
Pesky Adload Trojan


  • This topic is locked
20 replies to this topic

#1 JediAndi

JediAndi

  • Members
  • 13 posts
  • Gender:Male

Posted 03 September 2010 - 01:30 PM

I usually run a tight ship; this is my first security problem on my PC. I run AVG anti-virus and Comodo Firewall Pro with Proactive Defence.
This trojan appears to have slipped through inside a BitTorrent download (yeah, stupid, I know), and I have tried to remove it with Malwarebytes' Anti-Malware as well as Spybot Search & Destroy, but AVG is still finding it in explorer.exe and svchost.exe, and I really don't know what else to try!
Any help is really appreciated; the only other recourse I have is to wipe the system drive and reinstall everything, but that's a massive PITA.




DDS (Ver_10-03-17.01) - NTFSx86
Run by Andi at 9:55:32.28 on 03/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2015.1125 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\astsrv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\VTTimer.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Andi\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Safari\Safari.exe
C:\Documents and Settings\Andi\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RaidTool] c:\program files\via\raid\raid_tool.exe
mRun: [VTTimer] VTTimer.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\andi\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\andi\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monaco~2.lnk - c:\program files\monaco systems\monacooptix 2.0\MonacoGamma.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: C

Attached File: Attach.txt (3.66KB, 2 downloads)


Made attachment show. ~ OB

Edited by Orange Blossom, 03 September 2010 - 08:15 PM.




#2 JediAndi

JediAndi
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male

Posted 04 September 2010 - 03:00 AM

I am trying to clear up an Adload trojan on my PC, but have been getting a server connection reset error when trying to post my logs to the site. I am reliably informed (after reporting the error) that this indicates the extra trouble of a TDSS infection, and I really need some help here!

Edited by Pandy, 04 September 2010 - 09:30 AM.
Merged topics ~Pandy


#3 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 12 September 2010 - 05:44 AM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle
Can you hear it? It's all around!

Do you remember?
If you do, then
can you forgive?



If I haven't replied in 48 hours, please feel free to send me a PM.




#4 JediAndi

JediAndi
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male

Posted 16 September 2010 - 12:10 AM

Nothing new since first post.
Thank you for taking the time to help me.
Updated logs:



DDS (Ver_10-03-17.01) - NTFSx86
Run by Andi at 17:23:06.82 on 15/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2015.1337 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\astsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\COMODO\COMODO Internet S


Attached Files



#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 26 September 2010 - 05:42 AM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please run TDSSKiller and let's see if it's here
  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

m0le is a proud member of UNITE
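As an added example that is not part of this thread and not code from TDSSKiller's authors: a small Python parser for the report that TDSSKiller writes when run with the -l switch from the step above. It picks out the "Suspicious file (Forged)" lines and the "- detected" verdicts and pairs each with the driver entry it refers to, so that a long report can be reduced to the handful of lines that matter. The line formats and the AvgTdiX lines are taken from the report posted later in this thread; the remaining sample lines are constructed, and the regular expressions are assumptions fitted to those lines rather than a published format specification.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample report lines in the format TDSSKiller writes with "-l report.txt".
# The AvgTdiX lines are copied from the report posted in this thread; the
# other lines are constructed for this example.
SAMPLE_REPORT_LINES = [
    r"2010/09/26 12:32:49.0171 Scan started",
    r"2010/09/26 12:32:54.0781 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\System32\Drivers\avgldx86.sys",
    r"2010/09/26 12:32:55.0046 AvgTdiX (79ff73c8a2cb7fbf1dd25437c179aeb5) C:\WINDOWS\System32\Drivers\avgtdix.sys",
    r"2010/09/26 12:32:55.0046 Suspicious file (Forged): C:\WINDOWS\System32\Drivers\avgtdix.sys. Real md5: 79ff73c8a2cb7fbf1dd25437c179aeb5, Fake md5: 22e3b793c3e61720f03d3a22351af410",
    r"2010/09/26 12:32:55.0078 AvgTdiX - detected Rootkit.Win32.TDSS.tdl3 (0)",
    r"2010/09/26 12:32:55.0218 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys",
]

TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+"
MD5 = r"[0-9a-f]{32}"
# "<ts> <service name> (<md5>) <path>": one line per driver or service scanned
DRIVER_RE = re.compile(rf"^{TS} (?P<name>.+?) \((?P<md5>{MD5})\) (?P<path>.+)$")
# "<ts> Suspicious file (Forged): <path>. Real md5: <h>, Fake md5: <h>"
FORGED_RE = re.compile(
    rf"^{TS} Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>{MD5}), Fake md5: (?P<fake>{MD5})$"
)
# "<ts> <service name> - detected <verdict> (<n>)"
DETECT_RE = re.compile(rf"^{TS} (?P<name>.+?) - detected (?P<verdict>\S+)")


@dataclass
class Finding:
    name: str
    verdict: str
    path: Optional[str]
    real_md5: Optional[str]
    fake_md5: Optional[str]

    @property
    def hash_mismatch(self) -> bool:
        # Two different hashes reported for one path means two different byte
        # streams were observed for the same file, which is what a disk-level
        # rootkit hiding a modified driver produces.
        return self.real_md5 is not None and self.real_md5 != self.fake_md5


def parse_report(lines) -> Tuple[Dict[str, Tuple[str, str]], Dict[str, Tuple[str, str]], Dict[str, str]]:
    """Split a report into driver entries, forged-file notices and verdicts."""
    drivers: Dict[str, Tuple[str, str]] = {}   # service name -> (md5, path)
    forged: Dict[str, Tuple[str, str]] = {}    # lowercased path -> (real md5, fake md5)
    verdicts: Dict[str, str] = {}              # service name -> verdict string
    for line in lines:
        line = line.rstrip()
        m = FORGED_RE.match(line)
        if m:
            forged[m["path"].lower()] = (m["real"], m["fake"])
            continue
        m = DETECT_RE.match(line)
        if m:
            verdicts[m["name"]] = m["verdict"]
            continue
        m = DRIVER_RE.match(line)
        if m:
            drivers[m["name"]] = (m["md5"], m["path"])
    return drivers, forged, verdicts


def triage(lines) -> List[Finding]:
    """Pair every verdict with the driver path and any forged-hash notice for it."""
    drivers, forged, verdicts = parse_report(lines)
    findings: List[Finding] = []
    for name, verdict in verdicts.items():
        _md5, path = drivers.get(name, (None, None))
        real, fake = forged.get(path.lower(), (None, None)) if path else (None, None)
        findings.append(Finding(name, verdict, path, real, fake))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT_LINES):
        print(f"{f.name}: {f.verdict} at {f.path}")
        if f.hash_mismatch:
            print(f"  forged on-disk content: real md5 {f.real_md5}, presented md5 {f.fake_md5}")
```

On the sample lines the only verdict is the AvgTdiX entry, and the forged-file notice attached to its path carries two different hashes, which is the detail that distinguishes a genuinely patched driver from a false positive on a legitimate but unusual file. Reading the report this way also makes clear why the thread keeps asking for a fresh log after each step: the driver list and the forged notices are what change once the cure and reboot have run.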

#6 JediAndi

JediAndi
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male

Posted 26 September 2010 - 06:29 AM

Thanks m0le, I'll run that right now.

#7 JediAndi

JediAndi
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male

Posted 26 September 2010 - 06:43 AM

2010/09/26 12:32:35.0234 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44
2010/09/26 12:32:35.0234 ================================================================================
2010/09/26 12:32:35.0234 SystemInfo:
2010/09/26 12:32:35.0234
2010/09/26 12:32:35.0234 OS Version: 5.1.2600 ServicePack: 3.0
2010/09/26 12:32:35.0234 Product type: Workstation
2010/09/26 12:32:35.0234 ComputerName: GIBBS
2010/09/26 12:32:35.0250 UserName: Andi
2010/09/26 12:32:35.0250 Windows directory: C:\WINDOWS
2010/09/26 12:32:35.0250 System windows directory: C:\WINDOWS
2010/09/26 12:32:35.0250 Processor architecture: Intel x86
2010/09/26 12:32:35.0250 Number of processors: 1
2010/09/26 12:32:35.0250 Page size: 0x1000
2010/09/26 12:32:35.0250 Boot type: Normal boot
2010/09/26 12:32:35.0250 ================================================================================
2010/09/26 12:32:36.0578 Initialize success
2010/09/26 12:32:49.0171 ================================================================================
2010/09/26 12:32:49.0171 Scan started
2010/09/26 12:32:49.0171 Mode: Manual;
2010/09/26 12:32:49.0171 ================================================================================
2010/09/26 12:32:51.0046 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/09/26 12:32:51.0171 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/09/26 12:32:51.0328 adfs (73685e15ef8b0bd9c30f1af413f13d49) C:\WINDOWS\system32\drivers\adfs.sys
2010/09/26 12:32:51.0531 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/09/26 12:32:51.0671 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/09/26 12:32:52.0203 ALCXWDM (7262f401de59bbbf24b03eefcb87263d) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2010/09/26 12:32:52.0750 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
2010/09/26 12:32:52.0968 AR5211 (e7610478fa20474e4a6411be56b7c0d0) C:\WINDOWS\system32\DRIVERS\ar5211.sys
2010/09/26 12:32:53.0640 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/09/26 12:32:54.0046 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/09/26 12:32:54.0234 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/09/26 12:32:54.0625 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/09/26 12:32:54.0781 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\System32\Drivers\avgldx86.sys
2010/09/26 12:32:54.0890 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\System32\Drivers\avgmfx86.sys
2010/09/26 12:32:55.0046 AvgTdiX (79ff73c8a2cb7fbf1dd25437c179aeb5) C:\WINDOWS\System32\Drivers\avgtdix.sys
2010/09/26 12:32:55.0046 Suspicious file (Forged): C:\WINDOWS\System32\Drivers\avgtdix.sys. Real md5: 79ff73c8a2cb7fbf1dd25437c179aeb5, Fake md5: 22e3b793c3e61720f03d3a22351af410
2010/09/26 12:32:55.0078 AvgTdiX - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/09/26 12:32:55.0218 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/09/26 12:32:55.0406 Bridge (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
2010/09/26 12:32:55.0468 BridgeMP (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
2010/09/26 12:32:55.0593 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/09/26 12:32:55.0765 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/09/26 12:32:55.0984 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/09/26 12:32:56.0093 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/09/26 12:32:56.0250 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/09/26 12:32:56.0546 cmdGuard (d7c17cc5038773aa717864a5555465de) C:\WINDOWS\system32\DRIVERS\cmdguard.sys
2010/09/26 12:32:56.0671 cmdHlp (81ceedf3501cd5ccae3dceb204af1634) C:\WINDOWS\system32\DRIVERS\cmdhlp.sys
2010/09/26 12:32:56.0828 CoachUsb (577e2d85e908e5eb9311b54e8b56447b) C:\WINDOWS\system32\DRIVERS\CoachUsb.sys
2010/09/26 12:32:56.0984 CoachVid (f084c7b8e08d761040b708e65468ec2e) C:\WINDOWS\system32\DRIVERS\CoachVid.sys
2010/09/26 12:32:57.0468 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/09/26 12:32:57.0625 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/09/26 12:32:58.0468 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/09/26 12:32:58.0578 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/09/26 12:32:58.0687 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/09/26 12:32:58.0843 dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
2010/09/26 12:32:59.0015 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
2010/09/26 12:32:59.0187 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
2010/09/26 12:32:59.0343 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/09/26 12:32:59.0718 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/09/26 12:32:59.0812 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/09/26 12:32:59.0968 FETND5BV (47d9ee42ae1659b220df7b1bb2720df1) C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
2010/09/26 12:33:00.0109 FETNDIS (e9648254056bce81a85380c0c3647dc4) C:\WINDOWS\system32\DRIVERS\fetnd5.sys
2010/09/26 12:33:00.0750 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/09/26 12:33:00.0968 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/09/26 12:33:01.0109 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/09/26 12:33:01.0281 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/09/26 12:33:01.0453 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/09/26 12:33:01.0562 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/09/26 12:33:01.0734 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/09/26 12:33:01.0906 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/09/26 12:33:02.0250 HPZid412 (863cc3a82c63c9f60acf2e85d5310620) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2010/09/26 12:33:02.0921 HPZipr12 (08cb72e95dd75b61f2966b311d0e4366) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2010/09/26 12:33:03.0078 HPZius12 (ca990306ed4ef732af9695bff24fc96f) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2010/09/26 12:33:03.0250 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/09/26 12:33:03.0562 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
2010/09/26 12:33:03.0718 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\drivers\Imapi.sys
2010/09/26 12:33:03.0968 Inspect (bf141304f251563b63e64cb3c036de74) C:\WINDOWS\system32\DRIVERS\inspect.sys
2010/09/26 12:33:04.0218 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/09/26 12:33:04.0375 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/09/26 12:33:04.0531 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/09/26 12:33:04.0687 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/09/26 12:33:04.0843 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/09/26 12:33:05.0000 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/09/26 12:33:05.0218 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/09/26 12:33:05.0796 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/09/26 12:33:05.0937 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/09/26 12:33:06.0093 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/09/26 12:33:06.0281 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/09/26 12:33:06.0500 Lavasoft Kernexplorer (32da3fde01f1bb080c2e69521dd8881e) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
2010/09/26 12:33:06.0718 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2010/09/26 12:33:06.0984 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/09/26 12:33:07.0156 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/09/26 12:33:07.0875 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/09/26 12:33:08.0015 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/09/26 12:33:08.0171 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/09/26 12:33:08.0328 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/09/26 12:33:08.0468 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/09/26 12:33:08.0671 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/09/26 12:33:08.0812 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/09/26 12:33:08.0953 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/09/26 12:33:09.0109 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/09/26 12:33:09.0296 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/09/26 12:33:09.0437 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/09/26 12:33:09.0625 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/09/26 12:33:10.0281 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/09/26 12:33:10.0500 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/09/26 12:33:10.0625 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/09/26 12:33:10.0781 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/09/26 12:33:10.0937 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/09/26 12:33:11.0062 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/09/26 12:33:11.0234 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/09/26 12:33:11.0390 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/09/26 12:33:11.0546 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/09/26 12:33:11.0765 nmwcd (357ddb51e03cae598c096d95497373d0) C:\WINDOWS\system32\drivers\ccdcmb.sys
2010/09/26 12:33:12.0437 nmwcdc (7cd443f9d36c80e152fadb274089577a) C:\WINDOWS\system32\drivers\ccdcmbo.sys
2010/09/26 12:33:12.0562 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/09/26 12:33:12.0703 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/09/26 12:33:12.0906 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/09/26 12:33:13.0078 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/09/26 12:33:13.0250 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/09/26 12:33:13.0453 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/09/26 12:33:13.0593 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/09/26 12:33:13.0718 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/09/26 12:33:13.0843 pccsmcfd (fd2041e9ba03db7764b2248f02475079) C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys
2010/09/26 12:33:14.0031 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/09/26 12:33:14.0265 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/09/26 12:33:14.0843 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/09/26 12:33:14.0984 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/09/26 12:33:15.0156 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/09/26 12:33:15.0906 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/09/26 12:33:16.0062 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/09/26 12:33:16.0500 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/09/26 12:33:16.0656 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/09/26 12:33:16.0812 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/09/26 12:33:16.0968 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/09/26 12:33:17.0109 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/09/26 12:33:17.0750 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/09/26 12:33:17.0968 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/09/26 12:33:18.0140 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/09/26 12:33:18.0312 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/09/26 12:33:18.0531 rt2870 (19a0b57164830df3c699e3cc93f68e37) C:\WINDOWS\system32\DRIVERS\rt2870.sys
2010/09/26 12:33:18.0796 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/09/26 12:33:18.0843 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2010/09/26 12:33:19.0031 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/09/26 12:33:19.0203 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/09/26 12:33:19.0343 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/09/26 12:33:19.0562 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/09/26 12:33:19.0796 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/09/26 12:33:20.0046 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/09/26 12:33:20.0218 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/09/26 12:33:20.0796 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/09/26 12:33:21.0031 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/09/26 12:33:21.0250 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/09/26 12:33:21.0375 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/09/26 12:33:21.0734 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/09/26 12:33:21.0906 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/09/26 12:33:22.0140 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/09/26 12:33:22.0875 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/09/26 12:33:23.0031 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/09/26 12:33:23.0312 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/09/26 12:33:23.0578 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/09/26 12:33:23.0796 upperdev (15629e4d65f97ab5432d6d9597cf6a33) C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys
2010/09/26 12:33:23.0937 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/09/26 12:33:24.0281 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/09/26 12:33:24.0453 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/09/26 12:33:24.0609 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/09/26 12:33:24.0828 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/09/26 12:33:24.0984 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/09/26 12:33:25.0125 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/09/26 12:33:25.0843 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\drivers\usbser.sys
2010/09/26 12:33:26.0015 UsbserFilt (5c17e6a11aa8be53f79fd364ba19f0ce) C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys
2010/09/26 12:33:26.0156 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/09/26 12:33:26.0312 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/09/26 12:33:26.0453 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/09/26 12:33:26.0609 viaagp1 (4b039bbd037b01f5db5a144c837f283a) C:\WINDOWS\system32\DRIVERS\viaagp1.sys
2010/09/26 12:33:26.0734 viagfx (950eadbb3b8fd3fcb1a7c035646f5652) C:\WINDOWS\system32\DRIVERS\vtmini.sys
2010/09/26 12:33:26.0921 ViaIde (a5d8b6c8d43786d4215c1df6fab0aae0) C:\WINDOWS\system32\DRIVERS\viaidexp.sys
2010/09/26 12:33:27.0078 viamraid (0363e216e4eb5052969c96608934dbde) C:\WINDOWS\system32\DRIVERS\viamraid.sys
2010/09/26 12:33:27.0203 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/09/26 12:33:27.0812 vulfnths (c0f55cc0903cfdc819f6d857402b697c) C:\WINDOWS\System32\Drivers\vulfnth.sys
2010/09/26 12:33:27.0953 vulfntrs (ae838addfc733455464c87be0697a810) C:\WINDOWS\System32\Drivers\vulfntr.sys
2010/09/26 12:33:28.0125 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/09/26 12:33:28.0312 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
2010/09/26 12:33:28.0593 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/09/26 12:33:28.0953 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/09/26 12:33:29.0125 WudfPf (6ff66513d372d479ef1810223c8d20ce) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/09/26 12:33:29.0796 WudfRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/09/26 12:33:29.0953 X-Rite (b9dff9491cabbd3d2e00a350fdb4f44e) C:\WINDOWS\system32\DRIVERS\XrUsb.sys
2010/09/26 12:33:30.0218 ================================================================================
2010/09/26 12:33:30.0218 Scan finished
2010/09/26 12:33:30.0218 ================================================================================
2010/09/26 12:33:30.0265 Detected object count: 1
2010/09/26 12:33:51.0562 AvgTdiX (79ff73c8a2cb7fbf1dd25437c179aeb5) C:\WINDOWS\System32\Drivers\avgtdix.sys
2010/09/26 12:33:51.0562 Suspicious file (Forged): C:\WINDOWS\System32\Drivers\avgtdix.sys. Real md5: 79ff73c8a2cb7fbf1dd25437c179aeb5, Fake md5: 22e3b793c3e61720f03d3a22351af410
2010/09/26 12:34:03.0015 Backup copy found, using it..
2010/09/26 12:34:03.0109 C:\WINDOWS\System32\Drivers\avgtdix.sys - will be cured after reboot
2010/09/26 12:34:03.0109 Rootkit.Win32.TDSS.tdl3(AvgTdiX) - User select action: Cure
2010/09/26 12:34:26.0609 Deinitialize success


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:41 PM

Posted 26 September 2010 - 01:30 PM

Now please run MBRCheck

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#9 JediAndi

JediAndi
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:41 PM

Posted 27 September 2010 - 01:19 AM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000003fc

Kernel Drivers (total 134):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF75F7000 klmdb.sys
0xF7508000 ACPI.sys
0xF7989000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xF74F7000 pci.sys
0xF7607000 isapnp.sys
0xF798B000 viaidexp.sys
0xF7707000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF7617000 MountMgr.sys
0xF74D8000 ftdisk.sys
0xF798D000 dmload.sys
0xF74B2000 dmio.sys
0xF770F000 PartMgr.sys
0xF7627000 VolSnap.sys
0xF749A000 atapi.sys
0xF7637000 viamraid.sys
0xF7482000 \WINDOWS\System32\DRIVERS\SCSIPORT.SYS
0xF7647000 disk.sys
0xF7657000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF7462000 fltmgr.sys
0xF7450000 sr.sys
0xF7667000 Lbd.sys
0xF7677000 PxHelp20.sys
0xF7870000 KSecDD.sys
0xF785D000 WudfPf.sys
0xF7B52000 Ntfs.sys
0xF7849000 inspect.sys
0xF795A000 \WINDOWS\System32\DRIVERS\NDIS.SYS
0xF7717000 \WINDOWS\System32\DRIVERS\TDI.SYS
0xF771F000 viaagp1.sys
0xF782F000 Mup.sys
0xF76A7000 \SystemRoot\System32\DRIVERS\amdk7.sys
0xB9ED3000 \SystemRoot\System32\DRIVERS\vtmini.sys
0xB9EBF000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xBA744000 \SystemRoot\System32\Drivers\Imapi.SYS
0xBA734000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xBA724000 \SystemRoot\System32\DRIVERS\redbook.sys
0xB9E9C000 \SystemRoot\System32\DRIVERS\ks.sys
0xF77D7000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF77DF000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xB9E78000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF79AB000 \SystemRoot\System32\Drivers\vulfnth.sys
0xF77E7000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB9AA2000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xB9A7E000 \SystemRoot\system32\drivers\portcls.sys
0xBA714000 \SystemRoot\system32\drivers\drmk.sys
0xBA704000 \SystemRoot\System32\DRIVERS\fetnd5bv.sys
0xF77EF000 \SystemRoot\System32\DRIVERS\fdc.sys
0xBA6F4000 \SystemRoot\System32\DRIVERS\serial.sys
0xBA7E8000 \SystemRoot\System32\DRIVERS\serenum.sys
0xB9A6A000 \SystemRoot\System32\DRIVERS\parport.sys
0xF7A8D000 \SystemRoot\System32\DRIVERS\audstub.sys
0xBA6E4000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xBA7E4000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xB9A53000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xBA6D4000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xBA6C4000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xB9A42000 \SystemRoot\System32\DRIVERS\psched.sys
0xBA6B4000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF77F7000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF77FF000 \SystemRoot\System32\DRIVERS\raspti.sys
0xB9A12000 \SystemRoot\System32\DRIVERS\rdpdr.sys
0xF76B7000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF7807000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF780F000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF79AF000 \SystemRoot\System32\DRIVERS\swenum.sys
0xB99B4000 \SystemRoot\System32\DRIVERS\update.sys
0xBA7CC000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xF76C7000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA600000 \SystemRoot\System32\Drivers\vulfntr.sys
0xF76D7000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF79B1000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xB865A000 \SystemRoot\System32\DRIVERS\cmdguard.sys
0xF7817000 \SystemRoot\System32\DRIVERS\dot4usb.sys
0xB8627000 \SystemRoot\System32\DRIVERS\Dot4.sys
0xF79B3000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA2D7000 \SystemRoot\System32\Drivers\Null.SYS
0xF79B5000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7747000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
0xBA211000 \SystemRoot\System32\drivers\vga.sys
0xF79B7000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79B9000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA209000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA201000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7933000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xB85F4000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xB859B000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xBA1F9000 \SystemRoot\System32\DRIVERS\cmdhlp.sys
0xB8561000 \SystemRoot\System32\Drivers\avgtdix.sys
0xB8539000 \SystemRoot\System32\DRIVERS\netbt.sys
0xB8517000 \SystemRoot\System32\drivers\afd.sys
0xF75C6000 \SystemRoot\System32\DRIVERS\netbios.sys
0xB84F5000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xBA1F1000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xB84CA000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xB8432000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xF75A6000 \SystemRoot\System32\Drivers\Fips.SYS
0xB840C000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xBA1E9000 \SystemRoot\System32\DRIVERS\usbccgp.sys
0xF7596000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xBA1E1000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xBA1D9000 \SystemRoot\System32\DRIVERS\USBSTOR.SYS
0xB86E2000 \SystemRoot\System32\DRIVERS\Dot4Prt.sys
0xB86DE000 \SystemRoot\System32\DRIVERS\hidusb.sys
0xF7586000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
0xB86D6000 \SystemRoot\System32\DRIVERS\kbdhid.sys
0xBA1D1000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xB8388000 \SystemRoot\System32\Drivers\avgldx86.sys
0xB86D2000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xF7546000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB8348000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF79F3000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB86CE000 \SystemRoot\System32\drivers\Dxapi.sys
0xF77AF000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA13F000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\vtdisp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB58D0000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xB555B000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xF79CF000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB554A000 \SystemRoot\System32\Drivers\adfs.SYS
0xB5313000 \SystemRoot\System32\DRIVERS\srv.sys
0xB83CC000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xB4DA0000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xB4D8B000 \SystemRoot\system32\drivers\wdmaud.sys
0xB4DC3000 \SystemRoot\system32\drivers\sysaudio.sys
0xB4BF8000 \SystemRoot\System32\Drivers\HTTP.sys
0xB49F0000 \??\C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 56):
0 System Idle Process
4 System
624 C:\WINDOWS\system32\smss.exe
696 csrss.exe
720 C:\WINDOWS\system32\winlogon.exe
764 C:\WINDOWS\system32\services.exe
776 C:\WINDOWS\system32\lsass.exe
940 C:\WINDOWS\system32\svchost.exe
1004 svchost.exe
1100 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
1144 C:\WINDOWS\system32\svchost.exe
1344 C:\WINDOWS\system32\svchost.exe
1432 C:\Program Files\AVG\AVG9\avgchsvx.exe
1440 C:\Program Files\AVG\AVG9\avgrsx.exe
1492 svchost.exe
1624 svchost.exe
1700 C:\Program Files\AVG\AVG9\avgcsrvx.exe
1712 C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
1788 C:\WINDOWS\system32\spoolsv.exe
280 svchost.exe
348 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
292 C:\WINDOWS\system32\ASTSRV.EXE
440 C:\Program Files\AVG\AVG9\avgwdsvc.exe
456 C:\Program Files\Bonjour\mDNSResponder.exe
548 C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
688 C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
1092 C:\Program Files\Java\jre6\bin\jqs.exe
1452 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
1404 C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
1636 sqlservr.exe
2124 C:\WINDOWS\system32\tcpsvcs.exe
2304 sqlbrowser.exe
2352 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
2384 C:\Program Files\AVG\AVG9\avgnsx.exe
2420 C:\WINDOWS\system32\svchost.exe
3264 unsecapp.exe
3316 alg.exe
3376 wmiprvse.exe
3956 C:\WINDOWS\explorer.exe
2668 C:\WINDOWS\soundman.exe
1328 C:\WINDOWS\system32\svchost.exe
3084 C:\Program Files\VIA\RAID\raid_tool.exe
3212 C:\WINDOWS\system32\VTTimer.exe
3308 C:\PROGRA~1\AVG\AVG9\avgtray.exe
3588 C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
2756 C:\Program Files\iTunes\iTunesHelper.exe
3768 C:\WINDOWS\system32\ctfmon.exe
3976 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
4000 C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
520 C:\Documents and Settings\Andi\Application Data\Dropbox\bin\Dropbox.exe
2764 C:\Program Files\iPod\bin\iPodService.exe
3700 C:\Program Files\SpywareGuard\sgmain.exe
3840 C:\Program Files\SpywareGuard\sgbhp.exe
2312 C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
3684 C:\WINDOWS\system32\wuauclt.exe
2316 C:\Documents and Settings\Andi\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: Maxtor6Y060L0, Rev: YAR41VW0
PhysicalDrive1 Model Number: WDCWD2000JD-00HBB0, Rev: 08.02D08
PhysicalDrive2 Model Number: WDCWD2000JD-00HBB0, Rev: 08.02D08

Size Device Name MBR Status
--------------------------------------------
57 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
186 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
931 GB \\.\PhysicalDrive2 Windows 98 MBR code detected
SHA1: 48F01D7E76A0F3C038D08611E3FDC0EE4EF9FD3E


Done!

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:41 PM

Posted 27 September 2010 - 04:45 AM

Okay, no problems in the MBR so let's see what we've got

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#11 JediAndi

JediAndi
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:41 PM

Posted 27 September 2010 - 08:37 AM

ComboFix 10-09-26.04 - Andi 27/09/2010 13:08:28.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2015.1257 [GMT 1:00]
Running from: c:\documents and settings\Andi\Desktop\comfix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif

.
((((((((((((((((((((((((( Files Created from 2010-08-27 to 2010-09-27 )))))))))))))))))))))))))))))))
.

2010-09-23 08:14 . 2010-09-23 08:14 620896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2010-09-23 08:14 . 2010-09-23 08:14 4093792 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-09-23 08:14 . 2010-09-23 08:14 3586912 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-09-23 08:14 . 2010-09-23 08:14 1619296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-09-23 08:14 . 2010-09-23 08:14 1377632 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-09-23 08:14 . 2010-09-23 08:14 942432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2010-09-23 08:14 . 2010-09-23 08:14 598368 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-09-23 08:14 . 2010-09-23 08:14 4371296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-09-23 08:14 . 2010-09-23 08:14 300896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-09-23 08:12 . 2010-09-23 08:12 1690952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-09-16 17:04 . 2010-09-16 17:05 -------- d-----w- c:\program files\QuickTime
2010-09-16 16:59 . 2010-09-16 16:59 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.18.5\SetupAdmin.exe
2010-09-10 11:32 . 2010-09-23 14:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-09-05 18:29 . 2010-09-05 18:29 -------- d-----w- c:\program files\SpywareBlaster
2010-09-05 16:26 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-04 16:38 . 2010-09-04 16:38 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-09-04 16:03 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-04 08:55 . 2010-09-04 08:55 -------- d-----w- c:\documents and settings\All Users\Application Data\VOWSoft
2010-09-04 08:54 . 2010-09-04 08:54 -------- d-----w- c:\program files\iPodRobot
2010-09-02 15:05 . 2010-09-02 15:05 -------- d-----w- c:\program files\iPod
2010-09-02 15:05 . 2010-09-02 15:07 -------- d-----w- c:\program files\iTunes
2010-09-02 14:47 . 2010-09-02 14:47 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-09-02 13:51 . 2010-09-02 13:51 -------- d-----w- c:\program files\Regensoft
2010-09-02 13:51 . 2010-09-02 13:51 -------- d-----w- c:\program files\Red Kawa
2010-09-02 09:27 . 2010-09-02 20:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-02 09:27 . 2010-09-02 10:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-01 20:32 . 2010-09-01 20:32 -------- d-----w- c:\documents and settings\Andi\Application Data\Malwarebytes
2010-09-01 20:31 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-01 20:31 . 2010-09-01 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-01 20:31 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-01 20:31 . 2010-09-01 20:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-01 10:28 . 2010-09-01 10:28 -------- d-----w- c:\program files\Apple Software Update
2010-08-31 05:58 . 2010-08-31 05:58 -------- d-----w- c:\documents and settings\Andi\Application Data\Yahoo!
2010-08-31 05:58 . 2010-08-31 07:11 -------- d-----w- c:\program files\Yahoo!
2010-08-31 05:43 . 2010-08-31 05:43 -------- d-----w- c:\documents and settings\Andi\Application Data\AVG9
2010-08-30 19:00 . 2010-09-02 06:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-26 15:10 . 2010-05-15 15:10 0 ----a-w- c:\documents and settings\Andi\Local Settings\Application Data\prvlcl.dat
2010-09-26 11:40 . 2010-05-10 20:02 -------- d-----w- c:\documents and settings\Andi\Application Data\Dropbox
2010-09-26 11:36 . 2010-05-10 17:12 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-09-16 17:00 . 2010-07-20 22:03 -------- d-----w- c:\program files\Safari
2010-09-16 05:05 . 2010-09-04 15:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-09-04 16:03 . 2010-09-04 15:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-09-04 16:03 . 2010-09-04 16:03 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-04 15:55 . 2010-09-04 15:42 -------- d-----w- c:\program files\SpywareGuard
2010-09-04 15:49 . 2010-09-04 15:49 63488 ----a-w- c:\documents and settings\Andi\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-04 15:49 . 2010-09-04 15:49 52224 ----a-w- c:\documents and settings\Andi\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-04 15:48 . 2010-09-04 15:48 117760 ----a-w- c:\documents and settings\Andi\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-04 15:47 . 2010-09-04 15:47 -------- d-----w- c:\documents and settings\Andi\Application Data\SUPERAntiSpyware.com
2010-09-04 15:47 . 2010-09-04 15:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-04 15:05 . 2010-09-04 15:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-04 15:05 . 2010-09-04 15:05 -------- d-----w- c:\program files\Lavasoft
2010-09-02 15:05 . 2009-11-20 11:28 -------- d-----w- c:\program files\Common Files\Apple
2010-09-02 06:01 . 2010-05-11 14:39 -------- d-----w- c:\documents and settings\Andi\Application Data\BitTorrent
2010-08-31 12:47 . 2010-06-16 10:01 -------- d-----w- c:\documents and settings\Andi\Application Data\PTGui
2010-08-30 09:02 . 2009-11-20 11:38 -------- d-----w- c:\documents and settings\Andi\Application Data\Apple Computer
2010-08-26 11:35 . 2010-08-26 11:26 -------- d-----w- c:\program files\Google
2010-08-26 10:34 . 2010-08-25 15:41 -------- d-----w- c:\documents and settings\Andi\Application Data\onOne Software
2010-08-25 15:44 . 2010-08-25 15:44 -------- d-----w- c:\program files\Common Files\onOne Software Shared
2010-08-25 15:44 . 2010-08-25 15:36 -------- d-----w- c:\program files\onOne Software
2010-08-25 15:43 . 2010-08-25 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\onOne Software
2010-08-25 15:36 . 2009-11-12 21:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-20 17:21 . 2010-05-13 08:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-20 15:36 . 2010-05-13 08:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Easy CD-DA Extractor
2010-08-20 15:36 . 2010-05-13 08:59 -------- d-----w- c:\program files\Easy CD-DA Extractor 2010
2010-08-17 08:29 . 2010-08-17 08:29 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-08-17 07:53 . 2010-06-17 16:52 86892 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-15 08:56 . 2009-11-19 11:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-15 08:56 . 2010-08-14 09:35 1680064 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
2010-08-15 08:43 . 2010-08-14 09:35 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2010-08-15 08:35 . 2009-12-03 14:11 -------- d-----w- c:\program files\Common Files\Merge Modules
2010-08-14 15:54 . 2009-11-16 17:24 117544 ----a-w- c:\documents and settings\Andi\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-14 15:54 . 2009-11-18 14:20 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-14 12:31 . 2009-12-03 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\PreEmptive Solutions
2010-08-14 09:45 . 2010-08-14 09:10 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2010-08-14 09:45 . 2010-08-14 09:45 -------- d-----w- c:\program files\Business Objects
2010-08-14 09:45 . 2010-08-14 09:45 -------- d-----w- c:\program files\Microsoft Device Emulator
2010-08-14 09:44 . 2010-08-14 09:42 -------- d-----w- c:\program files\Windows Mobile 5.0 SDK R2
2010-08-14 09:41 . 2010-08-14 09:41 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-08-14 09:41 . 2010-08-14 09:41 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-08-14 09:38 . 2009-12-03 14:11 -------- d-----w- c:\program files\Microsoft.NET
2010-08-14 09:10 . 2010-08-14 09:10 -------- d-----w- c:\program files\Microsoft SDKs
2010-08-14 09:08 . 2010-08-14 09:08 -------- d-----w- c:\program files\Microsoft Web Designer Tools
2010-08-14 09:06 . 2010-08-14 09:06 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2010-08-12 12:16 . 2010-09-04 15:05 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-08-11 07:33 . 2010-08-11 07:33 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.17.8\SetupAdmin.exe
2010-07-20 21:45 . 2010-07-20 21:45 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-07-17 08:11 . 2010-07-17 08:11 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-17 08:10 . 2010-05-10 17:12 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-30 12:31 . 2001-08-23 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Andi\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Andi\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Andi\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-16 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 577536]
"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-06-20 1056768]
"VTTimer"="VTTimer.exe" [2005-03-08 53248]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-17 2065760]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-06-16 2039240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

c:\documents and settings\Andi\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Andi\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MonacoGamma.lnk - c:\program files\Monaco Systems\MonacoOPTIX 2.0\MonacoGamma.exe [2009-11-17 102400]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-17 08:11 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-06-19 11:36 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2010-06-19 18:04 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2010-05-11 06:13 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 07:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-02-26 14:08 2289664 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 05:42 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-10-11 18:25 1961984 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
2009-10-26 16:26 753664 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-11-11 09:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 10:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 10:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"odserv"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Documents and Settings\\Andi\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [04/09/2010 17:03 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/05/2010 18:12 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/05/2010 18:12 243024]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [23/03/2010 18:40 229312]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [03/03/2010 17:54 25240]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
S3 CoachVid;CoachVid;c:\windows\system32\drivers\CoachVid.sys [25/02/2010 23:20 45344]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmdb

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-02-26 14:06 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-09-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 07:58]

2010-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

2010-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-26 11:26]

2010-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-26 11:26]

2010-09-26 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.developingperceptions.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
FF - ProfilePath - c:\documents and settings\Andi\Application Data\Mozilla\Firefox\Profiles\su9jtr2g.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://developingperceptions.co.uk/
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101056100&s=
FF - component: c:\documents and settings\Andi\Application Data\Mozilla\Firefox\Profiles\su9jtr2g.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Andi\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101056100&s=
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
SafeBoot-klmdb.sys
SafeBoot-Wdf01000.sys
AddRemove-Nero - Burning Rom!UninstallKey - c:\program files\Ahead\nero\uninstall\UNNERO.exe
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-27 13:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1343024091-1390067357-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\guard32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(776)
c:\windows\system32\guard32.dll
.
Completion time: 2010-09-27 13:57:48
ComboFix-quarantined-files.txt 2010-09-27 12:57

Pre-Run: 13,615,013,888 bytes free
Post-Run: 13,659,111,424 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 265630B2E278B949068158A0E45E04FC


#12 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 27 September 2010 - 12:02 PM

Please run Combofix again, as follows

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

QUOTE
RegLock::
[HKEY_USERS\S-1-5-21-1343024091-1390067357-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)

Referring to the picture above, drag CFScript into ComboFix.exe

If the program asks you to update Combofix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Then please run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
m0le is a proud member of UNITE

#13 JediAndi

  • Topic Starter
  • Members
  • 13 posts
  • Gender:Male
Posted 28 September 2010 - 01:08 AM

ComboFix 10-09-27.01 - Andi 27/09/2010 20:35:50.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2015.1335 [GMT 1:00]
Running from: c:\documents and settings\Andi\Desktop\comfix.exe
Command switches used :: c:\documents and settings\Andi\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((( Files Created from 2010-08-27 to 2010-09-27 )))))))))))))))))))))))))))))))
.

2010-09-23 08:14 . 2010-09-23 08:14 620896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2010-09-23 08:14 . 2010-09-23 08:14 4093792 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-09-23 08:14 . 2010-09-23 08:14 3586912 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-09-23 08:14 . 2010-09-23 08:14 1619296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-09-23 08:14 . 2010-09-23 08:14 1377632 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-09-23 08:14 . 2010-09-23 08:14 942432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2010-09-23 08:14 . 2010-09-23 08:14 598368 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-09-23 08:14 . 2010-09-23 08:14 4371296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-09-23 08:14 . 2010-09-23 08:14 300896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-09-23 08:12 . 2010-09-23 08:12 1690952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-09-16 17:04 . 2010-09-16 17:05 -------- d-----w- c:\program files\QuickTime
2010-09-16 16:59 . 2010-09-16 16:59 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.18.5\SetupAdmin.exe
2010-09-10 11:32 . 2010-09-23 14:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-09-05 18:29 . 2010-09-05 18:29 -------- d-----w- c:\program files\SpywareBlaster
2010-09-05 16:26 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-04 16:38 . 2010-09-04 16:38 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-09-04 16:03 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-04 08:55 . 2010-09-04 08:55 -------- d-----w- c:\documents and settings\All Users\Application Data\VOWSoft
2010-09-04 08:54 . 2010-09-04 08:54 -------- d-----w- c:\program files\iPodRobot
2010-09-02 15:05 . 2010-09-02 15:05 -------- d-----w- c:\program files\iPod
2010-09-02 15:05 . 2010-09-02 15:07 -------- d-----w- c:\program files\iTunes
2010-09-02 14:47 . 2010-09-02 14:47 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-09-02 13:51 . 2010-09-02 13:51 -------- d-----w- c:\program files\Regensoft
2010-09-02 13:51 . 2010-09-02 13:51 -------- d-----w- c:\program files\Red Kawa
2010-09-02 09:27 . 2010-09-02 20:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-02 09:27 . 2010-09-02 10:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-01 20:32 . 2010-09-01 20:32 -------- d-----w- c:\documents and settings\Andi\Application Data\Malwarebytes
2010-09-01 20:31 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-01 20:31 . 2010-09-01 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-01 20:31 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-01 20:31 . 2010-09-01 20:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-01 10:28 . 2010-09-01 10:28 -------- d-----w- c:\program files\Apple Software Update
2010-08-31 05:58 . 2010-08-31 05:58 -------- d-----w- c:\documents and settings\Andi\Application Data\Yahoo!
2010-08-31 05:58 . 2010-08-31 07:11 -------- d-----w- c:\program files\Yahoo!
2010-08-31 05:43 . 2010-08-31 05:43 -------- d-----w- c:\documents and settings\Andi\Application Data\AVG9
2010-08-30 19:00 . 2010-09-02 06:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-26 15:10 . 2010-05-15 15:10 0 ----a-w- c:\documents and settings\Andi\Local Settings\Application Data\prvlcl.dat
2010-09-26 11:40 . 2010-05-10 20:02 -------- d-----w- c:\documents and settings\Andi\Application Data\Dropbox
2010-09-26 11:36 . 2010-05-10 17:12 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-09-16 17:00 . 2010-07-20 22:03 -------- d-----w- c:\program files\Safari
2010-09-16 05:05 . 2010-09-04 15:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-09-04 16:03 . 2010-09-04 15:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-09-04 16:03 . 2010-09-04 16:03 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-04 15:55 . 2010-09-04 15:42 -------- d-----w- c:\program files\SpywareGuard
2010-09-04 15:49 . 2010-09-04 15:49 63488 ----a-w- c:\documents and settings\Andi\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-04 15:49 . 2010-09-04 15:49 52224 ----a-w- c:\documents and settings\Andi\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-04 15:48 . 2010-09-04 15:48 117760 ----a-w- c:\documents and settings\Andi\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-04 15:47 . 2010-09-04 15:47 -------- d-----w- c:\documents and settings\Andi\Application Data\SUPERAntiSpyware.com
2010-09-04 15:47 . 2010-09-04 15:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-04 15:05 . 2010-09-04 15:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-04 15:05 . 2010-09-04 15:05 -------- d-----w- c:\program files\Lavasoft
2010-09-02 15:05 . 2009-11-20 11:28 -------- d-----w- c:\program files\Common Files\Apple
2010-09-02 06:01 . 2010-05-11 14:39 -------- d-----w- c:\documents and settings\Andi\Application Data\BitTorrent
2010-08-31 12:47 . 2010-06-16 10:01 -------- d-----w- c:\documents and settings\Andi\Application Data\PTGui
2010-08-30 09:02 . 2009-11-20 11:38 -------- d-----w- c:\documents and settings\Andi\Application Data\Apple Computer
2010-08-26 11:35 . 2010-08-26 11:26 -------- d-----w- c:\program files\Google
2010-08-26 10:34 . 2010-08-25 15:41 -------- d-----w- c:\documents and settings\Andi\Application Data\onOne Software
2010-08-25 15:44 . 2010-08-25 15:44 -------- d-----w- c:\program files\Common Files\onOne Software Shared
2010-08-25 15:44 . 2010-08-25 15:36 -------- d-----w- c:\program files\onOne Software
2010-08-25 15:43 . 2010-08-25 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\onOne Software
2010-08-25 15:36 . 2009-11-12 21:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-20 17:21 . 2010-05-13 08:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-20 15:36 . 2010-05-13 08:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Easy CD-DA Extractor
2010-08-20 15:36 . 2010-05-13 08:59 -------- d-----w- c:\program files\Easy CD-DA Extractor 2010
2010-08-17 08:29 . 2010-08-17 08:29 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-08-17 07:53 . 2010-06-17 16:52 86892 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-15 08:56 . 2009-11-19 11:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-15 08:56 . 2010-08-14 09:35 1680064 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
2010-08-15 08:43 . 2010-08-14 09:35 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2010-08-15 08:35 . 2009-12-03 14:11 -------- d-----w- c:\program files\Common Files\Merge Modules
2010-08-14 15:54 . 2009-11-16 17:24 117544 ----a-w- c:\documents and settings\Andi\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-14 15:54 . 2009-11-18 14:20 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-14 12:31 . 2009-12-03 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\PreEmptive Solutions
2010-08-14 09:45 . 2010-08-14 09:10 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2010-08-14 09:45 . 2010-08-14 09:45 -------- d-----w- c:\program files\Business Objects
2010-08-14 09:45 . 2010-08-14 09:45 -------- d-----w- c:\program files\Microsoft Device Emulator
2010-08-14 09:44 . 2010-08-14 09:42 -------- d-----w- c:\program files\Windows Mobile 5.0 SDK R2
2010-08-14 09:41 . 2010-08-14 09:41 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-08-14 09:41 . 2010-08-14 09:41 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-08-14 09:38 . 2009-12-03 14:11 -------- d-----w- c:\program files\Microsoft.NET
2010-08-14 09:10 . 2010-08-14 09:10 -------- d-----w- c:\program files\Microsoft SDKs
2010-08-14 09:08 . 2010-08-14 09:08 -------- d-----w- c:\program files\Microsoft Web Designer Tools
2010-08-14 09:06 . 2010-08-14 09:06 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2010-08-12 12:16 . 2010-09-04 15:05 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-08-11 07:33 . 2010-08-11 07:33 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.17.8\SetupAdmin.exe
2010-07-20 21:45 . 2010-07-20 21:45 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-07-17 08:11 . 2010-07-17 08:11 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-17 08:10 . 2010-05-10 17:12 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-30 12:31 . 2001-08-23 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Andi\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Andi\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Andi\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-16 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 577536]
"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-06-20 1056768]
"VTTimer"="VTTimer.exe" [2005-03-08 53248]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-17 2065760]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-06-16 2039240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

c:\documents and settings\Andi\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Andi\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MonacoGamma.lnk - c:\program files\Monaco Systems\MonacoOPTIX 2.0\MonacoGamma.exe [2009-11-17 102400]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-17 08:11 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-06-19 11:36 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2010-06-19 18:04 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2010-05-11 06:13 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 07:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-02-26 14:08 2289664 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 05:42 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-10-11 18:25 1961984 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
2009-10-26 16:26 753664 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-11-11 09:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 10:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 10:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"odserv"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Documents and Settings\\Andi\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [04/09/2010 17:03 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/05/2010 18:12 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/05/2010 18:12 243024]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [23/03/2010 18:40 229312]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [03/03/2010 17:54 25240]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [17/07/2010 09:11 308136]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26/08/2010 12:27 136176]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/08/2010 13:15 1355928]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [?]
S3 CoachVid;CoachVid;c:\windows\system32\drivers\CoachVid.sys [25/02/2010 23:20 45344]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [23/08/2001 13:00 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
S3 X-Rite;X-Rite USB Service;c:\windows\system32\drivers\XrUsb.sys [17/11/2009 16:30 14936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmdb

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-02-26 14:06 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-09-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 07:58]

2010-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

2010-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-26 11:26]

2010-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-26 11:26]

2010-09-26 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.developingperceptions.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
FF - ProfilePath - c:\documents and settings\Andi\Application Data\Mozilla\Firefox\Profiles\su9jtr2g.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://developingperceptions.co.uk/
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101056100&s=
FF - component: c:\documents and settings\Andi\Application Data\Mozilla\Firefox\Profiles\su9jtr2g.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101056100&s=c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-27 21:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1343024091-1390067357-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\guard32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(776)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(1960)
c:\windows\system32\WININET.dll
c:\documents and settings\Andi\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2010-09-27 21:27:08
ComboFix-quarantined-files.txt 2010-09-27 20:26

Pre-Run: 13,664,604,160 bytes free
Post-Run: 13,654,646,784 bytes free

- - End Of File - - 0C63C1F8DD1274AA8BC757C75F6D6894





Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4705

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

28/09/2010 01:51:32
mbam-log-2010-09-28 (01-51-32).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 411855
Time elapsed: 4 hour(s), 12 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:12:41 PM

Posted 28 September 2010 - 04:03 PM

Please run Combofix again as shown below

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

QUOTE
Firefox::
FF - ProfilePath - c:\documents and settings\Andi\Application Data\Mozilla\Firefox\Profiles\su9jtr2g.default\
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101056100&s=


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Referring to the picture above, drag CFScript into ComboFix.exe

If the program asks you to update ComboFix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE

#15 JediAndi

JediAndi
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Local time:01:41 PM

Posted 29 September 2010 - 04:49 AM

ComboFix 10-09-28.03 - Andi 29/09/2010 9:09.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2015.1128 [GMT 1:00]
Running from: c:\documents and settings\Andi\Desktop\comfix.exe
Command switches used :: c:\documents and settings\Andi\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-29 )))))))))))))))))))))))))))))))
.

2010-09-28 17:48 . 2010-09-29 07:57 20042 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3165u3164uq.bin
2010-09-28 06:41 . 2010-09-28 17:41 22904 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3164u3163iv.bin
2010-09-28 05:02 . 2010-09-28 17:41 317 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsb_242d241gl.bin
2010-09-27 18:02 . 2010-09-28 07:57 21421 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3163u3162jb.bin
2010-09-27 06:42 . 2010-09-27 17:42 29062 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3162u3161cm.bin
2010-09-27 05:04 . 2010-09-27 17:42 609 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_355d354cm.bin
2010-09-26 18:48 . 2010-09-27 08:25 45706 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3161u3160ua.bin
2010-09-26 07:08 . 2010-09-26 16:21 7623 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3160u3159hx.bin
2010-09-26 05:29 . 2010-09-26 16:21 1131 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_354d3539a.bin
2010-09-25 17:52 . 2010-09-26 07:49 38435 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3159u3158jm.bin
2010-09-25 06:42 . 2010-09-25 16:12 28393 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3158u3157iu.bin
2010-09-24 17:23 . 2010-09-25 07:49 26575 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3157u3156dz.bin
2010-09-24 06:43 . 2010-09-24 16:13 21127 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3156u3155sy.bin
2010-09-24 05:00 . 2010-09-24 16:13 837 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_353d352f.bin
2010-09-23 18:43 . 2010-09-24 07:49 47342 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3155u3154uz.bin
2010-09-23 08:14 . 2010-09-23 08:14 620896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2010-09-23 08:14 . 2010-09-23 08:14 4093792 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-09-23 08:14 . 2010-09-23 08:14 3586912 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-09-23 08:14 . 2010-09-23 08:14 1619296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-09-23 08:14 . 2010-09-23 08:14 1377632 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-09-23 08:14 . 2010-09-23 08:14 942432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2010-09-23 08:14 . 2010-09-23 08:14 598368 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-09-23 08:14 . 2010-09-23 08:14 4371296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-09-23 08:14 . 2010-09-23 08:14 300896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-09-23 08:12 . 2010-09-23 08:12 1690952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-09-23 06:43 . 2010-09-23 16:17 23965 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3154u3153ey.bin
2010-09-23 05:02 . 2010-09-24 07:49 595 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_352d351wf.bin
2010-09-22 18:49 . 2010-09-23 08:12 36812 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3153u3152xm.bin
2010-09-22 17:52 . 2010-09-23 08:12 731 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_351d349dt.bin
2010-09-22 13:57 . 2010-09-23 08:12 317 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsb_241d2407a.bin
2010-09-22 06:44 . 2010-09-22 17:35 11271 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3152u3151ew.bin
2010-09-22 05:01 . 2010-09-22 17:35 887 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_349d348sd.bin
2010-09-22 05:00 . 2010-09-22 17:35 7542 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsb_240d239sc.bin
2010-09-21 22:23 . 2010-09-22 08:11 50409 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3151u3149en.bin
2010-09-21 06:43 . 2010-09-21 17:27 47252 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3149u3147ol.bin
2010-09-21 05:00 . 2010-09-21 17:27 797 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_348d347ob.bin
2010-09-21 05:00 . 2010-09-21 17:27 4296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsb_239d238ob.bin
2010-09-20 06:42 . 2010-09-20 17:53 71646 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3147u3145pp.bin
2010-09-20 05:01 . 2010-09-20 17:53 1906 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_347d346kb.bin
2010-09-20 05:00 . 2010-09-20 17:53 24577 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsb_238d237ka.bin
2010-09-19 06:43 . 2010-09-19 16:49 353776 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3145u3135jp.bin
2010-09-18 11:36 . 2010-09-23 08:12 42387 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\f9lng855df.bin
2010-09-17 05:00 . 2010-09-19 16:49 875 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_346d34387.bin
2010-09-16 17:04 . 2010-09-16 17:05 -------- d-----w- c:\program files\QuickTime
2010-09-16 16:59 . 2010-09-16 16:59 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.18.5\SetupAdmin.exe
2010-09-16 06:41 . 2010-09-16 17:44 26193 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3138u3137ej.bin
2010-09-16 05:00 . 2010-09-19 16:49 7824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsb_237d23646.bin
2010-09-15 18:42 . 2010-09-16 04:48 53577 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3137u3135sx.bin
2010-09-15 05:01 . 2010-09-16 04:48 773 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_343d3426.bin
2010-09-15 05:00 . 2010-09-16 04:48 374771 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsb_236d2355.bin
2010-09-14 18:41 . 2010-09-15 07:48 27657 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3135u3134yi.bin
2010-09-14 06:42 . 2010-09-14 13:12 33104 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3134u3132iu.bin
2010-09-14 05:00 . 2010-09-14 13:12 940 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_342d341w3.bin
2010-09-13 06:42 . 2010-09-13 17:17 12858 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3132u3131pi.bin
2010-09-13 05:00 . 2010-09-13 17:17 868 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_341d339s2.bin
2010-09-12 18:40 . 2010-09-13 08:26 17494 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3131u3130bd.bin
2010-09-12 06:43 . 2010-09-12 10:16 88674 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3130u3125om.bin
2010-09-10 11:32 . 2010-09-23 14:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-09-10 07:14 . 2010-09-10 16:11 38359 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3126u3125zc.bin
2010-09-10 05:00 . 2010-09-13 17:17 9056 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsb_235d234fz.bin
2010-09-09 18:39 . 2010-09-10 08:19 20825 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3125u3124lw.bin
2010-09-09 15:00 . 2010-09-23 08:12 400 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\f9lsimg855b847ga.bin
2010-09-09 15:00 . 2010-09-23 08:12 129578 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\f9lsie856b845pu.bin
2010-09-09 15:00 . 2010-09-23 08:12 111242 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\f9lsff855b847dg.bin
2010-09-09 15:00 . 2010-09-23 08:12 4562 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\f9lngus855b851cy.bin
2010-09-09 15:00 . 2010-09-23 08:12 157572 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\f9krnl855b847ny.bin
2010-09-09 15:00 . 2010-09-23 08:12 263053 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\f9core856b846dn.bin
2010-09-09 15:00 . 2010-09-23 08:12 207612 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\f9ui856b832zm.bin
2010-09-09 15:00 . 2010-09-23 08:12 140187 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\f9upd855b839vh.bin
2010-09-09 15:00 . 2010-09-23 08:12 326598 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\f9setup855b832me.bin
2010-09-09 15:00 . 2010-09-23 08:12 62192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\f9nsx855b832dt.bin
2010-09-09 14:59 . 2010-09-23 08:12 27706 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\f9chjc855b832ur.bin
2010-09-09 06:45 . 2010-09-09 17:47 213829 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3124u3113ib.bin
2010-09-09 05:00 . 2010-09-09 17:47 232601 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_339by.bin
2010-09-09 05:00 . 2010-09-09 17:47 425468 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsb_234d232by.bin
2010-09-08 06:16 . 2010-09-08 21:00 202041 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3121u3111sr.bin
2010-09-08 05:00 . 2010-09-08 21:00 1219 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_338d3347x.bin
2010-09-05 18:29 . 2010-09-05 18:29 -------- d-----w- c:\program files\SpywareBlaster
2010-09-05 16:26 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-05 05:20 . 2010-09-08 21:00 413430 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsb_233d232wd.bin
2010-09-04 18:41 . 2010-09-05 07:23 39740 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3114u3113cp.bin
2010-09-04 16:38 . 2010-09-04 16:38 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-09-04 16:03 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-04 16:03 . 2010-09-04 16:03 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-04 15:49 . 2010-09-04 15:49 63488 ----a-w- c:\documents and settings\Andi\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-04 15:49 . 2010-09-04 15:49 52224 ----a-w- c:\documents and settings\Andi\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-04 15:48 . 2010-09-04 15:48 117760 ----a-w- c:\documents and settings\Andi\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-04 15:47 . 2010-09-04 15:47 -------- d-----w- c:\documents and settings\Andi\Application Data\SUPERAntiSpyware.com
2010-09-04 15:47 . 2010-09-04 15:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-04 15:46 . 2010-09-16 05:05 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-09-04 15:42 . 2010-09-04 15:55 -------- d-----w- c:\program files\SpywareGuard
2010-09-04 15:07 . 2010-09-04 15:07 -------- d-----w- c:\documents and settings\Andi\Local Settings\Application Data\Sunbelt Software
2010-09-04 15:05 . 2010-08-12 12:16 574219 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\mia.lib
2010-09-04 15:05 . 2010-09-04 15:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-04 15:05 . 2010-08-12 12:16 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-09-04 15:05 . 2010-09-04 15:05 -------- d-----w- c:\program files\Lavasoft
2010-09-04 15:05 . 2010-09-04 16:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-09-04 08:55 . 2010-09-04 08:55 -------- d-----w- c:\documents and settings\All Users\Application Data\VOWSoft
2010-09-04 08:54 . 2010-09-04 08:54 -------- d-----w- c:\program files\iPodRobot
2010-09-04 06:42 . 2010-09-04 16:50 13470 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3113u3112bp.bin
2010-09-04 05:18 . 2010-09-04 16:50 581 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_334d333sa.bin
2010-09-03 18:41 . 2010-09-04 07:23 43244 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3112u3111zm.bin
2010-09-03 06:41 . 2010-09-03 20:56 20112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3111u3110xi.bin
2010-09-03 05:00 . 2010-09-03 20:56 1136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_333d332nr.bin
2010-09-02 18:56 . 2010-09-03 07:25 35984 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3110u3108dv.bin
2010-09-02 15:05 . 2010-09-02 15:05 -------- d-----w- c:\program files\iPod
2010-09-02 15:05 . 2010-09-02 15:07 -------- d-----w- c:\program files\iTunes
2010-09-02 14:47 . 2010-09-02 14:47 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-09-02 13:51 . 2010-09-02 13:51 -------- d-----w- c:\program files\Regensoft
2010-09-02 13:51 . 2010-09-02 13:51 -------- d-----w- c:\program files\Red Kawa
2010-09-02 09:27 . 2010-09-02 20:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-02 09:27 . 2010-09-02 10:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-02 06:41 . 2010-09-02 17:04 31029 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3108u3107iu.bin
2010-09-02 05:53 . 2010-09-02 17:04 768 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_332d331l7.bin
2010-09-02 05:53 . 2010-09-02 17:04 8986 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsb_232d231l7.bin
2010-09-01 20:32 . 2010-09-01 20:32 -------- d-----w- c:\documents and settings\Andi\Application Data\Malwarebytes
2010-09-01 20:31 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-01 20:31 . 2010-09-01 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-01 20:31 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-01 20:31 . 2010-09-27 20:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-01 18:41 . 2010-09-02 08:07 51872 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3107u3106uz.bin
2010-09-01 10:28 . 2010-09-01 10:28 -------- d-----w- c:\program files\Apple Software Update
2010-09-01 06:42 . 2010-09-01 17:24 15966 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3106u3105uk.bin
2010-09-01 05:00 . 2010-09-01 17:24 557 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_331d330fp.bin
2010-08-31 18:41 . 2010-09-01 06:08 49568 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3105u3103xg.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-26 15:10 . 2010-05-15 15:10 0 ----a-w- c:\documents and settings\Andi\Local Settings\Application Data\prvlcl.dat
2010-09-26 11:40 . 2010-05-10 20:02 -------- d-----w- c:\documents and settings\Andi\Application Data\Dropbox
2010-09-26 11:36 . 2010-05-10 17:12 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-09-16 17:00 . 2010-07-20 22:03 -------- d-----w- c:\program files\Safari
2010-09-02 15:05 . 2009-11-20 11:28 -------- d-----w- c:\program files\Common Files\Apple
2010-09-02 06:01 . 2010-05-11 14:39 -------- d-----w- c:\documents and settings\Andi\Application Data\BitTorrent
2010-08-31 12:47 . 2010-06-16 10:01 -------- d-----w- c:\documents and settings\Andi\Application Data\PTGui
2010-08-30 17:52 . 2010-08-30 06:41 24320 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3102u3101lh.bin
2010-08-30 17:52 . 2010-08-30 05:00 550 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\x8xplsc_328d327ol.bin
2010-08-30 09:02 . 2009-11-20 11:38 -------- d-----w- c:\documents and settings\Andi\Application Data\Apple Computer
2010-08-30 08:02 . 2010-08-29 18:41 29869 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\download\u9iavi3101u3100qu.bin
2010-08-26 11:35 . 2010-08-26 11:26 -------- d-----w- c:\program files\Google
2010-08-26 10:34 . 2010-08-25 15:41 -------- d-----w- c:\documents and settings\Andi\Application Data\onOne Software
2010-08-25 15:44 . 2010-08-25 15:44 -------- d-----w- c:\program files\Common Files\onOne Software Shared
2010-08-25 15:44 . 2010-08-25 15:36 -------- d-----w- c:\program files\onOne Software
2010-08-25 15:43 . 2010-08-25 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\onOne Software
2010-08-25 15:36 . 2009-11-12 21:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-20 17:21 . 2010-05-13 08:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-20 15:36 . 2010-05-13 08:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Easy CD-DA Extractor
2010-08-20 15:36 . 2010-05-13 08:59 -------- d-----w- c:\program files\Easy CD-DA Extractor 2010
2010-08-17 08:29 . 2010-08-17 08:29 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-08-17 07:53 . 2010-06-17 16:52 86892 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-15 08:56 . 2009-11-19 11:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-15 08:56 . 2010-08-14 09:35 1680064 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
2010-08-15 08:43 . 2010-08-14 09:35 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2010-08-15 08:35 . 2009-12-03 14:11 -------- d-----w- c:\program files\Common Files\Merge Modules
2010-08-14 15:54 . 2009-11-16 17:24 117544 ----a-w- c:\documents and settings\Andi\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-14 15:54 . 2009-11-18 14:20 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-14 12:31 . 2009-12-03 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\PreEmptive Solutions
2010-08-14 09:45 . 2010-08-14 09:10 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2010-08-14 09:45 . 2010-08-14 09:45 -------- d-----w- c:\program files\Business Objects
2010-08-14 09:45 . 2010-08-14 09:45 -------- d-----w- c:\program files\Microsoft Device Emulator
2010-08-14 09:44 . 2010-08-14 09:42 -------- d-----w- c:\program files\Windows Mobile 5.0 SDK R2
2010-08-14 09:41 . 2010-08-14 09:41 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-08-14 09:41 . 2010-08-14 09:41 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-08-14 09:38 . 2009-12-03 14:11 -------- d-----w- c:\program files\Microsoft.NET
2010-08-14 09:10 . 2010-08-14 09:10 -------- d-----w- c:\program files\Microsoft SDKs
2010-08-14 09:08 . 2010-08-14 09:08 -------- d-----w- c:\program files\Microsoft Web Designer Tools
2010-08-14 09:06 . 2010-08-14 09:06 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2010-08-11 07:33 . 2010-08-11 07:33 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.17.8\SetupAdmin.exe
2010-07-20 21:45 . 2010-07-20 21:45 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-07-17 08:11 . 2010-07-17 08:11 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-17 08:10 . 2010-05-10 17:12 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Andi\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Andi\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Andi\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-16 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 577536]
"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-06-20 1056768]
"VTTimer"="VTTimer.exe" [2005-03-08 53248]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-17 2065760]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-06-16 2039240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

c:\documents and settings\Andi\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Andi\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MonacoGamma.lnk - c:\program files\Monaco Systems\MonacoOPTIX 2.0\MonacoGamma.exe [2009-11-17 102400]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-17 08:11 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-06-19 11:36 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2010-06-19 18:04 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2010-05-11 06:13 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 07:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-02-26 14:08 2289664 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 05:42 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-10-11 18:25 1961984 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
2009-10-26 16:26 753664 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-11-11 09:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 10:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 10:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"odserv"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Documents and Settings\\Andi\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [04/09/2010 17:03 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/05/2010 18:12 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/05/2010 18:12 243024]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [23/03/2010 18:40 229312]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [03/03/2010 17:54 25240]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [17/07/2010 09:11 308136]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/08/2010 13:15 15008]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26/08/2010 12:27 136176]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/08/2010 13:15 1356952]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [?]
S3 CoachVid;CoachVid;c:\windows\system32\drivers\CoachVid.sys [25/02/2010 23:20 45344]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [23/08/2001 13:00 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
S3 X-Rite;X-Rite USB Service;c:\windows\system32\drivers\XrUsb.sys [17/11/2009 16:30 14936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*NewlyCreated* - LAVASOFT_KERNEXPLORER
*Deregistered* - klmdb

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-02-26 14:06 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-09-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 16:12]

2010-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

2010-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-26 11:26]

2010-09-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-26 11:26]

2010-09-26 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.developingperceptions.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
FF - ProfilePath - c:\documents and settings\Andi\Application Data\Mozilla\Firefox\Profiles\su9jtr2g.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://developingperceptions.co.uk/
FF - component: c:\documents and settings\Andi\Application Data\Mozilla\Firefox\Profiles\su9jtr2g.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-29 09:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1343024091-1390067357-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\guard32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(776)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(1648)
c:\windows\system32\WININET.dll
c:\documents and settings\Andi\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2010-09-29 10:04:07
ComboFix-quarantined-files.txt 2010-09-29 09:03

Pre-Run: 13,614,141,440 bytes free
Post-Run: 13,598,658,560 bytes free

- - End Of File - - 100C22AC8860A34BBE915BD7CDBCE139