Virtumonde virus



gjnalder
2010-02-20, 08:21
Hello, I have been using Spybot for ages, and 3 days ago when scanning my computer it found the Virtumonde virus, which I asked it to delete. I then rebooted the computer (without being connected to the internet) and scanned again, and the virus was still showing. I scanned again now and the virus is still there. What can I do please?
cheers

Hijack log below:
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 4:48:14 PM, on 20/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ati2sgag.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {01E7E5F8-63DE-4B78-B0CB-98E78A1BAAD1} - C:\WINDOWS\System32\dsauth32.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\Owner\Application Data\SystemProc\lsass.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Search - ?p=ZKxdm011YYAU
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll/206 (file missing)
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jre/6u10-b92-b/jinstall-6u10-windows-i586-jc.cab?e=1226823619453&h=81709914d9c8a2165de892c5cedc2991/&filename=jinstall-6u10-windows-i586-jc.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: hiro - {50BA1131-168F-4C08-A69B-4012273F222E} - C:\Program Files\Hiro-Media\HiroClient\OldHiroProtocolHandler.dll
O18 - Protocol: hirodownload - {77F2FF4C-CEDD-4C71-8ABF-DF7CC05EFC63} - C:\Program Files\Hiro-Media\HiroClient\HiroProtocolHandler.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\SYSTEM32\,C:\WINDOWS\SYSTEM32\,C:\WINDOWS\SYSTEM32\ C:\WINDOWS\SYSTEM32\EAPPGNUI32.DLL C:\PROGRA~1\GOOGLE\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Canon BJ Memory Card Manager (Bjmcmng) - CANON INC. - C:\Program Files\Canon\BJCard\Bjmcmng.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 11034 bytes
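The following script is an added example for this thread, not part of HijackThis, Spybot or the forum's own tooling: it applies, as code, the checks a helper does by eye on the log above (a core system process name such as lsass.exe starting from outside the Windows directory, an unnamed BHO, an orphaned toolbar entry, a context-menu item that is neither a file nor a res:// URL, and a populated AppInit_DLLs value). It assumes Windows is installed on C:, and the sample lines are copied from the log posted above.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example for this thread; not code from HijackThis, Spybot or the forum.
A finding only says "look at this"; the CLSID and file should still be checked
before anything is fixed, as the helper in this thread does.
"""
import re
from dataclasses import dataclass

# Core Windows process names that malware borrows; legitimate copies live in
# %SystemRoot%\system32 (explorer.exe in %SystemRoot%). Assumes Windows on C:.
SYSTEM_PROCESS_NAMES = {"lsass.exe", "svchost.exe", "winlogon.exe", "csrss.exe",
                        "smss.exe", "services.exe", "explorer.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows")


@dataclass
class Finding:
    section: str    # HJT section tag, e.g. "O4"
    severity: str   # "high", "review" or "low"
    reason: str
    line: str


# O4 - HKLM\..\Run: [name] command line
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O2 - BHO: name - {CLSID} - path
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
O8_RE = re.compile(r"^O8 - Extra context menu item: (?P<name>.*?) - (?P<target>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+)$")


def _exe_path(cmd):
    """Return the executable path from an O4 command line (quoted or unquoted)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    # Unquoted paths may contain spaces: take everything up to the first ".exe"
    # that is followed by whitespace or end of line.
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def triage_line(line):
    """Return a Finding for one HJT line, or None if nothing stands out."""
    line = line.rstrip()
    m = O4_RE.match(line)
    if m:
        path = _exe_path(m.group("cmd")).lower()
        folder, _, base = path.rpartition("\\")
        if base in SYSTEM_PROCESS_NAMES and folder not in SYSTEM_DIRS:
            return Finding("O4", "high",
                           f"{base} starting from {folder!r}, not a Windows system directory", line)
        if "policies\\explorer\\run" in m.group("key").lower():
            return Finding("O4", "review",
                           "Policies\\Explorer\\Run autostart; rarely used by legitimate software", line)
        return None
    m = O2_RE.match(line)
    if m:
        if m.group("name").strip() == "(no name)":
            return Finding("O2", "review",
                           f"BHO with no name loads {m.group('path')}; look up the CLSID before fixing", line)
        return None
    m = O3_RE.match(line)
    if m:
        if m.group("path").strip() == "(no file)":
            return Finding("O3", "low",
                           "orphaned toolbar entry: the registered file no longer exists", line)
        return None
    m = O8_RE.match(line)
    if m:
        target = m.group("target").strip()
        if not (target.lower().startswith("res://") or re.match(r"^[a-z]:\\", target, re.IGNORECASE)):
            return Finding("O8", "review",
                           f"context-menu target {target!r} is neither a local file nor a res:// URL", line)
        return None
    m = O20_RE.match(line)
    if m:
        # Value is a space/comma separated list; drop bare directory entries.
        dlls = [d for d in re.split(r"[ ,]+", m.group("value")) if d and not d.endswith("\\")]
        return Finding("O20", "review",
                       "AppInit_DLLs loads into every process that maps user32.dll: " + ", ".join(dlls), line)
    return None


def triage_log(text):
    """Run every line of an HJT log through the checks; findings come back in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


# Constructed sample: lines copied from the log above plus benign O4 lines for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {01E7E5F8-63DE-4B78-B0CB-98E78A1BAAD1} - C:\WINDOWS\System32\dsauth32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\Owner\Application Data\SystemProc\lsass.exe
O8 - Extra context menu item: &Search - ?p=ZKxdm011YYAU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O20 - AppInit_DLLs: C:\WINDOWS\SYSTEM32\,C:\WINDOWS\SYSTEM32\,C:\WINDOWS\SYSTEM32\ C:\WINDOWS\SYSTEM32\EAPPGNUI32.DLL C:\PROGRA~1\GOOGLE\GOOGLE~3\GOEC62~1.DLL
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```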

km2357
2010-02-23, 20:21
Hello and welcome to Safer Networking.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please post a fresh HiJackThis log.

gjnalder
2010-02-24, 00:52
Thank you so much, new log attached.

cheers
J.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 9:20:24 AM, on 24/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {01E7E5F8-63DE-4B78-B0CB-98E78A1BAAD1} - C:\WINDOWS\System32\dsauth32.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\Owner\Application Data\SystemProc\lsass.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Search - ?p=ZKxdm011YYAU
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll/206 (file missing)
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jre/6u10-b92-b/jinstall-6u10-windows-i586-jc.cab?e=1226823619453&h=81709914d9c8a2165de892c5cedc2991/&filename=jinstall-6u10-windows-i586-jc.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: hiro - {50BA1131-168F-4C08-A69B-4012273F222E} - C:\Program Files\Hiro-Media\HiroClient\OldHiroProtocolHandler.dll
O18 - Protocol: hirodownload - {77F2FF4C-CEDD-4C71-8ABF-DF7CC05EFC63} - C:\Program Files\Hiro-Media\HiroClient\HiroProtocolHandler.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Canon BJ Memory Card Manager (Bjmcmng) - CANON INC. - C:\Program Files\Canon\BJCard\Bjmcmng.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 11015 bytes

km2357
2010-02-24, 06:22
Step # 1: Remove HijackThis Entries

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.


Step # 2: Download and run DDS

Download DDS and save it to your desktop from here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.


Step # 3: Download and Run Gmer

Please download gmer.zip (http://www.gmer.net/gmer.zip) from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.

GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.
Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for whatever reason(s) until it has 100% completed its scan, or attempted scan in case of some error etc.!

Please post the results from the GMER scan in your reply.


In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post.

gjnalder
2010-02-24, 09:12
Logs attached for you.
DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 17:37:18.15 on Wed 24/02/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2046.1322 [GMT 9.5:30]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ninemsn.com.au/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
uWinlogon: Shell=c:\documents and settings\owner\application data\control-center\ccmain.exe
BHO: {01e7e5f8-63de-4b78-b0cb-98e78a1baad1} - c:\windows\system32\dsauth32.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IncrediMail] c:\program files\incredimail\bin\IncMail.exe /c
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\mpcstar\codecs\quicktime\qtsystem\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mExplorerRun: [RTHDBPL] c:\documents and settings\owner\application data\systemproc\lsass.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: &Add animation to IncrediMail Style Box - c:\program files\incredimail\bin\resources\WebMenuImg.htm
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Search - ?p=ZKxdm011YYAU
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jre/6u10-b92-b/jinstall-6u10-windows-i586-jc.cab?e=1226823619453&h=81709914d9c8a2165de892c5cedc2991/&filename=jinstall-6u10-windows-i586-jc.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: hiro - {50BA1131-168F-4c08-A69B-4012273F222E} - c:\program files\hiro-media\hiroclient\OldHiroProtocolHandler.dll
Handler: hirodownload - {77F2FF4C-CEDD-4c71-8ABF-DF7CC05EFC63} - c:\program files\hiro-media\hiroclient\HiroProtocolHandler.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [2008-11-11 14592]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-11 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-11 28424]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-11 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-1-9 285392]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-12-19 30192]

=============== Created Last 30 ================

2010-02-20 07:03:54 0 d-----w- c:\program files\TrendMicro
2010-02-19 08:23:01 0 d-----w- C:\VundoFix Backups
2010-02-17 07:57:33 20 ----a-w- c:\windows\system32\44c5dd05
2010-02-17 07:52:19 0 d-----w- c:\docume~1\owner\applic~1\Control-Center
2010-02-17 07:49:22 195584 ----a-w- c:\windows\system32\dsauth32.dll
2010-02-17 07:29:43 1911 ----a-w- c:\windows\GnuHashes.ini
2010-02-17 07:22:33 1236 --sha-w- c:\windows\system32\1142262354
2010-02-17 07:21:53 0 d-sh--w- c:\windows\system32\SysWoW32
2010-02-17 07:21:36 203776 --sh--w- c:\windows\system32\unrar.exe
2010-02-17 07:21:36 0 d-----w- c:\windows\system32\645381477
2010-02-17 07:21:18 0 d-sh--w- c:\docume~1\owner\applic~1\SystemProc
2010-02-17 07:21:13 197120 ----a-w- c:\windows\system32\cryptdlg32.dll
2010-02-08 07:57:06 0 d-----w- c:\docume~1\alluse~1\applic~1\ZoomBrowser

==================== Find3M ====================

2010-01-20 08:01:10 23123 ----a-w- c:\windows\hpqins15.dat
2010-01-09 08:47:11 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-09 08:47:10 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-09 08:46:37 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 09:03:56 2828 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-12-18 08:52:46 88 --sh--r- c:\docume~1\alluse~1\applic~1\B9BA940FD4.sys
2009-12-18 07:47:29 77349 ----a-w- c:\windows\hpqins05.dat
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26:15 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:51 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-04-27 09:04:02 88 --sh--r- c:\windows\system32\B9BA940FD4.sys
2009-04-27 09:12:06 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 17:37:49.89 ===============
2nd log

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/11/2008 8:11:46 PM
System Uptime: 24/02/2010 4:53:57 PM (1 hours ago)

Motherboard: http://www.abit.com.tw/ | | AB9/AB9RPO(Intel965+ICH8)
Processor: Intel(R) Pentium(R) Dual CPU E2200 @ 2.20GHz | Socket 775 | 2244/204mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 89.353 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
K: is Removable

==== Disabled Device Manager Items =============

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia E51
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia E51
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd

==== System Restore Points ===================

RP257: 11/12/2009 9:46:03 AM - Installed HP Deskjet 460
RP258: 11/12/2009 11:28:21 AM - Software Distribution Service 3.0
RP259: 12/12/2009 4:45:21 PM - Avg8 Update
RP260: 12/12/2009 4:47:42 PM - Avg8 Update
RP261: 13/12/2009 4:59:37 PM - System Checkpoint
RP262: 14/12/2009 6:16:10 PM - System Checkpoint
RP263: 16/12/2009 6:10:46 PM - System Checkpoint
RP264: 17/12/2009 6:25:06 PM - Installed Corel Paint Shop Pro Photo X2.
RP265: 18/12/2009 5:14:06 PM - Installed MSVCSetup
RP266: 18/12/2009 6:36:18 PM - Removed Corel Paint Shop Pro Photo X2.
RP267: 19/12/2009 5:48:36 PM - Installed Serif PhotoPlus X2
RP268: 19/12/2009 5:50:56 PM - Installed Serif AlbumPlus SE PRO
RP269: 19/12/2009 5:55:46 PM - Installed Serif PanoramaPlus 3
RP270: 21/12/2009 10:43:12 AM - System Checkpoint
RP271: 22/12/2009 5:55:04 PM - Avg8 Update
RP272: 24/12/2009 11:53:08 AM - System Checkpoint
RP273: 25/12/2009 7:25:27 PM - System Checkpoint
RP274: 26/12/2009 7:57:46 PM - System Checkpoint
RP275: 28/12/2009 5:15:53 PM - Installed Windows XP -- Software Updates KB952011.
RP276: 30/12/2009 6:54:19 PM - System Checkpoint
RP277: 2/01/2010 4:41:05 PM - System Checkpoint
RP278: 3/01/2010 1:49:16 PM - Avg8 Update
RP279: 4/01/2010 6:15:03 PM - System Checkpoint
RP280: 6/01/2010 4:17:27 PM - Avg8 Update
RP281: 7/01/2010 4:45:26 PM - System Checkpoint
RP282: 9/01/2010 6:14:09 PM - Installed AVG Free 9.0
RP283: 10/01/2010 12:03:37 PM - Avg8 Update
RP284: 13/01/2010 6:12:17 PM - Software Distribution Service 3.0
RP285: 16/01/2010 4:37:23 PM - System Checkpoint
RP286: 19/01/2010 5:20:16 PM - Avg8 Update
RP287: 19/01/2010 5:34:55 PM - Software Distribution Service 3.0
RP288: 20/01/2010 12:03:13 PM - Software Distribution Service 3.0
RP289: 20/01/2010 5:16:05 PM - Installed Windows Internet Explorer 8.
RP290: 20/01/2010 5:16:52 PM - Software Distribution Service 3.0
RP291: 21/01/2010 5:44:36 PM - Software Distribution Service 3.0
RP292: 22/01/2010 6:21:39 PM - Software Distribution Service 3.0
RP293: 24/01/2010 12:11:46 PM - System Checkpoint
RP294: 26/01/2010 4:28:20 PM - System Checkpoint
RP295: 27/01/2010 4:48:38 PM - Avg8 Update
RP296: 29/01/2010 11:11:22 AM - System Checkpoint
RP297: 30/01/2010 4:45:46 PM - System Checkpoint
RP298: 31/01/2010 6:12:41 PM - System Checkpoint
RP299: 2/02/2010 5:19:55 PM - System Checkpoint
RP300: 10/02/2010 5:59:40 PM - Software Distribution Service 3.0
RP301: 12/02/2010 5:03:16 PM - System Checkpoint
RP302: 14/02/2010 10:39:09 AM - System Checkpoint
RP303: 15/02/2010 5:26:17 PM - System Checkpoint
RP304: 17/02/2010 5:55:07 PM - System Checkpoint
RP305: 20/02/2010 4:21:34 PM - System Checkpoint
RP306: 20/02/2010 4:33:54 PM - Installed HiJackThis
RP307: 23/02/2010 5:08:32 PM - System Checkpoint

==== Installed Programs ======================

0.0.1
101 Action Arcade Sports Games
101 Card & Board Games
101 Puzzle & Logic Games
32 Bit HP CIO Components Installer
ABIT uGuru
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player Plugin
Adobe Photoshop 5.5
Adobe Reader 9.3
AIO_Scan
AnvSoft Photo Flash Maker Free 5.11
Apple Mobile Device Support
Apple Software Update
ArcSoft Software Suite
ATI - Software Uninstall Utility
ATI AVIVO Codecs
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
ATI Problem Report Wizard
AVG Free 9.0
BitComet 1.09
Bonjour
BufferChm
C7200
C7200_Help
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera WIA Driver
Canon Digital Camera USB WIA Driver
Canon EOS 5D WIA Driver
Canon G.726 WMP-Decoder
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities 3D-PhotoPrint
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities Digital Photo Professional 3.4
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities Original Data Security Tools
Canon Utilities PhotoStitch
Canon Utilities Picture Style Editor
Canon Utilities RAW Image Converter
Canon Utilities RemoteCapture 2.1
Canon Utilities RemoteCapture DC
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities Solution Menu
Canon Utilities WFT-E1/E2/E3 Utility
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Cards_Calendar_OrderGift_DoMorePlugout
Cartoon Maker 6.01
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
Compatibility Pack for the 2007 Office system
Control-Center
Copy
CorelDRAW Graphics Suite X3
Critical Update for Windows Media Player 11 (KB959772)
CustomerResearchQFolder
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DocProc
DocProcQFolder
DVD Suite
e-tax 2009
EN
ERUNT 1.1j
eSupportQFolder
Fax
FontNav
Garmin City Navigator Australia and New Zealand NT 2010.10 Update
Garmin Communicator Plugin
Garmin USB Drivers
getPlus(R) Download Manager for Corel
getPlus(R) for Adobe
Google Desktop
Google Toolbar for Internet Explorer
Google Update Helper
GPBaseService
GPBaseService2
Gym-To-Go
High Definition Audio Driver Package - KB888111
HiJackThis
HIRO Client
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hoyle Card Games 2005
HP Customer Participation Program 10.0
HP Imaging Device Functions 10.0
HP Photosmart All-In-One Driver Software 10.0 Rel .2
HP Photosmart Essential 3.5
HP Smart Web Printing 4.60
HP Solution Center 13.0
HP Update
HPPhotoSmartDiscLabel_PaperLabel
HPPhotoSmartDiscLabel_PrintOnDisc
HPPhotoSmartDiscLabelContent1
hpphotosmartdisclabelplugin
HPPhotosmartEssential
HPPhotoSmartPhotobookWebPack1
HPProductAssistant
HPSSupply
IncrediMail
iTunes
Java(TM) 6 Update 10
LimeWire 4.18.8
Logitech SetPoint
MarketResearch
Memory Card Utility
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Pro 7.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Plus! Game Pack: Cards and Puzzles
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
MpcStar 4.2
MSVC80_x86
MSVCSetup
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 7 Essentials
neroxml
OCR Software by I.R.I.S. 10.0
Office mouse driver
OGA Notifier 2.0.0048.0
Otshot
PanoStandAlone
PC Connectivity Solution
Photo Frame Show
Photo Story 3 for Windows
Photo to Cartoon
Photo To Sketch 3.51
PHOTOfunSTUDIO
Picasa 3
PIXMA Extended Survey Program
PowerDVD
PowerProducer
Preclick PhotoMovieMaker
PS_AIO_02_ProductContext
PS_AIO_02_Software
PS_AIO_02_Software_Min
PSSWCORE
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Scan
ScanSoft OmniPage SE 4
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Serif AlbumPlus SE PRO
Serif DrawPlus 4.0
Serif PagePlus SE 1.0
Serif PanoramaPlus 3
Serif PhotoPlus X2
Shockwave
Shop for HP Supplies
Skins
SmartWebPrinting
SolutionCenter
Spybot - Search & Destroy
Status
The Print Shop 12
Toolbox
TrayApp
TuneUp Companion 1.5.9
Ulead CD & DVD PictureShow 4
Ulead Photo Explorer 8.5
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows XP (KB898461)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Manager
VBA
VideoToolkit01
VLC media player 0.9.8a
WebFldrs XP
WebReg
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Driver Package - Nokia Modem (10/12/2007 3.6)
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Xvid 1.2.1 final uninstall

==== Event Viewer Messages From Past Week ========

18/02/2010 4:33:01 PM, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
18/02/2010 10:31:08 PM, error: Service Control Manager [7000] - The Aspi32 service failed to start due to the following error: The system cannot find the file specified.
18/02/2010 10:30:49 PM, error: Dhcp [1002] - The IP address lease 10.0.0.1 for the Network Card with network address 00508D94E883 has been denied by the DHCP server 10.0.0.138 (The DHCP Server sent a DHCPNACK message).
17/02/2010 6:32:41 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
17/02/2010 6:32:41 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================

gjnalder
2010-02-24, 09:28
Downloaded GMER and managed to save this, but tried to scan twice and both times the computer shut down, so I was not able to complete it.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-02-24 17:49:05
Windows 5.1.2600 Service Pack 3
Running: GMER.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\uxwoapow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----

km2357
2010-02-24, 20:09
Since GMER was unable to fully complete its run on your computer, we'll try a different rootkit scanner in its place.

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

BitComet 1.09

LimeWire 4.18.8

I'd like you to read the Guidelines for P2P Programs (http://spywarewarrior.com/viewtopic.php?t=26216) where we explain why it's not a good idea to have them.

Also available here (http://malwareremoval.com/forum/viewtopic.php?p=491394#p491394).

My recommendation is that you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Step # 1 Download and run SysProt

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
Double click Sysprot.exe to start the program.

Click on the Log tab.
In the Write to log box select the following items only:
Process
Kernel Modes
SSDT
Kernel Hooks
Hidden Files
Click on the Create Log button on the bottom right.
After a few seconds a new window should appear.
Select Scan Root Drive. Click on the Start button.
When it is complete a new window will appear to indicate that the scan is finished.
The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

gjnalder
2010-02-25, 01:43
This one worked. Removed the P2P as suggested.
cheers

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 800
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 860
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 892
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 936
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 948
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ati2evxx.exe
PID: 1120
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1140
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1208
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1368
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1408
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1460
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1632
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ati2evxx.exe
PID: 1740
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG9\avgchsvx.exe
PID: 1748
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG9\avgrsx.exe
PID: 1764
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG9\avgcsrvx.exe
PID: 1860
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1900
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 1088
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1316
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PID: 1352
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PID: 1388
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG9\avgwdsvc.exe
PID: 1500
Hidden: No
Window Visible: No

Name: C:\Program Files\Canon\BJCard\Bjmcmng.exe
PID: 1524
Hidden: No
Window Visible: No

Name: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 1588
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 484
Hidden: No
Window Visible: No

Name: C:\Program Files\Canon\IJPLM\ijplmsvc.exe
PID: 556
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 600
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PID: 712
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 520
Hidden: No
Window Visible: No

Name: C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
PID: 1624
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG9\avgtray.exe
PID: 1620
Hidden: No
Window Visible: No

Name: C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe
PID: 1720
Hidden: No
Window Visible: No

Name: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PID: 1876
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 1956
Hidden: No
Window Visible: No

Name: C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
PID: 2084
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 2160
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG9\avgnsx.exe
PID: 2220
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
PID: 2264
Hidden: No
Window Visible: No

Name: C:\Program Files\CyberLink\Shared Files\RichVideo.exe
PID: 2372
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 2448
Hidden: No
Window Visible: No

Name: C:\Program Files\IncrediMail\bin\ImApp.exe
PID: 2900
Hidden: No
Window Visible: No

Name: C:\Program Files\Canon\CAL\CALMAIN.exe
PID: 3176
Hidden: No
Window Visible: No

Name: C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PID: 2988
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 3000
Hidden: No
Window Visible: No

Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 4032
Hidden: No
Window Visible: No

Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 3884
Hidden: No
Window Visible: No

Name: C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
PID: 3680
Hidden: No
Window Visible: No

Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 2020
Hidden: No
Window Visible: No

Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 2432
Hidden: No
Window Visible: No

Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 1836
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Owner\Desktop\SysProt\SysProt.exe
PID: 3644
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Owner\Desktop\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: A958B000
Module End: A9596000
Hidden: No

Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806E4000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806E4000
Module End: 80704D00
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F7987000
Module End: F7989000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F7897000
Module End: F789A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F7358000
Module End: F7386000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F7989000
Module End: F798B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F7347000
Module End: F7358000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F7487000
Module End: F7491000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: F7497000
Module End: F74A7000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: F74A7000
Module End: F74B5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: F7A4F000
Module End: F7A50000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F7707000
Module End: F770E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F74B7000
Module End: F74C2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F7328000
Module End: F7347000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmload.sys
Service Name: dmload
Module Base: F798B000
Module End: F798D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: F7302000
Module End: F7328000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F770F000
Module End: F7714000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F74C7000
Module End: F74D4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F72EA000
Module End: F7302000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\SI3132.sys
Service Name: SI3132
Module Base: F72D9000
Module End: F72EA000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
Service Name: ScsiPort
Module Base: F72C1000
Module End: F72D9000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F74D7000
Module End: F74E0000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F74E7000
Module End: F74F4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: F72A1000
Module End: F72C1000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F728F000
Module End: F72A1000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\SiWinAcc.sys
Service Name: SiFilter
Module Base: F789B000
Module End: F789E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: F74F7000
Module End: F7500000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F7278000
Module End: F728F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\WudfPf.sys
Service Name: WudfPf
Module Base: F7265000
Module End: F7278000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F71D8000
Module End: F7265000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F71AB000
Module End: F71D8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\uGuru.sys
Service Name: UGURU
Module Base: F789F000
Module End: F78A3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F7191000
Module End: F71AB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: F7577000
Module End: F7580000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Service Name: ati2mtag
Module Base: F6030000
Module End: F64AF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F601C000
Module End: F6030000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: F5FF4000
Module End: F601C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: F7857000
Module End: F785D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F5FD0000
Module End: F5FF4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F785F000
Module End: F7867000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
Service Name: RTLE8023xp
Module Base: F5FBC000
Module End: F5FD0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Service Name: NIC1394
Module Base: F7587000
Module End: F7597000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F7597000
Module End: F75A4000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\L8042mou.sys
Service Name: L8042mou
Module Base: F75A7000
Module End: F75B5000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\LMouKE.sys
Service Name: LMouKE
Module Base: F5FAB000
Module End: F5FBC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F786F000
Module End: F7875000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\L8042Kbd.sys
Service Name: L8042Kbd
Module Base: F7161000
Module End: F7165000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F7877000
Module End: F787D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F75B7000
Module End: F75C2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Afc.sys
Service Name: Afc
Module Base: F787F000
Module End: F7887000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F75C7000
Module End: F75D7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F653F000
Module End: F654E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: F5F88000
Module End: F5FAB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
Service Name: GEARAspiWDM
Module Base: F652F000
Module End: F6539000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F7ACC000
Module End: F7ACD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F651F000
Module End: F652C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F7159000
Module End: F715C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F5F71000
Module End: F5F88000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F650F000
Module End: F651A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F64FF000
Module End: F650B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F7887000
Module End: F788C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F5F60000
Module End: F5F71000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F64EF000
Module End: F64F8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F788F000
Module End: F7894000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F771F000
Module End: F7724000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: F5F30000
Module End: F5F60000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F64DF000
Module End: F64E9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F79CB000
Module End: F79CD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: F5ED2000
Module End: F5F30000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F6A8C000
Module End: F6A90000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F64CF000
Module End: F64D9000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\AtiHdmi.sys
Service Name: AtiHdmiService
Module Base: AE7E4000
Module End: AE7FE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: AE7C0000
Module End: AE7E4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F75D7000
Module End: F75E6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F75F7000
Module End: F7606000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F79D1000
Module End: F79D3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\RtkHDAud.sys
Service Name: IntcAzAudAddService
Module Base: AE385000
Module End: AE7C0000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: F79DD000
Module End: F79DF000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F7AF6000
Module End: F7AF7000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F79DF000
Module End: F79E1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: F779F000
Module End: F77A6000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: F77A7000
Module End: F77AD000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F79E3000
Module End: F79E5000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F79E5000
Module End: F79E7000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F77B7000
Module End: F77BC000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F77BF000
Module End: F77C7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F7973000
Module End: F7976000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: ACD70000
Module End: ACD83000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: ACD17000
Module End: ACD70000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgtdix.sys
Service Name: AvgTdiX
Module Base: ACCC0000
Module End: ACD17000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: ACC9A000
Module End: ACCC0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F7637000
Module End: F7640000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Service Name: Arp1394
Module Base: F7647000
Module End: F7656000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: ACBD2000
Module End: ACBFA000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: ACBB0000
Module End: ACBD2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F7657000
Module End: F7660000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: ACB85000
Module End: ACBB0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: ACB15000
Module End: ACB85000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F7667000
Module End: F7672000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Service Name: AvgMfx86
Module Base: F77C7000
Module End: F77CD000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgldx86.sys
Service Name: AvgLdx86
Module Base: ACAC5000
Module End: ACB15000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Service Name: USBSTOR
Module Base: F77CF000
Module End: F77D6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Service Name: usbccgp
Module Base: F77DF000
Module End: F77E7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbscan.sys
Service Name: usbscan
Module Base: F5E36000
Module End: F5E3A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbprint.sys
Service Name: usbprint
Module Base: F77E7000
Module End: F77EE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HPZius12.sys
Service Name: HPZius12
Module Base: F77EF000
Module End: F77F5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HPZid412.sys
Service Name: HPZid412
Module Base: F7687000
Module End: F7694000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
Service Name: HPZipr12
Module Base: F5E2A000
Module End: F5E2E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: F76A7000
Module End: F76B7000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: ACA85000
Module End: ACA9D000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7A0D000
Module End: F7A0F000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: ACDA7000
Module End: ACDAA000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: F7807000
Module End: F780C000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: F7B7D000
Module End: F7B7E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: AA6E4000
Module End: AA6E8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: AA2BF000
Module End: AA2D4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: AA414000
Module End: AA423000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: A9F9A000
Module End: A9FC7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: A9D63000
Module End: A9DBA000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: A948A000
Module End: A94CB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: A8FFF000
Module End: A902A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\fdc.sys
Service Name: Fdc
Module Base: F7867000
Module End: F786E000
Hidden: No

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{BA5F1BE8-4313-43EC-A543-71340BAFF207}
Status: Access denied
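The SysProt module dump above is what a helper reads by hand: every kernel module with its service name, load address range and a Hidden flag, with the two crash-dump drivers (dump_atapi.sys, dump_WMILIB.SYS) reported as hidden and "No SSDT Hooks found" / "No Kernel Hooks found" as the hook checks. The script below is an added example, not part of this thread and not SysProt's own code. It parses that record format and applies the first-pass triage a responder would do: flag hidden modules, flag modules loaded from outside the Windows system directory, and flag malformed or overlapping address ranges, which point to a tampered module list. Treating the dump_*.sys crash-dump stack as a benign hidden entry is this example's own assumption, not something the thread states. The sample input is a constructed excerpt modelled on the posted log plus two fabricated records (example_hidden.sys, and a SysProtDrv.sys entry with made-up addresses) so that the checks have something to fire on.

```python
"""Triage a SysProt-style kernel module dump (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One SysProt record: five lines, blank line between records.
RECORD_RE = re.compile(
    r"Module Name:\s*(?P<name>.+?)\s*\n"
    r"Service Name:\s*(?P<service>.+?)\s*\n"
    r"Module Base:\s*(?P<base>[0-9A-Fa-f]+)\s*\n"
    r"Module End:\s*(?P<end>[0-9A-Fa-f]+)\s*\n"
    r"Hidden:\s*(?P<hidden>Yes|No)"
)

# Assumption of this example: the kernel's crash-dump driver copies are loaded
# outside the normal loader list, so scanners routinely show them as hidden.
BENIGN_HIDDEN = re.compile(r"\\dump_[^\\]+\.sys$", re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\",)


@dataclass
class KernelModule:
    name: str
    service: Optional[str]   # None where SysProt printed "---"
    base: int
    end: int
    hidden: bool


def parse_sysprot_modules(text: str) -> List[KernelModule]:
    """Return every module record found in a SysProt dump, in file order."""
    modules = []
    for m in RECORD_RE.finditer(text):
        service = m.group("service")
        modules.append(KernelModule(
            name=m.group("name"),
            service=None if service == "---" else service,
            base=int(m.group("base"), 16),
            end=int(m.group("end"), 16),
            hidden=(m.group("hidden") == "Yes"),
        ))
    return modules


def _normalised_path(name: str) -> str:
    """Lower-case, map \\SystemRoot to \\windows, and add a drive letter where
    SysProt omitted one, so path checks compare like with like."""
    p = name.lower().replace("/", "\\")
    p = re.sub(r"^\\systemroot\\", r"\\windows\\", p)
    if not re.match(r"^[a-z]:\\", p):
        p = "c:" + p if p.startswith("\\") else "c:\\" + p
    return p


def triage(modules: List[KernelModule]) -> List[Tuple[str, str]]:
    """Return (finding_kind, module_name) pairs worth a human look."""
    findings = []
    for mod in modules:
        path = _normalised_path(mod.name)
        if mod.hidden and not BENIGN_HIDDEN.search(path):
            findings.append(("hidden", mod.name))
        if not path.startswith(SYSTEM_DIRS):
            findings.append(("non-system-path", mod.name))
        if mod.end <= mod.base:
            findings.append(("bad-range", mod.name))
    # Two modules claiming the same kernel addresses means the list was edited.
    ordered = sorted(modules, key=lambda m: m.base)
    for a, b in zip(ordered, ordered[1:]):
        if b.base < a.end:
            findings.append(("overlap", f"{a.name} / {b.name}"))
    return findings


# Constructed sample: three records copied from the posted log, two fabricated.
SAMPLE_DUMP = r"""Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F7707000
Module End: F770E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F72EA000
Module End: F7302000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: ACA85000
Module End: ACA9D000
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\example_hidden.sys
Service Name: ---
Module Base: ACA90000
Module End: ACAA0000
Hidden: Yes

Module Name: C:\Documents and Settings\Owner\Desktop\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: A8F00000
Module End: A8F0B000
Hidden: No
"""

if __name__ == "__main__":
    for kind, what in triage(parse_sysprot_modules(SAMPLE_DUMP)):
        print(f"{kind:16} {what}")
```

On the sample, dump_atapi.sys is hidden but whitelisted, example_hidden.sys is reported both as hidden and as overlapping the dump driver's range, and the anti-rootkit's own driver under the user's Desktop is reported as a non-system path: a legitimate tool, but exactly the kind of entry a helper should recognise rather than ignore. Run it on a saved SysProt log by reading the file and passing its text to `parse_sysprot_modules`.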

km2357
2010-02-25, 05:55
Step # 1: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.

gjnalder
2010-02-25, 08:28
ComboFix log attached for you.
thanks.

ComboFix 10-02-24.03 - Owner 25/02/2010 16:36:37.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2046.1468 [GMT 9.5:30]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Owner\Application Data\020000006cb43abd800C.manifest
c:\documents and settings\Owner\Application Data\020000006cb43abd800O.manifest
c:\documents and settings\Owner\Application Data\020000006cb43abd800P.manifest
c:\documents and settings\Owner\Application Data\020000006cb43abd800S.manifest
c:\documents and settings\Owner\Application Data\Control-Center
c:\documents and settings\Owner\Application Data\Control-Center\faq\guide.html
c:\documents and settings\Owner\Application Data\Control-Center\faq\images\05.png
c:\documents and settings\Owner\Application Data\Control-Center\faq\images\06.png
c:\documents and settings\Owner\Application Data\Control-Center\faq\images\07.png
c:\documents and settings\Owner\Application Data\Control-Center\faq\images\08.png
c:\documents and settings\Owner\Application Data\Control-Center\faq\images\09.png
c:\documents and settings\Owner\Application Data\Control-Center\faq\images\10.png
c:\documents and settings\Owner\Application Data\Control-Center\settings.ini
c:\documents and settings\Owner\Application Data\Control-Center\uninstall.exe
c:\documents and settings\Owner\Application Data\SystemProc
c:\documents and settings\Owner\My Documents\ZbThumbnail.info
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\windows\GnuHashes.ini
c:\windows\Readme.txt
c:\windows\system32\645381477
c:\windows\system32\cryptdlg32.dll
c:\windows\system32\dsauth32.dll
c:\windows\system32\SysWoW32
c:\windows\system32\SysWoW32\mi1310687320v4
c:\windows\system32\SysWoW32\mi1310687320v4.kwd
c:\windows\system32\SysWoW32\mi1310687320v6
c:\windows\system32\SysWoW32\mi1310687320v6.kwd
c:\windows\system32\SysWoW32\mi1310687320v7
c:\windows\system32\SysWoW32\mi1310687320v7.kwd
c:\windows\system32\SysWoW32\mu1310687320v5
c:\windows\system32\SysWoW32\mu1310687320v5.kwd
c:\windows\system32\SysWoW32\wu1310687320v0.kwd
c:\windows\system32\SysWoW32\wu1310687320v1.kwd
c:\windows\system32\SysWoW32\wu1310687320v2.kwd
c:\windows\system32\SysWoW32\wu1310687320v3.kwd
c:\windows\system32\unrar.exe

----- BITS: Possible infected sites -----

hxxp://armmf.adobe.com
.
((((((((((((((((((((((((( Files Created from 2010-01-25 to 2010-02-25 )))))))))))))))))))))))))))))))
.

2010-02-20 07:01 . 2010-02-20 07:01 -------- d-----w- c:\program files\ERUNT
2010-02-19 08:23 . 2010-02-19 08:23 -------- d-----w- C:\VundoFix Backups
2010-02-08 07:57 . 2010-02-25 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-01-30 08:06 . 2010-01-30 08:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-25 06:08 . 2009-02-17 07:14 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2010-02-25 01:14 . 2008-11-21 09:45 -------- d-----w- c:\documents and settings\Owner\Application Data\ZoomBrowser EX
2010-02-25 00:29 . 2008-12-23 07:55 -------- d-----w- c:\program files\BitComet
2010-02-23 08:03 . 2008-11-15 02:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-20 07:03 . 2010-02-20 07:03 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-20 07:03 . 2010-02-20 07:03 -------- d-----w- c:\program files\TrendMicro
2010-02-20 06:27 . 2010-01-09 08:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-17 07:48 . 2008-11-16 08:25 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2010-02-17 07:38 . 2009-03-16 07:55 -------- d-----w- c:\documents and settings\Owner\Application Data\TuneUpMedia
2010-02-08 07:57 . 2008-11-16 02:12 -------- d-----w- c:\program files\Canon
2010-01-30 08:01 . 2008-11-16 01:17 -------- d-----w- c:\program files\Google
2010-01-23 08:08 . 2008-11-11 10:52 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-20 08:01 . 2010-01-20 07:59 23123 ----a-w- c:\windows\hpqins15.dat
2010-01-20 07:21 . 2008-12-07 08:04 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 00:30 . 2010-01-14 00:30 301872 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-09 08:47 . 2008-11-11 12:16 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-09 08:47 . 2008-11-11 12:16 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-09 08:47 . 2008-11-11 12:16 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-09 08:46 . 2008-11-11 12:16 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-09 08:45 . 2008-11-11 12:16 -------- d-----w- c:\program files\AVG
2010-01-02 13:33 . 2009-01-04 07:33 -------- d-----w- c:\program files\MpcStar
2010-01-02 13:32 . 2010-01-02 13:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-01 08:30 . 2009-08-27 08:01 -------- d-----w- c:\documents and settings\Owner\Application Data\HpUpdate
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-27 08:40 . 2008-11-15 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-21 19:14 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-20 07:50 . 2008-11-11 10:45 172200 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-18 09:03 . 2009-12-17 09:05 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-12-18 09:03 . 2009-12-17 09:05 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-12-18 08:52 . 2009-12-17 09:05 88 --sh--r- c:\documents and settings\All Users\Application Data\B9BA940FD4.sys
2009-12-18 08:52 . 2009-12-17 09:05 88 --sh--r- c:\documents and settings\All Users\Application Data\B9BA940FD4.sys
2009-12-18 07:47 . 2009-12-18 07:44 77349 ----a-w- c:\windows\hpqins05.dat
2009-12-16 18:43 . 2008-11-11 10:36 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2004-08-04 12:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-03 22:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2004-08-04 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-04 12:00 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-04 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-04-27 09:04 . 2008-12-24 09:55 88 --sh--r- c:\windows\system32\B9BA940FD4.sys
2009-04-27 09:12 . 2008-12-24 09:55 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-16 39408]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2009-01-27 251264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-12 30192]
"QuickTime Task"="c:\program files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe" [2010-01-02 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-09 08:46 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Hiro-Media Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Hiro-Media Client.lnk
backup=c:\windows\pss\Hiro-Media Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PHOTOfunSTUDIO.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PHOTOfunSTUDIO.lnk
backup=c:\windows\pss\PHOTOfunSTUDIO.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABIT uGuruIII]
2006-03-23 02:11 417792 ----a-w- c:\program files\ABIT\uGuru\uGuru.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 06:27 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-21 16:27 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2008-04-17 04:44 98616 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJLaunchEXE]
2002-03-14 00:11 630784 ----a-w- c:\program files\Canon\BJCard\BJLaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2007-05-14 16:01 644696 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-14 11:47 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 01:24 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 12:00 208952 ----a-w- c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-02-16 06:45 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-16 06:45 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 06:41 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-05 13:25 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2005-03-10 03:31 28160 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2002-07-25 05:20 28672 ----a-w- c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-13 20:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 06:27 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 02:32 79400 ----a-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-01-02 13:32 413696 ----a-w- c:\program files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 05:40 56928 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-05-04 07:59 16206848 ------r- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-04-24 07:20 1448960 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-24 23:33 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 02:47 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-11-16 08:21 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector v2]
2005-05-23 00:27 90112 ------w- c:\program files\Common Files\Ulead Systems\Autodetector\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WireLessMouse]
2005-11-30 03:18 94208 ----a-w- c:\program files\Office mouse driver\StartAutorun.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16906:TCP"= 16906:TCP:BitComet 16906 TCP
"16906:UDP"= 16906:UDP:BitComet 16906 UDP

R0 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [11/11/2008 9:06 PM 14592]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/11/2008 9:46 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/11/2008 9:46 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [9/01/2010 6:15 PM 285392]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/01/2010 5:31 PM 135664]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [19/12/2008 5:15 PM 30192]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\Owner\Desktop\SysProt\SysProtDrv.sys [25/02/2010 10:06 AM 44288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 08:01]

2010-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 08:01]

2010-02-25 c:\windows\Tasks\User_Feed_Synchronization-{C615DD69-9C13-415F-9DAA-F1CD921C4510}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 19:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ninemsn.com.au/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Add animation to IncrediMail Style Box - c:\program files\IncrediMail\bin\resources\WebMenuImg.htm
IE: &Search - ?p=ZKxdm011YYAU
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Handler: hiro - {50BA1131-168F-4c08-A69B-4012273F222E} - c:\program files\Hiro-Media\HiroClient\OldHiroProtocolHandler.dll
Handler: hirodownload - {77F2FF4C-CEDD-4c71-8ABF-DF7CC05EFC63} - c:\program files\Hiro-Media\HiroClient\HiroProtocolHandler.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{01E7E5F8-63DE-4B78-B0CB-98E78A1BAAD1} - c:\windows\System32\dsauth32.dll
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Explorer_Run-RTHDBPL - c:\documents and settings\Owner\Application Data\SystemProc\lsass.exe
MSConfigStartUp-CanonMyPrinter - c:\program files\Canon\MyPrinter\BJMyPrt.exe
MSConfigStartUp-DriverUpdaterPro - c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe
AddRemove-_{63218538-4A69-497F-8455-904261B0E9E4} - c:\program files\Corel\CorelDRAW Graphics Suite 13\Programs\MSILauncher {63218538-4A69-497F-8455-904261B0E9E4}



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
RTHDBPL = c:\documents and settings\Owner\Application Data\SystemProc\lsass.exe???????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1409082233-329068152-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{98B7EA84-75C3-E614-AE77-DA0C125889DF}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oafhiijpfknbnfkmphpfebbanmolih"=hex:61,69,6c,70,62,64,65,69,65,70,67,65,62,6d,
6a,6f,64,68,65,6d,67,6c,68,67,6b,63,62,6e,64,6a,61,70,64,67,67,6d,6a,63,63,\
"iamgifckhghdamnfch"=hex:6b,61,61,61,6e,6e,70,6e,6c,65,66,6e,61,6a,65,61,61,6c,
69,69,66,66,00,00
"hachkflkplggfccm"=hex:6a,61,61,61,6b,6e,67,69,6c,6e,63,62,68,63,6f,63,6c,66,
69,67,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-02-25 16:41:31
ComboFix-quarantined-files.txt 2010-02-25 07:11

Pre-Run: 99,332,579,328 bytes free
Post-Run: 99,436,621,824 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - B6D438580A66C83880F782D184C674CA

km2357
2010-02-25, 20:17
Step # 1: Run CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

KILLALL::

Folder::

c:\program files\BitComet
c:\documents and settings\Owner\Application Data\LimeWire

Registry::

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16906:TCP"=-
"16906:UDP"=-

DDS::

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

RegNull::

[HKEY_USERS\S-1-5-21-1409082233-329068152-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{98B7EA84-75C3-E614-AE77-DA0C125889DF}*]


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Note: This CFScript is for use on gjnalder's computer only! Do not use it on your computer.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 1 has been completed.
2. A fresh DDS Log taken after Step 1 has been completed.
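
As an added example (not code from this thread and not ComboFix's own code): a small Python parser for the CFScript format used in the reply above, plus a check that every folder, registry key and value the script targets was actually reported in the ComboFix log it was written from, which is the concrete form of the "this computer only" note. It assumes only the five directives that appear in this script; the log excerpt is constructed from the lines quoted earlier in the thread.

```python
"""Parse a ComboFix CFScript and cross-check it against the ComboFix log.
Added example, not from the thread or ComboFix.  Registry:: lines are read
with .reg-file syntax ("name"=- deletes a value, [-key] deletes a key)."""
import re

# Only the directives that appear in the script above (assumption: ComboFix
# accepts others, but none are needed here).
KNOWN_DIRECTIVES = {"KILLALL", "Folder", "Registry", "DDS", "RegNull"}

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::\s*$")
REG_KEY_RE = re.compile(r"^\[(-?)(.+)\]\s*$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_cfscript(text):
    """Split a CFScript into {directive: [non-blank lines]}.
    Raises ValueError on an unknown directive or a line before any header,
    so a mangled copy/paste is caught before the script is ever run."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1)
            if current not in KNOWN_DIRECTIVES:
                raise ValueError(f"unknown directive: {current}::")
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line outside any directive: {line!r}")
        sections[current].append(line)
    return sections


def parse_registry_section(lines):
    """Turn Registry:: lines into ("delete_key", key),
    ("delete_value", key, name) or ("set_value", key, name, data)."""
    actions, key = [], None
    for line in lines:
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1) == "-":
                actions.append(("delete_key", key))
            continue
        m = REG_VALUE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable Registry:: line: {line!r}")
        if key is None:
            raise ValueError(f"value {m.group(1)!r} appears before any [key]")
        name, data = m.groups()
        if data == "-":
            actions.append(("delete_value", key, name))
        else:
            actions.append(("set_value", key, name, data))
    return actions


def targets_missing_from_log(sections, log_text):
    """Return (directive, target) pairs the script names but the log never
    mentions: targets with no evidence behind them, the usual sign that a
    script is about to be run on a machine it was not written for."""
    log = log_text.lower()
    missing = []
    for folder in sections.get("Folder", []):
        if folder.lower() not in log:
            missing.append(("Folder", folder))
    for action in parse_registry_section(sections.get("Registry", [])):
        key = action[1]
        if key.lower() not in log:
            missing.append(("Registry", key))
        elif action[0] != "delete_key" and f'"{action[2]}"'.lower() not in log:
            missing.append(("Registry", action[2]))
    for line in sections.get("RegNull", []):
        m = REG_KEY_RE.match(line)
        key = m.group(2) if m else line
        if key.lower() not in log:
            missing.append(("RegNull", key))
    return missing


# The CFScript exactly as posted in the reply above.
CFSCRIPT = r"""
KILLALL::

Folder::

c:\program files\BitComet
c:\documents and settings\Owner\Application Data\LimeWire

Registry::

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16906:TCP"=-
"16906:UDP"=-

DDS::

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

RegNull::

[HKEY_USERS\S-1-5-21-1409082233-329068152-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{98B7EA84-75C3-E614-AE77-DA0C125889DF}*]
"""

# Constructed excerpt of the ComboFix log above: only the GloballyOpenPorts
# block and the locked key.  The earlier log sections naming the BitComet and
# LimeWire folders are not reproduced, so those two come back as unevidenced.
LOG_EXCERPT = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16906:TCP"= 16906:TCP:BitComet 16906 TCP
"16906:UDP"= 16906:UDP:BitComet 16906 UDP

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1409082233-329068152-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{98B7EA84-75C3-E614-AE77-DA0C125889DF}*]
@Allowed: (Read) (RestrictedCode)
"""

if __name__ == "__main__":
    for directive, target in targets_missing_from_log(parse_cfscript(CFSCRIPT), LOG_EXCERPT):
        print(f"not evidenced in log: {directive}:: {target}")
```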

km2357
2010-02-28, 18:47
gjnalder? How are things coming along?

gjnalder
2010-03-01, 02:35
My sincere apologies, I have been checking the forum each day for further instructions and just found page 2!! I have just been moving down to check. How stupid! So I have now done the next steps and attached are the results.

ComboFix 10-02-27.04 - Owner 01/03/2010 10:48:11.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2046.1397 [GMT 9.5:30]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\LimeWire
c:\documents and settings\Owner\Application Data\LimeWire\browser\xul-v2.0b2.4-do-not-remove
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\AccessibleMarshal.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\chrome\branding.jar
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\chrome\branding.manifest
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\chrome\classic.jar
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\chrome\classic.manifest
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\chrome\comm.jar
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\chrome\comm.manifest
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\chrome\en-US.jar
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\chrome\en-US.manifest
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\chrome\limewire.jar
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\chrome\limewire.manifest
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\chrome\pippki.jar
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\chrome\pippki.manifest
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\chrome\toolkit.jar
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\chrome\toolkit.manifest
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\accessibility-msaa.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\accessibility.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\alerts.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\appshell.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\appshell_modal.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\appshell_modal.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\appstartup.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\auth.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\autocomplete.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\autoconfig.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\autoconfig.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\caps.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\chardet.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\chrome.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\commandhandler.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\commandlines.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\composer.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\content_base.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\content_html.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\content_htmldoc.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\content_xmldoc.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\content_xslt.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\content_xtf.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\contentprefs.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\cookie.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\directory.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\docshell_base.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\dom.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\dom_base.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\dom_canvas.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\dom_core.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\dom_css.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\dom_events.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\dom_html.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\dom_json.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\dom_loadsave.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\dom_offline.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\dom_range.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\dom_sidebar.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\dom_storage.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\dom_stylesheets.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\dom_svg.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\dom_traversal.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\dom_views.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\dom_xbl.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\dom_xpath.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\dom_xul.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\downloads.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\editor.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\embed_base.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\extensions.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\exthandler.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\exthelper.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\fastfind.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\FeedProcessor.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\feeds.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\find.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\gfx.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\htmlparser.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\imgicon.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\imglib2.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\inspector.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\intl.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\jar.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\jsconsole-clhandler.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\jsdservice.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\layout_base.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\layout_printing.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\layout_xul.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\layout_xul_tree.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\locale.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\loginmgr.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\lwbrk.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\mimetype.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\mozbrwsr.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\mozfind.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\necko.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\necko_about.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\necko_cache.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\necko_cookie.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\necko_dns.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\necko_file.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\necko_ftp.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\necko_http.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\necko_res.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\necko_socket.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\necko_strconv.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\necko_viewsource.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsAddonRepository.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsBadCertHandler.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsBlocklistService.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsContentDispatchChooser.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsContentPrefService.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsDefaultCLH.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsDictionary.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsDownloadManagerUI.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsExtensionManager.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsHandlerService.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsHelperAppDlg.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsLivemarkService.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsLoginInfo.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsLoginManager.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsLoginManagerPrompter.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsPostUpdateWin.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsProgressDialog.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsProxyAutoConfig.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsResetPref.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsTaggingService.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsTryToClose.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsUpdateService.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsURLFormatter.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsWebHandlerApp.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsXmlRpcClient.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\nsXULAppInstall.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\oji.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\parentalcontrols.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\pipboot.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\pipboot.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\pipnss.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\pipnss.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\pippki.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\pippki.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\places.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\plugin.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\pluginGlue.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\pref.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\prefetch.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\profile.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\proxyObject.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\rdf.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\satchel.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\saxparser.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\shistory.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\spellchecker.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\storage-Legacy.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\storage.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\toolkitprofile.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\transformiix.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\txEXSLTRegExFunctions.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\txmgr.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\txtsvc.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\uconv.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\unicharutil.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\universalchardet.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\update.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\uriloader.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\urlformatter.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\webBrowser_core.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\webbrowserpersist.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\webshell_idls.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\websrvcs.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\widget.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\windowds.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\windowwatcher.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xml-rpc.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xmlextras.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xpcom_base.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xpcom_components.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xpcom_ds.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xpcom_io.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xpcom_system.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xpcom_thread.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xpcom_xpti.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xpconnect.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xpinstall.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xulapp.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xulapp_setup.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xuldoc.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xultmpl.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\xulutil.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\components\zipwriter.xpt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\crashreporter.exe
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\crashreporter.ini
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\defaults\autoconfig\platform.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\defaults\autoconfig\prefcalls.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\defaults\pref\xulrunner.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\defaults\profile\chrome\userChrome-example.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\defaults\profile\chrome\userContent-example.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\defaults\profile\localstore.rdf
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\chrome\userChrome-example.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\chrome\userContent-example.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\defaults\profile\US\localstore.rdf
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\dependentlibs.list
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\dictionaries\en-US.aff
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\dictionaries\en-US.dic
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\freebl3.chk
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\freebl3.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\greprefs\all.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\greprefs\security-prefs.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\greprefs\xpinstall.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\IA2Marshal.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\javaxpcom.jar
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\javaxpcomglue.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\js3250.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\LICENSE
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\modules\debug.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\modules\DownloadUtils.jsm
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\modules\ISO8601DateUtils.jsm
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\modules\JSON.jsm
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\modules\Microformats.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\modules\PluralForm.jsm
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\modules\utils.js
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\modules\XPCOMUtils.jsm
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\mozctl.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\mozctlx.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\MSVCP71.DLL
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\msvcr71.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\nspr4.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\nss3.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\nssckbi.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\nssdbm3.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\nssutil3.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\platform.ini
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\plc4.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\plds4.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\plugins\npnul32.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\README.txt
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\arrow.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\arrowd.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\broken-image.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\charsetalias.properties
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\charsetData.properties
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\contenteditable.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\designmode.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\dtd\mathml.dtd
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\dtd\xhtml11.dtd
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\EditorOverride.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Latin1.properties
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Special.properties
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\entityTables\html40Symbols.properties
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\entityTables\htmlEntityVersions.properties
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\entityTables\mathml20.properties
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\entityTables\transliterate.properties
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfont.properties
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontStandardSymbolsL.properties
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSTIXNonUnicode.properties
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSTIXSize1.properties
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontSymbol.properties
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\fonts\mathfontUnicode.properties
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\forms.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\grabber.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\hiddenWindow.html
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\html.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\html\folder.png
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\langGroups.properties
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\language.properties
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\loading-image.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\mathml.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\quirk.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\svg.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after-active.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after-hover.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-add-column-after.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before-active.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before-hover.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-add-column-before.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after-active.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after-hover.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before-active.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before-hover.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-remove-column-active.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-remove-column-hover.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-remove-column.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-remove-row-active.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-remove-row-hover.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\table-remove-row.gif
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\ua.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\viewsource.css
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\res\wincharset.properties
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\smime3.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\softokn3.chk
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\softokn3.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\sqlite3.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\ssl3.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\updater.exe
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\version.properties
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\xpcom.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\xpcshell.exe
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\xpicleanup.exe
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\xpidl.exe
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\xpt_dump.exe
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\xpt_link.exe
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\xul.dll
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\xulrunner-stub.exe
c:\documents and settings\Owner\Application Data\LimeWire\browser\xulrunner\xulrunner.exe
c:\documents and settings\Owner\Application Data\LimeWire\bugs.data
c:\documents and settings\Owner\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\Owner\Application Data\LimeWire\createtimes.cache
c:\documents and settings\Owner\Application Data\LimeWire\downloads.dat
c:\documents and settings\Owner\Application Data\LimeWire\fileurns.bak
c:\documents and settings\Owner\Application Data\LimeWire\fileurns.cache
c:\documents and settings\Owner\Application Data\LimeWire\filters.props
c:\documents and settings\Owner\Application Data\LimeWire\gnutella.net
c:\documents and settings\Owner\Application Data\LimeWire\installation.props
c:\documents and settings\Owner\Application Data\LimeWire\library.dat
c:\documents and settings\Owner\Application Data\LimeWire\library5.dat
c:\documents and settings\Owner\Application Data\LimeWire\limewire.props
c:\documents and settings\Owner\Application Data\LimeWire\mojito.props
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\.autoreg
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_001_
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_002_
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_003_
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_MAP_
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\Cache\3816C1E5d01
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\Cache\6B5B8EF7d01
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\Cache\7BD6A121d01
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\Cache\AE98BDF8d01
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\Cache\B09EF8CDd01
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\Cache\BAFF9A99d01
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\cert8.db
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\compreg.dat
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\cookies.sqlite
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\downloads.sqlite
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\extensions.cache
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\extensions.ini
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\history.dat
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\key3.db
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\permissions.sqlite
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\places.sqlite-journal
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\places.sqlite
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\pluginreg.dat
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\prefs.js
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\secmod.db
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\XPC.mfl
c:\documents and settings\Owner\Application Data\LimeWire\mozilla-profile\xpti.dat
c:\documents and settings\Owner\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\Owner\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\Owner\Application Data\LimeWire\promotion\promodb.lck
c:\documents and settings\Owner\Application Data\LimeWire\promotion\promodb.log
c:\documents and settings\Owner\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\Owner\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\Owner\Application Data\LimeWire\questions.props
c:\documents and settings\Owner\Application Data\LimeWire\responses.cache
c:\documents and settings\Owner\Application Data\LimeWire\simpp.xml
c:\documents and settings\Owner\Application Data\LimeWire\spam.dat
c:\documents and settings\Owner\Application Data\LimeWire\tables.props
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\Owner\Application Data\LimeWire\ttdata.cache
c:\documents and settings\Owner\Application Data\LimeWire\ttroot.cache
c:\documents and settings\Owner\Application Data\LimeWire\version.xml
c:\documents and settings\Owner\Application Data\LimeWire\versions.props
c:\documents and settings\Owner\Application Data\LimeWire\xml\data\audio.sxml2
c:\documents and settings\Owner\Application Data\LimeWire\xml\data\audio.sxml3
c:\documents and settings\Owner\Application Data\LimeWire\xml\data\video.sxml3
c:\program files\BitComet
c:\program files\BitComet\archive\03c80b41656a69779a4412c2d919d4874b046e30.torrent
c:\program files\BitComet\archive\086c2aa9a0aec09e0b1bc5b940085559aa58b8fa.torrent
c:\program files\BitComet\archive\112df9f483361a036acab7f63da1f430c97bba93.torrent
c:\program files\BitComet\archive\120bcedf7463dd467ab751fd9a93cac960a36220.torrent
c:\program files\BitComet\archive\27ba68fff05e5ae34a18325b9cae5d63b5833f3d.torrent
c:\program files\BitComet\archive\280d7a9b3de82437e679faf1dbd5ec36ca041084.torrent
c:\program files\BitComet\archive\327900e826ecaee5e3d8e7f70e50d45a8e00fbb8.torrent
c:\program files\BitComet\archive\3bb84ef9af3ee211e03a1ca5c3f45106a1b000ca.torrent
c:\program files\BitComet\archive\429ea3d59bef33c208f5ae93bf8075bda0090af6.torrent
c:\program files\BitComet\archive\483258de34ad68aa932c3f2af612b3c0456eccd4.torrent
c:\program files\BitComet\archive\48c04f247e981b6eb8ff8b527ff42d17cbded832.torrent
c:\program files\BitComet\archive\4a015a48ef74f1f76f7bace7371747c2e07034bb.torrent
c:\program files\BitComet\archive\4a20254ac609a8925eaef76f8db3aa43b5100997.torrent
c:\program files\BitComet\archive\6aa47c0f1348aa6327269ef3efc824eb0911804b.torrent
c:\program files\BitComet\archive\766ec299a3c281ec435b837a41db830975ecfe08.torrent
c:\program files\BitComet\archive\7c4a99797774f8360d95cc1a53df947da4e8a46c.torrent
c:\program files\BitComet\archive\85a046f79d95b39cdb253cc8ee6210fcd03222c5.torrent
c:\program files\BitComet\archive\926afd99b16bfc228f7ca98bf709919affb14c8f.torrent
c:\program files\BitComet\archive\93e20462024a1302d6a5c6f9c17810d3c36bff94.torrent
c:\program files\BitComet\archive\97cba0d8f6fa17e23329a71b9f49022bb89cbc1a.torrent
c:\program files\BitComet\archive\a529470fe7128fc26a44217ef47aaa02880c013e.torrent
c:\program files\BitComet\archive\be5a6f79c9b7ddcac411e3011639d182057e9fd4.torrent
c:\program files\BitComet\archive\c1add909754ff78c778285f07b6639f557b70739.torrent
c:\program files\BitComet\archive\ce623f2cf0cd6e9a423a03bac4eff1f28cf28f2c.torrent
c:\program files\BitComet\archive\d219caa21d4bc44c647fe63f85f29ed3766bed9d.torrent
c:\program files\BitComet\archive\d6319776652f95788963c6a849fbdc2750eae309.torrent
c:\program files\BitComet\archive\ed2bca09a17dbcc3b75ea0df3964705b69843a42.torrent
c:\program files\BitComet\BitComet.xml
c:\program files\BitComet\Downloads.xml
c:\program files\BitComet\Downloads.xml.bak
c:\program files\BitComet\rules\dhtnodes.dat
c:\program files\BitComet\share\my_shares.xml
c:\program files\BitComet\torrents\erunt-setup.exe.xml
c:\program files\BitComet\torrents\etax2009_1.msi.xml
c:\program files\BitComet\torrents\HijackThis.msi.xml
c:\program files\BitComet\torrents\setup.exe.xml
c:\program files\BitComet\torrents\Tale_of_Two_Brains.wmv.xml
c:\program files\BitComet\torrents\VundoFix.exe.xml

.
((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))
.

2010-02-25 06:06 . 2010-02-25 06:07 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2010-02-20 07:03 . 2010-02-20 07:03 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-20 07:03 . 2010-02-20 07:03 -------- d-----w- c:\program files\TrendMicro
2010-02-20 07:01 . 2010-02-20 07:01 -------- d-----w- c:\program files\ERUNT
2010-02-19 08:23 . 2010-02-19 08:23 -------- d-----w- C:\VundoFix Backups
2010-02-08 07:57 . 2010-02-25 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-01-30 08:06 . 2010-01-30 08:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-01 01:12 . 2009-02-17 07:14 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2010-02-27 07:57 . 2010-01-14 00:30 301872 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-25 01:14 . 2008-11-21 09:45 -------- d-----w- c:\documents and settings\Owner\Application Data\ZoomBrowser EX
2010-02-23 08:03 . 2008-11-15 02:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-20 06:27 . 2010-01-09 08:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-17 07:38 . 2009-03-16 07:55 -------- d-----w- c:\documents and settings\Owner\Application Data\TuneUpMedia
2010-02-08 07:57 . 2008-11-16 02:12 -------- d-----w- c:\program files\Canon
2010-01-30 08:01 . 2008-11-16 01:17 -------- d-----w- c:\program files\Google
2010-01-23 08:08 . 2008-11-11 10:52 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-20 08:01 . 2010-01-20 07:59 23123 ----a-w- c:\windows\hpqins15.dat
2010-01-20 07:21 . 2008-12-07 08:04 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-09 08:47 . 2008-11-11 12:16 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-09 08:47 . 2008-11-11 12:16 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-09 08:47 . 2008-11-11 12:16 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-09 08:46 . 2008-11-11 12:16 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-09 08:45 . 2008-11-11 12:16 -------- d-----w- c:\program files\AVG
2010-01-02 13:33 . 2009-01-04 07:33 -------- d-----w- c:\program files\MpcStar
2010-01-02 13:32 . 2010-01-02 13:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-01 08:30 . 2009-08-27 08:01 -------- d-----w- c:\documents and settings\Owner\Application Data\HpUpdate
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-20 07:50 . 2008-11-11 10:45 172200 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-18 09:03 . 2009-12-17 09:05 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-12-18 09:03 . 2009-12-17 09:05 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-12-18 08:52 . 2009-12-17 09:05 88 --sh--r- c:\documents and settings\All Users\Application Data\B9BA940FD4.sys
2009-12-18 08:52 . 2009-12-17 09:05 88 --sh--r- c:\documents and settings\All Users\Application Data\B9BA940FD4.sys
2009-12-18 07:47 . 2009-12-18 07:44 77349 ----a-w- c:\windows\hpqins05.dat
2009-12-16 18:43 . 2008-11-11 10:36 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2004-08-04 12:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2004-08-04 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-04-27 09:04 . 2008-12-24 09:55 88 --sh--r- c:\windows\system32\B9BA940FD4.sys
2009-04-27 09:12 . 2008-12-24 09:55 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-16 39408]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2009-01-27 251264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-12 30192]
"QuickTime Task"="c:\program files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe" [2010-01-02 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-09 08:46 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Hiro-Media Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Hiro-Media Client.lnk
backup=c:\windows\pss\Hiro-Media Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PHOTOfunSTUDIO.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PHOTOfunSTUDIO.lnk
backup=c:\windows\pss\PHOTOfunSTUDIO.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABIT uGuruIII]
2006-03-23 02:11 417792 ----a-w- c:\program files\ABIT\uGuru\uGuru.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 06:27 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-21 16:27 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2008-04-17 04:44 98616 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJLaunchEXE]
2002-03-14 00:11 630784 ----a-w- c:\program files\Canon\BJCard\BJLaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2007-05-14 16:01 644696 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-14 11:47 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 01:24 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 12:00 208952 ----a-w- c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-02-16 06:45 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-16 06:45 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 06:41 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-05 13:25 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2005-03-10 03:31 28160 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2002-07-25 05:20 28672 ----a-w- c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-13 20:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 06:27 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 02:32 79400 ----a-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-01-02 13:32 413696 ----a-w- c:\program files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 05:40 56928 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-05-04 07:59 16206848 ------r- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-04-24 07:20 1448960 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-24 23:33 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 02:47 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-11-16 08:21 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector v2]
2005-05-23 00:27 90112 ------w- c:\program files\Common Files\Ulead Systems\Autodetector\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WireLessMouse]
2005-11-30 03:18 94208 ----a-w- c:\program files\Office mouse driver\StartAutorun.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [11/11/2008 9:06 PM 14592]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/11/2008 9:46 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/11/2008 9:46 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [9/01/2010 6:15 PM 285392]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/01/2010 5:31 PM 135664]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [19/12/2008 5:15 PM 30192]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\Owner\Desktop\SysProt\SysProtDrv.sys [25/02/2010 10:06 AM 44288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 08:01]

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 08:01]

2010-03-01 c:\windows\Tasks\User_Feed_Synchronization-{C615DD69-9C13-415F-9DAA-F1CD921C4510}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 19:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ninemsn.com.au/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Add animation to IncrediMail Style Box - c:\program files\IncrediMail\bin\resources\WebMenuImg.htm
IE: &Search - ?p=ZKxdm011YYAU
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Handler: hiro - {50BA1131-168F-4c08-A69B-4012273F222E} - c:\program files\Hiro-Media\HiroClient\OldHiroProtocolHandler.dll
Handler: hirodownload - {77F2FF4C-CEDD-4c71-8ABF-DF7CC05EFC63} - c:\program files\Hiro-Media\HiroClient\HiroProtocolHandler.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-01 10:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3728)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\IncrediMail\bin\B4ImApp.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Canon\BJCard\Bjmcmng.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Protexis\License Service\PSIService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\IncrediMail\bin\IMApp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-01 11:00:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-01 01:30
ComboFix2.txt 2010-02-25 07:11

Pre-Run: 99,189,440,512 bytes free
Post-Run: 99,123,191,808 bytes free

- - End Of File - - 98454472255831BE7E8032062721A66B

gjnalder
2010-03-01, 02:35
DDS report below:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 11:02:28.10 on Mon 01/03/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2046.1379 [GMT 9.5:30]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ninemsn.com.au/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [IncrediMail] c:\program files\incredimail\bin\IncMail.exe /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [QuickTime Task] "c:\program files\mpcstar\codecs\quicktime\qtsystem\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: &Add animation to IncrediMail Style Box - c:\program files\incredimail\bin\resources\WebMenuImg.htm
IE: &Search - ?p=ZKxdm011YYAU
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jre/6u10-b92-b/jinstall-6u10-windows-i586-jc.cab?e=1226823619453&h=81709914d9c8a2165de892c5cedc2991/&filename=jinstall-6u10-windows-i586-jc.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: hiro - {50BA1131-168F-4c08-A69B-4012273F222E} - c:\program files\hiro-media\hiroclient\OldHiroProtocolHandler.dll
Handler: hirodownload - {77F2FF4C-CEDD-4c71-8ABF-DF7CC05EFC63} - c:\program files\hiro-media\hiroclient\HiroProtocolHandler.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [2008-11-11 14592]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-11 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-11 28424]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-11 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-1-9 285392]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-12-19 30192]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\owner\desktop\sysprot\SysProtDrv.sys [2010-2-25 44288]

=============== Created Last 30 ================

2010-02-25 07:05:05 0 d-sha-r- C:\cmdcons
2010-02-25 07:02:55 98816 ----a-w- c:\windows\sed.exe
2010-02-25 07:02:55 77312 ----a-w- c:\windows\MBR.exe
2010-02-25 07:02:55 261632 ----a-w- c:\windows\PEV.exe
2010-02-25 07:02:55 161792 ----a-w- c:\windows\SWREG.exe
2010-02-20 07:03:54 0 d-----w- c:\program files\TrendMicro
2010-02-19 08:23:01 0 d-----w- C:\VundoFix Backups
2010-02-17 07:57:33 20 ----a-w- c:\windows\system32\44c5dd05
2010-02-17 07:22:33 1236 --sha-w- c:\windows\system32\1142262354
2010-02-08 07:57:06 0 d-----w- c:\docume~1\alluse~1\applic~1\ZoomBrowser

==================== Find3M ====================

2010-01-20 08:01:10 23123 ----a-w- c:\windows\hpqins15.dat
2010-01-09 08:47:11 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-09 08:47:10 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-09 08:46:37 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-18 09:03:56 2828 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-12-18 08:52:46 88 --sh--r- c:\docume~1\alluse~1\applic~1\B9BA940FD4.sys
2009-12-18 07:47:29 77349 ----a-w- c:\windows\hpqins05.dat
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-04-27 09:04:02 88 --sh--r- c:\windows\system32\B9BA940FD4.sys
2009-04-27 09:12:06 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 11:02:41.78 ===============

km2357
2010-03-01, 06:21
Step # 1 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6u18 (http://www.java.com/en/download/manual.jsp).
Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Remove the following old versions of Java:


Java(TM) 6 Update 10


Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.

From your desktop double-click on the download to install the newest version.



Step # 2 Run CCleaner

CCleaner will remove everything from the temp/temporary folders but please note that it will not make backups!


Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 24 hours
Then select the items you wish to clean up.

In the Windows Tab:

Clean all entries in the Internet Explorer section except Cookies
Clean all the entries in the Windows Explorer section
Clean all entries in the System section
Clean all entries in the Advanced section
Clean any others that you choose

In the Applications Tab:

Clean all except cookies in the Firefox/Mozilla section if you use it
Clean all in the Opera section if you use it
Clean Sun Java in the Internet Section
Clean any others that you choose

Click the Run Cleaner button.
A pop up box will appear advising this process will permanently delete files from your system.
Click OK and it will scan and clean your system.
Click exit when done.
If it asks you to reboot at the end, click NO



Step # 3 Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php).

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.


Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Post the MalwareBytes' Log in your next post/reply.

gjnalder
2010-03-01, 11:03
Done, log attached.

Malwarebytes' Anti-Malware 1.44
Database version: 3808
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/03/2010 7:32:25 PM
mbam-log-2010-03-01 (19-32-11).txt

Scan type: Quick Scan
Objects scanned: 119584
Time elapsed: 9 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

gjnalder
2010-03-01, 11:06
Sorry forgot to click the remove Selected button, so new log attached.

Malwarebytes' Anti-Malware 1.44
Database version: 3808
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/03/2010 7:34:11 PM
mbam-log-2010-03-01 (19-34-11).txt

Scan type: Quick Scan
Objects scanned: 119584
Time elapsed: 9 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

km2357
2010-03-01, 20:26
Step # 1 Update Adobe Acrobat Reader

Your version of Adobe Reader is out of date.

Please open up Adobe Reader, then click Help, then Check for updates

Once Adobe is done checking for updates, select the update for Adobe Reader 9.3.1 and have Adobe download and install the update.



Step # 2: Run Kaspersky Online Scan

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.

In your next post/reply, I need to see the following:

1. Kaspersky Log
2. How is your computer doing, any problems?

gjnalder
2010-03-02, 04:19
Report attached. Computer seems to be fine but have only been doing what you have requested so haven't had much time to "play" with it except checking emails.
cheers

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, March 2, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, March 01, 2010 20:43:46
Records in database: 3679174
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Objects scanned: 100598
Threats found: 8
Infected objects found: 24
Suspicious objects found: 0
Scan duration: 01:43:26


File name / Threat / Threats count
C:\101aasg\Arcade\3D Pickman\RegTest.exe Infected: Trojan-Spy.Win32.Ardamax.abh 1
C:\101cbg\Card\Card Game 1001\Card Game 1001.exe Infected: Trojan.Win32.Rozena.bhk 1
C:\Documents and Settings\Owner\My Documents\Incomplete\Preview-T-3303539-Righteous Brothers - Youll never walk alone.mp3 Infected: Trojan-Downloader.WMA.GetCodec.aa 1
C:\Documents and Settings\Owner\My Documents\Incomplete\Preview-T-4614913-fallen hard.wma Infected: Trojan-Downloader.WMA.Wimad.y 1
C:\Documents and Settings\Owner\My Documents\Incomplete\Preview-T-5873259-songs for longing.au Infected: Trojan-Downloader.WMA.GetCodec.s 1
C:\Documents and Settings\Owner\My Documents\Incomplete\T-5873259-songs for longing.au Infected: Trojan-Downloader.WMA.GetCodec.s 1
C:\Documents and Settings\Owner\My Documents\My Documents\Incomplete\Preview-T-3303539-Righteous Brothers - Youll never walk alone.mp3 Infected: Trojan-Downloader.WMA.GetCodec.aa 1
C:\Documents and Settings\Owner\My Documents\My Documents\My Music\dagda.mp3 Infected: Trojan-Downloader.WMA.Wimad.r 1
C:\Documents and Settings\Owner\My Documents\My Documents\My Music\gary bennett MTV.mp3 Infected: Trojan-Downloader.WMA.GetCodec.f 1
C:\Documents and Settings\Owner\My Documents\My Documents\My Music\once in red moon (best quality).mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\Owner\My Documents\My Documents\My Music\serenade to spring secret [cd rip].mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\Owner\My Documents\My Documents\My Music\serenade to spring.mp3 Infected: Trojan-Downloader.WMA.Wimad.r 1
C:\Documents and Settings\Owner\My Documents\My Documents\My Music\windancer secret garden - greatest hits.mp3 Infected: Trojan-Downloader.WMA.GetCodec.aa 1
C:\Documents and Settings\Owner\My Documents\My Music\dagda.mp3 Infected: Trojan-Downloader.WMA.Wimad.r 1
C:\Documents and Settings\Owner\My Documents\My Music\fallen hard.wma Infected: Trojan-Downloader.WMA.Wimad.y 1
C:\Documents and Settings\Owner\My Documents\My Music\gary bennett MTV.mp3 Infected: Trojan-Downloader.WMA.GetCodec.f 1
C:\Documents and Settings\Owner\My Documents\My Music\once in red moon (best quality).mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\Owner\My Documents\My Music\serenade to spring secret [cd rip].mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\Owner\My Documents\My Music\serenade to spring.mp3 Infected: Trojan-Downloader.WMA.Wimad.r 1
C:\Documents and Settings\Owner\My Documents\My Music\songs for longing.wma Infected: Trojan-Downloader.WMA.Wimad.y 1
C:\Documents and Settings\Owner\My Documents\My Music\windancer secret garden - greatest hits.mp3 Infected: Trojan-Downloader.WMA.GetCodec.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\mi1310687320v4.vir Infected: Trojan-Downloader.WMA.GetCodec.s 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\mi1310687320v6.vir Infected: Trojan-Downloader.WMA.GetCodec.s 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\mi1310687320v7.vir Infected: Trojan-Downloader.WMA.GetCodec.s 1

Selected area has been scanned.

km2357
2010-03-02, 06:35
Computer seems to be fine but have only been doing what you have requested so haven't had much time to "play" with it except checking emails.

Go ahead and do other stuff on the computer (like surfing the web) besides checking e-mails. Let me know how your computer runs and if you get any pop-ups and/or redirects when browsing the 'Net.

Kaspersky found some files in the Qoobox folder which is where ComboFix keeps its quarantined files. I'll show you how to remove those and ComboFix in an upcoming post.


Delete CFScript.txt from your Desktop, you will be creating and running a new one.


Step # 1: Run CFScript


Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


KILLALL::

File::

C:\101aasg\Arcade\3D Pickman\RegTest.exe
C:\101cbg\Card\Card Game 1001\Card Game 1001.exe
C:\Documents and Settings\Owner\My Documents\Incomplete\Preview-T-3303539-Righteous Brothers - Youll never walk alone.mp3
C:\Documents and Settings\Owner\My Documents\Incomplete\Preview-T-4614913-fallen hard.wma
C:\Documents and Settings\Owner\My Documents\Incomplete\Preview-T-5873259-songs for longing.au
C:\Documents and Settings\Owner\My Documents\Incomplete\T-5873259-songs for longing.au
C:\Documents and Settings\Owner\My Documents\My Documents\Incomplete\Preview-T-3303539-Righteous Brothers - Youll never walk alone.mp3
C:\Documents and Settings\Owner\My Documents\My Documents\My Music\dagda.mp3
C:\Documents and Settings\Owner\My Documents\My Documents\My Music\gary bennett MTV.mp3
C:\Documents and Settings\Owner\My Documents\My Documents\My Music\once in red moon (best quality).mp3
C:\Documents and Settings\Owner\My Documents\My Documents\My Music\serenade to spring secret [cd rip].mp3
C:\Documents and Settings\Owner\My Documents\My Documents\My Music\serenade to spring.mp3
C:\Documents and Settings\Owner\My Documents\My Documents\My Music\windancer secret garden - greatest hits.mp3
C:\Documents and Settings\Owner\My Documents\My Music\dagda.mp3
C:\Documents and Settings\Owner\My Documents\My Music\fallen hard.wma
C:\Documents and Settings\Owner\My Documents\My Music\gary bennett MTV.mp3
C:\Documents and Settings\Owner\My Documents\My Music\once in red moon (best quality).mp3
C:\Documents and Settings\Owner\My Documents\My Music\serenade to spring secret [cd rip].mp3
C:\Documents and Settings\Owner\My Documents\My Music\serenade to spring.mp3
C:\Documents and Settings\Owner\My Documents\My Music\songs for longing.wma
C:\Documents and Settings\Owner\My Documents\My Music\windancer secret garden - greatest hits.mp3


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.




http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif


Note: This CFScript is for use on gjnalder's computer only! Do not use it on your computer.


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 1 has been completed.

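A small analyst-side helper, added here as an example and not part of this thread, of ComboFix or of the Kaspersky scanner: it parses the "File name / Threat / Threats count" section of a Kaspersky Online Scanner 7.0 text report, drops entries that sit under ComboFix's own quarantine folder (C:\Qoobox\Quarantine, which km2357 points out above are quarantined copies rather than live infections and so were left out of the CFScript), de-duplicates the remaining paths and emits the KILLALL::/File:: block in the layout km2357 used. The line pattern, the quarantine prefix, the sample report (constructed, with made-up paths) and the function names are all assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample in the layout of a Kaspersky Online Scanner 7.0 report
# (paths and file names are made up for the example; the third line is a
# deliberate duplicate of the second).
SAMPLE_REPORT = r"""
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
--------------------------------------------------------------------------------

File name / Threat / Threats count
C:\Games\Arcade\RegTest.exe Infected: Trojan-Spy.Win32.Ardamax.abh 1
C:\Documents and Settings\Owner\My Documents\My Music\track one.mp3 Infected: Trojan-Downloader.WMA.GetCodec.aa 1
C:\Documents and Settings\Owner\My Documents\My Music\track one.mp3 Infected: Trojan-Downloader.WMA.GetCodec.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sample.vir Infected: Trojan-Downloader.WMA.GetCodec.s 1

Selected area has been scanned.
"""

# One finding per line: "<path> Infected: <threat name> <count>".
# Assumed pattern: the path may contain spaces, so it is matched lazily
# up to the "Infected:" keyword; the threat name has no spaces.
FINDING_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$"
)

# Folders holding already-quarantined copies rather than live infections.
# ComboFix keeps its quarantine under C:\Qoobox\Quarantine (assumption: this
# is the only quarantine folder that needs excluding).
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\",)


def parse_report(text):
    """Return a list of {'path', 'threat', 'count'} dicts, one per finding line."""
    findings = []
    for raw in text.splitlines():
        m = FINDING_RE.match(raw.strip())
        if m:
            findings.append({
                "path": m.group("path"),
                "threat": m.group("threat"),
                "count": int(m.group("count")),
            })
    return findings


def is_quarantined(path):
    """True if the path is a tool's own quarantine copy, not a live file."""
    low = path.lower()
    return any(low.startswith(prefix) for prefix in QUARANTINE_PREFIXES)


def threat_summary(findings):
    """Number of finding lines per threat name (quarantine copies included)."""
    return dict(Counter(f["threat"] for f in findings))


def build_cfscript(findings):
    """Emit the KILLALL::/File:: block, skipping quarantine copies and duplicates."""
    seen = set()
    paths = []
    for f in findings:
        if is_quarantined(f["path"]):
            continue
        key = f["path"].lower()  # NTFS paths are case-insensitive
        if key in seen:
            continue
        seen.add(key)
        paths.append(f["path"])
    return "\n".join(["KILLALL::", "", "File::", ""] + paths) + "\n"


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for threat, n in sorted(threat_summary(found).items()):
        print(f"{n:3d}  {threat}")
    print()
    print(build_cfscript(found))
```

The output of build_cfscript is what would be saved as CFScript.txt; the threat summary is a quick way to see whether a report is dominated by one family (here the WMA downloader detections in media files) before deciding what to script against.
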
gjnalder
2010-03-02, 08:43
Hello again, scan done and report attached! complicated business heh!

ComboFix 10-02-27.04 - Owner 02/03/2010 16:59:14.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2046.1440 [GMT 9.5:30]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\cfscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\101aasg\Arcade\3D Pickman\RegTest.exe"
"c:\101cbg\Card\Card Game 1001\Card Game 1001.exe"
"c:\documents and settings\Owner\My Documents\Incomplete\Preview-T-3303539-Righteous Brothers - Youll never walk alone.mp3"
"c:\documents and settings\Owner\My Documents\Incomplete\Preview-T-4614913-fallen hard.wma"
"c:\documents and settings\Owner\My Documents\Incomplete\Preview-T-5873259-songs for longing.au"
"c:\documents and settings\Owner\My Documents\Incomplete\T-5873259-songs for longing.au"
"c:\documents and settings\Owner\My Documents\My Documents\Incomplete\Preview-T-3303539-Righteous Brothers - Youll never walk alone.mp3"
"c:\documents and settings\Owner\My Documents\My Documents\My Music\dagda.mp3"
"c:\documents and settings\Owner\My Documents\My Documents\My Music\gary bennett MTV.mp3"
"c:\documents and settings\Owner\My Documents\My Documents\My Music\once in red moon (best quality).mp3"
"c:\documents and settings\Owner\My Documents\My Documents\My Music\serenade to spring secret [cd rip].mp3"
"c:\documents and settings\Owner\My Documents\My Documents\My Music\serenade to spring.mp3"
"c:\documents and settings\Owner\My Documents\My Documents\My Music\windancer secret garden - greatest hits.mp3"
"c:\documents and settings\Owner\My Documents\My Music\dagda.mp3"
"c:\documents and settings\Owner\My Documents\My Music\fallen hard.wma"
"c:\documents and settings\Owner\My Documents\My Music\gary bennett MTV.mp3"
"c:\documents and settings\Owner\My Documents\My Music\once in red moon (best quality).mp3"
"c:\documents and settings\Owner\My Documents\My Music\serenade to spring secret [cd rip].mp3"
"c:\documents and settings\Owner\My Documents\My Music\serenade to spring.mp3"
"c:\documents and settings\Owner\My Documents\My Music\songs for longing.wma"
"c:\documents and settings\Owner\My Documents\My Music\windancer secret garden - gre"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\101aasg\Arcade\3D Pickman\RegTest.exe
c:\101cbg\Card\Card Game 1001\Card Game 1001.exe
c:\documents and settings\Owner\My Documents\Incomplete\Preview-T-3303539-Righteous Brothers - Youll never walk alone.mp3
c:\documents and settings\Owner\My Documents\Incomplete\Preview-T-4614913-fallen hard.wma
c:\documents and settings\Owner\My Documents\Incomplete\Preview-T-5873259-songs for longing.au
c:\documents and settings\Owner\My Documents\Incomplete\T-5873259-songs for longing.au
c:\documents and settings\Owner\My Documents\My Documents\Incomplete\Preview-T-3303539-Righteous Brothers - Youll never walk alone.mp3
c:\documents and settings\Owner\My Documents\My Documents\My Music\dagda.mp3
c:\documents and settings\Owner\My Documents\My Documents\My Music\gary bennett MTV.mp3
c:\documents and settings\Owner\My Documents\My Documents\My Music\once in red moon (best quality).mp3
c:\documents and settings\Owner\My Documents\My Documents\My Music\serenade to spring secret [cd rip].mp3
c:\documents and settings\Owner\My Documents\My Documents\My Music\serenade to spring.mp3
c:\documents and settings\Owner\My Documents\My Documents\My Music\windancer secret garden - greatest hits.mp3
c:\documents and settings\Owner\My Documents\My Music\dagda.mp3
c:\documents and settings\Owner\My Documents\My Music\fallen hard.wma
c:\documents and settings\Owner\My Documents\My Music\gary bennett MTV.mp3
c:\documents and settings\Owner\My Documents\My Music\once in red moon (best quality).mp3
c:\documents and settings\Owner\My Documents\My Music\serenade to spring secret [cd rip].mp3
c:\documents and settings\Owner\My Documents\My Music\serenade to spring.mp3
c:\documents and settings\Owner\My Documents\My Music\songs for longing.wma

.
((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.

2010-03-02 07:17 . 2010-03-02 07:17 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-01 08:08 . 2010-03-01 08:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-03-01 08:08 . 2010-01-07 06:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-01 08:08 . 2010-03-01 08:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-01 08:08 . 2010-01-07 06:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-01 08:08 . 2010-03-01 08:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-01 07:53 . 2010-03-01 07:53 -------- d-----w- c:\program files\Common Files\Java
2010-03-01 07:53 . 2010-03-01 07:53 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4751202f-n\msvcp71.dll
2010-03-01 07:53 . 2010-03-01 07:53 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4751202f-n\jmc.dll
2010-03-01 07:53 . 2010-03-01 07:53 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4751202f-n\msvcr71.dll
2010-03-01 07:53 . 2010-03-01 07:53 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7483c383-n\decora-sse.dll
2010-03-01 07:53 . 2010-03-01 07:53 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7483c383-n\decora-d3d.dll
2010-02-25 06:06 . 2010-02-25 06:07 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2010-02-20 07:03 . 2010-02-20 07:03 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-20 07:03 . 2010-02-20 07:03 -------- d-----w- c:\program files\TrendMicro
2010-02-20 07:01 . 2010-02-20 07:01 -------- d-----w- c:\program files\ERUNT
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-19 08:23 . 2010-02-19 08:23 -------- d-----w- C:\VundoFix Backups
2010-02-08 07:57 . 2010-03-02 07:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-02 07:07 . 2009-02-17 07:14 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2010-03-01 08:00 . 2008-11-16 01:21 -------- d-----w- c:\program files\CCleaner
2010-03-01 07:53 . 2008-11-16 08:21 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-27 07:57 . 2010-01-14 00:30 301872 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-25 01:14 . 2008-11-21 09:45 -------- d-----w- c:\documents and settings\Owner\Application Data\ZoomBrowser EX
2010-02-23 08:03 . 2008-11-15 02:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-20 06:27 . 2010-01-09 08:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-17 07:38 . 2009-03-16 07:55 -------- d-----w- c:\documents and settings\Owner\Application Data\TuneUpMedia
2010-02-08 07:57 . 2008-11-16 02:12 -------- d-----w- c:\program files\Canon
2010-01-30 08:01 . 2008-11-16 01:17 -------- d-----w- c:\program files\Google
2010-01-23 08:08 . 2008-11-11 10:52 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-20 08:01 . 2010-01-20 07:59 23123 ----a-w- c:\windows\hpqins15.dat
2010-01-20 07:21 . 2008-12-07 08:04 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-09 08:47 . 2008-11-11 12:16 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-09 08:47 . 2008-11-11 12:16 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-09 08:47 . 2008-11-11 12:16 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-09 08:46 . 2008-11-11 12:16 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-09 08:45 . 2008-11-11 12:16 -------- d-----w- c:\program files\AVG
2010-01-02 13:33 . 2009-01-04 07:33 -------- d-----w- c:\program files\MpcStar
2010-01-02 13:32 . 2010-01-02 13:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-01 08:30 . 2009-08-27 08:01 -------- d-----w- c:\documents and settings\Owner\Application Data\HpUpdate
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-20 07:50 . 2008-11-11 10:45 172200 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-18 09:03 . 2009-12-17 09:05 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-12-18 09:03 . 2009-12-17 09:05 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-12-18 08:52 . 2009-12-17 09:05 88 --sh--r- c:\documents and settings\All Users\Application Data\B9BA940FD4.sys
2009-12-18 08:52 . 2009-12-17 09:05 88 --sh--r- c:\documents and settings\All Users\Application Data\B9BA940FD4.sys
2009-12-18 07:47 . 2009-12-18 07:44 77349 ----a-w- c:\windows\hpqins05.dat
2009-12-16 18:43 . 2008-11-11 10:36 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2004-08-04 12:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2004-08-04 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-04-27 09:04 . 2008-12-24 09:55 88 --sh--r- c:\windows\system32\B9BA940FD4.sys
2009-04-27 09:12 . 2008-12-24 09:55 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-02-25_07.10.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-02 07:34 . 2010-03-02 07:34 16384 c:\windows\temp\Perflib_Perfdata_544.dat
+ 2010-03-01 07:53 . 2010-03-01 07:53 153376 c:\windows\system32\javaws.exe
+ 2010-03-01 07:53 . 2010-03-01 07:53 145184 c:\windows\system32\javaw.exe
+ 2010-03-01 07:53 . 2010-03-01 07:53 145184 c:\windows\system32\java.exe
+ 2010-03-01 07:53 . 2010-03-01 07:53 180224 c:\windows\Installer\22191.msi
+ 2010-03-01 07:53 . 2010-03-01 07:53 577536 c:\windows\Installer\2218c.msi
+ 2010-03-02 00:46 . 2010-03-02 00:46 802304 c:\windows\Installer\1b19f0.msi
+ 2010-03-02 00:46 . 2010-03-02 00:46 295606 c:\windows\Installer\{AC76BA86-7AD7-5464-3428-900000000004}\ARPPRODUCTICON.exe
+ 2010-02-28 00:26 . 2010-02-28 00:26 393216 c:\windows\ERDNT\AutoBackup\28-02-2010\Users\00000002\UsrClass.dat
+ 2010-02-28 00:26 . 2005-10-20 02:32 163328 c:\windows\ERDNT\AutoBackup\28-02-2010\ERDNT.EXE
+ 2010-02-27 01:42 . 2010-02-27 01:42 393216 c:\windows\ERDNT\AutoBackup\27-02-2010\Users\00000002\UsrClass.dat
+ 2010-02-27 01:42 . 2005-10-20 02:32 163328 c:\windows\ERDNT\AutoBackup\27-02-2010\ERDNT.EXE
+ 2010-02-25 22:33 . 2010-02-25 22:33 393216 c:\windows\ERDNT\AutoBackup\26-02-2010\Users\00000002\UsrClass.dat
+ 2010-02-25 22:33 . 2005-10-20 02:32 163328 c:\windows\ERDNT\AutoBackup\26-02-2010\ERDNT.EXE
+ 2010-03-02 00:40 . 2010-03-02 00:40 393216 c:\windows\ERDNT\AutoBackup\2-03-2010\Users\00000002\UsrClass.dat
+ 2010-03-02 00:40 . 2005-10-20 02:32 163328 c:\windows\ERDNT\AutoBackup\2-03-2010\ERDNT.EXE
+ 2010-03-01 01:06 . 2010-03-01 01:06 393216 c:\windows\ERDNT\AutoBackup\1-03-2010\Users\00000002\UsrClass.dat
+ 2010-03-01 01:06 . 2005-10-20 02:32 163328 c:\windows\ERDNT\AutoBackup\1-03-2010\ERDNT.EXE
+ 2010-02-25 00:28 . 2010-02-25 00:28 5527040 c:\windows\Installer\1b19eb.msp
+ 2009-10-27 11:04 . 2009-10-27 11:04 5009408 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\authplay.dll
+ 2010-02-28 00:26 . 2010-02-28 00:26 10465280 c:\windows\ERDNT\AutoBackup\28-02-2010\Users\00000001\ntuser.dat
+ 2010-02-27 01:42 . 2010-02-27 01:42 10465280 c:\windows\ERDNT\AutoBackup\27-02-2010\Users\00000001\ntuser.dat
+ 2010-02-25 22:33 . 2010-02-25 22:33 10465280 c:\windows\ERDNT\AutoBackup\26-02-2010\Users\00000001\ntuser.dat
+ 2010-03-02 00:40 . 2010-03-02 00:40 10465280 c:\windows\ERDNT\AutoBackup\2-03-2010\Users\00000001\ntuser.dat
+ 2010-03-01 01:06 . 2010-03-01 01:06 10465280 c:\windows\ERDNT\AutoBackup\1-03-2010\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-16 39408]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2009-01-27 251264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-12 30192]
"QuickTime Task"="c:\program files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe" [2010-01-02 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-09 08:46 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Hiro-Media Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Hiro-Media Client.lnk
backup=c:\windows\pss\Hiro-Media Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PHOTOfunSTUDIO.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PHOTOfunSTUDIO.lnk
backup=c:\windows\pss\PHOTOfunSTUDIO.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABIT uGuruIII]
2006-03-23 02:11 417792 ----a-w- c:\program files\ABIT\uGuru\uGuru.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 06:27 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-21 16:27 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2008-04-17 04:44 98616 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJLaunchEXE]
2002-03-14 00:11 630784 ----a-w- c:\program files\Canon\BJCard\BJLaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2007-05-14 16:01 644696 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-14 11:47 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 01:24 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 12:00 208952 ----a-w- c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-02-16 06:45 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-16 06:45 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 06:41 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-05 13:25 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2005-03-10 03:31 28160 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2002-07-25 05:20 28672 ----a-w- c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-13 20:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 06:27 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 02:32 79400 ----a-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-01-02 13:32 413696 ----a-w- c:\program files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 05:40 56928 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-05-04 07:59 16206848 ------r- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-04-24 07:20 1448960 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-24 23:33 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 02:47 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector v2]
2005-05-23 00:27 90112 ------w- c:\program files\Common Files\Ulead Systems\Autodetector\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WireLessMouse]
2005-11-30 03:18 94208 ----a-w- c:\program files\Office mouse driver\StartAutorun.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [11/11/2008 9:06 PM 14592]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/11/2008 9:46 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/11/2008 9:46 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [9/01/2010 6:15 PM 285392]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/01/2010 5:31 PM 135664]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [19/12/2008 5:15 PM 30192]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\Owner\Desktop\SysProt\SysProtDrv.sys [25/02/2010 10:06 AM 44288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 08:01]

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 08:01]

2010-03-02 c:\windows\Tasks\User_Feed_Synchronization-{C615DD69-9C13-415F-9DAA-F1CD921C4510}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 19:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ninemsn.com.au/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Add animation to IncrediMail Style Box - c:\program files\IncrediMail\bin\resources\WebMenuImg.htm
IE: &Search - ?p=ZKxdm011YYAU
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Handler: hiro - {50BA1131-168F-4c08-A69B-4012273F222E} - c:\program files\Hiro-Media\HiroClient\OldHiroProtocolHandler.dll
Handler: hirodownload - {77F2FF4C-CEDD-4c71-8ABF-DF7CC05EFC63} - c:\program files\Hiro-Media\HiroClient\HiroProtocolHandler.dll
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-02 17:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4008)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\IncrediMail\bin\B4ImApp.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Canon\BJCard\Bjmcmng.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Protexis\License Service\PSIService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\program files\IncrediMail\bin\IMApp.exe
.
**************************************************************************
.
Completion time: 2010-03-02 17:10:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-02 07:40
ComboFix2.txt 2010-03-01 01:30
ComboFix3.txt 2010-02-25 07:11

Pre-Run: 98,919,239,680 bytes free
Post-Run: 98,903,093,248 bytes free

- - End Of File - - F7B6FC395B36D3F578C6C7B3A0E1AC48

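A small triage helper for the log format pasted above, added here as an example; it is not part of this thread, ComboFix or any of the tools used. It parses the "Files Created"/"Find3M" lines and the "Reg Loading Points" Run entries into records and flags the ones a helper would look at first (hidden+system files sitting in user data folders, autostart entries running from outside Windows or Program Files). The sample lines are copied from the posted log plus one hypothetical "Updater" Run entry that is not from the log, so the autostart check has something to fire on.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample (not a complete log): a few "Files Created" and
# "Reg Loading Points" lines in the shape ComboFix prints them, copied from
# the log posted above, plus one hypothetical "Updater" Run entry that is NOT
# from the posted log, so the autostart check has something to flag.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.
2010-03-02 07:17 . 2010-03-02 07:17 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-01 08:08 . 2010-01-07 06:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-18 09:03 . 2009-12-17 09:05 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-12-18 08:52 . 2009-12-17 09:05 88 --sh--r- c:\documents and settings\All Users\Application Data\B9BA940FD4.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-16 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-12 30192]
"Updater"="c:\documents and settings\Owner\Local Settings\Temp\updater.exe" [2010-03-01 12345]
"""

# File line: <modified> . <created> <size or dashes for a directory> <attrs> <path>
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-{8}) "
    r"([-dsharw]{8}) "
    r"(.+)$"
)
# Run value line: "name"="path" [date size]
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
# Registry key header line: [HKEY_...]
KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")


@dataclass
class FileEntry:
    modified: str
    created: str
    size: int        # -1 for directories (ComboFix prints dashes instead of a size)
    attrs: str       # flag string such as "--sha-w-": d=directory, s=system, h=hidden, a=archive
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def is_hidden_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs


@dataclass
class RunEntry:
    key: str         # the [HKEY_...\Run] key the value lives under
    name: str
    path: str
    date: str
    size: int


def parse_combofix(text: str) -> Tuple[List[FileEntry], List[RunEntry]]:
    """Pull structured file and autostart records out of ComboFix log text."""
    files: List[FileEntry] = []
    runs: List[RunEntry] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)   # remember which key the following values belong to
            continue
        f = FILE_RE.match(line)
        if f:
            size = -1 if f.group(3).startswith("-") else int(f.group(3))
            files.append(FileEntry(f.group(1), f.group(2), size, f.group(4), f.group(5)))
            continue
        r = RUN_RE.match(line)
        if r:
            runs.append(RunEntry(current_key, r.group(1), r.group(2), r.group(3), int(r.group(4))))
    return files, runs


TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
USER_DATA_PREFIX = "c:\\documents and settings\\"


def triage(files: List[FileEntry], runs: List[RunEntry]) -> List[str]:
    """Return review flags. A flag means 'look at this by hand', not 'this is malware':
    licensing and cache components also drop hidden+system files in data folders."""
    flags: List[str] = []
    for f in files:
        if f.is_hidden_system and not f.is_dir and f.path.lower().startswith(USER_DATA_PREFIX):
            flags.append(f"hidden+system file in a user data folder: {f.path}")
    for r in runs:
        p = r.path.lower()
        if "\\temp\\" in p or not p.startswith(TRUSTED_PREFIXES):
            flags.append(f'autostart "{r.name}" ({r.key}) runs from an unusual location: {r.path}')
    return flags


if __name__ == "__main__":
    fs, rs = parse_combofix(SAMPLE_LOG)
    print(f"{len(fs)} file entries, {len(rs)} autostart entries")
    for flag in triage(fs, rs):
        print("REVIEW:", flag)
```
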
km2357
2010-03-02, 20:11
It looks like ComboFix removed what we wanted it to remove. :)

How is your computer doing now, notice any problems while using it/browsing the web?

gjnalder
2010-03-03, 08:19
Ran Spybot and AVG and both of them found no bugs so looking good now.
Seems to be running well, no hiccups at the moment. Will monitor and let you know if anything goes amuck. Many thanks for ALL your help, you are a wizard. cheers Janine

km2357
2010-03-03, 20:11
Let's do this, use your computer as you normally would until this upcoming Friday. If there are no problems, go ahead and post back on Friday saying so and I'll give you my "All-Clean" post/speech. :)

If something does come up between now and Friday, post about that as well and we'll look into it.

gjnalder
2010-03-05, 08:49
No problems so far, so all good.

cheers
J:

km2357
2010-03-05, 20:59
That's good to hear.

Since there are no more problems, you are good to go. :)

You can delete the following off of your computer:

DDS.scr
The two DDS Logs
GMER.zip
GMER.exe
SysProt.zip
SysProt.exe
The SysProt Log


To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /Uninstall & click OK

Empty your Recycle Bin.


Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point

Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


Make your Internet Explorer more secure - This can be done by following these simple instructions: From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it asks you if you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Set correct settings for files that should be hidden in Windows XP
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
If unchecked please check Hide protected operating system files (Recommended)
If necessary check "Display content of system folders"
If necessary uncheck Hide file extensions for known file types.
Click OK

Use An Antivirus Software and Keep It Updated - It is very important that your computer has antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Update Site Frequently - It is important that you visit Microsoft Updates (http://update.microsoft.com/) regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line Anti Malware (http://forum.malwareremoval.com/viewtopic.php?p=54#54)
Use the hosts file: Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download the mvps hosts file (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE (http://www.bleepingcomputer.com/forums/tutorial51.html). If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button on the task bar at the bottom of your screen. Click Run. In the dialog box, type services.msc and hit Enter, then locate DNS Client. Highlight it, then double-click it. On the dropdown box, change the setting from Automatic to Manual. Click OK.
Use an alternative instant messenger program. Trillian (http://www.trillian.cc/) and Miranda IM (http://www.miranda-im.com/) are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Please read Tony Klein's excellent article: How I got Infected in the First Place (http://forums.subratam.org/index.php?showtopic=5931)
Please read Understanding Spyware, Browser Hijackers, and Dialers (http://www.bleepingcomputer.com/forums/tutorial41.html)
Please read Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/tutorial82.html)
If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox (http://www.mozilla.org/products/firefox) or
Opera (http://www.opera.com/download/).
If you decide to use either Firefox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back (http://spyware-free.us/2006/01/time-to-fight-back.html). Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

If your computer is running slow, click here (http://www.malwareremoval.com/tutorials/runningslowly.php) for instructions on how to help speed up your computer.

Good luck!

Please reply one last time so that I know you have read my post and this thread can be closed.

gjnalder
2010-03-06, 08:08
Farewell and many thanks again.
:thanks::)

km2357
2010-03-06, 18:55
You're welcome. I'm glad I was able to help you out. :)

Good luck and safe surfing!