
Browser hijacked


  • This topic is locked
12 replies to this topic

#1 diggers41

diggers41

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:21 AM

Posted 25 October 2010 - 03:24 PM

When I try to search on Google or any search engine I get directed to different sites, and usually I get a warning message that the site is dangerous.
When I run Spybot it lists 2 trojans (c02 virtumonde.sdn) and 1 trojan (CN.wAQdN) but will not clear them; also it will not let AVG do a scan.
Any help would be great!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:49:51, on 25/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17091)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MediaKey\MediaKey.EXE
C:\WINDOWS\System32\drivers\PhiBtn.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/m/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {025C48C1-D7D3-4DFA-8C20-2E9F3BCB4B18} - C:\WINDOWS\system32\atmpvcno32.dll
O2 - BHO: (no name) - {03AA6538-0717-4012-8C54-4BA3D9FC1E3a} - C:\WINDOWS\system32\atmpvcno32.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0EEDB912-C5FA-486F-8334-57288578C627} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: 7ceb6de8 - {BDB98824-30DB-EB95-4749-77FD2A98E1FC} - C:\WINDOWS\system32\kbdit32.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MediaKey] C:\PROGRA~1\MediaKey\MediaKey.EXE
O4 - HKLM\..\Run: [PhiBtn] %SystemRoot%\System32\drivers\PhiBtn.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\Pat\Application Data\SysWin\lsass.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-861567501-2139871995-725345543-500\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Administrator')
O4 - HKUS\S-1-5-21-861567501-2139871995-725345543-500\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe" (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk.disabled
O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O8 - Extra context menu item: Download with &Shareaza - res://C:\Program Files\Shareaza\Plugins\RazaWebHook.dll/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.adorons.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} -
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://rimmel.ai-media.com/save/makeover.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/7.20.0003/OCI/setup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101659472046
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{52B07856-2F7F-4727-BD8A-4A5AB8DCA5BD}: NameServer = 82.195.137.70,82.195.137.71
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdit32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Volume Shadow Copy (VSS32) - Unknown owner - C:\WINDOWS\system32\tcpmonui32.exe (file missing)

--
End of file - 12894 bytes

Edited by boopme, 25 October 2010 - 03:28 PM.
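As an added example (not a tool from this thread, BleepingComputer or Trend Micro), the script below runs the checks a malware-response volunteer applies first to a HijackThis log like the one above: a loopback proxy, unnamed BHOs in system32, AppInit_DLLs, the Policies\Explorer\Run key, orphaned Winlogon Notify entries and services, and a redirected start page. The allowlist `KNOWN_PAGE_HOSTS` and the rule names are assumptions; the sample lines are copied from the first log in this thread.

```python
"""Triage a HijackThis log for the entry types seen in the log above (added example)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: a subset of the lines from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/m/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {025C48C1-D7D3-4DFA-8C20-2E9F3BCB4B18} - C:\WINDOWS\system32\atmpvcno32.dll
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\Pat\Application Data\SysWin\lsass.exe
O15 - Trusted Zone: *.adorons.com
O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdit32.dll
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)
O23 - Service: Volume Shadow Copy (VSS32) - Unknown owner - C:\WINDOWS\system32\tcpmonui32.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Start/search pages are only expected on these hosts (assumption: adjust to your environment).
KNOWN_PAGE_HOSTS = {"go.microsoft.com"}

SECTION_RE = re.compile(r"([RO]\d+)\s+-\s+")
PAGE_SETTING_RE = re.compile(r"(Start Page|Search Page|Default_Page_URL|Default_Search_URL)\s*=\s*(\S+)")
LOOPBACK_PROXY_RE = re.compile(r"ProxyServer\s*=\s*127\.0\.0\.1:\d+")
SYSTEM32_RE = re.compile(r"\\(?:windows|winnt)\\system32\\", re.IGNORECASE)
CORE_EXE_RE = re.compile(r"\\(?:lsass|csrss|smss|winlogon|services)\.exe\b", re.IGNORECASE)


@dataclass
class Finding:
    section: str                 # HijackThis section code, e.g. "O20"
    line: str                    # the raw log line
    reasons: list = field(default_factory=list)


def check_line(line: str):
    """Return a Finding for one log line, or None when no rule fires."""
    line = line.strip()
    m = SECTION_RE.match(line)
    if not m:
        return None              # header, process list or blank line
    sec, reasons = m.group(1), []

    if sec in ("R0", "R1"):
        page = PAGE_SETTING_RE.search(line)
        host = urlparse(page.group(2)).hostname if page else None
        if host and host not in KNOWN_PAGE_HOSTS:
            reasons.append(f"start/search page points to unfamiliar host {host}")
        if LOOPBACK_PROXY_RE.search(line):
            reasons.append("browser traffic proxied through a loopback port (local interception)")
    elif sec == "O2" and "(no name)" in line and SYSTEM32_RE.search(line):
        reasons.append("unnamed BHO loaded from system32")
    elif sec == "O4":
        if "\\Policies\\Explorer\\Run" in line:
            reasons.append("autorun via Policies\\Explorer\\Run (rarely used by legitimate software)")
        if CORE_EXE_RE.search(line) and not SYSTEM32_RE.search(line):
            reasons.append("executable named like a core Windows process outside system32")
    elif sec == "O15":
        reasons.append("domain added to the Trusted Zone")
    elif sec == "O20":
        if line.startswith("O20 - AppInit_DLLs:") and line.partition(":")[2].strip():
            reasons.append("AppInit_DLLs injects this DLL into every user-mode process")
        elif "(file missing)" in line:
            reasons.append("orphaned Winlogon Notify entry; confirm the DLL is really gone")
    elif sec == "O23" and "Unknown owner" in line and "(file missing)" in line:
        reasons.append("service with no publisher whose binary is missing")

    return Finding(sec, line, reasons) if reasons else None


def triage(log_text: str) -> list:
    """Run check_line over a whole log; returns findings in log order."""
    return [f for f in map(check_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {'; '.join(f.reasons)}\n    {f.line}")
```

The rules only flag lines for review; an entry such as the AVG `avgrsstarter (file missing)` notify hook will also be listed and must be judged by a human, as the helpers in this thread do.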



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:21 AM

Posted 25 October 2010 - 03:55 PM

Hello diggers41 ,


Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Please also post a new HijackThis log so I can see what's left to remove. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 diggers41

diggers41
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:21 AM

Posted 26 October 2010 - 05:33 PM

Hi tea, so far so good, thanks for the help,

diggers from planet Dublin




Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4955

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

26/10/2010 23:21:01
mbam-log-2010-10-26 (23-21-01).txt

Scan type: Quick scan
Objects scanned: 172320
Time elapsed: 13 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rthdbpl (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Pat\Application Data\SysWin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32 (Worm.Archive) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\170.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\27.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pat\Local Settings\Temporary Internet Files\Content.IE5\RM7BL45P\smile[1].gif (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1455581159v4.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1455581159v5.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1455581159v6.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1455581159v7.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1455581159v0 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1455581159v0.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1455581159v1 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1455581159v1.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1455581159v2 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1455581159v2.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1455581159v3 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1455581159v3.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1455581159v0 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1455581159v1 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1455581159v2 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1455581159v3 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\GnuHashes.ini (Trojan.Tracur) -> Quarantined and deleted successfully.



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:29:22, on 26/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17091)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\MediaKey\MediaKey.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\drivers\PhiBtn.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/m/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {025C48C1-D7D3-4DFA-8C20-2E9F3BCB4B18} - C:\WINDOWS\system32\atmpvcno32.dll
O2 - BHO: (no name) - {03AA6538-0717-4012-8C54-4BA3D9FC1E3a} - C:\WINDOWS\system32\atmpvcno32.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0EEDB912-C5FA-486F-8334-57288578C627} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: 7ceb6de8 - {BDB98824-30DB-EB95-4749-77FD2A98E1FC} - C:\WINDOWS\system32\kbdit32.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MediaKey] C:\PROGRA~1\MediaKey\MediaKey.EXE
O4 - HKLM\..\Run: [PhiBtn] %SystemRoot%\System32\drivers\PhiBtn.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk.disabled
O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled
O4 - Global Startup: Norton GoBack.lnk.disabled
O8 - Extra context menu item: Download with &Shareaza - res://C:\Program Files\Shareaza\Plugins\RazaWebHook.dll/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.adorons.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} -
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://rimmel.ai-media.com/save/makeover.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/7.20.0003/OCI/setup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101659472046
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{52B07856-2F7F-4727-BD8A-4A5AB8DCA5BD}: NameServer = 82.195.137.70,82.195.137.71
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdit32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Volume Shadow Copy (VSS32) - Unknown owner - C:\WINDOWS\system32\tcpmonui32.exe (file missing)

--
End of file - 12254 bytes

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 26 October 2010 - 05:51 PM

Hello,

You're welcome. :)

Not totally happy with that, but it does look better. Can AVG get through a scan now?


Please visit the online Jotti Virus Scanner.
  • Copy and paste the following filepath in the box:

    C:\WINDOWS\system32\kbdit32.dll
  • Click on the submit button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#5 diggers41

diggers41
  • Topic Starter

  • Members
  • 10 posts

Posted 26 October 2010 - 07:29 PM

Hi, AVG won't scan.
When I downloaded the Jotti Virus scanner, copied the C:\WINDOWS\system32\kbdit32.dll and tried to paste it as you said, it won't let me; it just goes to browse each time I try. I can't even type it in manually. Sorry!

diggers

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 26 October 2010 - 07:34 PM

Okay, thank you for trying. Like I said, I wasn't happy with those logs, even though you said it was better. Let's do something stronger and see what it finds:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to diggers.exe and try again.

Thanks,
tea

#7 diggers41

diggers41
  • Topic Starter

  • Members
  • 10 posts

Posted 27 October 2010 - 06:06 AM

Hi Tea, did that OK. Here is the log,

Thanks,

ComboFix 10-10-26.03 - Pat 27/10/2010 10:31:39.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.644 [GMT 1:00]
Running from: c:\documents and settings\Pat\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\documents\setup.exe
c:\documents and settings\LocalService\Application Data\02000000d9c009d51053C.manifest
c:\documents and settings\LocalService\Application Data\02000000d9c009d51053O.manifest
c:\documents and settings\LocalService\Application Data\02000000d9c009d51053P.manifest
c:\documents and settings\LocalService\Application Data\02000000d9c009d51053S.manifest
c:\documents and settings\Pat\Application Data\inst.exe
c:\documents and settings\Pat\Application Data\Mozilla\Firefox\Profiles\fcrw5t94.Default User\extensions\{6219d01f-7bae-4db4-af4c-fe8026a39b8b}
c:\documents and settings\Pat\Application Data\Mozilla\Firefox\Profiles\fcrw5t94.Default User\extensions\{6219d01f-7bae-4db4-af4c-fe8026a39b8b}\chrome.manifest
c:\documents and settings\Pat\Application Data\Mozilla\Firefox\Profiles\fcrw5t94.Default User\extensions\{6219d01f-7bae-4db4-af4c-fe8026a39b8b}\chrome\xulcache.jar
c:\documents and settings\Pat\Application Data\Mozilla\Firefox\Profiles\fcrw5t94.Default User\extensions\{6219d01f-7bae-4db4-af4c-fe8026a39b8b}\defaults\preferences\xulcache.js
c:\documents and settings\Pat\Application Data\Mozilla\Firefox\Profiles\fcrw5t94.Default User\extensions\{6219d01f-7bae-4db4-af4c-fe8026a39b8b}\install.rdf
c:\documents and settings\Pat\Application Data\Mozilla\Firefox\Profiles\fcrw5t94.Default User\extensions\{7f72f394-879d-4893-aa37-9ebe1fa1d3e8}
c:\documents and settings\Pat\Application Data\Mozilla\Firefox\Profiles\fcrw5t94.Default User\extensions\{7f72f394-879d-4893-aa37-9ebe1fa1d3e8}\chrome.manifest
c:\documents and settings\Pat\Application Data\Mozilla\Firefox\Profiles\fcrw5t94.Default User\extensions\{7f72f394-879d-4893-aa37-9ebe1fa1d3e8}\chrome\xulcache.jar
c:\documents and settings\Pat\Application Data\Mozilla\Firefox\Profiles\fcrw5t94.Default User\extensions\{7f72f394-879d-4893-aa37-9ebe1fa1d3e8}\defaults\preferences\xulcache.js
c:\documents and settings\Pat\Application Data\Mozilla\Firefox\Profiles\fcrw5t94.Default User\extensions\{7f72f394-879d-4893-aa37-9ebe1fa1d3e8}\install.rdf
c:\documents and settings\Pat\Application Data\Mozilla\Firefox\Profiles\i3bze2ew.default\extensions\{6219d01f-7bae-4db4-af4c-fe8026a39b8b}
c:\documents and settings\Pat\Application Data\Mozilla\Firefox\Profiles\i3bze2ew.default\extensions\{6219d01f-7bae-4db4-af4c-fe8026a39b8b}\chrome.manifest
c:\documents and settings\Pat\Application Data\Mozilla\Firefox\Profiles\i3bze2ew.default\extensions\{6219d01f-7bae-4db4-af4c-fe8026a39b8b}\chrome\xulcache.jar
c:\documents and settings\Pat\Application Data\Mozilla\Firefox\Profiles\i3bze2ew.default\extensions\{6219d01f-7bae-4db4-af4c-fe8026a39b8b}\defaults\preferences\xulcache.js
c:\documents and settings\Pat\Application Data\Mozilla\Firefox\Profiles\i3bze2ew.default\extensions\{6219d01f-7bae-4db4-af4c-fe8026a39b8b}\install.rdf
c:\documents and settings\Pat\Application Data\Mozilla\Firefox\Profiles\i3bze2ew.default\extensions\{7f72f394-879d-4893-aa37-9ebe1fa1d3e8}
c:\documents and settings\Pat\Application Data\Mozilla\Firefox\Profiles\i3bze2ew.default\extensions\{7f72f394-879d-4893-aa37-9ebe1fa1d3e8}\chrome.manifest
c:\documents and settings\Pat\Application Data\Mozilla\Firefox\Profiles\i3bze2ew.default\extensions\{7f72f394-879d-4893-aa37-9ebe1fa1d3e8}\chrome\xulcache.jar
c:\documents and settings\Pat\Application Data\Mozilla\Firefox\Profiles\i3bze2ew.default\extensions\{7f72f394-879d-4893-aa37-9ebe1fa1d3e8}\defaults\preferences\xulcache.js
c:\documents and settings\Pat\Application Data\Mozilla\Firefox\Profiles\i3bze2ew.default\extensions\{7f72f394-879d-4893-aa37-9ebe1fa1d3e8}\install.rdf
c:\documents and settings\Pat\My Documents\DPE.DUS
c:\documents and settings\PhotoDVD\azid.dll
c:\documents and settings\PhotoDVD\imagemagick.dll
c:\documents and settings\PhotoDVD\ogg.dll
c:\documents and settings\PhotoDVD\ogg_tag.dll
c:\documents and settings\PhotoDVD\PhotoPlayer.exe
c:\documents and settings\PhotoDVD\vorbis.dll
c:\documents and settings\PhotoDVD\vorbisfile.dll
c:\documents and settings\PhotoDVD\wm9stub.dll
c:\program files\\setup.exe
c:\program files\Common Files\sembly~1
c:\program files\Setup.exe
c:\windows\curity~1
c:\windows\curity~1\??curity\ctxad-428.0001
c:\windows\curity~1\??curity\ctxad-428.0002
c:\windows\curity~1\??curity\ctxad-428.0003
c:\windows\curity~1\??curity\ctxad-428.0004
c:\windows\curity~1\??curity\ctxad-428.0005
c:\windows\system32\1051351770
c:\windows\system32\atmpvcno32.dll
c:\windows\system32\STEC3.sys
c:\windows\system32\unrar.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDISRD
-------\Legacy_STEC3
-------\Service_STEC3


((((((((((((((((((((((((( Files Created from 2010-09-27 to 2010-10-27 )))))))))))))))))))))))))))))))
.

2010-10-27 09:19 . 2010-10-27 09:19 -------- d-----w- C:\AVGTemp
2010-10-26 21:39 . 2010-10-26 21:39 -------- d-----w- c:\documents and settings\Pat\Application Data\Malwarebytes
2010-10-26 21:28 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-26 21:28 . 2010-10-26 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-26 21:28 . 2010-10-26 21:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-26 21:28 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-25 19:48 . 2010-10-25 19:48 388096 ----a-r- c:\documents and settings\Pat\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-25 19:48 . 2010-10-25 19:48 -------- d-----w- c:\program files\Trend Micro
2010-10-25 14:13 . 2010-10-25 14:13 -------- d-----w- c:\documents and settings\Pat\Application Data\SUPERAntiSpyware.com
2010-10-25 14:13 . 2010-10-25 14:13 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-10-25 14:12 . 2010-10-25 14:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-24 23:19 . 2010-10-24 23:19 1133056 --sha-w- c:\windows\system32\7F.tmp
2010-10-24 02:07 . 2010-10-24 02:07 180736 ----a-w- c:\windows\system32\kbdir32.exe
2010-10-23 00:13 . 2010-10-23 00:13 -------- d-----w- C:\VundoFix Backups
2010-10-21 19:17 . 2010-10-21 19:17 0 ---ha-w- c:\documents and settings\Pat\rfjnibwzja.tmp
2010-10-21 10:27 . 2010-10-21 10:27 250368 ----a-w- c:\windows\system32\kbdit32.dll
2010-10-18 21:53 . 2010-10-18 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-10-15 20:38 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-15 09:25 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-15 09:25 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 23:29 . 2010-10-23 12:44 -------- d-----w- c:\documents and settings\Pat\Application Data\Media Player Classic
2010-10-13 23:08 . 2010-04-16 17:00 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
2010-10-13 23:08 . 2010-04-16 17:00 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
2010-10-13 23:08 . 2010-04-16 17:00 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
2010-10-13 23:08 . 2010-04-16 17:00 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
2010-10-13 23:08 . 2010-04-16 17:00 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
2010-10-13 23:08 . 2010-04-16 17:00 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
2010-10-13 23:08 . 2010-03-17 20:53 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-10-13 23:08 . 2010-03-17 20:53 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-10-13 23:08 . 2010-03-17 20:53 180224 ----a-w- c:\windows\system32\QTCF.dll
2010-10-13 23:07 . 2010-10-13 23:43 -------- d-----w- c:\program files\QuickTime Alternative

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 11:23 . 2003-07-16 20:33 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2003-07-16 20:33 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2003-07-16 20:33 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2003-07-16 20:33 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38 . 2003-07-16 20:51 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2003-07-16 20:30 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2004-11-28 16:49 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2003-07-16 20:25 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 15:57 . 2004-11-28 16:49 389120 ----a-w- c:\windows\system32\html.iec
2010-09-01 11:51 . 2003-07-16 20:24 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2003-07-16 20:51 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2003-07-16 20:47 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2003-07-16 20:46 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2003-07-16 20:46 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-15 10:05 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2003-07-16 20:25 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-19 20:58 . 2010-08-19 20:57 3420304 ----a-w- c:\program files\ccsetup234.exe
2010-08-17 13:17 . 2003-07-16 20:46 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2002-11-07 17:47 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-05-29 15:11 . 2010-05-29 15:10 3387040 ----a-w- c:\program files\ccsetup232.exe
2010-05-22 07:28 . 2010-05-22 07:27 3382520 ----a-w- c:\program files\ccsetup231.exe
2010-05-02 22:57 . 2010-05-02 22:54 8036352 ----a-w- c:\program files\irfanview_plugins_425_setup.exe
2010-05-02 22:48 . 2010-05-02 22:47 1359360 ----a-w- c:\program files\iview425_setup.exe
2010-04-05 16:39 . 2010-04-05 16:38 3376656 ----a-w- c:\program files\ccsetup230.exe
2010-03-27 10:47 . 2010-02-03 23:21 18119248 ----a-w- c:\program files\vsoConvertXtoDVD4_setup.exe
2010-03-23 00:08 . 2010-03-23 00:07 3396856 ----a-w- c:\program files\ccsetup229.exe
2010-03-19 23:33 . 2006-06-19 21:43 986904 ----a-w- c:\program files\DivXInstaller.exe
2010-03-02 23:32 . 2010-03-02 23:31 1022552 ----a-w- c:\program files\SetupOviPlayer.exe
2010-03-02 21:25 . 2010-03-02 21:09 98302544 ----a-w- c:\program files\Nokia_Ovi_Suite_webinstaller_ALL.exe
2010-02-20 11:40 . 2010-02-20 11:36 33767936 ----a-w- c:\program files\Express_HD_EN_1_1_127.exe
2010-02-12 10:41 . 2010-02-12 10:40 3351811 ----a-w- c:\program files\eMule0.49c-Installer2.exe
2009-12-01 23:08 . 2009-12-01 23:07 380725 ----a-w- c:\program files\LIVE TV Setup.exe
2009-12-01 23:06 . 2010-03-07 16:29 318904 ----a-w- c:\program files\wmpfirefoxplugin.exe
2009-12-01 22:21 . 2009-12-01 22:21 2467655 ----a-w- c:\program files\freez_online_tv.exe
2009-11-04 22:14 . 2009-11-04 22:13 891008 ----a-w- c:\program files\avg_free_stb_en_9_39_free.exe
2009-11-02 18:30 . 2009-11-02 18:29 13197997 ----a-w- c:\program files\acdseepro-2-5-363-en-update.exe
2009-10-03 09:18 . 2009-10-03 09:17 4998707 ----a-w- c:\program files\flvplayer_setup.exe
2009-09-13 15:14 . 2009-09-13 15:14 652794 ----a-w- c:\program files\Xvid-1.2.2-07062009.exe
2009-09-13 09:29 . 2009-09-13 09:29 2744087 ----a-w- c:\program files\flac-1.2.1b.exe
2009-09-11 20:22 . 2009-09-11 20:21 2796320 ----a-w- c:\program files\UseNeXTSetup_5.02.exe
2009-08-25 16:25 . 2009-08-25 16:22 7872680 ----a-w- c:\program files\Firefox Setup 3.5.2.exe
2009-08-18 18:37 . 2009-08-18 16:25 406903544 ----a-w- c:\program files\Nero-7.11.10.0_all_update.exe
2009-08-10 13:05 . 2007-11-14 21:37 1925024 ----a-w- c:\program files\install_flash_player.exe
2009-04-24 20:56 . 2009-04-24 20:16 63752952 ----a-w- c:\program files\avg_free_stf_en_85_287a1483.exe
2009-04-07 09:38 . 2009-04-07 09:36 7344888 ----a-w- c:\program files\Firefox Setup 3.0.8.exe
2008-12-31 09:45 . 2008-12-31 09:40 16980600 ----a-w- c:\program files\vsoConvertXtoDVD3_setup(2).exe
2008-12-13 21:42 . 2006-09-22 21:06 894504 ----a-w- c:\program files\WGAPluginInstall.exe
2008-10-24 23:35 . 2006-07-02 16:44 6249208 ----a-w- c:\program files\BlindWrite6_setup.exe
2008-10-24 22:46 . 2008-10-24 22:43 15975328 ----a-w- c:\program files\vsoConvertXtoDVD3_setup.exe
2008-10-19 11:42 . 2008-10-19 11:36 23776160 ----a-w- c:\program files\NokiaSoftwareUpdaterSetup_en.exe
2008-10-04 16:57 . 2008-10-04 16:57 23510720 ----a-w- c:\program files\dotnetfx.exe
2008-10-04 13:17 . 2008-10-04 13:15 2934168 ----a-w- c:\program files\ccsetup212.exe
2008-09-27 10:17 . 2008-09-27 10:12 7957165 ----a-w- c:\program files\acdseepro-2-5-335-en-update.exe
2008-09-20 14:06 . 2008-09-20 14:06 2928600 ----a-w- c:\program files\ccsetup211(2).exe
2008-09-09 17:35 . 2008-09-09 17:15 38167568 ----a-w- c:\program files\acdseepro-2-5-332-en.exe
2008-08-31 12:57 . 2008-08-31 12:56 2928600 ----a-w- c:\program files\ccsetup211.exe
2008-08-03 11:42 . 2008-08-03 11:41 2922072 ----a-w- c:\program files\ccsetup210.exe
2008-07-15 21:11 . 2008-07-15 21:11 19153264 ----a-w- c:\program files\aaw2008.exe
2008-07-15 21:00 . 2008-07-15 21:00 2919360 ----a-w- c:\program files\ccsetup209.exe
2008-03-15 17:03 . 2008-03-15 17:02 5829600 ----a-w- c:\program files\Firefox Setup 2.0.0.12.exe
2008-03-15 14:49 . 2008-03-15 14:29 125892318 ----a-w- c:\program files\OOo_2.3.1_Win32Intel_install_wJRE_en-US.exe
2008-02-21 22:21 . 2008-02-21 22:21 2733520 ----a-w- c:\program files\ccsetup205.exe
2008-02-19 19:18 . 2008-02-19 19:12 23454528 ----a-w- c:\program files\AdbeRdr812_en_US.exe
2008-02-17 11:58 . 2006-09-24 17:25 2855080 ----a-w- c:\program files\aawsepersonal.exe
2008-02-10 00:31 . 2008-02-10 00:31 2733928 ----a-w- c:\program files\ccsetup204.exe
2008-01-25 22:25 . 2006-12-16 17:31 7237952 ----a-w- c:\program files\vsoConvertXtoDVD2_setup.exe
2008-01-05 20:19 . 2008-01-05 20:19 13413048 ----a-w- c:\program files\Google_Earth_BZXV.exe
2008-01-02 22:06 . 2008-01-02 22:06 5828336 ----a-w- c:\program files\Firefox Setup 2.0.0.11.exe
2007-12-26 22:42 . 2007-12-26 22:42 2724328 ----a-w- c:\program files\ccsetup203.exe
2007-09-09 20:35 . 2007-09-09 20:35 983512 ----a-w- c:\program files\SonicStageInstaller.exe
2007-09-01 18:14 . 2007-09-01 17:23 182002016 ----a-w- c:\program files\Nero-7.10.1.0_eng_trial.exe
2007-08-30 20:40 . 2007-08-30 20:40 13416432 ----a-w- c:\program files\Google_Earth_BZXD.exe
2007-08-23 19:58 . 2007-08-23 19:59 2622600 ----a-w- c:\program files\ccsetup200.exe
2007-07-28 21:43 . 2007-07-28 21:40 18040176 ----a-w- c:\program files\Install_Messenger_nous.exe
2007-07-28 17:11 . 2007-07-28 17:08 14993976 ----a-w- c:\program files\GoogleEarthWin.exe
2007-07-16 18:06 . 2007-07-16 17:55 20743888 ----a-w- c:\program files\avg75free_446a991.exe
2007-07-13 20:38 . 2007-07-13 20:37 2720456 ----a-w- c:\program files\ccsetup141.exe
2007-07-13 20:33 . 2007-07-13 19:37 182131744 ----a-w- c:\program files\Nero-7.10.1.0_eng_trial_wch.exe
2007-05-14 19:02 . 2007-05-14 19:02 584851 ----a-w- c:\program files\mpeg2decoder.exe
2007-05-04 21:57 . 2007-05-04 21:56 2714784 ----a-w- c:\program files\ccsetup139(2).exe
2007-03-01 19:15 . 2007-03-01 19:02 19755560 ----a-w- c:\program files\avg75free_446a965.exe
2007-01-19 22:25 . 2007-01-19 22:20 9918872 ----a-w- c:\program files\wmencoder.exe
2007-01-16 22:22 . 2007-01-16 22:18 4839744 ----a-w- c:\program files\getright_setup.exe
2006-12-31 10:49 . 2006-12-31 10:33 36808256 ----a-w- c:\program files\iTunesSetup.exe
2006-12-31 02:00 . 2007-07-02 20:52 231712368 ----a-w- c:\program files\col6904mu1.exe
2006-12-30 23:20 . 2006-12-30 23:18 2599088 ----a-w- c:\program files\Shockwave_Installer_Slim.exe
2006-12-10 09:01 . 2006-12-10 08:17 141606188 ----a-w- c:\program files\uvs10_tbyb_(e)_na(2).exe
2006-10-15 20:20 . 2006-10-15 20:20 643711 ----a-w- c:\program files\XviD-1.1.0-30122005.exe
2006-09-24 17:43 . 2006-09-24 17:42 17815448 ----a-w- c:\program files\avg71free_405a791.exe
2006-09-13 21:52 . 2006-09-13 21:45 7611517 ----a-w- c:\program files\copytodvd4_setup.exe
2006-09-09 22:42 . 2006-09-09 22:39 6020448 ----a-w- c:\program files\ewido-setup_4.0.0.172c.exe
2006-09-03 10:43 . 2006-09-03 10:32 33794048 ----a-w- c:\program files\F8T001_v2.exe
2006-07-10 19:53 . 2006-07-10 19:53 523679 ----a-w- c:\program files\iwu_install.exe
2006-05-21 13:20 . 2006-05-21 13:16 12662176 ----a-w- c:\program files\RealPlayer10-5GOLD.exe
2006-04-25 17:20 . 2006-04-25 17:20 57344 ----a-w- c:\program files\NPPGWrap.exe
2006-04-13 21:41 . 2006-04-13 21:40 4266736 ----a-w- c:\program files\WindowsXP-KB883939-x86-ENU.exe
2006-03-25 13:58 . 2006-03-25 13:23 126619130 ----a-w- c:\program files\j2eesdk-1_4_03-windows.exe
2006-01-08 19:16 . 2006-01-08 19:17 189920 ----a-w- c:\program files\msicuu2.exe
2006-01-01 12:43 . 2005-07-31 18:18 3904911 ----a-w- c:\program files\vsoDivxToDVD_setup.exe
2005-11-27 17:24 . 2005-11-27 17:25 1002760 -c--a-w- c:\program files\cc_demo.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDB98824-30DB-EB95-4749-77FD2A98E1FC}]
2010-10-21 10:27 250368 ----a-w- c:\windows\system32\kbdit32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SP2 Connection Patcher"="c:\program files\SP2 Connection Patcher\SP2ConnPatcher.exe" [2005-05-10 409600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-04-24 4616192]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-05-07 100056]
"MediaKey"="c:\progra~1\MediaKey\MediaKey.EXE" [2004-07-05 204800]
"PhiBtn"="c:\windows\System32\drivers\PhiBtn.exe" [2005-08-25 155648]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk.disabled [2007-9-28 631]
InterVideo WinCinema Manager.lnk.disabled [2004-12-27 1777]
Norton GoBack.lnk.disabled [2005-1-8 1836]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-17 07:57 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\kbdit32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-24 09:15 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2010-10-05 08:09 2067808 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-01-22 10:13 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-08-20 19:45 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 13:20 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-05-28 07:27 570664 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMusic FastStart]
2009-11-06 16:00 2090272 ----a-w- c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2010-05-14 09:32 1479680 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2007-03-28 01:07 593920 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 10:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-08 09:37 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LVCOMS"=c:\program files\Common Files\Logitech\PDDriver\LVCOMS.EXE
"Share-to-Web Namespace Daemon"=c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
"BTSETBOOTKEY"=BTSetBootKey.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\InterVideo\\DVD5\\WinDVD.exe"=
"c:\\Program Files\\WinRAR\\WinRAR.exe"=
"c:\\Program Files\\WinZip\\WINZIP32.EXE"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Program Files\\Ahead\\SIPPS\\SIPPS.exe"=
"c:\\Program Files\\GetRight\\getright.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Pat\\Desktop\\SecureTunnel.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\UseNeXT\\UseNeXT.exe"=
"c:\\Program Files\\Nokia\\Nokia Ovi Suite\\NokiaOviSuite.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [28/11/2004 18:33 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [28/11/2004 18:33 3904]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/06/2009 20:53 133104]
S2 VSS32;Volume Shadow Copy ;c:\windows\system32\tcpmonui32.exe --> c:\windows\system32\tcpmonui32.exe [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.sys [28/03/2006 20:05 25244]
S3 BTCOMM;BTCOMM;c:\windows\system32\drivers\Btcomm.sys --> c:\windows\system32\drivers\Btcomm.sys [?]
S3 BTKRNBDG;Bluetooth COM Bridge;c:\windows\system32\DRIVERS\btkrnbdg.sys --> c:\windows\system32\DRIVERS\btkrnbdg.sys [?]
S3 camvid40;Philips SPC 900NC PC Camera;c:\windows\system32\drivers\camdrv41.sys [08/12/2006 19:56 1240576]
S3 CSRBC01;%CSRBC01.SvcDesc%;c:\windows\system32\Drivers\csrbc01.sys --> c:\windows\system32\Drivers\csrbc01.sys [?]
S3 SMALUSB;Digital Camera Driver;c:\windows\system32\drivers\smallogi.sys [19/12/2004 16:46 11721]
S3 vad_multi;Windigo Virtual Audio Device (WDM);c:\windows\system32\drivers\vadmulti.sys --> c:\windows\system32\drivers\vadmulti.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-10-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cb6c9f94bd9184.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-30 19:53]

2010-10-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-861567501-2139871995-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

2010-10-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-861567501-2139871995-725345543-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

2010-10-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-861567501-2139871995-725345543-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

2010-10-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-861567501-2139871995-725345543-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

2010-10-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-861567501-2139871995-725345543-1012.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

2010-10-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-861567501-2139871995-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

2010-10-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-861567501-2139871995-725345543-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

2010-10-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-861567501-2139871995-725345543-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

2010-10-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-861567501-2139871995-725345543-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

2010-10-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-861567501-2139871995-725345543-1012.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.atcomet.com/m/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = 127.0.0.1
IE: Download with &Shareaza - c:\program files\Shareaza\Plugins\RazaWebHook.dll/3000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: adorons.com
TCP: {52B07856-2F7F-4727-BD8A-4A5AB8DCA5BD} = 82.195.137.70,82.195.137.71
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Pat\Application Data\Mozilla\Firefox\Profiles\fcrw5t94.Default User\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension\components\FirefoxExtension.dll
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\documents and settings\Pat\Application Data\Mozilla\Firefox\Profiles\fcrw5t94.Default User\extensions\support@ancestry.com\plugins\npImgCtl.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{025C48C1-D7D3-4DFA-8C20-2E9F3BCB4B18} - c:\windows\system32\atmpvcno32.dll
BHO-{03AA6538-0717-4012-8C54-4BA3D9FC1E3a} - c:\windows\system32\atmpvcno32.dll
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil10h_Plugin.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-27 11:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2320)
c:\windows\system32\WININET.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Norton SystemWorks\Norton GoBack\GBPoll.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\nvsvc32.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-10-27 11:13:07 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-27 10:13

Pre-Run: 47,085,768,704 bytes free
Post-Run: 47,148,412,928 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - FCA257A0FC6AA61753CDBE7C1ED73ED9

#8 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:21 AM

Posted 27 October 2010 - 12:10 PM

Hello diggers from Dublin :)

Well well....that tells me a lot right there. So now I would like for you to run MBAM again, post the report, and also post up a new HijackThis log, please. How is it running now? :)

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#9 diggers41
  • Topic Starter
  • Members
  • 10 posts
  • Local time:08:21 AM

Posted 27 October 2010 - 06:16 PM

Hi tea, earlier I could not scan with AVG, and I could not disable it for ComboFix, so I tried to uninstall it, but it wouldn't uninstall fully for me. The FAQs suggested downloading a tool from AVG, and eventually it went. I was planning on changing to another AV, and I downloaded the one you use, Avira, and it let me scan. I hope I do not confuse things for you by doing this.
I ran the 2 scans, HijackThis and MBAM, and am also including the log from the Avira scan.

Things are improving B)

Thanks
diggers



Avira AntiVir Personal
Report file date: 28 October 2010 00:07

Scanning for 2975825 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : USER1

Version information:
BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00
AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 12:37:38
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 12:57:04
LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 18:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/10/2010 23:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 09:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 19:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 17:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 16:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 11:29:03
VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 11:39:37
VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 11:40:16
VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 11:41:37
VBASE008.VDF : 7.10.11.133 3454464 Bytes 9/13/2010 11:42:35
VBASE009.VDF : 7.10.11.134 2048 Bytes 9/13/2010 11:42:36
VBASE010.VDF : 7.10.11.135 2048 Bytes 9/13/2010 11:42:36
VBASE011.VDF : 7.10.11.136 2048 Bytes 9/13/2010 11:42:36
VBASE012.VDF : 7.10.11.137 2048 Bytes 9/13/2010 11:42:36
VBASE013.VDF : 7.10.11.165 172032 Bytes 9/15/2010 11:42:39
VBASE014.VDF : 7.10.11.202 144384 Bytes 9/18/2010 11:42:41
VBASE015.VDF : 7.10.11.231 129024 Bytes 9/21/2010 11:42:43
VBASE016.VDF : 7.10.12.4 126464 Bytes 9/23/2010 11:42:45
VBASE017.VDF : 7.10.12.38 146944 Bytes 9/27/2010 11:42:48
VBASE018.VDF : 7.10.12.64 133120 Bytes 9/29/2010 11:42:50
VBASE019.VDF : 7.10.12.99 134144 Bytes 10/1/2010 11:42:52
VBASE020.VDF : 7.10.12.122 131584 Bytes 10/5/2010 11:42:54
VBASE021.VDF : 7.10.12.148 119296 Bytes 10/7/2010 11:42:57
VBASE022.VDF : 7.10.12.175 142848 Bytes 10/11/2010 11:42:59
VBASE023.VDF : 7.10.12.198 131584 Bytes 10/13/2010 11:43:01
VBASE024.VDF : 7.10.12.216 133120 Bytes 10/14/2010 11:43:03
VBASE025.VDF : 7.10.12.238 137728 Bytes 10/18/2010 11:43:06
VBASE026.VDF : 7.10.12.254 129536 Bytes 10/20/2010 11:43:08
VBASE027.VDF : 7.10.13.22 137728 Bytes 10/22/2010 11:43:10
VBASE028.VDF : 7.10.13.39 124416 Bytes 10/26/2010 11:43:12
VBASE029.VDF : 7.10.13.40 2048 Bytes 10/26/2010 11:43:12
VBASE030.VDF : 7.10.13.41 2048 Bytes 10/26/2010 11:43:12
VBASE031.VDF : 7.10.13.49 73728 Bytes 10/27/2010 11:43:13
Engineversion : 8.2.4.84
AEVDF.DLL : 8.1.2.1 106868 Bytes 10/27/2010 11:44:07
AESCRIPT.DLL : 8.1.3.45 1368443 Bytes 10/27/2010 11:44:07
AESCN.DLL : 8.1.6.1 127347 Bytes 10/27/2010 11:44:00
AESBX.DLL : 8.1.3.1 254324 Bytes 10/27/2010 11:44:09
AERDL.DLL : 8.1.9.2 635252 Bytes 10/27/2010 11:43:59
AEPACK.DLL : 8.2.3.11 471416 Bytes 10/27/2010 11:43:54
AEOFFICE.DLL : 8.1.1.8 201081 Bytes 10/27/2010 11:43:49
AEHEUR.DLL : 8.1.2.36 2974072 Bytes 10/27/2010 11:43:48
AEHELP.DLL : 8.1.14.0 246134 Bytes 10/27/2010 11:43:27
AEGEN.DLL : 8.1.3.23 401779 Bytes 10/27/2010 11:43:25
AEEMU.DLL : 8.1.2.0 393588 Bytes 10/27/2010 11:43:22
AECORE.DLL : 8.1.17.0 196982 Bytes 10/27/2010 11:43:20
AEBB.DLL : 8.1.1.0 53618 Bytes 10/27/2010 11:43:18
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 12:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 12:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 16:47:40
AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 12:35:46
AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 12:39:51
AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 12:22:13
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 09:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 12:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 15:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 14:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 13:10:20
RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 14:14:29

Configuration settings for the scan:
Jobname.............................: avguard_async_scan
Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVGUARD_ff2b99aa\guard_slideup.avp
Logging.............................: low
Primary action......................: repair
Secondary action....................: quarantine
Scan master boot sector.............: on
Scan boot sector....................: off
Process scan........................: on
Scan registry.......................: off
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: high

Start of the scan: 28 October 2010 00:07

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'NOTEPAD.EXE' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'NOTEPAD.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'ezSP_Px.exe' - '1' Module(s) have been scanned
Scan process 'PhiBtn.exe' - '1' Module(s) have been scanned
Scan process 'MediaKey.EXE' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'fxssvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SNDSrvc.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdate.exe' - '1' Module(s) have been scanned
Scan process 'IoctlSvc.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'GBPoll.exe' - '1' Module(s) have been scanned
Scan process 'CTsvcCDA.EXE' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting the file scan:

Begin scan in 'C:\System Volume Information\_restore{FAFFE53B-ED21-4328-91BC-558D86CDAAFF}\RP1515\A0288096.exe'
C:\System Volume Information\_restore{FAFFE53B-ED21-4328-91BC-558D86CDAAFF}\RP1515\A0288096.exe
[0] Archive type: HIDDEN
[DETECTION] Is the TR/Dldr.IstBar.BY.2 Trojan
--> FIL\\\?\C:\System Volume Information\_restore{FAFFE53B-ED21-4328-91BC-558D86CDAAFF}\RP1515\A0288096.exe
[DETECTION] Is the TR/Dldr.IstBar.BY.2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '4eb11047.qua'.


End of the scan: 28 October 2010 00:08
Used time: 00:54 Minute(s)

The scan has been done completely.

0 Scanned directories
42 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
41 Files not concerned
0 Archives were scanned
0 Warnings
1 Notes


The scan results will be transferred to the Guard.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:30:33, on 27/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17091)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MediaKey\MediaKey.EXE
C:\WINDOWS\System32\drivers\PhiBtn.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/m/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0EEDB912-C5FA-486F-8334-57288578C627} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: (no name) - {BDB98824-30DB-EB95-4749-77FD2A98E1FC} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MediaKey] C:\PROGRA~1\MediaKey\MediaKey.EXE
O4 - HKLM\..\Run: [PhiBtn] %SystemRoot%\System32\drivers\PhiBtn.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk.disabled
O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled
O4 - Global Startup: Norton GoBack.lnk.disabled
O8 - Extra context menu item: Download with &Shareaza - res://C:\Program Files\Shareaza\Plugins\RazaWebHook.dll/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.adorons.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} -
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://rimmel.ai-media.com/save/makeover.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/7.20.0003/OCI/setup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101659472046
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{52B07856-2F7F-4727-BD8A-4A5AB8DCA5BD}: NameServer = 82.195.137.70,82.195.137.71
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Volume Shadow Copy (VSS32) - Unknown owner - C:\WINDOWS\system32\tcpmonui32.exe (file missing)

--
End of file - 11366 bytes






Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4955

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

27/10/2010 22:28:00
mbam-log-2010-10-27 (22-28-00).txt

Scan type: Quick scan
Objects scanned: 171202
Time elapsed: 9 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Pat\Desktop\avg2011remover_en.exe (Trojan.Dropper) -> No action taken.

#10 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:21 AM

Posted 27 October 2010 - 07:20 PM

Hello,

No, it's fine. Thank you for telling me though. :thumbup2: What Avira found was in System Restore and not a threat, so no problem there. :)

Open HijackThis and do a system scan only.

Put checks by the following and click the "Fix checked" button:

O2 - BHO: (no name) - {0EEDB912-C5FA-486F-8334-57288578C627} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: (no name) - {BDB98824-30DB-EB95-4749-77FD2A98E1FC} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O23 - Service: Volume Shadow Copy (VSS32) - Unknown owner - C:\WINDOWS\system32\tcpmonui32.exe (file missing)


Reboot your computer. In your reply, please let me know how it's running. :)

Thanks,
tea
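
The fix list above, and the ComboFix supplementary-scan indicators earlier in the thread (the 127.0.0.1:8080 IE proxy, the Trusted Zone entry, the NameServer line), are the kind of thing a helper picks out of a log by eye. The script below is an added example written for this page; it is not part of HijackThis, ComboFix or any tool in the thread. It parses HijackThis-style lines and applies the same rules: O2 BHOs ending in "(no file)" and O23 services ending in "(file missing)" are safe to tick in "Fix checked"; a ProxyServer pointing at localhost and any O15 Trusted Zone addition are flagged for investigation; O17 resolvers are only flagged as "verify" when they are not in a caller-supplied list, because the thread never says those two resolvers are malicious. The sample lines are copied from the logs posted above, and the `expected_nameservers` parameter and the severity labels are this example's own assumptions.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of
HijackThis or ComboFix).  Applies the rules a malware-response helper applies
by hand: orphaned BHOs, services whose binary is missing, a proxy pointed at
localhost, Trusted Zone additions, and resolvers that differ from what the
ISP or router is expected to hand out."""
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the logs in this thread, plus
# one benign BHO and one benign service so the rules have negative cases.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0EEDB912-C5FA-486F-8334-57288578C627} - (no file)
O15 - Trusted Zone: *.adorons.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{52B07856-2F7F-4727-BD8A-4A5AB8DCA5BD}: NameServer = 82.195.137.70,82.195.137.71
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Volume Shadow Copy (VSS32) - Unknown owner - C:\WINDOWS\system32\tcpmonui32.exe (file missing)
"""

# Every HijackThis entry starts with its section id (R0, R1, O2, O23, ...).
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}


@dataclass
class Finding:
    kind: str       # HijackThis section, e.g. "O2"
    line: str       # the original log line
    severity: str   # "remove": tick in Fix checked; "suspicious": investigate; "verify": confirm with owner
    reason: str


def parse_entries(text):
    """Yield (kind, body, line) for every HijackThis-style entry in text."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("kind"), m.group("body"), line


def analyse(text, expected_nameservers=()):
    """Return Findings for the indicators a helper would act on.

    expected_nameservers is an assumption of this example: the resolvers the
    machine should be using (ISP or router); anything else is flagged 'verify'."""
    findings = []
    for kind, body, line in parse_entries(text):
        if kind == "R1" and ",ProxyServer" in body:
            host = body.partition("=")[2].strip().split(":")[0]
            if host in LOCAL_HOSTS:
                findings.append(Finding(kind, line, "suspicious",
                    "IE traffic is routed through a proxy on localhost; "
                    "find the local process listening on that port"))
        elif kind == "O2" and body.endswith("(no file)"):
            findings.append(Finding(kind, line, "remove",
                "BHO registration whose DLL is gone (orphan left by cleanup)"))
        elif kind == "O15":
            findings.append(Finding(kind, line, "suspicious",
                "site added to the IE Trusted Zone, which relaxes security settings"))
        elif kind == "O17":
            servers = [s.strip() for s in body.partition("NameServer =")[2].split(",") if s.strip()]
            unexpected = [s for s in servers if s not in expected_nameservers]
            if unexpected:
                findings.append(Finding(kind, line, "verify",
                    "resolvers not in the expected list, confirm against the ISP/router: "
                    + ", ".join(unexpected)))
        elif kind == "O23" and body.endswith("(file missing)"):
            reason = "service points at a binary that no longer exists"
            if "Unknown owner" in body:
                reason += "; no vendor and a Windows-sounding name, typical of a leftover malware service"
            findings.append(Finding(kind, line, "remove", reason))
    return findings


def removal_list(text):
    """Lines to tick in HijackThis' "Fix checked" (severity 'remove')."""
    return [f.line for f in analyse(text) if f.severity == "remove"]


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.severity:10}] {f.kind}: {f.reason}\n    {f.line}")
```

Run against the sample it reports five findings; the two "remove" lines are exactly the orphaned BHO and the fake "Volume Shadow Copy (VSS32)" service, which is what the fix list above ticks. Passing the two resolvers as `expected_nameservers` drops the O17 finding, which is the right call once the user has confirmed they belong to the ISP.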

#11 diggers41
  • Topic Starter
  • Members
  • 10 posts
  • Local time:08:21 AM

Posted 28 October 2010 - 04:16 AM

Hi tea, everything is fine now, thanks for your easy to follow support and patience
Best regards
diggers from Dublin :whistle:

#12 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:21 AM

Posted 28 October 2010 - 11:37 AM

Hello one last time Diggers from Dublin :wink:

You're most welcome, and glad all is well. :) One last thing :

Uninstall ComboFix by doing the following :

Click Start > Run, type in (or copy and paste) ComboFix /Uninstall, then click OK.

Take care, and thank you!! :inlove:

tea

#13 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:21 AM

Posted 30 October 2010 - 01:14 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



