Cannot install MalwareBytes (WinPC problem)


stephen_g

Hi,

I have a machine infected with WinPC Defender.
I am unable to install Malwarebytes (I get the egg timer briefly then nothing).
Similarly I cannot run Spybot Search and Destroy (I get the egg timer briefly then nothing).
Here is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:13:49, on 14/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\HP\Digital Imaging\HP Print Screen\PrnSys.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\tom\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\WINDOWS\system32\WSBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PrnSys Executable] C:\Program Files\HP\Digital Imaging\HP Print Screen\PrnSys.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [Loaris Trojan Remover] "C:\Program Files\Loaris Trojan Remover\TrojanRemover.exe" 0
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZSYYYYYYYYGB
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\WINDOWS\system32\WSBar.dll/VSearch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MSN Music Mediabar) - http://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 10792 bytes

Can anyone advise please.
Regards
Stephen
 
Hello and Welcome to forums!

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:


  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If you don't know or understand something please don't hesitate to ask.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.


No Reply Within 5 Days Will Result In Your Topic Being Closed!!
 
STEP 1

Download DDS

Please download DDS by sUBs from one of the links below and save it to your desktop:


Download DDS and save it to your desktop from:

Link1
Link2
Link3

Please disable any anti-malware program that will block scripts from running before running DDS.


  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply



STEP 2


RootRepeal - Rootkit Detector

Download RootRepeal.zip and unzip it to your Desktop.


  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program



Next Reply

Please reply with:

  • DDS.txt
  • Attach.txt
  • RootRepeal.txt
 
Hi,
Thanks for your help with this.
I was unable to run DDS, I got the first screen telling me that the scan should take no longer than three minutes etc, but then nothing happened and no reports were generated.
When I tried to run RootRepeal, I initially got an error "Invalid PE Image Found", I clicked on OK, the scan commenced, but part way through the process there was another error message "Attempt to read from address 0x00b43004" then the program terminated.
Regards
Stephen
 
Hi again,

After a couple of further attempts I have now managed to produce the logs, here they are.


DDS (Ver_09-05-14.01) - NTFSx86
Run by tom at 20:39:08.67 on 16/06/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.735.263 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
svchost.exe
C:\Program Files\HP\Digital Imaging\HP Print Screen\PrnSys.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\tom\Application Data\Google\uqrke8412012.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\DOCUME~1\tom\LOCALS~1\Temp\Google Toolbar\gtb4.tmp.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\tom\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: SFCDisable=4 (0x4)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Wanadoo: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:\windows\system32\WSBar.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {119DBEDA-9C41-4F97-94B4-B6BCD01133CF} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe
uRun: [Loaris Trojan Remover] "c:\program files\loaris trojan remover\TrojanRemover.exe" 0
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PrnSys Executable] c:\program files\hp\digital imaging\hp print screen\PrnSys.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [gcasServ] "c:\program files\microsoft antispyware\gcasServ.exe"
mRun: [realteks] "c:\documents and settings\tom\application data\google\uqrke8412012.exe" 2
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZSYYYYYYYYGB
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Yahoo! Chess - hxxp://download2.games.yahoo.com/games/clients/y/ct5_x.cab
DPF: Yahoo! Pool 2 - hxxp://download2.games.yahoo.com/games/clients/y/poti_x.cab
DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/B/E/5BE645ED-2F2D-4E4D-9C54-AFB56EFCB312/LegitCheckControl.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} - hxxp://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll
LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\vturr

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-11 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-11 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-11 108552]
R2 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2006-10-11 8768]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-11 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-29 298776]
R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [1980-1-1 24608]
S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [2007-7-29 20160]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-3-7 29744]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2009-06-16 20:11 359,893 ac------ C:\dds.scr
2009-06-16 20:11 359,893 ac------ C:\dds.pif
2009-06-16 20:11 359,893 ac------ C:\dds.com
2009-06-14 17:33 14,568 a------- c:\windows\system32\drivers\wg3n.sys
2009-06-14 17:33 60,496 a------- c:\windows\system32\drivers\Teefer.sys
2009-06-14 17:33 21,075 a------- c:\windows\system32\drivers\wpsdrvnt.sys
2009-06-14 17:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-14 16:27 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-02 21:43 <DIR> --d----- c:\program files\Loaris Trojan Remover
2009-06-02 20:20 83,096 a------- c:\windows\system32\SSSensor.dll
2009-06-02 20:20 <DIR> --d----- c:\program files\Sygate

==================== Find3M ====================

2009-06-12 10:55 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-26 15:11 174 a------- c:\docume~1\tom\applic~1\asd.bat
2009-05-11 10:11 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-11 10:10 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 16:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-29 05:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 05:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 05:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 05:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 05:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 05:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 05:56 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-04-29 05:56 102,912 -------- c:\windows\system32\dllcache\occache.dll
2009-04-29 05:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 05:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 05:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 10:05 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 10:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-25 06:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 06:26 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 13:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-16 12:43 67 ac------ C:\New Project.dat
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 15:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-03-21 15:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2007-10-05 12:12 823,404 ---sh--- c:\windows\system32\bdeeg.bak1
2007-10-02 22:23 812,810 ---sh--- c:\windows\system32\knnmp.bak1
2007-10-04 22:32 819,429 ---sh--- c:\windows\system32\knnmp.bak2
2007-10-10 13:47 574,749 ---sh--- c:\windows\system32\rrutv.bak2
2008-10-31 11:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008103120081101\index.dat

============= FINISH: 20:43:28.10 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 27/12/2005 14:11:54
System Uptime: 16/06/2009 20:21:19 (0 hours ago)
Processor: Intel(R) Celeron(R) CPU 2.66GHz | Socket 478 | 2680/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 70 GiB total, 51.476 GiB free.
D: is CDROM ()
E: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP571: 12/03/2009 15:12:43 - Software Distribution Service 3.0
RP572: 16/03/2009 18:57:19 - System Checkpoint
RP573: 17/03/2009 10:42:58 - Software Distribution Service 3.0
RP574: 18/03/2009 18:31:47 - Avg8 Update
RP575: 22/03/2009 11:33:01 - System Checkpoint
RP576: 27/03/2009 09:41:44 - Avg8 Update
RP577: 06/04/2009 16:54:11 - System Checkpoint
RP578: 09/04/2009 10:29:38 - System Checkpoint
RP579: 15/04/2009 12:21:17 - Software Distribution Service 3.0
RP580: 16/04/2009 12:24:33 - Avg8 Update
RP581: 25/04/2009 12:08:01 - Installed Java(TM) 6 Update 13
RP582: 29/04/2009 11:00:37 - Software Distribution Service 3.0
RP583: 01/05/2009 16:29:56 - System Checkpoint
RP584: 06/05/2009 18:46:45 - Installed Connect Service
RP585: 07/05/2009 18:51:38 - System Checkpoint
RP586: 08/05/2009 22:28:03 - System Checkpoint
RP587: 11/05/2009 10:08:08 - Avg8 Update
RP588: 11/05/2009 10:12:01 - Avg8 Update
RP589: 13/05/2009 15:59:07 - Software Distribution Service 3.0
RP590: 16/05/2009 11:30:35 - Restore Operation
RP591: 17/05/2009 10:40:39 - Avg8 Update
RP592: 17/05/2009 11:26:44 - Installed Microsoft AntiSpyware
RP593: 20/05/2009 09:25:37 - Avg8 Update
RP594: 20/05/2009 09:27:53 - Avg8 Update
RP595: 26/05/2009 17:30:10 - System Checkpoint
RP596: 09/06/2009 00:21:51 - System Checkpoint

==== Installed Programs ======================


==== Event Viewer Messages From Past Week ========

16/06/2009 20:18:58, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip wpsdrvnt WS2IFSL
16/06/2009 20:18:57, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
16/06/2009 20:18:57, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
16/06/2009 20:18:57, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
16/06/2009 20:18:57, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
16/06/2009 20:18:57, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
16/06/2009 20:18:57, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
14/06/2009 17:33:38, error: Service Control Manager [7000] - The Motorola SURFboard USB Cable Modem Windows Driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
14/06/2009 17:33:38, error: Service Control Manager [7000] - The Microsoft TV/Video Connection service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
14/06/2009 17:33:37, error: Service Control Manager [7000] - The Bluetooth Device (Personal Area Network) service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
14/06/2009 17:33:37, error: Service Control Manager [7000] - The %ADM8511.Service.DispName% service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
14/06/2009 17:20:40, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
14/06/2009 16:23:59, error: Service Control Manager [7034] - The ArcSoft Connect Daemon service terminated unexpectedly. It has done this 1 time(s).
14/06/2009 16:23:47, error: Service Control Manager [7034] - The AOL Connectivity Service service terminated unexpectedly. It has done this 1 time(s).
14/06/2009 16:23:28, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
14/06/2009 16:22:49, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
14/06/2009 16:22:20, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
14/06/2009 16:22:14, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
14/06/2009 16:01:07, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
14/06/2009 15:57:08, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
14/06/2009 15:56:45, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm
14/06/2009 15:53:39, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

==== End Of File ===========================
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Time: 2009/06/16 20:46
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF1F17000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7CDE000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF0909000 Size: 49152 File Visible: No Signed: -
Status: -

Name: UACxrmbpxeooqxmhwu.sys
Image Path: C:\WINDOWS\system32\drivers\UACxrmbpxeooqxmhwu.sys
Address: 0xF2EA2000 Size: 77824 File Visible: - Signed: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\UACbwaqcmxehatlrkc.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACcvamdrvnfdtkolq.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACcxcqecmkeicvmky.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACcxvtcratgetmscn.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACdljiokilbkjbwwy.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACdxuvmjgsblijjmw.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACdyqxhfrxcegxdyr.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACetgnmvbemharkkw.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACproc.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACpxrnirdqurqfdsq.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACqepxqidnskaccgt.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACqioxxgvynbbiyuu.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACtwhxurvivknpulk.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACuihsyvmuwfjxgor.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACuqvvvydslrvikal.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACvbexujxlspbytph.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACvipioiefrwapcny.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACwnoernthewrbrmh.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACxwewbbfbhqvvnip.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACyabwemydktuwehq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACftpiqeymxfxjlnb.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACfwowfkrxlllaylf.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACfwowxcmdvpvwauh.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACjlkxqircqfigfjp.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACmiiovmwcbvplwmy.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACmjyierxtneojoou.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACobqmnrbfgoivxer.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACpbcrcvgxgxivppn.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC233d.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC5f90.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACb621.tmp
Status: Invisible to the Windows API!

Path: c:\windows\temp\perflib_perfdata_3b4.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\WINDOWS\system32\drivers\UACxrmbpxeooqxmhwu.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\tom\Local Settings\Temp\UAC683b.tmp
Status: Invisible to the Windows API!

Processes
-------------------
Path: C:\Documents and Settings\tom\Application Data\Google\uqrke8412012.exe
PID: 152 Status: Hidden from the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: winlogon.exe (PID: 508) Address: 0x00670000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: winlogon.exe (PID: 508) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: services.exe (PID: 556) Address: 0x00690000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: services.exe (PID: 556) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: lsass.exe (PID: 568) Address: 0x006c0000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: lsass.exe (PID: 568) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: svchost.exe (PID: 720) Address: 0x00780000 Size: 49152

Object: Hidden Module [Name: UAC5f90.tmpfkrxlllaylf.dll]
Process: svchost.exe (PID: 720) Address: 0x00a90000 Size: 200704

Object: Hidden Module [Name: UACyabwemydktuwehq.dll]
Process: svchost.exe (PID: 720) Address: 0x00b80000 Size: 69632

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: svchost.exe (PID: 720) Address: 0x00d20000 Size: 45056

Object: Hidden Module [Name: UACfwowfkrxlllaylf.dll]
Process: svchost.exe (PID: 720) Address: 0x02aa0000 Size: 200704

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: svchost.exe (PID: 720) Address: 0x02c20000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: svchost.exe (PID: 720) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACmiiovmwcbvplwmy.dll]
Process: svchost.exe (PID: 720) Address: 0x02cc0000 Size: 53248

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: svchost.exe (PID: 796) Address: 0x00780000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: svchost.exe (PID: 796) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: svchost.exe (PID: 912) Address: 0x00780000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: svchost.exe (PID: 912) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: smc.exe (PID: 964) Address: 0x00f90000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: smc.exe (PID: 964) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: svchost.exe (PID: 1068) Address: 0x00780000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: svchost.exe (PID: 1068) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: svchost.exe (PID: 1196) Address: 0x00780000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: svchost.exe (PID: 1196) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: spoolsv.exe (PID: 1320) Address: 0x00a20000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: spoolsv.exe (PID: 1320) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: svchost.exe (PID: 1400) Address: 0x00780000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: svchost.exe (PID: 1400) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: ACService.exe (PID: 1484) Address: 0x00820000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: ACService.exe (PID: 1484) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: Explorer.EXE (PID: 1692) Address: 0x00ca0000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: Explorer.EXE (PID: 1692) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: AOLacsd.exe (PID: 1724) Address: 0x00ac0000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: AOLacsd.exe (PID: 1724) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: AppleMobileDeviceService.exe (PID: 1784) Address: 0x00700000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: AppleMobileDeviceService.exe (PID: 1784) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: avgwdsvc.exe (PID: 1860) Address: 0x00730000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: avgwdsvc.exe (PID: 1860) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: mDNSResponder.exe (PID: 1896) Address: 0x00740000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: mDNSResponder.exe (PID: 1896) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: ctfmon.exe (PID: 1912) Address: 0x00930000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: ctfmon.exe (PID: 1912) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: avgtray.exe (PID: 1956) Address: 0x00d00000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: avgtray.exe (PID: 1956) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: QTTask.exe (PID: 1968) Address: 0x00b00000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: QTTask.exe (PID: 1968) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: svchost.exe (PID: 1976) Address: 0x00780000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: svchost.exe (PID: 1976) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: PrnSys.exe (PID: 1984) Address: 0x00b30000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: PrnSys.exe (PID: 1984) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: rundll32.exe (PID: 1996) Address: 0x00a20000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: rundll32.exe (PID: 1996) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: ACDaemon.exe (PID: 2004) Address: 0x00ce0000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: ACDaemon.exe (PID: 2004) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: iTunesHelper.exe (PID: 2020) Address: 0x00bd0000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: iTunesHelper.exe (PID: 2020) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: realsched.exe (PID: 2036) Address: 0x00a90000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: realsched.exe (PID: 2036) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: jusched.exe (PID: 2044) Address: 0x00ce0000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: jusched.exe (PID: 2044) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: GoogleToolbarNotifier.exe (PID: 204) Address: 0x00a70000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: GoogleToolbarNotifier.exe (PID: 204) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: TeaTimer.exe (PID: 188) Address: 0x011c0000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: TeaTimer.exe (PID: 188) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: EasyShare.exe (PID: 232) Address: 0x009e0000 Size: 49152

Object: Hidden Module [Name: msvcm80.dll]
Process: EasyShare.exe (PID: 232) Address: 0x052f0000 Size: 507904

Object: Hidden Module [Name: ESCliWicMDRW.esx]
Process: EasyShare.exe (PID: 232) Address: 0x05030000 Size: 761856

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: EasyShare.exe (PID: 232) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: jqs.exe (PID: 948) Address: 0x00710000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: jqs.exe (PID: 948) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: svchost.exe (PID: 1240) Address: 0x00780000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: svchost.exe (PID: 1240) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: avgemc.exe (PID: 2136) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: avgemc.exe (PID: 2136) Address: 0x00a60000 Size: 49152

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: avgrsx.exe (PID: 2200) Address: 0x00760000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: avgrsx.exe (PID: 2200) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: avgnsx.exe (PID: 2208) Address: 0x00780000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: avgnsx.exe (PID: 2208) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: avgcsrvx.exe (PID: 2448) Address: 0x00a10000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: avgcsrvx.exe (PID: 2448) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: wmiprvse.exe (PID: 2924) Address: 0x007c0000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: wmiprvse.exe (PID: 2924) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: WLLoginProxy.exe (PID: 2292) Address: 0x00980000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: WLLoginProxy.exe (PID: 2292) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: RootRepeal.exe (PID: 1212) Address: 0x00f10000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: RootRepeal.exe (PID: 1212) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: Iexplore.exe (PID: 3668) Address: 0x00b30000 Size: 49152

Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: Iexplore.exe (PID: 3668) Address: 0x10000000 Size: 45056

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACxrmbpxeooqxmhwu.sys

==EOF==

Thanks again
Stephen
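The RootRepeal report above is what a kernel-mode rootkit looks like from user mode: a driver and a service the Windows API cannot see, a hidden process, and two DLLs injected into nearly every running process, including winlogon.exe, services.exe and the AVG and RootRepeal processes themselves. The script below is an added example, not code from this thread or from RootRepeal: it parses a report in that format and cross-checks the sections against each other, so that a "hidden module" only counts as payload when its file is also invisible on disk (msvcm80.dll and the EasyShare plug-in are reported as hidden modules too, but are not), and so that benign entries (crash-dump drivers with "File Visible: No", locked hiberfil.sys) are not flagged. The embedded report is constructed in the same layout as the posted one, with made-up file names; the real report's names and addresses are not reproduced.

```python
"""Triage a RootRepeal report: list what the rootkit hides, where it is
injected, and separate real payload from benign "hidden" noise.
Added example, not code from the forum post or from RootRepeal; the report
below is constructed in the format of the one posted, with made-up names."""
import re
from collections import Counter, defaultdict

SAMPLE_REPORT = r"""Drivers
-------------------
Name: UACaaaabbbbccccdddd.sys
Image Path: C:\WINDOWS\system32\drivers\UACaaaabbbbccccdddd.sys
Address: 0xF2EA2000 Size: 77824 File Visible: - Signed: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\UACeeeeffffgggghhhh.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACaaaabbbbccccdddd.sys
Status: Invisible to the Windows API!

Processes
-------------------
Path: C:\Documents and Settings\user\Application Data\Google\abcd1234.exe
PID: 152 Status: Hidden from the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACeeeeffffgggghhhh.dll]
Process: winlogon.exe (PID: 508) Address: 0x00670000 Size: 49152

Object: Hidden Module [Name: UACeeeeffffgggghhhh.dll]
Process: svchost.exe (PID: 720) Address: 0x00780000 Size: 49152

Object: Hidden Module [Name: msvcm80.dll]
Process: EasyShare.exe (PID: 232) Address: 0x052f0000 Size: 507904

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACaaaabbbbccccdddd.sys

==EOF==
"""

SECTION_RE = re.compile(r"^(Drivers|Hidden/Locked Files|Processes|Stealth Objects|Hidden Services)\n-+\n", re.M)
# Longer keys first so "Service Name" is not read as "Name", nor "Image Path" as "Path".
KEYS = "Service Name|Image Path|File Visible|Name|Address|Size|Signed|Status|Path|PID|Object|Process"
FIELD_RE = re.compile(r"(%s): (.*?)(?=\s(?:%s): |$)" % (KEYS, KEYS))  # a value ends at the next key


def parse_report(text):
    """Return {section: [record, ...]}, a record being a dict of field -> value.
    RootRepeal puts several fields on one line, so values are cut at the next known key."""
    parts = SECTION_RE.split(text)  # [preamble, name, body, name, body, ...]
    report = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        records = []
        for chunk in re.split(r"\n\s*\n", body.strip()):
            fields = {}
            for line in chunk.splitlines():
                fields.update(FIELD_RE.findall(line))
            if fields:
                records.append(fields)
        report[name] = records
    return report


def triage(report):
    """Pick out the rootkit artefacts and cross-check them against each other."""
    # dump_*.sys drivers are "File Visible: No" by design (crash-dump copies) and
    # "Locked" (hiberfil.sys, pagefile.sys) is normal: only Hidden/Invisible counts.
    hidden_drivers = [r["Image Path"] for r in report.get("Drivers", []) if "Hidden" in r.get("Status", "")]
    hidden_files = [r["Path"] for r in report.get("Hidden/Locked Files", []) if "Invisible" in r.get("Status", "")]
    hidden_procs = [(r["Path"], int(r["PID"])) for r in report.get("Processes", []) if "Hidden" in r.get("Status", "")]
    services = {r["Service Name"]: r["Image Path"] for r in report.get("Hidden Services", [])}
    injected = defaultdict(set)
    for r in report.get("Stealth Objects", []):
        m = re.match(r"Hidden Module \[Name: (.+?)\]", r.get("Object", ""))
        if m:
            injected[m.group(1)].add(r["Process"])
    # A module is payload only if its file is also hidden on disk; legitimate DLLs
    # loaded in unusual ways (msvcm80.dll above) are reported as "hidden" as well.
    basenames = [p.rsplit("\\", 1)[-1] for p in hidden_files]
    hidden_names = {b.lower() for b in basenames}
    payload = {mod: sorted(procs) for mod, procs in injected.items() if mod.lower() in hidden_names}
    # This family names every artefact with one fixed prefix plus random characters.
    prefix, count = Counter(b[:3] for b in basenames).most_common(1)[0] if basenames else (None, 0)
    return {"hidden_drivers": hidden_drivers, "hidden_files": hidden_files,
            "hidden_processes": hidden_procs, "hidden_services": services,
            "service_backs_hidden_driver": any(p in hidden_drivers for p in services.values()),
            "payload_modules": payload, "naming_prefix": prefix if count >= 2 else None}


if __name__ == "__main__":
    print(triage(parse_report(SAMPLE_REPORT)))
```

Run it against a saved RootRepeal report by replacing SAMPLE_REPORT with the file's contents. The useful output is the cross-reference, not the raw list: a hidden service whose image path is also a hidden driver, plus one DLL present in every process and invisible on disk, is the pattern to hand to whoever chooses the removal tool, and a single shared prefix across all of those names says the files belong to one family rather than several infections.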
 
Download and Run ComboFix


  • ComboFix SHOULD NOT be used unless requested by a forum helper.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found HERE
  • Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3



  • Double-click on Combo-Fix.exe and follow the prompts.
  • When finished, it will produce a report for you (C:\ComboFix.txt).
  • Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  • ComboFix should never take more than 20 minutes, including the reboot if malware is detected.

    IMPORTANT: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

    Next Reply

    Please reply with:
  • ComboFix log (found at C:\Combofix.txt)
  • New HijackThis log
 
Hi,
Here is the Combo-Fix log and the new HijackThis log.
Thanks for your help.
ComboFix 09-06-19.01 - tom 20/06/2009 16:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.735.427 [GMT 1:00]
Running from: c:\documents and settings\tom\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Sygate Personal Firewall *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\FunWebProducts
c:\program files\MyWebSearch
c:\program files\windows adstatus
c:\recycler\S-1-5-21-2901695491-106716456-3498302183-1003
c:\windows\system32\drivers\UACxrmbpxeooqxmhwu.sys
c:\windows\system32\UACdkpxoarrphpxngs.log
c:\windows\system32\UACftpiqeymxfxjlnb.dat
c:\windows\system32\UACfwowfkrxlllaylf.dll
c:\windows\system32\UACkopwxvirgkcmjuv.log
c:\windows\system32\UACmiiovmwcbvplwmy.dll
c:\windows\system32\UACuqvvvydslrvikal.log
c:\windows\system32\UACwnoernthewrbrmh.dll
c:\windows\system32\UACxwewbbfbhqvvnip.dll
c:\windows\system32\UACyabwemydktuwehq.dll
C:\check_LSA7.txt
C:\dds.pif
c:\documents and settings\tom\Application Data\Google\Shell32.dll
c:\documents and settings\tom\Application Data\Google\uqrke8412012.exe
c:\program files\FunWebProducts\PopSwatr\History\allowed
c:\program files\FunWebProducts\PopSwatr\History\notallow
c:\program files\MyWebSearch\bar\History\search2
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\recycler\S-1-5-21-2901695491-106716456-3498302183-1003\desktop.ini
c:\recycler\S-1-5-21-2901695491-106716456-3498302183-1003\INFO2
c:\windows\cookies.ini
c:\windows\system32\bdeeg.bak1
c:\windows\system32\bdeeg.tmp
c:\windows\system32\drivers\UACxrmbpxeooqxmhwu.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\knnmp.bak1
c:\windows\system32\knnmp.bak2
c:\windows\system32\ppuuhaal.ini
c:\windows\system32\regscan.exe
c:\windows\system32\rrutv.bak2
c:\windows\system32\rrutv.ini
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\UACdkpxoarrphpxngs.log
c:\windows\system32\UACftpiqeymxfxjlnb.dat
c:\windows\system32\UACfwowfkrxlllaylf.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkopwxvirgkcmjuv.log
c:\windows\system32\UACmiiovmwcbvplwmy.dll
c:\windows\system32\UACuqvvvydslrvikal.log
c:\windows\system32\UACwnoernthewrbrmh.dll
c:\windows\system32\UACxwewbbfbhqvvnip.dll
c:\windows\system32\UACyabwemydktuwehq.dll
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-05-20 to 2009-06-20 )))))))))))))))))))))))))))))))
.

2009-06-16 19:46 . 2009-06-16 19:46 0 ----a-w- c:\documents and settings\tom\settings.dat
2009-06-16 19:11 . 2009-06-15 14:05 359893 -c--a-w- C:\dds.scr
2009-06-16 19:11 . 2009-06-15 14:06 359893 -c--a-w- C:\dds.com
2009-06-16 19:03 . 2009-06-16 19:03 0 ----a-w- c:\documents and settings\Administrator\settings.dat
2009-06-14 16:33 . 2004-10-15 17:32 14568 ----a-w- c:\windows\system32\drivers\wg3n.sys
2009-06-14 16:33 . 2004-10-15 17:18 21075 ----a-w- c:\windows\system32\drivers\wpsdrvnt.sys
2009-06-14 16:33 . 2004-10-15 17:17 60496 ----a-w- c:\windows\system32\drivers\Teefer.sys
2009-06-14 16:00 . 2009-06-14 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-14 15:27 . 2009-06-14 16:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-14 14:58 . 2009-06-14 14:58 -------- d-----w- c:\program files\ERUNT
2009-06-08 20:02 . 2009-06-08 20:06 -------- d-----w- c:\documents and settings\cynth\Local Settings\Application Data\Adobe
2009-06-02 20:43 . 2009-06-08 19:39 -------- d-----w- c:\program files\Loaris Trojan Remover
2009-06-02 19:20 . 2004-10-15 17:32 83096 ----a-w- c:\windows\system32\SSSensor.dll
2009-06-02 19:20 . 2009-06-02 19:20 -------- d-----w- c:\program files\Sygate
2009-05-30 17:25 . 2009-05-30 17:25 66560 ----a-w- c:\windows\system32\UACobqmnrbfgoivxer.dll
2009-05-30 17:22 . 2009-05-30 17:22 422 ----a-w- c:\documents and settings\tom\Application Data\Apple Computer\socks1.exe
2009-05-30 17:22 . 2009-05-30 17:22 16141 ----a-w- c:\documents and settings\tom\Application Data\CyberLink\lego.exe
2009-05-30 17:22 . 2009-05-30 17:22 145131 ----a-w- c:\documents and settings\tom\Application Data\ArcSoft\nomad.exe
2009-05-30 17:22 . 2009-05-30 17:22 13221 ----a-w- c:\documents and settings\tom\Application Data\AdobeUM\rengo.dll
2009-05-30 17:22 . 2009-05-30 17:22 11410 ----a-w- c:\documents and settings\tom\Application Data\Help\msgdi.dll
2009-05-30 17:22 . 2009-05-30 17:22 11232 ----a-w- c:\documents and settings\tom\Application Data\Adobe\shalom.exe
2009-05-30 17:22 . 2009-05-30 17:22 10121 ----a-w- c:\documents and settings\tom\Application Data\Identities\kern.dll
2009-05-26 20:54 . 2007-05-25 15:52 351232 ----a-w- c:\documents and settings\tom\Application Data\Mozilla\Firefox\Profiles\3sawlonc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
2009-05-26 20:54 . 2007-05-25 15:52 139264 ----a-w- c:\documents and settings\tom\Application Data\Mozilla\Firefox\Profiles\3sawlonc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-20 15:49 . 2005-12-27 15:51 -------- d-----w- c:\program files\Microsoft AntiSpyware
2009-06-20 15:49 . 2008-12-29 12:08 602 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2009-06-20 15:47 . 2008-12-12 13:19 12 ----a-w- c:\windows\bthservsdp.dat
2009-06-20 15:17 . 2008-05-28 09:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-14 15:16 . 2008-08-11 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-12 09:55 . 2008-08-11 20:48 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-08 19:18 . 2007-10-06 14:25 -------- d-----w- c:\program files\Windows Live Safety Center
2009-05-26 14:11 . 2009-05-15 08:59 174 ----a-w- c:\documents and settings\tom\Application Data\asd.bat
2009-05-26 14:11 . 2009-05-15 08:59 174 ----a-w- c:\documents and settings\tom\Application Data\asd.bat
2009-05-17 10:39 . 2009-05-17 10:39 -------- d-----w- c:\documents and settings\cynth\Application Data\Skinux
2009-05-17 10:39 . 2009-05-17 10:39 -------- d-----w- c:\documents and settings\cynth\Application Data\ArcSoft
2009-05-16 10:37 . 2006-08-15 19:22 -------- d-----w- c:\program files\Google
2009-05-11 09:11 . 2008-08-11 20:48 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-11 09:11 . 2008-08-11 20:48 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-11 09:10 . 2008-08-11 20:48 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 15:32 . 2002-09-19 19:26 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 17:46 . 2005-12-27 21:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-29 04:56 . 2006-06-23 10:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-25 11:40 . 2007-06-27 09:02 -------- d-----w- c:\program files\NCH Swift Sound
2009-04-25 11:08 . 2005-12-27 21:41 -------- d-----w- c:\program files\Java
2009-04-25 11:07 . 2009-04-25 11:07 152576 ----a-w- c:\documents and settings\tom\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 12:26 . 2002-09-19 19:26 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-16 11:43 . 2009-04-16 11:40 67 -c--a-w- C:\New Project.dat
2009-04-15 14:51 . 2004-09-30 13:27 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-03-07 11:25 . 2008-03-07 11:25 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-02 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"PrnSys Executable"="c:\program files\HP\Digital Imaging\HP Print Screen\PrnSys.exe" [2003-09-16 36864]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-28 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-11 09:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6253:TCP"= 6253:TCP:PORT_6253
"37785:TCP"= 37785:TCP:PORT_37785
"25996:TCP"= 25996:TCP:PORT_25996
"27165:TCP"= 27165:TCP:PORT_27165
"14047:TCP"= 14047:TCP:PORT_14047
"51711:TCP"= 51711:TCP:PORT_51711
"27816:TCP"= 27816:TCP:PORT_27816
"37065:TCP"= 37065:TCP:PORT_37065
"16020:TCP"= 16020:TCP:PORT_16020
"40219:TCP"= 40219:TCP:PORT_40219
"34969:TCP"= 34969:TCP:PORT_34969
"64887:TCP"= 64887:TCP:PORT_64887
"8575:TCP"= 8575:TCP:PORT_8575
"63055:TCP"= 63055:TCP:PORT_63055
"17305:TCP"= 17305:TCP:PORT_17305
"19958:TCP"= 19958:TCP:PORT_19958
"16313:TCP"= 16313:TCP:PORT_16313
"5064:TCP"= 5064:TCP:PORT_5064
"48689:TCP"= 48689:TCP:PORT_48689

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/08/2008 21:48 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/08/2008 21:48 108552]
R2 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [11/10/2006 11:31 8768]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/08/2008 21:48 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [29/01/2009 11:51 298776]
R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [01/01/1980 24608]
S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [29/07/2007 19:50 20160]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [07/03/2008 12:25 29744]
.
Contents of the 'Scheduled Tasks' folder

2009-04-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 12:34]

2009-06-17 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-06-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-22 09:09]

2009-06-20 c:\windows\Tasks\User_Feed_Synchronization-{B46AED34-E5FA-4E84-BCD5-B08221679D4F}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Loaris Trojan Remover - c:\program files\Loaris Trojan Remover\TrojanRemover.exe
HKCU-Run-SVCHOST.EXE - c:\windows\system32\drivers\svchost.exe
HKLM-Run-realteks - c:\documents and settings\tom\Application Data\Google\uqrke8412012.exe
SafeBoot-svcWRSSSDK


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZSYYYYYYYYGB
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-20 16:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-586325353-3991718394-1891130813-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2880)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\rundll32.exe
c:\program files\Microsoft AntiSpyware\gcasDtServ.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-06-20 16:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-20 15:54

Pre-Run: 55,219,998,720 bytes free
Post-Run: 55,466,569,728 bytes free

278 --- E O F --- 2009-06-14 12:23
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:56:47, on 20/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\HP\Digital Imaging\HP Print Screen\PrnSys.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\tom\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\WINDOWS\system32\WSBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PrnSys Executable] C:\Program Files\HP\Digital Imaging\HP Print Screen\PrnSys.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZSYYYYYYYYGB
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\WINDOWS\system32\WSBar.dll/VSearch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MSN Music Mediabar) - http://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 10911 bytes
 
Do you know what folder this is: C:\New Project.dat


Do you know about these open firewall ports? Do you play online games?

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6253:TCP"= 6253:TCP:PORT_6253
"37785:TCP"= 37785:TCP:PORT_37785
"25996:TCP"= 25996:TCP:PORT_25996
"27165:TCP"= 27165:TCP:PORT_27165
"14047:TCP"= 14047:TCP:PORT_14047
"51711:TCP"= 51711:TCP:PORT_51711
"27816:TCP"= 27816:TCP:PORT_27816
"37065:TCP"= 37065:TCP:PORT_37065
"16020:TCP"= 16020:TCP:PORT_16020
"40219:TCP"= 40219:TCP:PORT_40219
"34969:TCP"= 34969:TCP:PORT_34969
"64887:TCP"= 64887:TCP:PORT_64887
"8575:TCP"= 8575:TCP:PORT_8575
"63055:TCP"= 63055:TCP:PORT_63055
"17305:TCP"= 17305:TCP:PORT_17305
"19958:TCP"= 19958:TCP:PORT_19958
"16313:TCP"= 16313:TCP:PORT_16313
"5064:TCP"= 5064:TCP:PORT_5064
"48689:TCP"= 48689:TCP:PORT_48689


Run CFScript


  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and click enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:


Code:

Collect::
c:\windows\system32\UACobqmnrbfgoivxer.dll
c:\documents and settings\tom\Application Data\Apple Computer\socks1.exe
c:\documents and settings\tom\Application Data\CyberLink\lego.exe
c:\documents and settings\tom\Application Data\ArcSoft\nomad.exe
c:\documents and settings\tom\Application Data\AdobeUM\rengo.dll
c:\documents and settings\tom\Application Data\Help\msgdi.dll
c:\documents and settings\tom\Application Data\Adobe\shalom.exe
c:\documents and settings\tom\Application Data\Identities\kern.dll
c:\documents and settings\tom\Application Data\asd.bat
c:\windows\system32\bdeeg.bak1
c:\windows\system32\knnmp.bak1
c:\windows\system32\knnmp.bak2
c:\windows\system32\rrutv.bak2

Folder::
c:\program files\Loaris Trojan Remover

DDS::
IE: &Search - http://edits.mywebsearch.com/toolbar...p=ZSYYYYYYYYGB
FF - ProfilePath -

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=-
[-HKEY_CLASSES_ROOT\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
  • Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)

    CFScriptExample.jpg
  • Referring to the picture below, drag CFScript into ComboFix.exe

    CFScriptB-4.gif
  • When finished, it shall produce a log for you at C:\ComboFix.txt


NOTE: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


ATF-Cleaner

Please download ATF Cleaner by Atribune.


  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords please click No at the prompt.
  • Click Exit on the Main menu to close the program.



Kaspersky Online Scan

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


  • Please go to the Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply along with a fresh HijackThis log.





Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:

  • Answer to my question
  • ComboFix log (found at C:\Combofix.txt)
  • Kaspersky Log
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving
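The open-ports question above is worth automating when triaging this kind of log. The script below is an added example (not a tool from the thread or from the ComboFix author): it parses the REGEDIT4-style "Reg Loading Points" section that ComboFix prints and flags the three things visible in this machine's log, namely suppressed Security Center warnings, a disabled standard-profile firewall, and firewall exceptions or globally opened ports that look malware-made. The sample export is constructed from the same registry paths and value formats that appear in the thread; the list of core system binaries and the heuristic that an auto-generated PORT_<n> display name marks a port opened programmatically rather than by a user are the editor's assumptions.

```python
"""Triage a ComboFix / REGEDIT4-style firewall-policy export for signs that
malware has weakened the host firewall.  Added example, not part of the thread."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a cut-down copy of the kind of "Reg Loading Points"
# output ComboFix emits, using the same key paths and value formats.
SAMPLE_EXPORT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6253:TCP"= 6253:TCP:PORT_6253
"37785:TCP"= 37785:TCP:PORT_37785
"8575:TCP"= 8575:TCP:PORT_8575
"80:TCP"= 80:TCP:Web Server (TCP 80)
"""

# Assumption: core Windows processes only ever run from c:\windows\system32.
# A copy elsewhere (system32\drivers holds only .sys files) is a masquerade.
CORE_SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe",
                        "winlogon.exe", "csrss.exe", "smss.exe"}

KEY_RE = re.compile(r"^\[([^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_export(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each registry key (lower-cased) to its (value name, data) pairs."""
    keys: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current].append((m.group(1), m.group(2).strip()))
    return keys


def normalise_path(value_name: str) -> str:
    """Undo REGEDIT4 backslash doubling, expand %windir%, lower-case."""
    path = value_name.replace("\\\\", "\\").lower()
    return path.replace("%windir%", r"c:\windows")


def triage(text: str) -> List[str]:
    """Return one finding string per suspicious entry in the export."""
    findings: List[str] = []
    for key, values in parse_export(text).items():
        if key.endswith(r"\security center"):
            for name, data in values:
                if name.lower().endswith("disablenotify") and data.lower() == "dword:00000001":
                    findings.append(f"Security Center warning suppressed: {name}")
        elif key.endswith(r"\firewallpolicy\standardprofile"):
            for name, data in values:
                if name.lower() == "enablefirewall" and data.split()[:1] == ["0"]:
                    findings.append("Windows Firewall disabled in standard profile")
        elif key.endswith(r"\authorizedapplications\list"):
            for name, _ in values:
                path = normalise_path(name)
                directory, _, base = path.rpartition("\\")
                if base in CORE_SYSTEM_BINARIES and directory != r"c:\windows\system32":
                    findings.append(f"Firewall exception for masquerading system binary: {path}")
        elif key.endswith(r"\globallyopenports\list"):
            for name, data in values:
                port_s, _, proto = name.partition(":")
                # ComboFix prints "port:proto:display name"; the generic PORT_<n>
                # display name is what is left when a port is opened by API call.
                display = data.split(":", 2)[-1] if data.count(":") >= 2 else ""
                if port_s.isdigit() and int(port_s) > 1024 and display == f"PORT_{port_s}":
                    findings.append(f"Unexplained high port opened: {port_s}/{proto}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EXPORT):
        print(finding)
```

Run against the constructed sample it reports the two suppressed Security Center notices, the disabled firewall, the svchost.exe copy under system32\drivers, and the three unnamed high ports, while leaving the named port 80 rule and the legitimate AVG and sessmgr exceptions alone. Feed it the full "Reg Loading Points" block of a real ComboFix log and confirm any flagged port or exception against what the user actually installed before removing it.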
 
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
 
Hello!

Thread reopened.

Please delete the existing copy of ComboFix, run it, and post that log for me to see. DO NOT do anything else; disregard my last post. It is almost 5 days now, so it is better to start from the beginning again.
 
Hello,
Many thanks for reopening the thread, I really appreciate your help.
Here is the Combofix log that I produced yesterday.

ComboFix 09-06-24.05 - tom 25/06/2009 11:35.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.735.375 [GMT 1:00]
Running from: c:\documents and settings\tom\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\tom\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Sygate Personal Firewall *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Created a new restore point

file zipped: c:\documents and settings\tom\Application Data\Adobe\shalom.exe
file zipped: c:\documents and settings\tom\Application Data\AdobeUM\rengo.dll
file zipped: c:\documents and settings\tom\Application Data\Apple Computer\socks1.exe
file zipped: c:\documents and settings\tom\Application Data\ArcSoft\nomad.exe
file zipped: c:\documents and settings\tom\Application Data\asd.bat
file zipped: c:\documents and settings\tom\Application Data\CyberLink\lego.exe
file zipped: c:\documents and settings\tom\Application Data\Help\msgdi.dll
file zipped: c:\documents and settings\tom\Application Data\Identities\kern.dll
file zipped: c:\windows\system32\UACobqmnrbfgoivxer.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Loaris Trojan Remover
c:\documents and settings\tom\Application Data\Adobe\shalom.exe
c:\documents and settings\tom\Application Data\AdobeUM\rengo.dll
c:\documents and settings\tom\Application Data\Apple Computer\socks1.exe
c:\documents and settings\tom\Application Data\ArcSoft\nomad.exe
c:\documents and settings\tom\Application Data\asd.bat
c:\documents and settings\tom\Application Data\CyberLink\lego.exe
c:\documents and settings\tom\Application Data\Help\msgdi.dll
c:\documents and settings\tom\Application Data\Identities\kern.dll
c:\program files\Loaris Trojan Remover\logs\scan-2009-06-02 [21-55-28].log
c:\program files\Loaris Trojan Remover\logs\scan-2009-06-03 [09-52-52].log
c:\program files\Loaris Trojan Remover\smd.c
c:\program files\Loaris Trojan Remover\vs.c
c:\windows\system32\UACobqmnrbfgoivxer.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-06-25 )))))))))))))))))))))))))))))))
.

2009-06-16 19:46 . 2009-06-16 19:46 0 ----a-w- c:\documents and settings\tom\settings.dat
2009-06-16 19:11 . 2009-06-15 14:05 359893 -c--a-w- C:\dds.scr
2009-06-16 19:11 . 2009-06-15 14:06 359893 -c--a-w- C:\dds.com
2009-06-16 19:03 . 2009-06-16 19:03 0 ----a-w- c:\documents and settings\Administrator\settings.dat
2009-06-14 16:33 . 2004-10-15 17:32 14568 ----a-w- c:\windows\system32\drivers\wg3n.sys
2009-06-14 16:33 . 2004-10-15 17:18 21075 ----a-w- c:\windows\system32\drivers\wpsdrvnt.sys
2009-06-14 16:33 . 2004-10-15 17:17 60496 ----a-w- c:\windows\system32\drivers\Teefer.sys
2009-06-14 16:00 . 2009-06-14 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-14 15:27 . 2009-06-14 16:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-14 14:58 . 2009-06-14 14:58 -------- d-----w- c:\program files\ERUNT
2009-06-08 20:02 . 2009-06-08 20:06 -------- d-----w- c:\documents and settings\cynth\Local Settings\Application Data\Adobe
2009-06-02 19:20 . 2004-10-15 17:32 83096 ----a-w- c:\windows\system32\SSSensor.dll
2009-06-02 19:20 . 2009-06-02 19:20 -------- d-----w- c:\program files\Sygate
2009-05-26 20:54 . 2007-05-25 15:52 351232 ----a-w- c:\documents and settings\tom\Application Data\Mozilla\Firefox\Profiles\3sawlonc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
2009-05-26 20:54 . 2007-05-25 15:52 139264 ----a-w- c:\documents and settings\tom\Application Data\Mozilla\Firefox\Profiles\3sawlonc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-25 10:35 . 2006-11-23 13:18 -------- d-----w- c:\documents and settings\tom\Application Data\CyberLink
2009-06-25 10:35 . 2008-12-29 12:08 -------- d-----w- c:\documents and settings\tom\Application Data\ArcSoft
2009-06-25 10:35 . 2006-07-15 15:30 -------- d-----w- c:\documents and settings\tom\Application Data\Apple Computer
2009-06-25 10:35 . 2006-01-16 10:39 -------- d-----w- c:\documents and settings\tom\Application Data\AdobeUM
2009-06-25 10:26 . 2005-12-27 15:51 -------- d-----w- c:\program files\Microsoft AntiSpyware
2009-06-25 10:12 . 2008-12-29 12:08 602 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2009-06-24 18:01 . 2008-12-12 13:19 12 ----a-w- c:\windows\bthservsdp.dat
2009-06-20 15:17 . 2008-05-28 09:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-14 15:16 . 2008-08-11 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-12 09:55 . 2008-08-11 20:48 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-08 19:18 . 2007-10-06 14:25 -------- d-----w- c:\program files\Windows Live Safety Center
2009-05-17 10:39 . 2009-05-17 10:39 -------- d-----w- c:\documents and settings\cynth\Application Data\Skinux
2009-05-17 10:39 . 2009-05-17 10:39 -------- d-----w- c:\documents and settings\cynth\Application Data\ArcSoft
2009-05-16 10:37 . 2006-08-15 19:22 -------- d-----w- c:\program files\Google
2009-05-11 09:11 . 2008-08-11 20:48 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-11 09:11 . 2008-08-11 20:48 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-11 09:10 . 2008-08-11 20:48 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 15:32 . 2002-09-19 19:26 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 17:46 . 2005-12-27 21:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-29 04:56 . 2006-06-23 10:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-25 11:07 . 2009-04-25 11:07 152576 ----a-w- c:\documents and settings\tom\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 12:26 . 2002-09-19 19:26 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-16 11:43 . 2009-04-16 11:40 67 -c--a-w- C:\New Project.dat
2009-04-15 14:51 . 2004-09-30 13:27 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-03-07 11:25 . 2008-03-07 11:25 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-20_15.49.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-25 10:12 . 2009-06-25 10:12 16384 c:\windows\Temp\Perflib_Perfdata_634.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-02 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"Loaris Trojan Remover"="c:\program files\Loaris Trojan Remover\TrojanRemover.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"PrnSys Executable"="c:\program files\HP\Digital Imaging\HP Print Screen\PrnSys.exe" [2003-09-16 36864]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-28 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"realteks"="c:\documents and settings\tom\Application Data\Google\uqrke8412012.exe" [BU]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-11 09:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6253:TCP"= 6253:TCP:PORT_6253
"37785:TCP"= 37785:TCP:PORT_37785
"25996:TCP"= 25996:TCP:PORT_25996
"27165:TCP"= 27165:TCP:PORT_27165
"14047:TCP"= 14047:TCP:PORT_14047
"51711:TCP"= 51711:TCP:PORT_51711
"27816:TCP"= 27816:TCP:PORT_27816
"37065:TCP"= 37065:TCP:PORT_37065
"16020:TCP"= 16020:TCP:PORT_16020
"40219:TCP"= 40219:TCP:PORT_40219
"34969:TCP"= 34969:TCP:PORT_34969
"64887:TCP"= 64887:TCP:PORT_64887
"8575:TCP"= 8575:TCP:PORT_8575
"63055:TCP"= 63055:TCP:PORT_63055
"17305:TCP"= 17305:TCP:PORT_17305
"19958:TCP"= 19958:TCP:PORT_19958
"16313:TCP"= 16313:TCP:PORT_16313
"5064:TCP"= 5064:TCP:PORT_5064
"48689:TCP"= 48689:TCP:PORT_48689

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/08/2008 21:48 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/08/2008 21:48 108552]
R2 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [11/10/2006 11:31 8768]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/08/2008 21:48 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [29/01/2009 11:51 298776]
R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [01/01/1980 24608]
S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [29/07/2007 19:50 20160]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [07/03/2008 12:25 29744]
.
Contents of the 'Scheduled Tasks' folder

2009-04-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 12:34]

2009-06-24 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-06-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-22 09:09]

2009-06-24 c:\windows\Tasks\User_Feed_Synchronization-{B46AED34-E5FA-4E84-BCD5-B08221679D4F}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-25 11:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-586325353-3991718394-1891130813-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-06-25 11:41
ComboFix-quarantined-files.txt 2009-06-25 10:41
ComboFix2.txt 2009-06-20 15:54

Pre-Run: 55,651,725,312 bytes free
Post-Run: 55,640,756,224 bytes free

218 --- E O F --- 2009-06-14 12:23
Upload was successful

Also the Kaspersky log that you requested. (Also run yesterday.)


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, June 25, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, June 25, 2009 13:04:34
Records in database: 2388497
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 62048
Threat name: 6
Infected objects: 15
Suspicious objects: 0
Duration of the scan: 02:09:31


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACxrmbpxeooqxmhwu.sys.vir Infected: Trojan.Win32.Agent.chwd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\regscan.exe.vir Infected: Trojan-Downloader.Win32.Agent.hlp 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACfwowfkrxlllaylf.dll.vir Infected: Trojan.Win32.TDSS.aegg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmiiovmwcbvplwmy.dll.vir Infected: Trojan.Win32.TDSS.adzw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACwnoernthewrbrmh.dll.vir Infected: Trojan.Win32.TDSS.adzz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACxwewbbfbhqvvnip.dll.vir Infected: Trojan.Win32.TDSS.adzx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACyabwemydktuwehq.dll.vir Infected: Trojan.Win32.TDSS.adzx 1
C:\Qoobox\Quarantine\[4]-Submit_2009-06-25_11.34.35.zip Infected: Trojan.Win32.TDSS.aegg 1
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP596\A0299977.sys Infected: Trojan.Win32.Agent.chwd 1
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP596\A0299978.dll Infected: Trojan.Win32.TDSS.adzx 1
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP596\A0299979.dll Infected: Trojan.Win32.TDSS.adzw 1
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP596\A0299980.dll Infected: Trojan.Win32.TDSS.adzx 1
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP596\A0299981.dll Infected: Trojan.Win32.TDSS.adzz 1
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP596\A0299982.dll Infected: Trojan.Win32.TDSS.aegg 1
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP596\A0300004.exe Infected: Trojan-Downloader.Win32.Agent.hlp 1

The selected area was scanned.


Regarding the questions that you asked in the previous post, my friend does not know what the folder "New Project" is.
He doesn't play online games, and doesn't know about the open firewall ports.
(He is not really computer savvy.)

Very best regards

Stephen
 
Run CFScript


  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:


Code:
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Loaris Trojan Remover"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"realteks"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6253:TCP"=-
"37785:TCP"=-
"25996:TCP"=-
"27165:TCP"=-
"14047:TCP"=-
"51711:TCP"=-
"27816:TCP"=-
"37065:TCP"=-
"16020:TCP"=-
"40219:TCP"=-
"34969:TCP"=-
"64887:TCP"=-
"8575:TCP"=-
"63055:TCP"=-
"17305:TCP"=-
"19958:TCP"=-
"16313:TCP"=-
"5064:TCP"=-
"48689:TCP"=-

File::
c:\documents and settings\tom\Application Data\Google\uqrke8412012.exe
C:\New Project.dat


  • Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)

    CFScriptExample.jpg

  • Referring to the picture below, drag CFScript into ComboFix.exe

    CFScriptB-4.gif

  • When finished, it shall produce a log for you at C:\ComboFix.txt


NOTE: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Next Reply

Please reply with:

  • ComboFix log (found at C:\Combofix.txt)
  • New HijackThis log
  • A description of how your computer is behaving
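Added here as a defender's worked example (not code from this thread, from ComboFix, or from the helper): it parses a constructed excerpt in ComboFix's Reg Loading Points format, flags firewall port exceptions that carry only the generic PORT_<n> label the way the nineteen TCP entries in the log above do, and emits the matching CFScript Registry:: deletion block. The sample entries are constructed, and the PORT_<n> test is a triage heuristic, not a ComboFix rule.

```python
import re
from typing import Dict, List

# Constructed sample in the ComboFix "Reg Loading Points" format. The shape of the
# entries mirrors the log in this thread; the values are sample data, not the log.
SAMPLE_LOG = r"""[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6253:TCP"= 6253:TCP:PORT_6253
"37785:TCP"= 37785:TCP:PORT_37785
"3389:TCP"= 3389:TCP:Remote Desktop
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"""

# Key paths written the abbreviated way ComboFix prints them (and CFScript accepts them).
PROFILE_KEY = r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
OPEN_PORTS_KEY = PROFILE_KEY + r"\GloballyOpenPorts\List"

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')


def parse_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Group '"name"= data' lines under the [key] header that precedes them."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group("name")] = m.group("data").strip()
    return sections


def firewall_enabled(sections: Dict[str, Dict[str, str]]) -> bool:
    """EnableFirewall is logged as '1 (0x1)' or '0 (0x0)'; a missing value counts as enabled."""
    data = sections.get(PROFILE_KEY, {}).get("EnableFirewall", "1")
    return not data.startswith("0")


def unnamed_open_ports(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Return value names of port exceptions whose description is just PORT_<n>.

    Heuristic (an assumption of this example): an exception added through the
    firewall UI or by an installer carries the program's or service's name,
    while a bare PORT_<n> label names no owner at all, which is what the
    nineteen high TCP ports in this thread look like.
    """
    flagged: List[str] = []
    for name, data in sections.get(OPEN_PORTS_KEY, {}).items():
        parts = data.split(":", 2)  # "<port>:<proto>:<description>"
        if len(parts) != 3:
            continue
        port, _proto, description = parts
        if description == f"PORT_{port}":
            flagged.append(name)
    return flagged


def build_cfscript(value_names: List[str]) -> str:
    """Emit a CFScript Registry:: block; a trailing '=-' tells ComboFix to delete the value."""
    lines = ["Registry::", f"[{OPEN_PORTS_KEY}]"]
    lines.extend(f'"{name}"=-' for name in value_names)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_sections(SAMPLE_LOG)
    print("Windows Firewall enabled:", firewall_enabled(parsed))
    ports = unnamed_open_ports(parsed)
    print("Unattributed port exceptions:", ports)
    print(build_cfscript(ports))
```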
 
Hi,

Here is the Combo-Fix log and also the HijackThis log.

ComboFix 09-07-03.03 - tom 04/07/2009 10:28.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.735.398 [GMT 1:00]
Running from: c:\documents and settings\tom\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\tom\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Sygate Personal Firewall *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

FILE ::
"c:\documents and settings\tom\Application Data\Google\uqrke8412012.exe"
"C:\New Project.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\New Project.dat
c:\windows\Installer\3da649.msi
c:\windows\Installer\460a4c.msi
c:\windows\Installer\47cf3d.msi
c:\windows\system32\UACbwaqcmxehatlrkc.log
c:\windows\system32\UACcvamdrvnfdtkolq.log
c:\windows\system32\UACcxcqecmkeicvmky.log
c:\windows\system32\UACcxvtcratgetmscn.log
c:\windows\system32\UACdljiokilbkjbwwy.log
c:\windows\system32\UACdxuvmjgsblijjmw.log
c:\windows\system32\UACdyqxhfrxcegxdyr.log
c:\windows\system32\UACetgnmvbemharkkw.log
c:\windows\system32\UACfwowxcmdvpvwauh.log
c:\windows\system32\UACjlkxqircqfigfjp.log
c:\windows\system32\UACmjyierxtneojoou.log
c:\windows\system32\UACpbcrcvgxgxivppn.log
c:\windows\system32\UACpxrnirdqurqfdsq.log
c:\windows\system32\UACqepxqidnskaccgt.log
c:\windows\system32\UACqioxxgvynbbiyuu.log
c:\windows\system32\UACtwhxurvivknpulk.log
c:\windows\system32\UACuihsyvmuwfjxgor.log
c:\windows\system32\UACvbexujxlspbytph.log
c:\windows\system32\UACvipioiefrwapcny.log

.
((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.

2009-06-27 09:54 . 2009-06-12 09:55 1261344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll
2009-06-27 09:54 . 2009-06-12 09:55 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-06-27 09:54 . 2009-06-12 09:55 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-06-27 09:53 . 2009-06-12 09:54 1452312 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-06-27 09:53 . 2009-06-27 09:53 390664 ----a-w- c:\documents and settings\tom\Application Data\Real\RealPlayer\Update\realplayer11gold.exe
2009-06-16 19:46 . 2009-06-16 19:46 0 ----a-w- c:\documents and settings\tom\settings.dat
2009-06-16 19:11 . 2009-06-15 14:05 359893 -c--a-w- C:\dds.scr
2009-06-16 19:11 . 2009-06-15 14:06 359893 -c--a-w- C:\dds.com
2009-06-16 19:03 . 2009-06-16 19:03 0 ----a-w- c:\documents and settings\Administrator\settings.dat
2009-06-14 16:33 . 2004-10-15 17:32 14568 ----a-w- c:\windows\system32\drivers\wg3n.sys
2009-06-14 16:33 . 2004-10-15 17:18 21075 ----a-w- c:\windows\system32\drivers\wpsdrvnt.sys
2009-06-14 16:33 . 2004-10-15 17:17 60496 ----a-w- c:\windows\system32\drivers\Teefer.sys
2009-06-14 16:00 . 2009-06-14 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-14 15:27 . 2009-06-14 16:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-14 14:58 . 2009-06-14 14:58 -------- d-----w- c:\program files\ERUNT
2009-06-08 20:02 . 2009-06-08 20:06 -------- d-----w- c:\documents and settings\cynth\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 09:26 . 2005-12-27 15:51 -------- d-----w- c:\program files\Microsoft AntiSpyware
2009-07-04 09:20 . 2008-12-29 12:08 602 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2009-07-03 15:41 . 2008-12-12 13:19 12 ----a-w- c:\windows\bthservsdp.dat
2009-07-03 14:11 . 2008-05-28 09:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-27 09:54 . 2008-08-11 20:48 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-25 10:35 . 2006-11-23 13:18 -------- d-----w- c:\documents and settings\tom\Application Data\CyberLink
2009-06-25 10:35 . 2008-12-29 12:08 -------- d-----w- c:\documents and settings\tom\Application Data\ArcSoft
2009-06-25 10:35 . 2006-07-15 15:30 -------- d-----w- c:\documents and settings\tom\Application Data\Apple Computer
2009-06-25 10:35 . 2006-01-16 10:39 -------- d-----w- c:\documents and settings\tom\Application Data\AdobeUM
2009-06-14 15:16 . 2008-08-11 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-12 09:55 . 2008-08-11 20:48 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-08 19:18 . 2007-10-06 14:25 -------- d-----w- c:\program files\Windows Live Safety Center
2009-06-02 19:20 . 2009-06-02 19:20 -------- d-----w- c:\program files\Sygate
2009-05-17 10:39 . 2009-05-17 10:39 -------- d-----w- c:\documents and settings\cynth\Application Data\Skinux
2009-05-17 10:39 . 2009-05-17 10:39 -------- d-----w- c:\documents and settings\cynth\Application Data\ArcSoft
2009-05-16 10:37 . 2006-08-15 19:22 -------- d-----w- c:\program files\Google
2009-05-11 09:11 . 2008-08-11 20:48 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-11 09:10 . 2008-08-11 20:48 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 15:32 . 2002-09-19 19:26 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 17:46 . 2005-12-27 21:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-29 04:56 . 2006-06-23 10:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-25 11:07 . 2009-04-25 11:07 152576 ----a-w- c:\documents and settings\tom\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 12:26 . 2002-09-19 19:26 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-09-30 13:27 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-03-07 11:25 . 2008-03-07 11:25 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-20_15.49.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-04 09:20 . 2009-07-04 09:20 16384 c:\windows\Temp\Perflib_Perfdata_654.dat
- 2002-09-19 19:26 . 2009-04-24 08:44 63188 c:\windows\system32\perfc009.dat
+ 2002-09-19 19:26 . 2009-06-27 10:29 63188 c:\windows\system32\perfc009.dat
- 2002-09-19 19:52 . 2009-06-20 15:17 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2002-09-19 19:52 . 2009-07-03 14:11 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2002-09-19 19:52 . 2009-06-20 15:17 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2002-09-19 19:52 . 2009-07-03 14:11 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2002-09-19 19:52 . 2009-06-20 15:17 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2002-09-19 19:52 . 2009-07-03 14:11 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-11-28 14:08 . 2006-11-28 14:08 94208 c:\windows\Installer\263d04.msi
+ 2009-05-02 16:34 . 2009-05-02 16:34 24064 c:\windows\Installer\13a791.msi
+ 2007-02-06 15:23 . 2007-02-06 15:23 29696 c:\windows\Installer\107ebd.msi
+ 2002-09-19 19:16 . 2002-08-29 12:00 67584 c:\windows\I386\WINNT32.MSI
- 2002-09-19 19:26 . 2009-04-24 08:44 403968 c:\windows\system32\perfh009.dat
+ 2002-09-19 19:26 . 2009-06-27 10:29 403968 c:\windows\system32\perfh009.dat
+ 2008-09-17 16:53 . 2007-04-02 18:34 366080 c:\windows\ServicePackFiles\i386\digreqex.msi
+ 2008-09-17 16:53 . 2007-04-02 18:34 863232 c:\windows\ServicePackFiles\i386\digopt.msi
+ 2009-02-11 15:59 . 2009-02-11 15:59 697856 c:\windows\Installer\df0c4.msi
+ 2008-12-29 12:07 . 2008-12-29 12:07 202752 c:\windows\Installer\d9d98.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 182784 c:\windows\Installer\d9d87.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 182784 c:\windows\Installer\d9d82.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 185856 c:\windows\Installer\d9d7d.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 307712 c:\windows\Installer\d9d78.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 183808 c:\windows\Installer\d9d73.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 302592 c:\windows\Installer\d9d6e.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 190464 c:\windows\Installer\d9d69.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 295936 c:\windows\Installer\d9d64.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 370688 c:\windows\Installer\d9d5f.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 281088 c:\windows\Installer\d9d5a.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 212992 c:\windows\Installer\d9d54.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 562688 c:\windows\Installer\d9d4e.msi
+ 2008-12-29 12:04 . 2008-12-29 12:04 186368 c:\windows\Installer\d9d49.msi
+ 2008-12-29 12:04 . 2008-12-29 12:04 180736 c:\windows\Installer\d9d44.msi
+ 2008-12-29 12:04 . 2008-12-29 12:04 181248 c:\windows\Installer\d9d3f.msi
+ 2008-12-29 12:04 . 2008-12-29 12:04 396800 c:\windows\Installer\d9d3a.msi
+ 2008-12-29 12:04 . 2008-12-29 12:04 406528 c:\windows\Installer\d9d35.msi
+ 2008-12-29 12:04 . 2008-12-29 12:04 291840 c:\windows\Installer\d9d30.msi
+ 2008-12-29 12:04 . 2008-12-29 12:04 357376 c:\windows\Installer\d9d2b.msi
+ 2008-12-29 12:04 . 2008-12-29 12:04 291840 c:\windows\Installer\d9d26.msi
+ 2008-12-29 12:04 . 2008-12-29 12:04 182784 c:\windows\Installer\d9d21.msi
+ 2008-12-29 12:04 . 2008-12-29 12:04 288768 c:\windows\Installer\d9d1c.msi
+ 2008-12-29 12:04 . 2008-12-29 12:04 294912 c:\windows\Installer\d9d17.msi
+ 2002-09-19 19:54 . 2002-09-19 19:54 264704 c:\windows\Installer\d91e.msi
+ 2007-06-21 17:34 . 2007-06-21 17:34 509952 c:\windows\Installer\9db3f.msi
+ 2009-06-14 16:33 . 2009-06-14 16:33 981504 c:\windows\Installer\8298c.msi
+ 2009-01-10 20:57 . 2009-01-10 20:57 562176 c:\windows\Installer\8052d.msi
+ 2007-08-15 12:04 . 2007-08-15 12:04 431104 c:\windows\Installer\7902e6.msi
+ 2008-11-12 19:25 . 2008-11-12 19:25 432640 c:\windows\Installer\715032.msi
+ 2008-10-01 11:38 . 2008-10-01 11:38 532992 c:\windows\Installer\65d98.msi
+ 2007-12-01 11:46 . 2007-12-01 11:46 492032 c:\windows\Installer\65bdf.msi
+ 2008-08-11 20:47 . 2008-08-11 20:47 337408 c:\windows\Installer\47c833.msi
+ 2009-05-17 10:31 . 2009-05-17 10:31 806912 c:\windows\Installer\2e051f.msi
+ 2006-11-18 13:42 . 2006-11-18 13:42 428544 c:\windows\Installer\23842f.msi
+ 2006-06-13 14:12 . 2006-06-13 14:12 509440 c:\windows\Installer\203a12.msp
+ 2005-12-27 17:40 . 2005-12-27 17:40 131072 c:\windows\Installer\1e4a1.msi
+ 2005-12-27 17:40 . 2005-12-27 17:40 131072 c:\windows\Installer\1e49c.msi
+ 2005-12-27 17:40 . 2005-12-27 17:40 132608 c:\windows\Installer\1e497.msi
+ 2005-12-27 17:39 . 2005-12-27 17:39 327680 c:\windows\Installer\1e492.msi
+ 2005-12-27 17:21 . 2005-12-27 17:21 129536 c:\windows\Installer\1c64a7.msi
+ 2005-12-27 17:20 . 2005-12-27 17:20 540672 c:\windows\Installer\1c6483.msi
+ 2005-12-27 17:19 . 2005-12-27 17:19 501248 c:\windows\Installer\1c6478.msi
+ 2005-12-27 17:19 . 2005-12-27 17:19 130560 c:\windows\Installer\1c6473.msi
+ 2005-12-27 17:19 . 2005-12-27 17:19 510464 c:\windows\Installer\1c646e.msi
+ 2005-12-27 17:18 . 2005-12-27 17:18 275456 c:\windows\Installer\1c6459.msi
+ 2005-12-27 17:18 . 2005-12-27 17:18 340480 c:\windows\Installer\1c6443.msi
+ 2005-12-27 17:15 . 2005-12-27 17:15 209920 c:\windows\Installer\1c6424.msi
+ 2008-06-11 13:02 . 2008-06-11 13:02 830464 c:\windows\Installer\19fe946.msp
+ 2006-03-11 13:58 . 2006-03-11 13:58 557056 c:\windows\Installer\194908.msi
+ 2006-05-12 16:49 . 2005-04-04 00:07 982016 c:\windows\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\ISScript11.Msi
+ 2002-09-19 19:26 . 2004-07-17 18:35 1326080 c:\windows\system32\webfldrs.msi
+ 2004-07-17 18:35 . 2004-07-17 18:35 1326080 c:\windows\ServicePackFiles\i386\webfldrs.msi
+ 2008-09-17 16:54 . 2007-04-02 18:42 5080576 c:\windows\ServicePackFiles\i386\msnmsgs.msi
+ 2007-05-25 12:08 . 2007-05-25 12:08 9609728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp
+ 2008-06-04 12:54 . 2008-06-04 12:54 3620864 c:\windows\Installer\f7820.msi
+ 2007-03-19 09:31 . 2007-03-19 09:31 5259776 c:\windows\Installer\e4254.msp
+ 2009-04-06 16:00 . 2009-04-06 16:00 5518336 c:\windows\Installer\e1a4a.msp
+ 2008-10-22 22:43 . 2008-10-22 22:43 6820352 c:\windows\Installer\ddeb8b.msp
+ 2008-10-22 22:48 . 2008-10-22 22:48 7672832 c:\windows\Installer\ddeb79.msp
+ 2008-11-05 14:25 . 2008-11-05 14:25 5518336 c:\windows\Installer\ddeb67.msp
+ 2007-09-18 13:18 . 2007-09-18 13:18 5489152 c:\windows\Installer\da55dc.msp
+ 2008-12-29 12:06 . 2008-12-29 12:06 1506304 c:\windows\Installer\d9d92.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 1922560 c:\windows\Installer\d9d8c.msi
+ 2008-12-29 12:04 . 2008-12-29 12:04 1020928 c:\windows\Installer\d9d11.msi
+ 2008-12-29 12:01 . 2008-12-29 12:01 2109440 c:\windows\Installer\d9d0b.msi
+ 2008-09-05 12:08 . 2008-09-05 12:08 5515776 c:\windows\Installer\c6fe91.msp
+ 2007-06-19 14:48 . 2007-06-19 14:48 5247488 c:\windows\Installer\b4fe2.msp
+ 2007-06-05 13:48 . 2007-06-05 13:48 9944064 c:\windows\Installer\b4fd0.msp
+ 2009-01-14 15:43 . 2009-01-14 15:43 5520384 c:\windows\Installer\9c0fc8.msp
+ 2008-04-18 13:26 . 2008-04-18 13:26 5518336 c:\windows\Installer\880b76.msp
+ 2006-05-12 16:49 . 2006-05-12 16:49 8979968 c:\windows\Installer\87178.msi
+ 2009-01-10 22:23 . 2009-01-10 22:23 2329600 c:\windows\Installer\7cd16.msi
+ 2007-05-25 10:55 . 2007-05-25 10:55 5265408 c:\windows\Installer\7c910a.msp
+ 2009-05-12 12:01 . 2009-05-12 12:01 6818816 c:\windows\Installer\7b604.msp
+ 2009-05-28 11:32 . 2009-05-28 11:32 5518848 c:\windows\Installer\7b5f2.msp
+ 2009-04-23 16:57 . 2009-04-23 16:57 7672832 c:\windows\Installer\7b5e0.msp
+ 2007-07-23 15:40 . 2007-07-23 15:40 9945600 c:\windows\Installer\79031b.msp
+ 2007-07-24 14:02 . 2007-07-24 14:02 5240320 c:\windows\Installer\790309.msp
+ 2007-05-22 08:46 . 2007-05-22 08:46 6108672 c:\windows\Installer\7902f7.msp
+ 2008-10-25 09:15 . 2008-10-25 09:15 6227456 c:\windows\Installer\715055.msp
+ 2008-10-17 09:03 . 2008-10-17 09:03 5518336 c:\windows\Installer\715043.msp
+ 2009-02-11 15:02 . 2009-02-11 15:02 5519872 c:\windows\Installer\56bf75.msp
+ 2005-10-26 14:59 . 2005-10-26 14:59 2883072 c:\windows\Installer\54dcfd.msp
+ 2006-12-04 13:51 . 2006-12-04 13:51 5250560 c:\windows\Installer\54dceb.msp
+ 2008-03-16 16:11 . 2008-03-16 16:11 5512704 c:\windows\Installer\543f04.msp
+ 2009-05-01 14:49 . 2009-05-01 14:49 4328960 c:\windows\Installer\5029fa.msp
+ 2007-11-02 09:30 . 2007-11-02 09:30 7554048 c:\windows\Installer\4e49cf.msp
+ 2008-01-14 16:53 . 2008-01-14 16:53 5213696 c:\windows\Installer\4df31a.msp
+ 2008-01-25 15:29 . 2008-01-25 15:29 5514752 c:\windows\Installer\4df309.msp
+ 2009-01-10 22:10 . 2009-01-10 22:10 1549312 c:\windows\Installer\4b3ad8.msi
+ 2007-11-16 12:58 . 2007-11-16 12:58 5495296 c:\windows\Installer\4895eb.msp
+ 2007-11-08 11:42 . 2007-11-08 11:42 4158464 c:\windows\Installer\4895da.msp
+ 2009-03-05 14:40 . 2009-03-05 14:40 6819840 c:\windows\Installer\4815fb.msp
+ 2008-08-14 14:01 . 2008-08-14 14:01 5517312 c:\windows\Installer\44a463.msp
+ 2007-01-24 13:05 . 2007-01-24 13:05 5228544 c:\windows\Installer\4251b7.msp
+ 2007-01-19 10:46 . 2007-01-19 10:46 6814208 c:\windows\Installer\425193.msp
+ 2006-12-18 11:48 . 2006-12-18 11:48 5444096 c:\windows\Installer\425181.msp
+ 2007-01-24 07:48 . 2007-01-24 07:48 9804800 c:\windows\Installer\42516f.msp
+ 2007-01-10 10:05 . 2007-01-10 10:05 9921024 c:\windows\Installer\42515d.msp
+ 2006-11-20 16:37 . 2006-11-20 16:37 6553088 c:\windows\Installer\42514b.msp
+ 2008-05-15 08:50 . 2008-05-15 08:50 5515776 c:\windows\Installer\4217cd.msp
+ 2008-01-31 10:30 . 2008-01-31 10:30 9947648 c:\windows\Installer\3df00b.msp
+ 2008-02-15 14:57 . 2008-02-15 14:57 5517312 c:\windows\Installer\3defe5.msp
+ 2008-12-12 11:09 . 2008-12-12 11:09 5517824 c:\windows\Installer\2ffd47.msp
+ 2007-04-11 12:47 . 2007-04-11 12:47 5264896 c:\windows\Installer\2794ab.msp
+ 2007-04-25 14:14 . 2007-04-25 14:14 9828864 c:\windows\Installer\279487.msp
+ 2007-04-25 14:09 . 2007-04-25 14:09 9944064 c:\windows\Installer\279475.msp
+ 2007-04-25 14:10 . 2007-04-25 14:10 6835712 c:\windows\Installer\279463.msp
+ 2006-09-19 16:13 . 2006-09-19 16:13 8272896 c:\windows\Installer\203a5a.msp
+ 2006-10-12 10:50 . 2006-10-12 10:50 1091584 c:\windows\Installer\203a48.msp
+ 2006-12-19 15:42 . 2006-12-19 15:42 4008448 c:\windows\Installer\2039ff.msp
+ 2006-12-19 15:42 . 2006-12-19 15:42 6649856 c:\windows\Installer\2039fe.msp
+ 2006-09-11 12:19 . 2006-09-11 12:19 6253056 c:\windows\Installer\2039d6.msp
+ 2006-11-20 13:42 . 2006-11-20 13:42 9713664 c:\windows\Installer\2039b2.msp
+ 2005-12-27 17:20 . 2005-12-27 17:20 1179648 c:\windows\Installer\1c6492.msi
+ 2008-06-11 14:05 . 2008-06-11 14:05 9994240 c:\windows\Installer\1a06af.msp
+ 2008-06-10 13:09 . 2008-06-10 13:09 5517312 c:\windows\Installer\1a0699.msp
+ 2008-07-16 09:39 . 2008-07-16 09:39 5519360 c:\windows\Installer\19fe96a.msp
+ 2008-07-08 10:27 . 2008-07-08 10:27 8436736 c:\windows\Installer\19fe958.msp
+ 2004-09-30 13:21 . 2004-09-30 13:21 3443712 c:\windows\Installer\17b78.msi
+ 2007-09-10 16:01 . 2007-09-10 16:01 5488640 c:\windows\Installer\176f959.msp
+ 2009-01-10 22:44 . 2009-01-10 22:44 3762688 c:\windows\Installer\13c230.msi
+ 2009-01-10 22:42 . 2009-01-10 22:42 1652224 c:\windows\Installer\13c0a3.msi
+ 2009-01-10 22:41 . 2009-01-10 22:41 8989696 c:\windows\Installer\13c09e.msi
+ 2009-01-10 22:38 . 2009-01-10 22:38 3152384 c:\windows\Installer\13be09.msi
+ 2004-09-30 13:48 . 2004-09-30 13:48 3135488 c:\windows\Installer\12abd.msi
+ 2004-09-30 13:46 . 2004-09-30 13:46 4716032 c:\windows\Installer\12ab0.msi
+ 2004-09-30 13:44 . 2004-09-30 13:44 3924992 c:\windows\Installer\12aa0.msi
+ 2004-09-30 13:42 . 2004-09-30 13:42 1225728 c:\windows\Installer\12a9a.msi
+ 2007-02-12 16:30 . 2007-02-12 16:30 5235200 c:\windows\Installer\1147a5.msp
+ 2005-12-27 15:49 . 2009-05-17 10:25 6170112 c:\windows\Downloaded Installations\{C0FA7138-477B-4FEC-8F23-640C21C2287B}\Microsoft AntiSpyware.msi
+ 2006-05-12 16:49 . 2005-12-21 10:57 9934848 c:\windows\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\iTunes.msi
+ 2005-12-27 14:11 . 2004-09-30 13:25 10038784 c:\windows\system32\config\systemprofile\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142040}\Java 2 Runtime Environment, SE v1.4.2_04.msi
+ 2005-09-23 07:48 . 2005-09-23 07:48 24863744 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\netfx.msi
+ 2007-02-06 15:22 . 2007-01-19 13:20 16633344 c:\windows\Installer\MSN Messenger 8.1.0178\MsnMsgs.Msi
+ 2008-12-29 11:58 . 2008-12-29 11:58 26360320 c:\windows\Installer\d9d00.msi
+ 2008-08-13 13:49 . 2008-08-13 13:49 11816960 c:\windows\Installer\c6fea3.msp
+ 2008-04-14 13:26 . 2008-04-14 13:26 11888128 c:\windows\Installer\880b64.msp
+ 2007-12-01 11:47 . 2007-12-01 11:47 19210240 c:\windows\Installer\65c2a.msp
+ 2007-12-01 13:55 . 2007-12-01 13:55 15256576 c:\windows\Installer\5d3bc2.msp
+ 2008-01-14 15:24 . 2008-01-14 15:24 10721280 c:\windows\Installer\4df2f7.msp
+ 2008-01-14 16:50 . 2008-01-14 16:50 11887104 c:\windows\Installer\4df2e5.msp
+ 2008-07-30 07:50 . 2008-07-30 07:50 12506112 c:\windows\Installer\44a487.msp
+ 2008-06-04 12:29 . 2008-06-04 12:29 16905728 c:\windows\Installer\44a475.msp
+ 2007-01-18 14:29 . 2007-01-18 14:29 10978816 c:\windows\Installer\4251a5.msp
+ 2008-01-31 09:45 . 2008-01-31 09:45 11565056 c:\windows\Installer\3df030.msp
+ 2008-02-29 22:09 . 2008-02-29 22:09 16907776 c:\windows\Installer\3df01e.msp
+ 2008-03-17 12:48 . 2008-03-17 12:48 11813888 c:\windows\Installer\342398.msp
+ 2005-08-08 14:25 . 2005-08-08 14:25 97385984 c:\windows\Installer\285eae.msp
+ 2007-05-01 08:29 . 2007-05-01 08:29 10994688 c:\windows\Installer\279499.msp
+ 2006-09-27 14:28 . 2006-09-27 14:28 10256384 c:\windows\Installer\203a36.msp
+ 2006-09-19 11:23 . 2006-09-19 11:23 12292096 c:\windows\Installer\203a24.msp
+ 2006-09-12 22:44 . 2006-09-12 22:44 13737984 c:\windows\Installer\2039c4.msp
+ 2008-07-08 09:09 . 2008-07-08 09:09 11887616 c:\windows\Installer\19fe97c.msp
+ 2008-07-01 08:25 . 2008-07-01 08:25 11814912 c:\windows\Installer\19fe935.msp
+ 2006-05-12 16:44 . 2006-05-12 16:43 33983488 c:\windows\Downloaded Installations\{CB6E9C5F-FCB5-4937-A4BF-6032D737110C}\iPod for Windows 2006-01-10.msi
+ 2007-07-27 08:03 . 2007-07-27 08:03 119977472 c:\windows\Installer\1b1e4b8.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-02 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"PrnSys Executable"="c:\program files\HP\Digital Imaging\HP Print Screen\PrnSys.exe" [2003-09-16 36864]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-28 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-11 09:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/08/2008 21:48 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/08/2008 21:48 108552]
R2 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [11/10/2006 11:31 8768]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/08/2008 21:48 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [29/01/2009 11:51 298776]
R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [01/01/1980 24608]
S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [29/07/2007 19:50 20160]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [07/03/2008 12:25 29744]
.
Contents of the 'Scheduled Tasks' folder

2009-04-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 12:34]

2009-07-03 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-07-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-22 09:09]

2009-07-03 c:\windows\Tasks\User_Feed_Synchronization-{B46AED34-E5FA-4E84-BCD5-B08221679D4F}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\tom\Application Data\Mozilla\Firefox\Profiles\3sawlonc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-04 10:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-586325353-3991718394-1891130813-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-07-04 10:37
ComboFix-quarantined-files.txt 2009-07-04 09:36
ComboFix2.txt 2009-06-25 10:42
ComboFix3.txt 2009-06-20 15:54

Pre-Run: 55,406,632,960 bytes free
Post-Run: 55,604,523,008 bytes free

386 --- E O F --- 2009-06-14 12:23

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:01, on 04/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\HP\Digital Imaging\HP Print Screen\PrnSys.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\tom\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\WINDOWS\system32\WSBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PrnSys Executable] C:\Program Files\HP\Digital Imaging\HP Print Screen\PrnSys.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [realteks] "C:\Documents and Settings\tom\Application Data\Google\uqrke8412012.exe" 2
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Loaris Trojan Remover] "C:\Program Files\Loaris Trojan Remover\TrojanRemover.exe" 0
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\WINDOWS\system32\WSBar.dll/VSearch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MSN Music Mediabar) - http://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 11159 bytes

Regarding how the computer is behaving.
The false infection warning pop-ups have now ceased. (Before your help, they were occurring very frequently.)
Sygate is now running correctly (it was not previously, and we were unable to reinstall it).
My friend tells me that he is unable to access Google from his own user (Tom) (as the system locks out).
However he can access Google from one of the other users that are defined on the system.

Once again many thanks for your help.

Best regards

Stephen
 
Hello!

Looks like your friend got reinfected. I am looking into the Google problem.

Disable Teatimer

Please disable Teatimer as it may interfere with the fix.

  • If you have version 1.6, right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).
  • Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
  • Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
  • Click on Mode > Advanced Mode. When it prompts you, click Yes.
  • On the left hand side, click on Tools.
  • Check this box if it is not yet ticked: Resident.
  • You will notice that Resident is now added under Tools. Click on Resident.
  • Uncheck this box: Resident "TeaTimer" (Protection of over-all system settings) active.
  • Exit Spybot Search & Destroy.
  • Reboot your machine for the changes to take effect.

Once your log is clean you can re-enable those settings in TeaTimer.


Remove HijackThis entries


  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKLM\..\Run: [realteks] "C:\Documents and Settings\tom\Application Data\Google\uqrke8412012.exe" 2
    O4 - HKCU\..\Run: [Loaris Trojan Remover] "C:\Program Files\Loaris Trojan Remover\TrojanRemover.exe" 0
    O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
  • Close all open windows and browsers/email etc...
  • Click on the Fix Checked button
  • When completed close the application.



Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.



  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the Perform Full Scan option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say The scan completed successfully. Click 'Show Results' to display all objects found.
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Uninstall list

Make an uninstall list using HijackThis. To access the Uninstall Manager you would do the following:


  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.



Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:

  • Hijackthis Uninstall list
  • Malwarebytes Antimalware log
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving
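The two logs above carry the tells a malware-removal helper looks for by eye: ComboFix's registry dump shows the Security Center notifications silenced and the XP firewall switched off, and the HijackThis log has an orphaned URLSearchHook plus two O4 entries with structural red flags (an executable named svchost.exe started from a Run key and living in system32\drivers rather than system32, and an autostart .exe with a random-looking name under a user's Application Data folder). The script below is an added example, not part of the original thread and not code from HijackThis or ComboFix; the heuristics are my own and deliberately simple, and the sample lines are constructed copies of entries in the posted logs. It does not catch the Loaris entry, which is suspect because of the product behind it rather than anything in the line itself; that needs a reputation lookup, not a regex.

```python
"""Triage ComboFix Security Center/firewall registry lines and HijackThis R3/O4 entries.

Added example, not part of the original thread and not HijackThis or ComboFix code.
Heuristics are my own; sample lines are constructed copies of entries in the posted logs.
"""
import ntpath
import re

# --- Security Center / firewall tampering (ComboFix registry dump) ----------
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?:dword:)?(?P<value>[0-9a-fA-F]+)')
# Set to 1, these silence the "no antivirus / no updates / no firewall" balloons.
NOTIFY_VALUES = {"antivirusdisablenotify", "updatesdisablenotify", "firewalldisablenotify"}


def security_center_tampering(reg_lines):
    """Return (key, name, value) for values that silence Security Center or turn the
    XP firewall off. Per-vendor DisableMonitoring values under Monitoring\\ are
    written by the vendor's own product, so they are deliberately not flagged."""
    hits, key = [], ""
    for line in reg_lines:
        line = line.strip()
        k = REG_KEY_RE.match(line)
        if k:
            key = k.group("key").lower()
            continue
        v = REG_VAL_RE.match(line)
        if not v:
            continue
        name, value = v.group("name").lower(), int(v.group("value"), 16)
        if key.endswith("\\security center") and name in NOTIFY_VALUES and value == 1:
            hits.append((key, name, value))
        elif key.endswith("firewallpolicy\\standardprofile") and name == "enablefirewall" and value == 0:
            hits.append((key, name, value))
    return hits


# --- HijackThis autostart entries -------------------------------------------
# O4 - HKLM\..\Run: [name] "C:\path\file.exe" args
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*"?(?P<path>.+?\.exe)"?',
    re.IGNORECASE)
# Core Windows binaries are started by the kernel or the SCM, never from a Run key.
CORE_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows")
# User-writable profile locations; vendor updaters in HKCU are a known false-positive class.
PROFILE_MARKERS = ("\\application data\\", "\\local settings\\temp\\", "\\appdata\\", "\\temp\\")


def triage_line(line):
    """Return the reasons an R3/O4 line looks like persistence ([] when it looks clean)."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        path = m.group("path").lower()
        directory, filename = ntpath.split(path)
        if filename in CORE_BINARIES:
            reasons.append("core Windows binary name in a Run key")
            if directory not in SYSTEM_DIRS:
                reasons.append("runs from %s instead of system32" % directory)
        if any(marker in path for marker in PROFILE_MARKERS):
            reasons.append("autostart from a user-writable profile directory")
        if re.search(r"[a-z]+\d{4,}$", filename[:-4]):
            reasons.append("random-looking filename (letters then a long digit run)")
    elif line.startswith("R3 - URLSearchHook") and line.rstrip().endswith("(no file)"):
        reasons.append("orphaned URLSearchHook: CLSID with no file behind it")
    return reasons


def triage_hjt(lines):
    """Return [(line, reasons)] for every line that tripped at least one heuristic."""
    return [(line, triage_line(line)) for line in lines if triage_line(line)]


# Constructed from the ComboFix and HijackThis logs posted in this thread.
SAMPLE_REG = [
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]",
    r'"AntiVirusDisableNotify"=dword:00000001',
    r'"UpdatesDisableNotify"=dword:00000001',
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]",
    r'"DisableMonitoring"=dword:00000001',
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]",
    r'"EnableFirewall"= 0 (0x0)',
]
SAMPLE_HJT = [
    r"R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [realteks] "C:\Documents and Settings\tom\Application Data\Google\uqrke8412012.exe" 2',
    r'O4 - HKCU\..\Run: [Loaris Trojan Remover] "C:\Program Files\Loaris Trojan Remover\TrojanRemover.exe" 0',
    r"O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')",
]

if __name__ == "__main__":
    for hit in security_center_tampering(SAMPLE_REG):
        print("TAMPERED: %s\\%s = %d" % hit)
    for line, reasons in triage_hjt(SAMPLE_HJT):
        print("SUSPECT : %s\n          %s" % (line, "; ".join(reasons)))
```

Run against the samples it reports the two silenced Security Center notifications, the disabled firewall profile, the orphaned R3 hook, the realteks entry (profile directory plus random-looking name) and the svchost.exe Run entry (core binary name, wrong directory), and leaves the QuickTime, Loaris and ctfmon lines alone. Treat the output as a shortlist for a human to confirm, not a verdict: the profile-directory rule in particular will trip on legitimate per-user updaters on newer Windows versions.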
 
Hi,

Thanks for your help, I'll follow the instructions and send you the logs etc later this week.
Best regards
Stephen
 
Hi,

I visited my friend this morning to do the scans etc.
The Malwarebytes scan has been running for 5 hours 24 minutes now, has scanned 45437 objects, and found 6 infected objects.
Is this length of time excessive, or would you expect the scan to have to run overnight for example before completing?
One thing that my friend mentioned (I don't know whether this would influence the duration of the scan), but his daughter has been using the internet while the scan is running (from her own computer via a wireless connection).
Can you advise please?

Best regards

Stephen
 
Hello!

That seems like a very long scan time. What you could do is run a quick scan now and then run the full scan overnight. Several things affect the scan time: how powerful the machine is, whether the computer is being used, whether other security programs are running, how many files there are to scan, and so on. His daughter's internet surfing won't affect the scan time.
 