/14 10:46:06.0593 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2010/08/14 10:46:06.0625 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2010/08/14 10:46:06.0718 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/08/14 10:46:06.0859 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/08/14 10:46:06.0968 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/08/14 10:46:07.0296 IntcAzAudAddService (e8656858d8b2da7c9cf59fb4e5ce32ed) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/08/14 10:46:07.0453 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/08/14 10:46:07.0531 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/08/14 10:46:07.0593 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/08/14 10:46:07.0640 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/08/14 10:46:07.0718 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/14 10:46:07.0750 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/08/14 10:46:07.0796 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/08/14 10:46:07.0843 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/08/14 10:46:07.0875 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/08/14 10:46:07.0921 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
2010/08/14 10:46:08.0000 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/08/14 10:46:08.0109 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/08/14 10:46:08.0156 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2010/08/14 10:46:08.0281 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
2010/08/14 10:46:08.0421 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/08/14 10:46:08.0484 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/08/14 10:46:08.0531 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/08/14 10:46:08.0625 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/08/14 10:46:08.0734 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/08/14 10:46:08.0796 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2010/08/14 10:46:08.0843 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/08/14 10:46:08.0875 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/08/14 10:46:08.0906 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/08/14 10:46:08.0984 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/08/14 10:46:09.0015 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2010/08/14 10:46:09.0062 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2010/08/14 10:46:09.0125 ndisrd (1359b200974395679b092f1d5f63cfa9) C:\WINDOWS\system32\DRIVERS\ndisrd.sys
2010/08/14 10:46:09.0156 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/08/14 10:46:09.0203 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/08/14 10:46:09.0234 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/08/14 10:46:09.0265 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/08/14 10:46:09.0296 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/08/14 10:46:09.0343 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/08/14 10:46:09.0406 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/08/14 10:46:09.0437 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2010/08/14 10:46:09.0515 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/08/14 10:46:09.0593 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/08/14 10:46:09.0968 nv (ce34061a298bfb4ebd1a0bb8592dc977) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/08/14 10:46:10.0359 nvata (c03e15101f6d9e82cd9b0e7d715f5de3) C:\WINDOWS\system32\DRIVERS\nvata.sys
2010/08/14 10:46:10.0437 NVENETFD (b9333604527e02cd2223f200c0bae7e0) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2010/08/14 10:46:10.0500 nvnetbus (5e9e55f7ee644c7c5fd78a206fbe37ab) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2010/08/14 10:46:10.0562 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/08/14 10:46:10.0593 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/08/14 10:46:10.0640 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/08/14 10:46:10.0703 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/08/14 10:46:10.0734 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/08/14 10:46:10.0781 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/08/14 10:46:10.0828 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/08/14 10:46:10.0906 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/08/14 10:46:10.0953 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/08/14 10:46:11.0015 PCTCore (807ff1dd6e1bdf8e7d2062fca0daecaf) C:\WINDOWS\system32\drivers\PCTCore.sys
2010/08/14 10:46:11.0265 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/08/14 10:46:11.0328 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/08/14 10:46:11.0359 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/08/14 10:46:11.0390 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/08/14 10:46:11.0437 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/08/14 10:46:11.0656 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/08/14 10:46:11.0703 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/08/14 10:46:11.0750 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/08/14 10:46:11.0781 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/08/14 10:46:11.0812 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/08/14 10:46:11.0859 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/08/14 10:46:11.0921 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/08/14 10:46:11.0968 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/08/14 10:46:12.0046 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2010/08/14 10:46:12.0156 RTLE8023xp (f0a21c62b9b835e1c96268eaae31d239) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2010/08/14 10:46:12.0218 RTLTEAMING (376218d4209b1e749953f9edef0cef2e) C:\WINDOWS\system32\DRIVERS\RTLTEAMING.SYS
2010/08/14 10:46:12.0281 RTLVLAN (6ec43dc18746bb9b6ddec4c99b15b6fc) C:\WINDOWS\system32\DRIVERS\RTLVLAN.SYS
2010/08/14 10:46:12.0328 RtNdPt5x (5ffd2aaf467b80fab34929afb7702060) C:\WINDOWS\system32\DRIVERS\RtNdPt5x.sys
2010/08/14 10:46:12.0406 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/08/14 10:46:12.0468 Serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/08/14 10:46:12.0531 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/08/14 10:46:12.0578 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/08/14 10:46:12.0718 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
2010/08/14 10:46:12.0750 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/08/14 10:46:12.0843 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/08/14 10:46:12.0937 StMp3Rec (833ac40f6e7be17951d6d9a956829547) C:\WINDOWS\system32\Drivers\StMp3Rec.sys
2010/08/14 10:46:12.0984 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/08/14 10:46:13.0031 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2010/08/14 10:46:13.0187 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/08/14 10:46:13.0250 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/08/14 10:46:13.0328 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/08/14 10:46:13.0375 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/08/14 10:46:13.0406 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/08/14 10:46:13.0500 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2010/08/14 10:46:13.0578 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2010/08/14 10:46:13.0671 USBAAPL (c1ca131f4e3ed63d6bc89a35ffad4cda) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/08/14 10:46:13.0734 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/08/14 10:46:13.0781 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/08/14 10:46:13.0843 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/08/14 10:46:13.0875 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/08/14 10:46:13.0921 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/08/14 10:46:13.0953 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/08/14 10:46:13.0984 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/08/14 10:46:14.0031 usbstor (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/08/14 10:46:14.0078 USB_RNDIS_XP (af090265ec388bab320f1ff7e7a7d5ea) C:\WINDOWS\system32\DRIVERS\usb8023.sys
2010/08/14 10:46:14.0125 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2010/08/14 10:46:14.0187 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/08/14 10:46:14.0234 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/08/14 10:46:14.0296 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/08/14 10:46:14.0375 WinDriver6 (94e4312d546048bf31604a8b2ad13fc0) C:\WINDOWS\system32\drivers\windrvr6.sys
2010/08/14 10:46:14.0468 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/08/14 10:46:14.0531 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2010/08/14 10:46:14.0625 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/08/14 10:46:14.0703 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/08/14 10:46:14.0750 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/08/14 10:46:14.0781 ================================================================================
2010/08/14 10:46:14.0781 Scan finished
2010/08/14 10:46:14.0781 ================================================================================
2010/08/14 10:46:14.0781 Detected object count: 1
2010/08/14 10:46:21.0812 AFD (d7e578eca59910df899abb50e5455e38) C:\WINDOWS\System32\drivers\afd.sys
2010/08/14 10:46:21.0812 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: d7e578eca59910df899abb50e5455e38, Fake md5: 55e6e1c51b6d30e54335750955453702
2010/08/14 10:46:22.0015 Backup copy found, using it..
2010/08/14 10:46:22.0062 C:\WINDOWS\System32\drivers\afd.sys - will be cured after reboot
2010/08/14 10:46:22.0062 Rootkit.Win32.TDSS.tdl3(AFD) - User select action: Cure
2010/08/14 10:46:34.0390 Deinitialize success


ComboFix Log:

ComboFix 10-08-12.03 - Becca 08/14/2010 11:05:08.1.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3326.2708 [GMT -4:00]
Running from: c:\documents and settings\Becca\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Becca\Application Data\8232EE04165E4F943AA5AC09A2A0E051
c:\documents and settings\Becca\Application Data\8232EE04165E4F943AA5AC09A2A0E051\enemies-names.txt
c:\documents and settings\Becca\Application Data\8232EE04165E4F943AA5AC09A2A0E051\local.ini
c:\documents and settings\Becca\Application Data\8232EE04165E4F943AA5AC09A2A0E051\lsrslt.ini
c:\documents and settings\Becca\Local Settings\Application Data\{CC2EE78B-0846-4D16-829B-E6A7E782803B}
c:\documents and settings\Becca\Local Settings\Application Data\{CC2EE78B-0846-4D16-829B-E6A7E782803B}\chrome.manifest
c:\documents and settings\Becca\Local Settings\Application Data\{CC2EE78B-0846-4D16-829B-E6A7E782803B}\chrome\content\_cfg.js
c:\documents and settings\Becca\Local Settings\Application Data\{CC2EE78B-0846-4D16-829B-E6A7E782803B}\chrome\content\overlay.xul
c:\documents and settings\Becca\Local Settings\Application Data\{CC2EE78B-0846-4D16-829B-E6A7E782803B}\install.rdf
c:\documents and settings\Joshua and Brooklyn\Local Settings\Application Data\{2C3AF69C-EE95-4D39-A240-80750BDEC1B9}
c:\documents and settings\Joshua and Brooklyn\Local Settings\Application Data\{2C3AF69C-EE95-4D39-A240-80750BDEC1B9}\chrome.manifest
c:\documents and settings\Joshua and Brooklyn\Local Settings\Application Data\{2C3AF69C-EE95-4D39-A240-80750BDEC1B9}\chrome\content\_cfg.js
c:\documents and settings\Joshua and Brooklyn\Local Settings\Application Data\{2C3AF69C-EE95-4D39-A240-80750BDEC1B9}\chrome\content\overlay.xul
c:\documents and settings\Joshua and Brooklyn\Local Settings\Application Data\{2C3AF69C-EE95-4D39-A240-80750BDEC1B9}\install.rdf
c:\program files\Mozilla Firefox\searchplugins\google_search.xml
c:\windows\erebajoganisap.dll
c:\windows\Fonts\mlog
c:\windows\igetokara.dll
c:\windows\iridicuvuhoxuq.dll
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\drivers\aiurnjl.sys
c:\windows\system32\driVERs\idbczne.sys
c:\windows\system32\drivers\ndisrd.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\Install.txt
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\szetyj67v.txt
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\upevurov.dll
c:\windows\uqizohecewew.dll
c:\windows\uvasivolupuf.dll
c:\windows\uxasexas.dll

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\userinit.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_ndisrd
-------\Legacy_idbczne
-------\Service_idbczne


((((((((((((((((((((((((( Files Created from 2010-07-14 to 2010-08-14 )))))))))))))))))))))))))))))))
.

2010-08-13 17:25 . 2010-08-13 17:25 -------- d-----w- c:\program files\CCleaner
2010-08-13 04:11 . 2004-08-04 04:56 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-08-13 04:11 . 2001-08-18 02:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-08-13 04:11 . 2001-08-18 02:36 17408 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-08-13 04:11 . 2001-08-18 02:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-08-13 04:11 . 2001-08-18 02:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-08-13 04:11 . 2001-08-18 02:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-08-13 04:11 . 2001-08-17 16:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-08-13 04:11 . 2004-08-04 02:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-08-13 04:11 . 2004-08-04 03:10 19328 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-08-13 04:11 . 2004-08-04 04:56 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-08-13 04:11 . 2004-08-04 02:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-08-13 04:09 . 2004-08-04 02:29 12415 -c--a-w- c:\windows\system32\dllcache\wadv01nt.sys
2010-08-13 04:08 . 2001-08-17 17:28 793598 -c--a-w- c:\windows\system32\dllcache\usr1806.sys
2010-08-13 04:07 . 2001-08-18 02:36 525568 -c--a-w- c:\windows\system32\dllcache\tridxp.dll
2010-08-13 04:06 . 2001-08-17 17:49 30464 -c--a-w- c:\windows\system32\dllcache\tbatm155.sys
2010-08-13 04:05 . 2001-08-17 17:51 16896 -c--a-w- c:\windows\system32\dllcache\stcusb.sys
2010-08-13 04:04 . 2001-08-17 16:51 58368 -c--a-w- c:\windows\system32\dllcache\smiminib.sys
2010-08-13 04:03 . 2001-08-18 02:36 238592 -c--a-w- c:\windows\system32\dllcache\sisgrv.dll
2010-08-13 04:02 . 2001-08-17 17:53 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2010-08-13 04:01 . 2001-08-17 18:56 179264 -c--a-w- c:\windows\system32\dllcache\s3sav3d.dll
2010-08-13 04:00 . 2004-08-04 02:41 13776 -c--a-w- c:\windows\system32\dllcache\recagent.sys
2010-08-13 03:59 . 2001-08-18 02:36 35328 -c--a-w- c:\windows\system32\dllcache\psisload.dll
2010-08-13 03:58 . 2001-08-17 16:11 30282 -c--a-w- c:\windows\system32\dllcache\pcntn5hl.sys
2010-08-13 03:57 . 2001-08-17 16:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2010-08-13 03:57 . 2001-08-18 02:36 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll
2010-08-13 03:57 . 2004-08-04 02:41 180360 -c--a-w- c:\windows\system32\dllcache\ntmtlfax.sys
2010-08-13 03:57 . 2001-08-17 16:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2010-08-13 03:55 . 2001-08-17 16:11 52255 -c--a-w- c:\windows\system32\dllcache\n1000nt5.sys
2010-08-13 03:54 . 2001-08-17 17:52 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2010-08-13 03:54 . 2004-08-04 03:10 15360 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2010-08-13 03:54 . 2001-08-17 17:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2010-08-13 03:54 . 2001-08-17 17:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2010-08-13 03:54 . 2001-08-17 16:50 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
2010-08-13 03:54 . 2001-08-17 18:56 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
2010-08-13 03:54 . 2004-08-04 03:00 26112 -c--a-w- c:\windows\system32\dllcache\memstpci.sys
2010-08-13 03:54 . 2001-08-18 02:36 47616 -c--a-w- c:\windows\system32\dllcache\memgrp.dll
2010-08-13 03:54 . 2001-08-17 17:58 8320 -c--a-w- c:\windows\system32\dllcache\memcard.sys
2010-08-13 03:54 . 2001-08-17 16:12 164586 -c--a-w- c:\windows\system32\dllcache\mdgndis5.sys
2010-08-13 03:54 . 2001-08-17 17:52 7424 -c--a-w- c:\windows\system32\dllcache\mammoth.sys
2010-08-13 03:50 . 2001-08-17 17:51 15744 -c--a-w- c:\windows\system32\dllcache\lit220p.sys
2010-08-13 03:49 . 2001-08-17 16:12 45632 -c--a-w- c:\windows\system32\dllcache\ip5515.sys
2010-08-13 03:48 . 2001-08-17 16:11 28700 -c--a-w- c:\windows\system32\dllcache\ibmexmp.sys
2010-08-13 03:47 . 2001-08-17 17:28 199711 -c--a-w- c:\windows\system32\dllcache\hsf_faxx.sys
2010-08-13 03:46 . 2004-08-04 03:08 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
2010-08-13 03:45 . 2001-08-17 16:12 24618 -c--a-w- c:\windows\system32\dllcache\fa410nd5.sys
2010-08-13 03:43 . 2001-08-17 16:11 69194 -c--a-w- c:\windows\system32\dllcache\el656cd5.sys
2010-08-13 03:42 . 2001-08-17 16:11 20928 -c--a-w- c:\windows\system32\dllcache\defpa.sys
2010-08-13 03:41 . 2004-08-04 03:00 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-08-13 03:40 . 2004-08-04 04:56 17279 -c--a-w- c:\windows\system32\dllcache\atv10nt5.dll
2010-08-13 03:38 . 2001-08-17 17:47 6272 -c--a-w- c:\windows\system32\dllcache\apmbatt.sys
2010-08-13 03:36 . 2001-08-17 18:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2010-08-13 03:35 . 2001-08-17 18:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-08-13 00:13 . 2010-08-13 00:13 -------- d-----w- C:\VundoFix Backups
2010-08-12 19:06 . 2010-08-12 19:06 -------- d-----w- c:\documents and settings\Becca\Local Settings\Application Data\Threat Expert
2010-08-10 23:35 . 2010-08-10 23:35 -------- d-----w- c:\documents and settings\Becca\Application Data\MSNInstaller
2010-08-10 23:15 . 2010-08-10 23:15 54016 ----a-w- c:\windows\system32\drivers\mglet.sys
2010-08-10 23:02 . 2010-08-12 19:06 -------- d-----w- c:\program files\iPod
2010-08-10 22:57 . 2010-04-16 12:33 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-08-10 22:56 . 2010-08-12 19:05 -------- d-----w- c:\program files\Bonjour
2010-08-10 22:48 . 2008-10-01 17:01 32000 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-08-10 21:12 . 2010-08-12 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-08-09 22:38 . 2010-08-09 23:09 -------- d-----w- C:\MTV_OUTPUT
2010-08-09 21:31 . 2010-08-09 21:31 54016 ----a-w- c:\windows\system32\drivers\avgqfug.sys
2010-08-09 09:18 . 2010-08-12 19:05 -------- d-----w- c:\documents and settings\Becca\Local Settings\Application Data\lmcxprwth
2010-08-09 09:18 . 2010-08-09 21:15 782848 ----a-w- c:\windows\system32\drivers\upgrs.sys
2010-08-08 21:35 . 2010-08-12 19:05 -------- d-----w- c:\program files\iConcepts Music Express
2010-08-08 16:56 . 2010-08-08 21:30 -------- d-----w- c:\documents and settings\Becca\Local Settings\Application Data\lwhcicsgh
2010-08-05 00:39 . 2010-08-06 15:35 -------- d-----w- c:\documents and settings\Joshua and Brooklyn\Application Data\HPAppData
2010-08-04 18:09 . 2010-08-04 21:29 -------- d-----w- c:\documents and settings\Becca\Local Settings\Application Data\wjkdsyoib
2010-07-28 18:05 . 2010-08-09 14:16 0 ----a-w- c:\documents and settings\Joshua and Brooklyn\Local Settings\Application Data\Jvequvubo.bin
2010-07-28 18:05 . 2010-08-08 19:45 120 ----a-w- c:\documents and settings\Joshua and Brooklyn\Local Settings\Application Data\Bganaza.dat
2010-07-26 23:56 . 2010-07-27 01:49 -------- d-----w- c:\documents and settings\Becca\Local Settings\Application Data\benblfdwp
2010-07-26 01:33 . 2010-07-26 03:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\wjbtdqxhg
2010-07-25 23:33 . 2010-08-14 14:42 120 ----a-w- c:\windows\Bganaza.dat
2010-07-25 23:33 . 2010-08-14 14:42 0 ----a-w- c:\windows\Jvequvubo.bin
2010-07-25 23:32 . 2010-07-26 00:00 -------- d-----w- c:\documents and settings\Becca\Local Settings\Application Data\tacribuvd
2010-07-25 23:31 . 2010-08-12 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-07-24 22:59 . 2010-07-24 22:59 -------- d-----w- C:\SIERRA
2010-07-24 22:59 . 2010-07-24 22:59 -------- d-----w- c:\program files\Sierra On-Line
2010-07-22 22:08 . 2010-07-22 22:08 -------- d-----w- c:\documents and settings\Joshua and Brooklyn\Application Data\HpUpdate

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-14 15:18 . 2008-09-07 14:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-14 15:17 . 2009-09-20 19:44 -------- d-----w- c:\program files\Screenshot Studio
2010-08-14 15:17 . 2010-06-23 12:14 -------- d-----w- c:\documents and settings\Becca\Application Data\HPAppData
2010-08-14 15:16 . 2009-01-01 21:29 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-08-14 14:48 . 2006-02-28 12:00 138368 ----a-w- c:\windows\system32\drivers\afd.sys
2010-08-13 04:20 . 2010-08-13 04:20 388096 ----a-r- c:\documents and settings\Becca\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-12 19:06 . 2010-08-11 01:40 -------- d-----w- c:\program files\Spyware Doctor
2010-08-12 19:06 . 2010-08-11 01:40 -------- d-----w- c:\program files\Common Files\PC Tools
2010-08-12 19:06 . 2010-08-12 19:06 -------- d-----w- c:\documents and settings\Becca\Application Data\PC Tools
2010-08-12 19:06 . 2010-06-27 21:33 -------- d-----w- c:\program files\wxkpg
2010-08-12 19:06 . 2010-02-15 23:13 -------- d-----w- c:\program files\PCStitch 7
2010-08-12 19:06 . 2009-01-11 22:48 -------- d-----w- c:\documents and settings\Becca\Application Data\Research In Motion
2010-08-12 19:06 . 2009-01-11 22:24 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-08-12 19:06 . 2010-05-16 17:48 -------- d-----w- c:\program files\iTunes
2010-08-12 19:05 . 2008-10-11 13:31 -------- d-----w- c:\program files\Common Files\Apple
2010-08-12 19:05 . 2008-03-19 03:18 -------- d-----w- c:\program files\World of Warcraft
2010-08-12 19:02 . 2009-01-11 22:24 -------- d-----w- c:\program files\Research In Motion
2010-08-12 19:02 . 2008-04-27 22:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-12 19:01 . 2010-06-23 07:18 338480 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-08-11 01:21 . 2008-04-27 23:17 43808 ----a-w- c:\documents and settings\Becca\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-10 22:52 . 2010-08-10 22:52 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-08-10 02:40 . 2009-07-14 04:05 54 ---h--w- c:\windows\popcreg.dat
2010-08-10 02:40 . 2009-07-14 04:05 16 ----a-w- c:\windows\popcinfot.dat
2010-07-13 19:48 . 2009-03-13 16:05 -------- d-----w- c:\program files\TuxPaint
2010-06-19 20:44 . 2010-06-16 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Photo Creations
2010-06-18 13:31 . 2009-08-26 00:56 44624 ----a-w- c:\documents and settings\Joshua and Brooklyn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-17 20:28 . 2010-06-16 20:22 -------- d-----w- c:\documents and settings\Becca\Application Data\HpUpdate
2010-06-16 20:35 . 2010-06-16 20:24 -------- d-----w- c:\documents and settings\Becca\Application Data\HP
2010-06-16 20:31 . 2010-06-16 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Visan
2010-06-16 20:29 . 2010-06-16 20:29 1095152 ----a-w- c:\documents and settings\All Users\Application Data\HP Photo Creations\RocketEngine.dll
2010-06-16 20:29 . 2010-06-16 20:29 321008 ----a-w- c:\documents and settings\All Users\Application Data\HP Photo Creations\PhotoProductCore.exe
2010-06-16 20:29 . 2010-06-16 20:29 210416 ----a-w- c:\documents and settings\All Users\Application Data\HP Photo Creations\ContentMan.dll
2010-06-16 20:29 . 2010-06-16 20:29 145760 ----a-w- c:\documents and settings\All Users\Application Data\HP Photo Creations\PhotoProductReg.exe
2010-06-16 20:29 . 2010-06-16 20:29 140784 ----a-w- c:\documents and settings\All Users\Application Data\HP Photo Creations\RLPNUpload.dll
2010-06-16 20:26 . 2010-06-16 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2010-06-16 20:24 . 2010-06-16 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-06-16 20:24 . 2010-06-16 20:18 169984 ----a-w- c:\windows\hpoins44.dat
2010-06-16 20:22 . 2010-06-16 20:22 -------- d-----w- c:\program files\HP Photo Creations
2010-06-16 20:22 . 2010-06-16 20:19 -------- d-----w- c:\program files\HP
2010-06-16 20:21 . 2010-06-16 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-06-16 20:20 . 2010-06-16 20:20 -------- d-----w- c:\program files\Common Files\HP
2010-06-16 20:20 . 2010-06-16 20:20 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-06-16 20:17 . 2010-06-16 20:11 123630128 ----a-w- c:\program files\DJ_AIO_06_F2400_NonNet_Full_Win_enu_140_175.exe
2010-06-14 14:30 . 2008-03-18 23:36 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-21 18:14 . 2009-11-13 22:56 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-01-23 19:29 . 2010-01-23 19:28 9203547 ----a-w- c:\program files\dcloner.exe
2009-02-01 12:55 . 2009-02-01 12:55 1969086 ----a-w- c:\program files\dl36colorsetup.exe
2008-11-27 16:17 . 2008-11-27 16:17 1123696 ----a-w- c:\program files\ActiveSetupN.exe
2008-09-12 01:38 . 2005-07-22 23:59 2319568 ----a-w- c:\program files\d3dx9_27.dll
2008-09-12 01:38 . 2004-06-12 21:28 3108 ----a-w- c:\program files\readme.txt
2008-09-01 13:27 . 2008-09-01 13:27 1020112 ----a-w- c:\program files\Google Updater.exe
2008-08-11 04:08 . 2008-08-11 04:08 978396 ----a-w- c:\program files\BDAXP.cab
2008-08-07 23:26 . 2008-08-07 23:26 5697032 ----a-w- c:\program files\wmvfirefoxpluginsetup_3.1f.exe
2008-08-02 21:36 . 2008-08-02 21:37 606168 ----a-w- c:\program files\AmazonMP3Installer.exe
2008-06-18 20:06 . 2008-06-18 20:06 382352 ----a-w- c:\program files\jxpiinstall.exe
2008-06-16 04:31 . 2008-06-16 04:31 1495112 ----a-w- c:\program files\install_flash_player.exe
2008-06-05 00:08 . 2008-06-05 00:08 532616 ----a-w- c:\program files\ImageResizerPowertoySetup.exe
2008-04-27 23:16 . 2008-04-27 23:15 23700784 ----a-w- c:\program files\QuickTimeInstaller.exe
2008-04-27 23:10 . 2008-04-27 23:10 6039048 ----a-w- c:\program files\Firefox Setup 2.0.0.14.exe
2008-04-17 02:11 . 2008-04-17 02:11 449784 ----a-w- c:\program files\msgr8us.exe
2008-04-03 17:13 . 2008-04-03 17:11 45942912 ----a-w- c:\program files\169.21_forceware_winxp_32bit_english_whql.exe
2008-03-21 01:20 . 2008-03-21 01:20 2732032 ----a-w- c:\program files\ventrilo-3.0.1-Windows-i386.exe
2009-11-29 07:02 . 2008-09-07 14:16 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

------- Sigcheck -------

[7] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
[7] 2006-02-28 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2006-02-28 12:00 . C79F5FBD9DD981A77DC149B7DA686398 . 24576 . . [------] . . c:\windows\system32\userinit.exe
[7] 2006-02-28 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-02-22 95536]
"Screenshot Studio"="c:\program files\Screenshot Studio\sstudio.exe" [2009-03-10 65536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-01 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-25 13680640]
"nwiz"="nwiz.exe" [2008-12-25 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-25 86016]
"DACSMiniApp"="c:\program files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe" [2008-03-13 128256]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2008-02-22 54576]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-23 1126400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-29 30192]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"Turbine Download Manager Tray Icon"="c:\program files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe" [2010-02-04 472568]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-14 18702336]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

c:\documents and settings\Becca\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
CurseClientStartup.ccip [2010-3-27 0]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Becca^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Becca\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 19:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-09-01 13:27 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Becca\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Chessmaster 10th Edition\\game.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\WoW-0.1.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\Launcher.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Documents and Settings\\Becca\\Local Settings\\Apps\\2.0\\8VV17N65.Q72\\893KAJQH.T5Q\\curs..tion_eee711038731a406_0004.0000_172b37d8269e5e48\\CurseClient.exe"=
"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineNetworkService.exe"=
"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineMessageService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/10/2010 9:40 PM 218592]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [8/10/2010 9:45 PM 112592]
R2 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [9/10/2009 4:42 PM 271856]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [12/15/2009 10:18 AM 22016]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 7:31 AM 92008]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2009 12:56 PM 135664]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\Becca\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\Becca\LOCALS~1\Temp\ALSysIO.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/15/2009 10:20 AM 1684736]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/7/2008 10:16 AM 30192]
S3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [9/10/2009 4:42 PM 218608]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [12/15/2009 10:18 AM 29440]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [12/15/2009 10:18 AM 17536]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/10/2010 9:40 PM 366840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-08-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-08-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 16:56]

2010-08-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 16:56]

2010-08-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2009-12-25 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-07-26 16:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hometab.bellsouth.net/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Becca\Application Data\Mozilla\Firefox\Profiles\747s45nz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.cnn.com
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101049100&s=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\Becca\Application Data\Mozilla\Firefox\Profiles\747s45nz.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\Becca\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101049100&s=
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Udonati - c:\windows\erebajoganisap.dll
SafeBoot-klmdb.sys
MSConfigStartUp-BarbieGirlsTray - c:\program files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
MSConfigStartUp-bipro - cfscp.dll
MSConfigStartUp-SpywareTerminatorUpdate - c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\YahooMessenger.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-14 11:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(500)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(2180)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2010-08-14 11:28:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-14 15:28

Pre-Run: 122,340,737,024 bytes free
Post-Run: 126,940,585,984 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 81A1FF35AA7BF423BCF077899AE3FD11

Edited by beccamillott, 14 August 2010 - 12:03 PM.


#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:03:01 AM

Posted 14 August 2010 - 01:29 PM

See if the below fix gets you back online.

1. Open notepad and copy/paste the text in the codebox below into it:



CODE

Collect::
c:\windows\system32\drivers\avgqfug.sys
c:\documents and settings\Joshua and Brooklyn\Local Settings\Application Data\Jvequvubo.bin
c:\documents and settings\Joshua and Brooklyn\Local Settings\Application Data\Bganaza.dat
C:\windows\Bganaza.dat
c:\windows\Jvequvubo.bin

Folder::
c:\documents and settings\Becca\Local Settings\Application Data\lmcxprwth
c:\documents and settings\Becca\Local Settings\Application Data\lwhcicsgh
c:\documents and settings\Becca\Local Settings\Application Data\wjkdsyoib
c:\documents and settings\Becca\Local Settings\Application Data\benblfdwp
c:\documents and settings\NetworkService\Local Settings\Application Data\wjbtdqxhg
c:\documents and settings\Becca\Local Settings\Application Data\tacribuvd

FCopy::
c:\windows\system32\dllcache\userinit.exe|c:\windows\system32\userinit.exe

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>;*.local


2. Save the above as CFScript.txt

3. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



4. During this run Combofix will collect and automatically upload some sample files.
You will see it say Combofix needs to upload some samples.
If it fails to do that do the requested steps at the bottom of this post to manually upload the samples.

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt
===========
Note::
If Combofix fails to upload anything please do the following:
Go to Start > My Computer > C:\
Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here
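As an added example (not part of kahdah's post, and not ComboFix's own code), the Python below reads the Sigcheck rows and the proxy line from the DDS/ComboFix log posted earlier in this thread and derives the same FCopy:: and DDS:: lines the fix above uses: the live c:\windows\system32\userinit.exe hash matches none of the reference copies, and the browser proxy points back at 127.0.0.1. The log text is copied inline from the post; the script does not assume a meaning for the [7]/[-] tags and relies only on the hash comparison.

```python
import re
from dataclasses import dataclass

# Constructed sample: the Sigcheck block and the two proxy lines, copied from
# the ComboFix/DDS log posted in this thread (raw string keeps the backslashes).
LOG_SAMPLE = r"""
------- Sigcheck -------
[7] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
[7] 2006-02-28 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2006-02-28 12:00 . C79F5FBD9DD981A77DC149B7DA686398 . 24576 . . [------] . . c:\windows\system32\userinit.exe
[7] 2006-02-28 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\userinit.exe
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>;*.local
"""

SYSTEM32 = r"c:\windows\system32"
DLLCACHE = r"c:\windows\system32\dllcache"

# One Sigcheck row: [tag] date[ time] . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+(?P<date>\S+(?:\s\d\d:\d\d)?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>\S+)\s*$")

@dataclass
class SigEntry:
    tag: str
    md5: str
    size: int
    version: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()

def parse_sigcheck(text: str) -> list:
    """Parse every Sigcheck row in the log text; all other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entries.append(SigEntry(m["tag"], m["md5"].upper(), int(m["size"]),
                                    m["version"], m["path"]))
    return entries

def find_replaced_system_files(entries: list) -> list:
    """Flag files whose live system32 copy has an MD5 that none of the reference
    copies share; include the FCopy:: line that restores the dllcache copy."""
    by_name: dict = {}
    for e in entries:
        by_name.setdefault(e.name, []).append(e)
    findings = []
    for name, group in by_name.items():
        live = [e for e in group if e.parent == SYSTEM32]
        refs = [e for e in group if e.parent != SYSTEM32]
        if not live or not refs or live[0].md5 in {r.md5 for r in refs}:
            continue
        cache = next((r for r in refs if r.parent == DLLCACHE), None)
        findings.append({
            "file": name,
            "live_md5": live[0].md5,
            "reference_md5s": sorted({r.md5 for r in refs}),
            "fcopy": f"{cache.path}|{live[0].path}" if cache else None,
        })
    return findings

def find_loopback_proxy(text: str):
    """Return {host, port, dds_line} when the DDS proxy setting points back at the
    local machine (a redirector sitting between the browser and the network)."""
    for line in text.splitlines():
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        # Values look like "http=127.0.0.1:6522" or just "127.0.0.1:6522".
        host, _, port = m["value"].split("=")[-1].rpartition(":")
        if host in ("127.0.0.1", "localhost", "::1"):
            return {"host": host, "port": int(port), "dds_line": line.strip()}
    return None

def build_cfscript(text: str) -> str:
    """Assemble the FCopy:: and DDS:: sections of a CFScript.txt from the log."""
    sections = []
    findings = find_replaced_system_files(parse_sigcheck(text))
    fcopies = [f["fcopy"] for f in findings if f["fcopy"]]
    if fcopies:
        sections.append("FCopy::\n" + "\n".join(fcopies))
    proxy = find_loopback_proxy(text)
    if proxy:
        sections.append("DDS::\n" + proxy["dds_line"])
    return "\n\n".join(sections)
```

Running build_cfscript(LOG_SAMPLE) reproduces the FCopy:: line and the ProxyServer line of the script above; the Collect:: and Folder:: entries still come from the analyst reading the rest of the log.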

#5 beccamillott

beccamillott
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:03:01 AM

Posted 14 August 2010 - 05:14 PM

I think it uploaded, but I'm not sure.

It did reboot and the log follows:

ComboFix 10-08-12.03 - Becca 08/14/2010 17:06:36.2.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3326.2804 [GMT -4:00]
Running from: c:\documents and settings\Becca\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Becca\Desktop\CFScript.txt

file zipped: c:\documents and settings\Joshua and Brooklyn\Local Settings\Application Data\Bganaza.dat
file zipped: c:\documents and settings\Joshua and Brooklyn\Local Settings\Application Data\Jvequvubo.bin
file zipped: c:\windows\Bganaza.dat
file zipped: c:\windows\Jvequvubo.bin
file zipped: c:\windows\system32\drivers\avgqfug.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Becca\Local Settings\Application Data\benblfdwp
c:\documents and settings\Becca\Local Settings\Application Data\lmcxprwth
c:\documents and settings\Becca\Local Settings\Application Data\lwhcicsgh
c:\documents and settings\Becca\Local Settings\Application Data\tacribuvd
c:\documents and settings\Becca\Local Settings\Application Data\wjkdsyoib
c:\documents and settings\Joshua and Brooklyn\Local Settings\Application Data\Bganaza.dat
c:\documents and settings\Joshua and Brooklyn\Local Settings\Application Data\Jvequvubo.bin
c:\documents and settings\NetworkService\Local Settings\Application Data\wjbtdqxhg
c:\windows\Bganaza.dat
c:\windows\Jvequvubo.bin
c:\windows\system32\drivers\avgqfug.sys

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\userinit.exe --> c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Ndisrd


((((((((((((((((((((((((( Files Created from 2010-07-14 to 2010-08-14 )))))))))))))))))))))))))))))))
.

2010-08-14 17:26 . 2010-08-14 17:26 -------- d--h--w- c:\windows\PIF
2010-08-13 17:25 . 2010-08-13 17:25 -------- d-----w- c:\program files\CCleaner
2010-08-13 04:11 . 2004-08-04 04:56 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-08-13 04:11 . 2001-08-18 02:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-08-13 04:11 . 2001-08-18 02:36 17408 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-08-13 04:11 . 2001-08-18 02:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-08-13 04:11 . 2001-08-18 02:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-08-13 04:11 . 2001-08-18 02:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-08-13 04:11 . 2001-08-17 16:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-08-13 04:11 . 2004-08-04 02:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-08-13 04:11 . 2004-08-04 03:10 19328 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-08-13 04:11 . 2004-08-04 04:56 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-08-13 04:11 . 2004-08-04 02:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-08-13 04:09 . 2004-08-04 02:29 12415 -c--a-w- c:\windows\system32\dllcache\wadv01nt.sys
2010-08-13 04:08 . 2001-08-17 17:28 793598 -c--a-w- c:\windows\system32\dllcache\usr1806.sys
2010-08-13 04:07 . 2001-08-18 02:36 525568 -c--a-w- c:\windows\system32\dllcache\tridxp.dll
2010-08-13 04:06 . 2001-08-17 17:49 30464 -c--a-w- c:\windows\system32\dllcache\tbatm155.sys
2010-08-13 04:05 . 2001-08-17 17:51 16896 -c--a-w- c:\windows\system32\dllcache\stcusb.sys
2010-08-13 04:04 . 2001-08-17 16:51 58368 -c--a-w- c:\windows\system32\dllcache\smiminib.sys
2010-08-13 04:03 . 2001-08-18 02:36 238592 -c--a-w- c:\windows\system32\dllcache\sisgrv.dll
2010-08-13 04:02 . 2001-08-17 17:53 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2010-08-13 04:01 . 2001-08-17 18:56 179264 -c--a-w- c:\windows\system32\dllcache\s3sav3d.dll
2010-08-13 04:00 . 2004-08-04 02:41 13776 -c--a-w- c:\windows\system32\dllcache\recagent.sys
2010-08-13 03:59 . 2001-08-18 02:36 35328 -c--a-w- c:\windows\system32\dllcache\psisload.dll
2010-08-13 03:58 . 2001-08-17 16:11 30282 -c--a-w- c:\windows\system32\dllcache\pcntn5hl.sys
2010-08-13 03:57 . 2001-08-17 16:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2010-08-13 03:57 . 2001-08-18 02:36 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll
2010-08-13 03:57 . 2004-08-04 02:41 180360 -c--a-w- c:\windows\system32\dllcache\ntmtlfax.sys
2010-08-13 03:57 . 2001-08-17 16:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2010-08-13 03:55 . 2001-08-17 16:11 52255 -c--a-w- c:\windows\system32\dllcache\n1000nt5.sys
2010-08-13 03:54 . 2001-08-17 17:52 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2010-08-13 03:54 . 2004-08-04 03:10 15360 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2010-08-13 03:54 . 2001-08-17 17:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2010-08-13 03:54 . 2001-08-17 17:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2010-08-13 03:54 . 2001-08-17 16:50 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
2010-08-13 03:54 . 2001-08-17 18:56 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
2010-08-13 03:54 . 2004-08-04 03:00 26112 -c--a-w- c:\windows\system32\dllcache\memstpci.sys
2010-08-13 03:54 . 2001-08-18 02:36 47616 -c--a-w- c:\windows\system32\dllcache\memgrp.dll
2010-08-13 03:54 . 2001-08-17 17:58 8320 -c--a-w- c:\windows\system32\dllcache\memcard.sys
2010-08-13 03:54 . 2001-08-17 16:12 164586 -c--a-w- c:\windows\system32\dllcache\mdgndis5.sys
2010-08-13 03:54 . 2001-08-17 17:52 7424 -c--a-w- c:\windows\system32\dllcache\mammoth.sys
2010-08-13 03:50 . 2001-08-17 17:51 15744 -c--a-w- c:\windows\system32\dllcache\lit220p.sys
2010-08-13 03:49 . 2001-08-17 16:12 45632 -c--a-w- c:\windows\system32\dllcache\ip5515.sys
2010-08-13 03:48 . 2001-08-17 16:11 28700 -c--a-w- c:\windows\system32\dllcache\ibmexmp.sys
2010-08-13 03:47 . 2001-08-17 17:28 199711 -c--a-w- c:\windows\system32\dllcache\hsf_faxx.sys
2010-08-13 03:46 . 2004-08-04 03:08 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
2010-08-13 03:45 . 2001-08-17 16:12 24618 -c--a-w- c:\windows\system32\dllcache\fa410nd5.sys
2010-08-13 03:43 . 2001-08-17 16:11 69194 -c--a-w- c:\windows\system32\dllcache\el656cd5.sys
2010-08-13 03:42 . 2001-08-17 16:11 20928 -c--a-w- c:\windows\system32\dllcache\defpa.sys
2010-08-13 03:41 . 2004-08-04 03:00 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-08-13 03:40 . 2004-08-04 04:56 17279 -c--a-w- c:\windows\system32\dllcache\atv10nt5.dll
2010-08-13 03:38 . 2001-08-17 17:47 6272 -c--a-w- c:\windows\system32\dllcache\apmbatt.sys
2010-08-13 03:36 . 2001-08-17 18:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2010-08-13 03:35 . 2001-08-17 18:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-08-13 00:13 . 2010-08-13 00:13 -------- d-----w- C:\VundoFix Backups
2010-08-12 19:06 . 2010-08-12 19:06 -------- d-----w- c:\documents and settings\Becca\Local Settings\Application Data\Threat Expert
2010-08-10 23:35 . 2010-08-10 23:35 -------- d-----w- c:\documents and settings\Becca\Application Data\MSNInstaller
2010-08-10 23:15 . 2010-08-10 23:15 54016 ----a-w- c:\windows\system32\drivers\mglet.sys
2010-08-10 23:02 . 2010-08-12 19:06 -------- d-----w- c:\program files\iPod
2010-08-10 22:57 . 2010-04-16 12:33 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-08-10 22:56 . 2010-08-12 19:05 -------- d-----w- c:\program files\Bonjour
2010-08-10 22:48 . 2008-10-01 17:01 32000 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-08-10 21:12 . 2010-08-12 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-08-09 22:38 . 2010-08-09 23:09 -------- d-----w- C:\MTV_OUTPUT
2010-08-09 09:18 . 2010-08-09 21:15 782848 ----a-w- c:\windows\system32\drivers\upgrs.sys
2010-08-08 21:35 . 2010-08-12 19:05 -------- d-----w- c:\program files\iConcepts Music Express
2010-08-05 00:39 . 2010-08-06 15:35 -------- d-----w- c:\documents and settings\Joshua and Brooklyn\Application Data\HPAppData
2010-07-25 23:31 . 2010-08-12 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-07-24 22:59 . 2010-07-24 22:59 -------- d-----w- C:\SIERRA
2010-07-24 22:59 . 2010-07-24 22:59 -------- d-----w- c:\program files\Sierra On-Line
2010-07-22 22:08 . 2010-07-22 22:08 -------- d-----w- c:\documents and settings\Joshua and Brooklyn\Application Data\HpUpdate

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-14 21:28 . 2008-09-07 14:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-14 21:27 . 2009-09-20 19:44 -------- d-----w- c:\program files\Screenshot Studio
2010-08-14 21:26 . 2010-06-23 12:14 -------- d-----w- c:\documents and settings\Becca\Application Data\HPAppData
2010-08-14 21:20 . 2009-01-01 21:29 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-08-14 14:48 . 2006-02-28 12:00 138368 ----a-w- c:\windows\system32\drivers\afd.sys
2010-08-13 04:20 . 2010-08-13 04:20 388096 ----a-r- c:\documents and settings\Becca\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-12 19:06 . 2010-08-11 01:40 -------- d-----w- c:\program files\Spyware Doctor
2010-08-12 19:06 . 2010-08-11 01:40 -------- d-----w- c:\program files\Common Files\PC Tools
2010-08-12 19:06 . 2010-08-12 19:06 -------- d-----w- c:\documents and settings\Becca\Application Data\PC Tools
2010-08-12 19:06 . 2010-06-27 21:33 -------- d-----w- c:\program files\wxkpg
2010-08-12 19:06 . 2010-02-15 23:13 -------- d-----w- c:\program files\PCStitch 7
2010-08-12 19:06 . 2009-01-11 22:48 -------- d-----w- c:\documents and settings\Becca\Application Data\Research In Motion
2010-08-12 19:06 . 2009-01-11 22:24 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-08-12 19:06 . 2010-05-16 17:48 -------- d-----w- c:\program files\iTunes
2010-08-12 19:05 . 2008-10-11 13:31 -------- d-----w- c:\program files\Common Files\Apple
2010-08-12 19:05 . 2008-03-19 03:18 -------- d-----w- c:\program files\World of Warcraft
2010-08-12 19:02 . 2009-01-11 22:24 -------- d-----w- c:\program files\Research In Motion
2010-08-12 19:02 . 2008-04-27 22:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-12 19:01 . 2010-06-23 07:18 338480 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-08-11 01:21 . 2008-04-27 23:17 43808 ----a-w- c:\documents and settings\Becca\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-10 22:52 . 2010-08-10 22:52 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-08-10 02:40 . 2009-07-14 04:05 54 ---h--w- c:\windows\popcreg.dat
2010-08-10 02:40 . 2009-07-14 04:05 16 ----a-w- c:\windows\popcinfot.dat
2010-07-13 19:48 . 2009-03-13 16:05 -------- d-----w- c:\program files\TuxPaint
2010-06-19 20:44 . 2010-06-16 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Photo Creations
2010-06-18 13:31 . 2009-08-26 00:56 44624 ----a-w- c:\documents and settings\Joshua and Brooklyn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-17 20:28 . 2010-06-16 20:22 -------- d-----w- c:\documents and settings\Becca\Application Data\HpUpdate
2010-06-16 20:35 . 2010-06-16 20:24 -------- d-----w- c:\documents and settings\Becca\Application Data\HP
2010-06-16 20:31 . 2010-06-16 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Visan
2010-06-16 20:29 . 2010-06-16 20:29 1095152 ----a-w- c:\documents and settings\All Users\Application Data\HP Photo Creations\RocketEngine.dll
2010-06-16 20:29 . 2010-06-16 20:29 321008 ----a-w- c:\documents and settings\All Users\Application Data\HP Photo Creations\PhotoProductCore.exe
2010-06-16 20:29 . 2010-06-16 20:29 210416 ----a-w- c:\documents and settings\All Users\Application Data\HP Photo Creations\ContentMan.dll
2010-06-16 20:29 . 2010-06-16 20:29 145760 ----a-w- c:\documents and settings\All Users\Application Data\HP Photo Creations\PhotoProductReg.exe
2010-06-16 20:29 . 2010-06-16 20:29 140784 ----a-w- c:\documents and settings\All Users\Application Data\HP Photo Creations\RLPNUpload.dll
2010-06-16 20:26 . 2010-06-16 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2010-06-16 20:24 . 2010-06-16 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-06-16 20:24 . 2010-06-16 20:18 169984 ----a-w- c:\windows\hpoins44.dat
2010-06-16 20:22 . 2010-06-16 20:22 -------- d-----w- c:\program files\HP Photo Creations
2010-06-16 20:22 . 2010-06-16 20:19 -------- d-----w- c:\program files\HP
2010-06-16 20:21 . 2010-06-16 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-06-16 20:20 . 2010-06-16 20:20 -------- d-----w- c:\program files\Common Files\HP
2010-06-16 20:20 . 2010-06-16 20:20 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-06-16 20:17 . 2010-06-16 20:11 123630128 ----a-w- c:\program files\DJ_AIO_06_F2400_NonNet_Full_Win_enu_140_175.exe
2010-06-14 14:30 . 2008-03-18 23:36 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-21 18:14 . 2009-11-13 22:56 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-01-23 19:29 . 2010-01-23 19:28 9203547 ----a-w- c:\program files\dcloner.exe
2009-02-01 12:55 . 2009-02-01 12:55 1969086 ----a-w- c:\program files\dl36colorsetup.exe
2008-11-27 16:17 . 2008-11-27 16:17 1123696 ----a-w- c:\program files\ActiveSetupN.exe
2008-09-12 01:38 . 2005-07-22 23:59 2319568 ----a-w- c:\program files\d3dx9_27.dll
2008-09-12 01:38 . 2004-06-12 21:28 3108 ----a-w- c:\program files\readme.txt
2008-09-01 13:27 . 2008-09-01 13:27 1020112 ----a-w- c:\program files\Google Updater.exe
2008-08-11 04:08 . 2008-08-11 04:08 978396 ----a-w- c:\program files\BDAXP.cab
2008-08-07 23:26 . 2008-08-07 23:26 5697032 ----a-w- c:\program files\wmvfirefoxpluginsetup_3.1f.exe
2008-08-02 21:36 . 2008-08-02 21:37 606168 ----a-w- c:\program files\AmazonMP3Installer.exe
2008-06-18 20:06 . 2008-06-18 20:06 382352 ----a-w- c:\program files\jxpiinstall.exe
2008-06-16 04:31 . 2008-06-16 04:31 1495112 ----a-w- c:\program files\install_flash_player.exe
2008-06-05 00:08 . 2008-06-05 00:08 532616 ----a-w- c:\program files\ImageResizerPowertoySetup.exe
2008-04-27 23:16 . 2008-04-27 23:15 23700784 ----a-w- c:\program files\QuickTimeInstaller.exe
2008-04-27 23:10 . 2008-04-27 23:10 6039048 ----a-w- c:\program files\Firefox Setup 2.0.0.14.exe
2008-04-17 02:11 . 2008-04-17 02:11 449784 ----a-w- c:\program files\msgr8us.exe
2008-04-03 17:13 . 2008-04-03 17:11 45942912 ----a-w- c:\program files\169.21_forceware_winxp_32bit_english_whql.exe
2008-03-21 01:20 . 2008-03-21 01:20 2732032 ----a-w- c:\program files\ventrilo-3.0.1-Windows-i386.exe
2009-11-29 07:02 . 2008-09-07 14:16 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

------- Sigcheck -------

[7] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
[7] 2006-02-28 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2006-02-28 12:00 . C79F5FBD9DD981A77DC149B7DA686398 . 24576 . . [------] . . c:\windows\system32\userinit.exe
[7] 2006-02-28 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-02-22 95536]
"Screenshot Studio"="c:\program files\Screenshot Studio\sstudio.exe" [2009-03-10 65536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-01 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-25 13680640]
"nwiz"="nwiz.exe" [2008-12-25 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-25 86016]
"DACSMiniApp"="c:\program files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe" [2008-03-13 128256]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2008-02-22 54576]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-23 1126400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-29 30192]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"Turbine Download Manager Tray Icon"="c:\program files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe" [2010-02-04 472568]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-14 18702336]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

c:\documents and settings\Becca\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
CurseClientStartup.ccip [2010-3-27 0]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Becca^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Becca\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 19:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-09-01 13:27 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Becca\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Chessmaster 10th Edition\\game.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\WoW-0.1.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\Launcher.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Documents and Settings\\Becca\\Local Settings\\Apps\\2.0\\8VV17N65.Q72\\893KAJQH.T5Q\\curs..tion_eee711038731a406_0004.0000_172b37d8269e5e48\\CurseClient.exe"=
"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineNetworkService.exe"=
"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineMessageService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/10/2010 9:40 PM 218592]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [8/10/2010 9:45 PM 112592]
R2 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [9/10/2009 4:42 PM 271856]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [12/15/2009 10:18 AM 22016]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 7:31 AM 92008]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2009 12:56 PM 135664]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\Becca\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\Becca\LOCALS~1\Temp\ALSysIO.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/15/2009 10:20 AM 1684736]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/7/2008 10:16 AM 30192]
S3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [9/10/2009 4:42 PM 218608]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [12/15/2009 10:18 AM 29440]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [12/15/2009 10:18 AM 17536]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/10/2010 9:40 PM 366840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-08-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-08-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 16:56]

2010-08-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 16:56]

2010-08-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hometab.bellsouth.net/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Becca\Application Data\Mozilla\Firefox\Profiles\747s45nz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.cnn.com
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101049100&s=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\Becca\Application Data\Mozilla\Firefox\Profiles\747s45nz.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\Becca\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101049100&s=
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-14 17:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(476)
c:\windows\system32\CLBCATQ.DLL

- - - - - - - > 'lsass.exe'(532)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(3204)
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2010-08-14 17:34:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-14 21:34
ComboFix2.txt 2010-08-14 15:28

Pre-Run: 126,973,251,584 bytes free
Post-Run: 126,952,443,904 bytes free

- - End Of File - - 52B6C41754E0FED5016C363297B91660


#6 kahdah

  • Security Colleague
  • 11,138 posts
  • Location: Florida

Posted 14 August 2010 - 05:25 PM

Are you able to get online now?
If so please Go to Start > My Computer > C:\
Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.
=========

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#7 beccamillott

  • Topic Starter
  • Members
  • 51 posts

Posted 14 August 2010 - 05:30 PM

No, I am not able to get online. I just submitted the file using the link provided.



#8 kahdah

  • Security Colleague
  • 11,138 posts
  • Location: Florida

Posted 14 August 2010 - 06:44 PM

Ok, thank you.
Please do the following:

Go to Start > Run > type in CMD to open a command prompt.
Type the following command in the command prompt and press Enter.
netsh int ip reset reset.log

Then also type the following command and hit Enter.
netsh winsock reset catalog

Once that completes, restart the system and then see if you are able to get online.

#9 beccamillott

  • Topic Starter
  • Members
  • 51 posts

Posted 14 August 2010 - 06:52 PM

Yes, after reboot I was able to get online!

Is there anything else I need to do at this point?

#10 kahdah

  • Security Colleague
  • 11,138 posts
  • Location: Florida

Posted 15 August 2010 - 06:58 AM

Great, yes there is more to do; you had a badly infected machine.
If you are not paying for Spyware Doctor I would remove it.
It is a major resource hog and can slow down the system considerably.

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
==========
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#11 beccamillott

  • Topic Starter
  • Members
  • 51 posts

Posted 15 August 2010 - 12:33 PM

Here are the logs (Malwarebytes first, Kaspersky second)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4415

Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 6.0.2900.2180

8/13/2010 1:53:36 PM
mbam-log-2010-08-13 (13-53-36).txt

Scan type: Quick scan
Objects scanned: 159764
Time elapsed: 8 minute(s), 25 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\Documents and Settings\Becca\Local Settings\Temp\ov8gec9.exe (Trojan.Agent) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\q3mr2 (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Rogue.Antivirus2010) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Rogue.Antivirus2010) -> Data: system32\userinit.exe -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Becca\Local Settings\Temp\ov8gec9.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Becca\Local Settings\Temporary Internet Files\Content.IE5\MAYH11CM\0625[1].gif (Extension.Mismatch) -> No action taken.
C:\Documents and Settings\Becca\Local Settings\Temp\explorer.exe (Trojan.Agent) -> No action taken.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, August 15, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, August 15, 2010 09:22:02
Records in database: 4131200
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Objects scanned: 150696
Threats found: 12
Infected objects found: 27
Suspicious objects found: 0
Scan duration: 03:03:59


File name / Threat / Threats count
ov8gec9.exe\ov8gec9.exe/ov8gec9.exe\ov8gec9.exe Infected: Backdoor.Win32.VB.lvn 1
C:\DOCUME~1\Becca\LOCALS~1\Temp\ov8gec9.exe//UPX/C:\DOCUME~1\Becca\LOCALS~1\Temp\ov8gec9.exe//UPX Infected: Backdoor.Win32.VB.lvn 1
C:\Documents and Settings\Becca\Application Data\Sun\Java\Deployment\cache\6.0\12\4f76de0c-4d10d158 Infected: Trojan-Downloader.Java.Agent.ft 1
C:\Documents and Settings\Becca\Application Data\Sun\Java\Deployment\cache\6.0\12\4f76de0c-4d10d158 Infected: Trojan-Downloader.Java.Agent.fu 1
C:\Documents and Settings\Becca\Application Data\Sun\Java\Deployment\cache\6.0\12\4f76de0c-4d10d158 Infected: Trojan-Downloader.Java.Agent.fv 1
C:\Documents and Settings\Becca\Application Data\Sun\Java\Deployment\cache\6.0\47\6cce12f-5f44c9a0 Infected: Trojan-Downloader.Java.Agent.ft 1
C:\Documents and Settings\Becca\Application Data\Sun\Java\Deployment\cache\6.0\47\6cce12f-5f44c9a0 Infected: Trojan-Downloader.Java.Agent.fu 1
C:\Documents and Settings\Becca\Application Data\Sun\Java\Deployment\cache\6.0\47\6cce12f-5f44c9a0 Infected: Trojan-Downloader.Java.Agent.fv 1
C:\Documents and Settings\Becca\Local Settings\temp\ov8gec9.exe Infected: Backdoor.Win32.VB.lvn 1
C:\Documents and Settings\Becca\Local Settings\Temporary Internet Files\Content.IE5\5ZRZT9GE\0625[1].gif Infected: Backdoor.Win32.VB.lvn 1
C:\Documents and Settings\Becca\Local Settings\Temporary Internet Files\Content.IE5\7BTX1XHI\u[1].asx Infected: Exploit.JS.Agent.bbu 1
C:\Program Files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\plug.xul Infected: Trojan-Spy.JS.Agent.a 1
C:\Program Files\World of Warcraft\msvcr70.dll Infected: Trojan-GameThief.Win32.OnLineGames.wyzg 1
C:\Program Files\World of Warcraft\Wow.exe Infected: Trojan.Win32.Patched.al 1
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\searchplugins\google_search.xml.vir Infected: Trojan.Win32.Clicker.hd 1
C:\Qoobox\Quarantine\C\WINDOWS\erebajoganisap.dll.vir Infected: Trojan-Downloader.Win32.Mufanom.aafz 1
C:\System Volume Information\_restore{8F823ACA-3409-4452-BD6A-3A87061A83F6}\RP959\A0158781.exe Infected: Trojan.Win32.Swisyn.agnq 1
C:\System Volume Information\_restore{8F823ACA-3409-4452-BD6A-3A87061A83F6}\RP959\A0158791.exe Infected: Trojan.Win32.Swisyn.agnq 1
C:\System Volume Information\_restore{8F823ACA-3409-4452-BD6A-3A87061A83F6}\RP960\A0158818.exe Infected: Trojan.Win32.Swisyn.agnq 1
C:\System Volume Information\_restore{8F823ACA-3409-4452-BD6A-3A87061A83F6}\RP962\A0158930.exe Infected: Trojan.Win32.Swisyn.agnq 1
C:\System Volume Information\_restore{8F823ACA-3409-4452-BD6A-3A87061A83F6}\RP966\A0159471.exe Infected: Trojan.Win32.Swisyn.agnq 1
C:\System Volume Information\_restore{8F823ACA-3409-4452-BD6A-3A87061A83F6}\RP967\A0163150.exe Infected: Trojan.Win32.Swisyn.agnq 1
C:\System Volume Information\_restore{8F823ACA-3409-4452-BD6A-3A87061A83F6}\RP969\A0163686.exe Infected: Trojan.Win32.Swisyn.agnq 1
C:\System Volume Information\_restore{8F823ACA-3409-4452-BD6A-3A87061A83F6}\RP970\A0163729.exe Infected: Trojan.Win32.Swisyn.agnq 1
C:\System Volume Information\_restore{8F823ACA-3409-4452-BD6A-3A87061A83F6}\RP970\A0163746.exe Infected: Trojan.Win32.Swisyn.agnq 1
C:\System Volume Information\_restore{8F823ACA-3409-4452-BD6A-3A87061A83F6}\RP970\A0163760.exe Infected: Trojan.Win32.Swisyn.agnq 1
C:\WINDOWS\system32\drivers\upgrs.sys Infected: Rootkit.Win32.Bubnix.mj 1

Selected area has been scanned.


#12 kahdah
  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 15 August 2010 - 12:43 PM

Please click here to download Kaspersky Virus Removal Tool.
  1. Double click on the file you just downloaded and let it install.
  2. It will install to your desktop.
  3. After that leave what is selected and put a check next to My Computer.
  4. Click on the option that says Threat Detection and change it to Disinfect, delete if disinfection fails.
  5. Then click on Start Scan.
  6. Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
  7. When the scan is done no log will be produced.
  8. Click on the bottom where it says Report to open the report.
  9. Then highlight all of the items found by using Ctrl + A on your keyboard to select all, or use your mouse to select all, then right click and choose Copy.
  10. This will copy the items that it found to the clipboard. You can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
  11. You can save this on the desktop.
  12. Post the contents of the document in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.


#13 beccamillott
  • Topic Starter
  • Members
  • 51 posts

Posted 15 August 2010 - 02:05 PM

Here is the report:

Autoscan: stopped 18 minutes ago (events: 4, objects: 421, time: 00:18:23)
8/15/2010 1:54:43 PM Task started
8/15/2010 1:54:48 PM Detected: HEUR:Trojan.Win32.Generic C:\WINDOWS\system32\userinit.exe
8/15/2010 2:03:01 PM Detected: Backdoor.Win32.VB.lvn C:\Documents and Settings\Becca\Local Settings\temp\ov8gec9.exe/UPX
8/15/2010 2:13:06 PM Task stopped
Disinfect active threats: completed 10 minutes ago (events: 7, objects: 4079, time: 00:08:01)
8/15/2010 2:13:06 PM Task started
8/15/2010 2:13:06 PM Detected: Backdoor.Win32.VB.lvn C:\Documents and Settings\Becca\Local Settings\temp\ov8gec9.exe/UPX
8/15/2010 2:13:15 PM Will be deleted on system restart: Backdoor.Win32.VB.lvn C:\Documents and Settings\Becca\Local Settings\temp\ov8gec9.exe
8/15/2010 2:13:42 PM Detected: Backdoor.Win32.VB.lvn C:\Documents and Settings\Becca\Local Settings\temp\ov8gec9.exe/UPX
8/15/2010 2:13:48 PM Will be deleted on system restart: Backdoor.Win32.VB.lvn C:\Documents and Settings\Becca\Local Settings\temp\ov8gec9.exe
8/15/2010 2:13:57 PM Detected: HEUR:Trojan.Win32.Generic C:\WINDOWS\system32\userinit.exe
8/15/2010 2:21:07 PM Task completed


#14 kahdah
  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 15 August 2010 - 02:24 PM

1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
http://www.bleepingcomputer.com/forums/t/339692/infected-with-some-type-of-malware-virus/?p=1888755

KILLALL::

Fcopy::
c:\windows\$NtServicePackUninstall$\userinit.exe|c:\windows\system32\userinit.exe

Collect::
C:\WINDOWS\system32\drivers\upgrs.sys
C:\Documents and Settings\Becca\Local Settings\temp\ov8gec9.exe

File::
C:\Documents and Settings\Becca\Local Settings\Temp\ov8gec9.exe
C:\Documents and Settings\Becca\Local Settings\Temporary Internet Files\Content.IE5\MAYH11CM\0625[1].gif
C:\Documents and Settings\Becca\Local Settings\Temp\explorer.exe
C:\Documents and Settings\Becca\Application Data\Sun\Java\Deployment\cache\6.0\12\4f76de0c-4d10d158
C:\Documents and Settings\Becca\Application Data\Sun\Java\Deployment\cache\6.0\47\6cce12f-5f44c9a0
C:\Documents and Settings\Becca\Local Settings\Temporary Internet Files\Content.IE5\5ZRZT9GE\0625[1].gif
C:\Documents and Settings\Becca\Local Settings\Temporary Internet Files\Content.IE5\7BTX1XHI\u[1].asx
C:\Program Files\World of Warcraft\msvcr70.dll
C:\Program Files\World of Warcraft\Wow.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"q3mr2"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. During this run Combofix will collect and automatically upload some sample files.
You will see it say Combofix needs to upload some samples.
If it fails to do that do the requested steps at the bottom of this post to manually upload the samples.

6. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt
===========
Note:
If Combofix fails to upload anything please do the following:
Go to Start > My Computer > C:\
Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.

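The Fcopy:: line in the script above replaces c:\windows\system32\userinit.exe with the copy kept in $NtServicePackUninstall$, because the system32 copy is the one Kaspersky flagged (HEUR:Trojan.Win32.Generic); ComboFix shows the hashes behind such a decision in the Sigcheck section of the log it produces. As an added example (not the thread's or ComboFix's code), this Python parser reads Sigcheck lines, flags each copy that is unverified and whose MD5 matches no catalog-verified copy of the same file, and lists the verified copies it could be restored from; the regex, class and function names are this example's own, and the sample input is the Sigcheck block from the ComboFix log posted in the next reply.

```python
"""Parse the 'Sigcheck' section of a ComboFix log and flag system files whose
MD5 matches no catalog-verified copy of the same file.

ComboFix prints one line per copy of a file it found, in the form seen in this
thread:

    [7] 2008-04-14 . <MD5> . <size> . . [<version>] . . <path>
    [-] 2008-04-14 00:12 . <MD5> . <size> . . [------] . . <path>

'[7]' marks a copy whose hash ComboFix verified against a Windows catalog; '[-]'
marks one it could not verify. The names below (SIGCHECK_LINE, SigcheckEntry,
parse_sigcheck, find_suspect_copies) are this example's own, not ComboFix's.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

SIGCHECK_LINE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)
VERIFIED_FLAG = "7"  # ComboFix's marker for a catalog-verified copy


@dataclass(frozen=True)
class SigcheckEntry:
    flag: str
    date: str
    md5: str
    size: int
    version: str
    path: str

    @property
    def verified(self) -> bool:
        return self.flag == VERIFIED_FLAG

    @property
    def name(self) -> str:
        # Copies are grouped by file name; NTFS names are case-insensitive.
        return PureWindowsPath(self.path).name.lower()


def parse_sigcheck(text: str) -> list[SigcheckEntry]:
    """Return one SigcheckEntry per Sigcheck line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if m:
            entries.append(SigcheckEntry(
                flag=m["flag"], date=m["date"], md5=m["md5"].upper(),
                size=int(m["size"]), version=m["version"], path=m["path"]))
    return entries


def find_suspect_copies(entries: list[SigcheckEntry]) -> dict[str, list[str]]:
    """Map each suspect path to the verified copies of the same file.

    A copy is suspect when ComboFix could not verify it and its MD5 differs
    from every verified copy of that file name. An unverified copy whose hash
    equals a verified one is just an unsigned duplicate and is not reported.
    An empty list means no verified copy exists to restore from.
    """
    by_name: dict[str, list[SigcheckEntry]] = defaultdict(list)
    for e in entries:
        by_name[e.name].append(e)
    suspects: dict[str, list[str]] = {}
    for copies in by_name.values():
        good = [e for e in copies if e.verified]
        good_hashes = {e.md5 for e in good}
        for e in copies:
            if not e.verified and e.md5 not in good_hashes:
                suspects[e.path] = [g.path for g in good]
    return suspects


# Sample input: the Sigcheck block from the ComboFix log posted in this thread.
SAMPLE_SIGCHECK = r"""
------- Sigcheck -------

[7] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe
[7] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
[-] 2008-04-14 00:12 . DD20243A12C4E28D2D3EB0797BC2EE8C . 26112 . . [------] . . c:\windows\system32\userinit.exe
[7] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\userinit.exe
[-] 2006-02-28 12:00 . C79F5FBD9DD981A77DC149B7DA686398 . 24576 . . [------] . . c:\windows\$NtServicePackUninstall$\userinit.exe
"""

if __name__ == "__main__":
    for path, sources in find_suspect_copies(parse_sigcheck(SAMPLE_SIGCHECK)).items():
        print(f"suspect: {path}")
        for src in sources:
            print(f"  verified copy: {src}")
```

On this input both the system32 copy and the $NtServicePackUninstall$ backup are reported, since ComboFix could verify neither against the catalog; the three [7] copies (ServicePackFiles, SoftwareDistribution, dllcache) are listed as verified sources for each.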

#15 beccamillott
  • Topic Starter
  • Members
  • 51 posts

Posted 15 August 2010 - 03:01 PM

I have submitted the upload requested. Here is the log from Combofix:

ComboFix 10-08-14.06 - Becca 08/15/2010 15:36:34.3.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2756 [GMT -4:00]
Running from: c:\documents and settings\Becca\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Becca\Desktop\CFScript.txt

FILE ::
"c:\documents and settings\Becca\Application Data\Sun\Java\Deployment\cache\6.0\12\4f76de0c-4d10d158"
"c:\documents and settings\Becca\Application Data\Sun\Java\Deployment\cache\6.0\47\6cce12f-5f44c9a0"
"c:\documents and settings\Becca\Local Settings\Temp\explorer.exe"
"c:\documents and settings\Becca\Local Settings\Temp\ov8gec9.exe"
"c:\documents and settings\Becca\Local Settings\Temporary Internet Files\Content.IE5\5ZRZT9GE\0625[1].gif"
"c:\documents and settings\Becca\Local Settings\Temporary Internet Files\Content.IE5\7BTX1XHI\u[1].asx"
"c:\documents and settings\Becca\Local Settings\Temporary Internet Files\Content.IE5\MAYH11CM\0625[1].gif"
"c:\program files\World of Warcraft\msvcr70.dll"
"c:\program files\World of Warcraft\Wow.exe"

file zipped: c:\documents and settings\Becca\Local Settings\temp\ov8gec9.exe
file zipped: c:\windows\system32\drivers\upgrs.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Becca\Application Data\Sun\Java\Deployment\cache\6.0\12\4f76de0c-4d10d158
c:\documents and settings\Becca\Application Data\Sun\Java\Deployment\cache\6.0\47\6cce12f-5f44c9a0
c:\documents and settings\Becca\Local Settings\temp\ov8gec9.exe
c:\documents and settings\Becca\Local Settings\Temporary Internet Files\Content.IE5\5ZRZT9GE\0625[1].gif
c:\documents and settings\Becca\Local Settings\Temporary Internet Files\Content.IE5\7BTX1XHI\u[1].asx
c:\program files\World of Warcraft\msvcr70.dll
c:\program files\World of Warcraft\Wow.exe
c:\windows\system32\drivers\upgrs.sys

.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\userinit.exe --> c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((( Files Created from 2010-07-15 to 2010-08-15 )))))))))))))))))))))))))))))))
.

2010-08-15 03:41 . 2010-08-15 03:41 -------- d-----w- c:\program files\iPod
2010-08-15 03:41 . 2010-08-15 03:41 -------- d-----w- c:\program files\iTunes
2010-08-15 02:54 . 2010-08-15 02:54 -------- d-----w- c:\windows\system32\en
2010-08-15 02:54 . 2010-08-15 02:54 -------- d-----w- c:\windows\system32\bits
2010-08-15 02:48 . 2010-08-15 02:48 -------- d-----w- c:\windows\EHome
2010-08-14 17:26 . 2010-08-14 17:26 -------- d--h--w- c:\windows\PIF
2010-08-13 17:25 . 2010-08-13 17:25 -------- d-----w- c:\program files\CCleaner
2010-08-13 04:11 . 2001-08-18 02:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-08-13 04:11 . 2001-08-18 02:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-08-13 04:11 . 2001-08-18 02:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-08-13 04:11 . 2001-08-18 02:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-08-13 04:11 . 2001-08-17 16:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-08-13 04:11 . 2004-08-04 02:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-08-13 04:11 . 2004-08-04 02:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-08-13 04:09 . 2004-08-04 02:29 12415 -c--a-w- c:\windows\system32\dllcache\wadv01nt.sys
2010-08-13 04:08 . 2001-08-17 17:28 793598 -c--a-w- c:\windows\system32\dllcache\usr1806.sys
2010-08-13 04:07 . 2001-08-18 02:36 525568 -c--a-w- c:\windows\system32\dllcache\tridxp.dll
2010-08-13 04:06 . 2001-08-17 17:49 30464 -c--a-w- c:\windows\system32\dllcache\tbatm155.sys
2010-08-13 04:05 . 2001-08-17 17:51 16896 -c--a-w- c:\windows\system32\dllcache\stcusb.sys
2010-08-13 04:05 . 2001-08-17 16:11 48736 -c--a-w- c:\windows\system32\dllcache\srwlnd5.sys
2010-08-13 04:05 . 2001-08-18 02:36 99328 -c--a-w- c:\windows\system32\dllcache\srusd.dll
2010-08-13 04:05 . 2001-08-18 02:36 24660 -c--a-w- c:\windows\system32\dllcache\spxupchk.dll
2010-08-13 04:05 . 2001-08-17 17:51 61824 -c--a-w- c:\windows\system32\dllcache\speed.sys
2010-08-13 04:05 . 2001-08-18 02:36 106584 -c--a-w- c:\windows\system32\dllcache\spdports.dll
2010-08-13 04:05 . 2001-08-17 18:07 19072 -c--a-w- c:\windows\system32\dllcache\sparrow.sys
2010-08-13 04:05 . 2001-08-17 17:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2010-08-13 04:05 . 2001-08-17 16:51 37040 -c--a-w- c:\windows\system32\dllcache\sonypi.sys
2010-08-13 04:05 . 2001-08-18 02:36 114688 -c--a-w- c:\windows\system32\dllcache\sonypi.dll
2010-08-13 04:05 . 2001-08-17 16:51 20752 -c--a-w- c:\windows\system32\dllcache\sonync.sys
2010-08-13 04:05 . 2001-08-17 17:53 9600 -c--a-w- c:\windows\system32\dllcache\sonymc.sys
2010-08-13 04:05 . 2001-08-17 17:53 7040 -c--a-w- c:\windows\system32\dllcache\snyaitmc.sys
2010-08-13 04:03 . 2001-08-18 02:36 238592 -c--a-w- c:\windows\system32\dllcache\sisgrv.dll
2010-08-13 04:03 . 2001-08-17 16:50 104064 -c--a-w- c:\windows\system32\dllcache\sisgrp.sys
2010-08-13 04:03 . 2001-08-17 18:56 150144 -c--a-w- c:\windows\system32\dllcache\sis6306v.dll
2010-08-13 04:03 . 2001-08-17 16:50 68608 -c--a-w- c:\windows\system32\dllcache\sis6306p.sys
2010-08-13 04:03 . 2001-08-17 18:56 252032 -c--a-w- c:\windows\system32\dllcache\sis300iv.dll
2010-08-13 04:03 . 2001-08-17 16:50 101760 -c--a-w- c:\windows\system32\dllcache\sis300ip.sys
2010-08-13 04:03 . 2001-07-21 18:29 161568 -c--a-w- c:\windows\system32\dllcache\sgsmusb.sys
2010-08-13 04:03 . 2001-07-21 18:29 18400 -c--a-w- c:\windows\system32\dllcache\sgsmld.sys
2010-08-13 04:03 . 2001-08-17 16:51 98080 -c--a-w- c:\windows\system32\dllcache\sgiulnt5.sys
2010-08-13 04:03 . 2001-08-18 02:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2010-08-13 04:03 . 2001-08-17 16:19 36480 -c--a-w- c:\windows\system32\dllcache\sfmanm.sys
2010-08-13 04:03 . 2001-08-17 17:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2010-08-13 04:03 . 2001-08-17 17:48 17664 -c--a-w- c:\windows\system32\dllcache\sermouse.sys
2010-08-13 04:02 . 2001-08-17 17:53 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2010-08-13 04:02 . 2001-08-17 17:52 11648 -c--a-w- c:\windows\system32\dllcache\scsiprnt.sys
2010-08-13 04:02 . 2001-08-17 17:51 17280 -c--a-w- c:\windows\system32\dllcache\scr111.sys
2010-08-13 04:02 . 2001-08-17 17:51 16640 -c--a-w- c:\windows\system32\dllcache\scmstcs.sys
2010-08-13 04:02 . 2001-08-17 17:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmusbm.sys
2010-08-13 04:02 . 2001-08-17 17:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmn50m.sys
2010-08-13 04:02 . 2001-08-18 02:36 495616 -c--a-w- c:\windows\system32\dllcache\sblfx.dll
2010-08-13 04:02 . 2001-08-17 16:50 75392 -c--a-w- c:\windows\system32\dllcache\s3savmxm.sys
2010-08-13 04:02 . 2001-08-17 18:56 245632 -c--a-w- c:\windows\system32\dllcache\s3savmx.dll
2010-08-13 04:02 . 2001-08-17 16:50 77824 -c--a-w- c:\windows\system32\dllcache\s3sav4m.sys
2010-08-13 04:02 . 2001-08-17 18:56 198400 -c--a-w- c:\windows\system32\dllcache\s3sav4.dll
2010-08-13 04:02 . 2001-08-17 16:50 61504 -c--a-w- c:\windows\system32\dllcache\s3sav3dm.sys
2010-08-13 04:00 . 2004-08-04 02:41 13776 -c--a-w- c:\windows\system32\dllcache\recagent.sys
2010-08-13 03:59 . 2001-08-18 02:36 35328 -c--a-w- c:\windows\system32\dllcache\psisload.dll
2010-08-13 03:58 . 2001-08-17 16:11 30282 -c--a-w- c:\windows\system32\dllcache\pcntn5hl.sys
2010-08-13 03:57 . 2001-08-17 16:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2010-08-13 03:57 . 2001-08-18 02:36 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll
2010-08-13 03:57 . 2004-08-04 02:41 180360 -c--a-w- c:\windows\system32\dllcache\ntmtlfax.sys
2010-08-13 03:57 . 2001-08-17 16:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2010-08-13 03:55 . 2001-08-17 16:11 52255 -c--a-w- c:\windows\system32\dllcache\n1000nt5.sys
2010-08-13 03:54 . 2001-08-17 17:52 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2010-08-13 03:54 . 2001-08-17 17:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2010-08-13 03:54 . 2001-08-17 17:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2010-08-13 03:54 . 2001-08-17 16:50 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
2010-08-13 03:54 . 2001-08-17 18:56 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
2010-08-13 03:54 . 2001-08-18 02:36 47616 -c--a-w- c:\windows\system32\dllcache\memgrp.dll
2010-08-13 03:54 . 2001-08-17 17:58 8320 -c--a-w- c:\windows\system32\dllcache\memcard.sys
2010-08-13 03:54 . 2001-08-17 16:12 164586 -c--a-w- c:\windows\system32\dllcache\mdgndis5.sys
2010-08-13 03:54 . 2001-08-17 17:52 7424 -c--a-w- c:\windows\system32\dllcache\mammoth.sys
2010-08-13 03:50 . 2001-08-17 17:51 15744 -c--a-w- c:\windows\system32\dllcache\lit220p.sys
2010-08-13 03:50 . 2001-08-17 16:12 26442 -c--a-w- c:\windows\system32\dllcache\lanepic5.sys
2010-08-13 03:50 . 2001-08-17 16:12 19016 -c--a-w- c:\windows\system32\dllcache\ktc111.sys
2010-08-13 03:50 . 2001-08-18 02:36 37376 -c--a-w- c:\windows\system32\dllcache\kousd.dll
2010-08-13 03:50 . 2001-08-18 02:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-08-13 03:50 . 2001-08-18 02:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-08-13 03:50 . 2001-08-17 18:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2010-08-13 03:50 . 2001-08-17 18:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2010-08-13 03:50 . 2001-08-17 18:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2010-08-13 03:50 . 2001-08-17 17:49 26624 -c--a-w- c:\windows\system32\dllcache\irstusb.sys
2010-08-13 03:50 . 2001-08-17 17:51 18688 -c--a-w- c:\windows\system32\dllcache\irsir.sys
2010-08-13 03:50 . 2001-08-17 17:49 23552 -c--a-w- c:\windows\system32\dllcache\irmk7.sys
2010-08-13 03:48 . 2001-08-17 16:11 28700 -c--a-w- c:\windows\system32\dllcache\ibmexmp.sys
2010-08-13 03:47 . 2001-08-17 17:28 199711 -c--a-w- c:\windows\system32\dllcache\hsf_faxx.sys
2010-08-13 03:46 . 2001-08-17 16:49 322432 -c--a-w- c:\windows\system32\dllcache\g400m.sys
2010-08-13 03:45 . 2001-08-17 16:12 24618 -c--a-w- c:\windows\system32\dllcache\fa410nd5.sys
2010-08-13 03:43 . 2001-08-17 16:11 69194 -c--a-w- c:\windows\system32\dllcache\el656cd5.sys
2010-08-13 03:42 . 2001-08-17 16:11 20928 -c--a-w- c:\windows\system32\dllcache\defpa.sys
2010-08-13 03:41 . 2001-08-17 16:13 49182 -c--a-w- c:\windows\system32\dllcache\cem56n5.sys
2010-08-13 03:40 . 2001-08-17 16:49 26624 -c--a-w- c:\windows\system32\dllcache\ativxbar.sys
2010-08-13 03:38 . 2001-08-17 17:47 6272 -c--a-w- c:\windows\system32\dllcache\apmbatt.sys
2010-08-13 03:37 . 2004-08-04 02:31 36224 -c--a-w- c:\windows\system32\dllcache\an983.sys
2010-08-13 03:37 . 2001-08-17 17:52 12032 -c--a-w- c:\windows\system32\dllcache\amsint.sys
2010-08-13 03:37 . 2001-08-17 16:11 16969 -c--a-w- c:\windows\system32\dllcache\amb8002.sys
2010-08-13 03:37 . 2001-08-17 17:51 5248 -c--a-w- c:\windows\system32\dllcache\aliide.sys
2010-08-13 03:37 . 2001-08-17 17:49 26624 -c--a-w- c:\windows\system32\dllcache\alifir.sys
2010-08-13 03:37 . 2001-08-17 18:07 56960 -c--a-w- c:\windows\system32\dllcache\aic78xx.sys
2010-08-13 03:37 . 2001-08-17 18:07 55168 -c--a-w- c:\windows\system32\dllcache\aic78u2.sys
2010-08-13 03:37 . 2001-08-17 17:52 12800 -c--a-w- c:\windows\system32\dllcache\aha154x.sys
2010-08-13 03:37 . 2001-08-17 16:11 27678 -c--a-w- c:\windows\system32\dllcache\ali5261.sys
2010-08-13 03:35 . 2001-08-17 18:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-08-13 00:13 . 2010-08-13 00:13 -------- d-----w- C:\VundoFix Backups
2010-08-12 19:06 . 2010-08-12 19:06 -------- d-----w- c:\documents and settings\Becca\Local Settings\Application Data\Threat Expert
2010-08-12 19:05 . 2010-08-12 19:05 -------- d-----w- c:\documents and settings\Becca\Local Settings\Application Data\fvvhkurwr
2010-08-10 23:35 . 2010-08-10 23:35 -------- d-----w- c:\documents and settings\Becca\Application Data\MSNInstaller
2010-08-10 23:15 . 2010-08-10 23:15 54016 ----a-w- c:\windows\system32\drivers\mglet.sys
2010-08-10 22:57 . 2010-04-16 12:33 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-08-10 22:56 . 2010-08-12 19:05 -------- d-----w- c:\program files\Bonjour
2010-08-10 22:48 . 2008-10-01 17:01 32000 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-08-10 21:12 . 2010-08-12 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-08-09 22:38 . 2010-08-09 23:09 -------- d-----w- C:\MTV_OUTPUT
2010-08-08 21:35 . 2010-08-12 19:05 -------- d-----w- c:\program files\iConcepts Music Express
2010-08-05 00:39 . 2010-08-06 15:35 -------- d-----w- c:\documents and settings\Joshua and Brooklyn\Application Data\HPAppData
2010-07-25 23:31 . 2010-08-12 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-07-24 22:59 . 2010-07-24 22:59 -------- d-----w- C:\SIERRA
2010-07-24 22:59 . 2010-07-24 22:59 -------- d-----w- c:\program files\Sierra On-Line
2010-07-22 22:08 . 2010-07-22 22:08 -------- d-----w- c:\documents and settings\Joshua and Brooklyn\Application Data\HpUpdate

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-15 19:46 . 2009-09-20 19:44 -------- d-----w- c:\program files\Screenshot Studio
2010-08-15 19:45 . 2009-01-01 21:29 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-08-15 19:43 . 2008-03-19 03:18 -------- d-----w- c:\program files\World of Warcraft
2010-08-15 18:41 . 2010-06-23 12:14 -------- d-----w- c:\documents and settings\Becca\Application Data\HPAppData
2010-08-15 03:06 . 2008-04-27 23:17 43808 ----a-w- c:\documents and settings\Becca\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-15 02:47 . 2010-08-15 02:47 0 ----atw- c:\windows\006047_.tmp
2010-08-15 01:50 . 2008-10-11 13:31 -------- d-----w- c:\program files\Common Files\Apple
2010-08-15 01:49 . 2008-10-11 13:31 -------- d-----w- c:\program files\QuickTime
2010-08-15 01:41 . 2009-06-16 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Fisher-Price
2010-08-15 01:33 . 2008-09-07 14:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-12 19:06 . 2010-06-27 21:33 -------- d-----w- c:\program files\wxkpg
2010-08-12 19:06 . 2010-02-15 23:13 -------- d-----w- c:\program files\PCStitch 7
2010-08-12 19:06 . 2009-01-11 22:48 -------- d-----w- c:\documents and settings\Becca\Application Data\Research In Motion
2010-08-12 19:06 . 2009-01-11 22:24 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-08-12 19:02 . 2009-01-11 22:24 -------- d-----w- c:\program files\Research In Motion
2010-08-12 19:02 . 2008-04-27 22:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-12 19:01 . 2010-06-23 07:18 338480 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-08-10 02:40 . 2009-07-14 04:05 54 ---h--w- c:\windows\popcreg.dat
2010-08-10 02:40 . 2009-07-14 04:05 16 ----a-w- c:\windows\popcinfot.dat
2010-07-21 20:30 . 2010-07-21 20:30 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-13 19:48 . 2009-03-13 16:05 -------- d-----w- c:\program files\TuxPaint
2010-06-19 20:44 . 2010-06-16 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Photo Creations
2010-06-18 13:31 . 2009-08-26 00:56 44624 ----a-w- c:\documents and settings\Joshua and Brooklyn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-17 20:28 . 2010-06-16 20:22 -------- d-----w- c:\documents and settings\Becca\Application Data\HpUpdate
2010-06-16 20:35 . 2010-06-16 20:24 -------- d-----w- c:\documents and settings\Becca\Application Data\HP
2010-06-16 20:31 . 2010-06-16 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Visan
2010-06-16 20:29 . 2010-06-16 20:29 1095152 ----a-w- c:\documents and settings\All Users\Application Data\HP Photo Creations\RocketEngine.dll
2010-06-16 20:29 . 2010-06-16 20:29 321008 ----a-w- c:\documents and settings\All Users\Application Data\HP Photo Creations\PhotoProductCore.exe
2010-06-16 20:29 . 2010-06-16 20:29 210416 ----a-w- c:\documents and settings\All Users\Application Data\HP Photo Creations\ContentMan.dll
2010-06-16 20:29 . 2010-06-16 20:29 145760 ----a-w- c:\documents and settings\All Users\Application Data\HP Photo Creations\PhotoProductReg.exe
2010-06-16 20:29 . 2010-06-16 20:29 140784 ----a-w- c:\documents and settings\All Users\Application Data\HP Photo Creations\RLPNUpload.dll
2010-06-16 20:26 . 2010-06-16 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2010-06-16 20:24 . 2010-06-16 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-06-16 20:24 . 2010-06-16 20:18 169984 ----a-w- c:\windows\hpoins44.dat
2010-06-16 20:22 . 2010-06-16 20:22 -------- d-----w- c:\program files\HP Photo Creations
2010-06-16 20:22 . 2010-06-16 20:19 -------- d-----w- c:\program files\HP
2010-06-16 20:21 . 2010-06-16 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-06-16 20:20 . 2010-06-16 20:20 -------- d-----w- c:\program files\Common Files\HP
2010-06-16 20:20 . 2010-06-16 20:20 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-06-16 20:17 . 2010-06-16 20:11 123630128 ----a-w- c:\program files\DJ_AIO_06_F2400_NonNet_Full_Win_enu_140_175.exe
2010-06-14 14:31 . 2008-03-18 23:36 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-21 18:14 . 2009-11-13 22:56 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-01-23 19:29 . 2010-01-23 19:28 9203547 ----a-w- c:\program files\dcloner.exe
2009-02-01 12:55 . 2009-02-01 12:55 1969086 ----a-w- c:\program files\dl36colorsetup.exe
2008-11-27 16:17 . 2008-11-27 16:17 1123696 ----a-w- c:\program files\ActiveSetupN.exe
2008-09-12 01:38 . 2005-07-22 23:59 2319568 ----a-w- c:\program files\d3dx9_27.dll
2008-09-12 01:38 . 2004-06-12 21:28 3108 ----a-w- c:\program files\readme.txt
2008-09-01 13:27 . 2008-09-01 13:27 1020112 ----a-w- c:\program files\Google Updater.exe
2008-08-11 04:08 . 2008-08-11 04:08 978396 ----a-w- c:\program files\BDAXP.cab
2008-08-07 23:26 . 2008-08-07 23:26 5697032 ----a-w- c:\program files\wmvfirefoxpluginsetup_3.1f.exe
2008-08-02 21:36 . 2008-08-02 21:37 606168 ----a-w- c:\program files\AmazonMP3Installer.exe
2008-06-18 20:06 . 2008-06-18 20:06 382352 ----a-w- c:\program files\jxpiinstall.exe
2008-06-16 04:31 . 2008-06-16 04:31 1495112 ----a-w- c:\program files\install_flash_player.exe
2008-06-05 00:08 . 2008-06-05 00:08 532616 ----a-w- c:\program files\ImageResizerPowertoySetup.exe
2008-04-27 23:16 . 2008-04-27 23:15 23700784 ----a-w- c:\program files\QuickTimeInstaller.exe
2008-04-27 23:10 . 2008-04-27 23:10 6039048 ----a-w- c:\program files\Firefox Setup 2.0.0.14.exe
2008-04-17 02:11 . 2008-04-17 02:11 449784 ----a-w- c:\program files\msgr8us.exe
2008-04-03 17:13 . 2008-04-03 17:11 45942912 ----a-w- c:\program files\169.21_forceware_winxp_32bit_english_whql.exe
2008-03-21 01:20 . 2008-03-21 01:20 2732032 ----a-w- c:\program files\ventrilo-3.0.1-Windows-i386.exe
2009-11-29 07:02 . 2008-09-07 14:16 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

------- Sigcheck -------

[7] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe
[7] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
[-] 2008-04-14 00:12 . DD20243A12C4E28D2D3EB0797BC2EE8C . 26112 . . [------] . . c:\windows\system32\userinit.exe
[7] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\userinit.exe
[-] 2006-02-28 12:00 . C79F5FBD9DD981A77DC149B7DA686398 . 24576 . . [------] . . c:\windows\$NtServicePackUninstall$\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-02-22 95536]
"Screenshot Studio"="c:\program files\Screenshot Studio\sstudio.exe" [2009-03-10 65536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-01 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-25 13680640]
"Turbine Download Manager Tray Icon"="c:\program files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe" [2010-02-04 472568]

c:\documents and settings\Becca\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
CurseClientStartup.ccip [2010-3-27 0]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Becca^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Becca\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 19:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-09-01 13:27 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Becca\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Chessmaster 10th Edition\\game.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\WoW-0.1.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\Launcher.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Documents and Settings\\Becca\\Local Settings\\Apps\\2.0\\8VV17N65.Q72\\893KAJQH.T5Q\\curs..tion_eee711038731a406_0004.0000_172b37d8269e5e48\\CurseClient.exe"=
"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineNetworkService.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineMessageService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R2 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [9/10/2009 4:42 PM 271856]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [12/15/2009 10:18 AM 22016]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 7:31 AM 92008]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2009 12:56 PM 135664]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\Becca\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\Becca\LOCALS~1\Temp\ALSysIO.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/15/2009 10:20 AM 1684736]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/7/2008 10:16 AM 30192]
S3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [9/10/2009 4:42 PM 218608]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [12/15/2009 10:18 AM 29440]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [12/15/2009 10:18 AM 17536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 16:56]

2010-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 16:56]

2010-08-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hometab.bellsouth.net/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
FF - ProfilePath - c:\documents and settings\Becca\Application Data\Mozilla\Firefox\Profiles\747s45nz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.cnn.com
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101049100&s=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\Becca\Application Data\Mozilla\Firefox\Profiles\747s45nz.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\Becca\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101049100&s=
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-15 15:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1972)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\docume~1\Becca\LOCALS~1\Temp\ov8gec9.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2010-08-15 15:57:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-15 19:57
ComboFix2.txt 2010-08-14 21:34
ComboFix3.txt 2010-08-14 15:28

Pre-Run: 124,966,453,248 bytes free
Post-Run: 125,046,898,688 bytes free

- - End Of File - - 964DDDD1171185371B48BB1D27C45A25

Edited by beccamillott, 15 August 2010 - 03:04 PM.
