PDA

View Full Version : Need Help Removing Malware/Virus!!



bowlzy17
2010-09-10, 02:38
Hello,
Where do I begin?? I recently recieved a virus which was causing redirects in IE8 and also wouldn't let me open Malwarebytes or Spybot along with certain processes running using alot of memory (ie. csrss.exe, svchost.exe). Appears from the threads this is a common malware/virus. Being the stubborn one I am (thinking I could fix this) and against all the good advice from the experts I downloaded Combofix and ran it. This seemed to remove everything (along with running Malwarebytes afterwords) so I deleted old restore points and created a clean one.
Couple days later I visited a site and got a pop-up from a poker site and couple minutes later malware doctor was installed, firewall, and security centre turned off, avg resident shield was going crazy with new virus detections! Manged to remove some stuff with malwarebytes and avg (I think they were conflicting with each other though) but I'm still getting redirects and weird processes running. Also noticed some new and strange processes in the msconfig - startup so I stopped a couple and now recieve an error on start up (RUNDLL error loading C:/Windows/tsvadxsi.dll) which was one of the startup processes I stopped.
Now I've decided to come to the experts which I should have done from the beginning, I thank you in advance and appreciate all your help, it's nice to know there are some computer experts out there not creating annoying and dangerous viruses!
I have installed and run the ERUNT and the DDS with attchment is below!

Thanks again!:)

5699

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 17:33:45.12 on Thu 09/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.999 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\AVG\AVG9\avgupd.exe
C:\Documents and Settings\Owner\Desktop\dds.com

============== Pseudo HJT Report ===============

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uyejoducexu] rundll32.exe "c:\windows\tsvadxsi.dll",Startup
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Hrovomopa] rundll32.exe "c:\windows\aregedey.dll",Startup
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {444785F1-DE89-4295-863A-D46C3A781394} - hxxp://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-18 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-18 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-18 243024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-9-6 532224]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S4 WUSB54GSv2SVC;WUSB54GSv2SVC;c:\program files\linksys wireless-g usb wireless network monitor\WLService.exe [2009-4-16 41025]

============== File Associations ===============

.scr=AutoCADScriptFile

=============== Created Last 30 ================

2010-09-08 01:36:53 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-09-07 02:31:28 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-09-07 02:31:09 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-09-07 02:31:09 0 d-----w- c:\windows\system32\ZoneLabs
2010-09-07 02:31:07 420800 ----a-w- c:\windows\system32\vsconfig.xml
2010-09-07 02:31:07 0 d-----w- c:\program files\Zone Labs
2010-09-07 02:29:49 0 d-----w- c:\windows\Internet Logs
2010-09-07 01:25:10 0 d-----w- c:\windows\system32\LogFiles
2010-09-06 20:58:18 120 ----a-w- c:\windows\Nvavubuca.dat
2010-09-06 20:58:18 0 ----a-w- c:\windows\Fjewuva.bin
2010-09-06 20:56:01 0 d-----w- c:\docume~1\owner\applic~1\33822E9F2C5251F20FAD0D559D9605FB
2010-09-02 01:40:10 0 d-sha-r- C:\cmdcons
2010-09-02 01:37:44 98816 ----a-w- c:\windows\sed.exe
2010-09-02 01:37:44 77312 ----a-w- c:\windows\MBR.exe
2010-09-02 01:37:44 256512 ----a-w- c:\windows\PEV.exe
2010-09-02 01:37:44 161792 ----a-w- c:\windows\SWREG.exe
2010-09-02 01:22:06 0 d-----w- c:\docume~1\owner\applic~1\AVG9
2010-08-29 02:39:40 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-29 01:27:51 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-08-29 01:27:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-08-29 01:24:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-29 01:24:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-28 16:57:59 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-07-15 21:56:59 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 21:56:54 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 21:56:44 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2009-04-07 19:37:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009040720090408\index.dat

============= FINISH: 17:35:23.55 ===============

ken545
2010-09-11, 23:42
:snwelcome:


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.


Never run Combofix on your own. Its a very powerful tool and should not be taken lightly. This forum, myself and sUbs will not be responsible if you damage your system when running this on your own.


If you still have Combofix on your desktop drag it to the trash and download a fresh copy

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop



Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above DDS::




DDS::
uRun: [Uyejoducexu]
mRun: [Hrovomopa]

Files::
c:\windows\Nvavubuca.dat
c:\windows\Fjewuva.bin


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

bowlzy17
2010-09-13, 03:43
Hi, thanks for the response and help... Much appreciated! I have run combofix and havn't noticed any redirects yet, computer seems to be running better. The log is as follows:

5726

Thanks!

ComboFix 10-09-12.01 - Owner 09/12/2010 20:23:45.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1086 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\33822E9F2C5251F20FAD0D559D9605FB
c:\documents and settings\Owner\Application Data\33822E9F2C5251F20FAD0D559D9605FB\enemies-names.txt
c:\documents and settings\Owner\Application Data\33822E9F2C5251F20FAD0D559D9605FB\local.ini
c:\documents and settings\Owner\Local Settings\Application Data\{016D4F54-6B2C-414E-9B62-8ED6D7D4B826}
c:\documents and settings\Owner\Local Settings\Application Data\{016D4F54-6B2C-414E-9B62-8ED6D7D4B826}\chrome.manifest
c:\documents and settings\Owner\Local Settings\Application Data\{016D4F54-6B2C-414E-9B62-8ED6D7D4B826}\chrome\content\_cfg.js
c:\documents and settings\Owner\Local Settings\Application Data\{016D4F54-6B2C-414E-9B62-8ED6D7D4B826}\chrome\content\overlay.xul
c:\documents and settings\Owner\Local Settings\Application Data\{016D4F54-6B2C-414E-9B62-8ED6D7D4B826}\install.rdf
c:\documents and settings\Owner\Local Settings\Application Data\Windows Server
c:\documents and settings\Owner\Local Settings\Application Data\Windows Server\server.dat
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

Infected copy of c:\windows\system32\drivers\pciide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-08-13 to 2010-09-13 )))))))))))))))))))))))))))))))
.

2010-09-10 00:30 . 2010-09-10 00:31 -------- d-----w- c:\program files\iTunes
2010-09-10 00:30 . 2010-09-10 00:31 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-10 00:28 . 2010-09-10 00:29 -------- d-----w- c:\program files\QuickTime
2010-09-10 00:27 . 2010-09-10 00:27 -------- d-----w- c:\program files\Apple Software Update
2010-09-10 00:27 . 2010-09-10 00:31 -------- dc----w- c:\windows\system32\DRVSTORE
2010-09-10 00:27 . 2010-09-10 00:27 -------- d-----w- c:\program files\Bonjour
2010-09-10 00:26 . 2010-09-10 00:30 -------- d-----w- c:\program files\Common Files\Apple
2010-09-09 21:39 . 2010-09-09 21:39 -------- d-----w- c:\program files\Common Files\Java
2010-09-09 21:39 . 2010-09-09 21:39 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-764eaaa7-n\decora-sse.dll
2010-09-09 21:39 . 2010-09-09 21:39 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3b1b0b5f-n\msvcp71.dll
2010-09-09 21:39 . 2010-09-09 21:39 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3b1b0b5f-n\jmc.dll
2010-09-09 21:39 . 2010-09-09 21:39 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3b1b0b5f-n\msvcr71.dll
2010-09-09 21:39 . 2010-09-09 21:39 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-764eaaa7-n\decora-d3d.dll
2010-09-09 21:39 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-09 00:44 . 2010-09-09 00:44 -------- d-----w- c:\program files\ERUNT
2010-09-08 01:36 . 2010-05-21 18:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-09-07 02:31 . 2010-09-07 02:31 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-09-07 02:31 . 2010-06-23 17:51 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-09-07 02:31 . 2010-06-23 17:51 103936 ----a-w- c:\windows\system32\zlcommdb.dll
2010-09-07 02:31 . 2010-09-07 02:31 -------- d-----w- c:\windows\system32\ZoneLabs
2010-09-07 02:31 . 2010-06-23 17:51 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-09-07 02:31 . 2010-09-07 02:31 -------- d-----w- c:\program files\Zone Labs
2010-09-07 02:29 . 2010-09-13 00:29 -------- d-----w- c:\windows\Internet Logs
2010-09-07 01:25 . 2010-09-07 01:25 -------- d-----w- c:\windows\system32\LogFiles
2010-09-06 21:41 . 2010-09-06 21:41 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-09-06 20:58 . 2010-09-13 00:03 120 ----a-w- c:\windows\Nvavubuca.dat
2010-09-06 20:58 . 2010-09-13 00:03 0 ----a-w- c:\windows\Fjewuva.bin
2010-09-02 01:22 . 2010-09-02 01:22 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG9
2010-09-01 13:12 . 2010-09-01 13:12 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-08-29 02:39 . 2010-09-10 22:55 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-29 01:27 . 2010-08-29 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-29 01:27 . 2010-08-29 02:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-29 01:24 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-29 01:24 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-28 16:57 . 2010-08-29 01:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-10 22:54 . 2009-04-28 22:18 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-09-10 00:30 . 2009-06-25 23:40 -------- d-----w- c:\program files\iPod
2010-09-10 00:28 . 2009-04-28 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-09-09 21:39 . 2009-04-19 14:19 -------- d-----w- c:\program files\Java
2010-09-08 22:54 . 2009-11-13 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-09-07 03:02 . 2009-04-18 18:06 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2010-09-07 01:20 . 2010-04-01 04:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Onykz
2010-09-06 21:07 . 2010-06-21 17:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Etob
2010-08-28 02:39 . 2009-04-18 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-15 03:03 . 2009-10-31 19:00 -------- d-----w- c:\program files\AutoCAD Civil 3D 2009
2010-08-08 22:48 . 2009-06-28 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-07-27 22:44 . 2010-07-27 22:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 22:44 . 2010-07-27 22:44 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-07-27 22:44 . 2010-07-27 22:44 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-27 22:44 . 2010-07-27 22:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-20 01:44 . 2009-05-28 22:12 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2010-07-16 00:47 . 2009-04-20 22:58 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-15 21:56 . 2009-04-18 18:40 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 21:56 . 2010-07-15 21:56 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 21:56 . 2009-04-18 18:40 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-15 03:34 . 2009-04-06 20:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-15 03:34 . 2009-11-01 17:45 -------- d-----w- c:\program files\IESCAD
2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-09-02_01.54.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-13 00:20 . 2010-09-13 00:20 16384 c:\windows\Temp\Perflib_Perfdata_7ec.dat
+ 2010-09-07 02:31 . 2010-06-23 17:51 99328 c:\windows\system32\ZoneLabs\zlquarantine.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 70656 c:\windows\system32\ZoneLabs\zatray.exe
+ 2010-09-07 02:31 . 2010-06-23 17:51 21504 c:\windows\system32\ZoneLabs\lib\zsys.zip.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 14336 c:\windows\system32\ZoneLabs\lib\zmenu.zip.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 46592 c:\windows\system32\ZoneLabs\lib\zfde.zip.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 85504 c:\windows\system32\ZoneLabs\lib\ZAlert.zip.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 37376 c:\windows\system32\ZoneLabs\lib\UpdateUI.zip.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 12800 c:\windows\system32\ZoneLabs\lib\oem_1488.zip.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 12800 c:\windows\system32\ZoneLabs\lib\oem_1487.zip.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 12800 c:\windows\system32\ZoneLabs\lib\oem_1486.zip.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 20992 c:\windows\system32\ZoneLabs\lib\oem_1466.zip.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 12800 c:\windows\system32\ZoneLabs\lib\oem_1460.zip.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 10240 c:\windows\system32\ZoneLabs\lib\oem_1454.zip.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 11264 c:\windows\system32\ZoneLabs\lib\oem_1445.zip.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 14336 c:\windows\system32\ZoneLabs\lib\oem_1440.zip.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 12288 c:\windows\system32\ZoneLabs\lib\oem_1413.zip.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 11264 c:\windows\system32\ZoneLabs\lib\oem_1010.zip.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 29184 c:\windows\system32\ZoneLabs\lib\NavBar.zip.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 13312 c:\windows\system32\ZoneLabs\lib\MainLoop.zip.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 35840 c:\windows\system32\ZoneLabs\lib\Alert.zip.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 38912 c:\windows\system32\ZoneLabs\featuremap.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 75776 c:\windows\system32\ZoneLabs\camupd.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 43008 c:\windows\system32\vswmi.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 58368 c:\windows\system32\vsregexp.dll
+ 2004-08-04 12:00 . 2008-04-14 00:12 34699 c:\windows\system32\hlp.dat
+ 2010-09-10 00:27 . 2010-04-20 00:47 41984 c:\windows\system32\DRVSTORE\usbaapl_5BE1FFC476B2D9925B428CF102B47444B9A16508\usbaapl.sys
+ 2010-09-10 00:27 . 2010-04-20 00:29 18432 c:\windows\system32\DRVSTORE\netaapl_3A00C5601D92D37DDCB0AE45518D6B42BE1588E6\netaapl.sys
+ 2010-09-10 00:31 . 2009-05-18 17:17 26600 c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspiWDM.sys
+ 2005-02-02 05:21 . 2009-05-18 17:17 26600 c:\windows\system32\drivers\GEARAspiWDM.sys
- 2009-04-06 20:04 . 2009-04-20 22:44 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-06 20:04 . 2010-09-06 20:55 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-06 20:04 . 2010-09-06 20:55 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-04-06 20:04 . 2009-04-20 22:44 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-04-06 20:04 . 2009-04-20 22:44 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-09-06 20:55 . 2010-09-06 20:55 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-09-10 00:27 . 2010-09-10 00:27 27136 c:\windows\Installer\{C41300B9-185D-475E-BFEC-39EF732F19B1}\AppleSoftwareUpdateIco.exe
+ 2010-09-07 02:31 . 2010-06-23 17:51 141824 c:\windows\system32\ZoneLabs\zlupdate.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 173056 c:\windows\system32\ZoneLabs\vsvault.dll
+ 2010-09-07 02:29 . 2010-06-23 17:51 211456 c:\windows\system32\ZoneLabs\vsdb.dll
+ 2010-09-07 02:31 . 2007-10-11 20:51 832984 c:\windows\system32\ZoneLabs\updating.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 434688 c:\windows\system32\ZoneLabs\ssleay32.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 135680 c:\windows\system32\ZoneLabs\scheduler.dll
+ 2010-09-07 02:31 . 2009-07-14 03:58 722392 c:\windows\system32\ZoneLabs\qrbase.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 126976 c:\windows\system32\ZoneLabs\lib\zui.zip.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 279040 c:\windows\system32\ZoneLabs\lib\TrayTest.zip.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 225792 c:\windows\system32\ZoneLabs\lib\Overview.zip.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 368640 c:\windows\system32\ZoneLabs\lib\LicenseUI.zip.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 184832 c:\windows\system32\ZoneLabs\lib\DashBoard.zip.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 375296 c:\windows\system32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2010-09-07 02:29 . 2010-02-08 12:41 595432 c:\windows\system32\ZoneLabs\icslta.dll
+ 2010-09-07 02:31 . 2010-05-04 18:04 284136 c:\windows\system32\ZoneLabs\ffapi.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 169984 c:\windows\system32\ZoneLabs\fbl.dll
+ 2010-09-07 02:31 . 2008-03-17 20:52 813568 c:\windows\system32\ZoneLabs\dbghelp.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 110080 c:\windows\system32\vsxml.dll
+ 2010-09-07 02:29 . 2010-06-23 17:51 713728 c:\windows\system32\vsutil.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 302592 c:\windows\system32\vspubapi.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 108032 c:\windows\system32\vsmonapi.dll
+ 2010-09-07 02:29 . 2010-06-23 17:51 228864 c:\windows\system32\vsinit.dll
+ 2010-09-07 02:31 . 2010-05-13 14:02 532224 c:\windows\system32\vsdatant.sys
+ 2010-09-07 02:29 . 2010-06-23 17:51 112128 c:\windows\system32\vsdata.dll
+ 2010-09-10 00:32 . 2010-09-10 00:38 232912 c:\windows\system32\Macromed\Flash\FlashUtil10i_ActiveX.exe
+ 2010-09-10 00:32 . 2010-09-10 00:38 311760 c:\windows\system32\Macromed\Flash\FlashUtil10i_ActiveX.dll
+ 2010-09-09 21:39 . 2010-07-17 09:00 153376 c:\windows\system32\javaws.exe
+ 2010-09-09 21:39 . 2010-07-17 09:00 145184 c:\windows\system32\javaw.exe
+ 2010-09-09 21:39 . 2010-07-17 09:00 145184 c:\windows\system32\java.exe
+ 2005-05-31 14:20 . 2008-04-17 16:12 107368 c:\windows\system32\GEARAspi.dll
+ 2010-09-10 00:31 . 2008-04-17 16:12 107368 c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspi.dll
+ 2010-09-09 21:39 . 2010-09-09 21:39 180224 c:\windows\Installer\8b3c5.msi
+ 2010-09-10 00:27 . 2010-09-10 00:27 807936 c:\windows\Installer\45a88c.msi
+ 2010-09-10 00:31 . 2010-09-10 00:31 380928 c:\windows\Installer\{350FB27C-CF62-4EF3-AF9D-70FF313FE221}\iTunesIco.exe
+ 2010-09-09 21:32 . 2010-09-09 21:32 536576 c:\windows\ERDNT\AutoBackup\9-9-2010\Users\00000002\UsrClass.dat
+ 2010-09-09 21:32 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\9-9-2010\ERDNT.EXE
+ 2010-09-09 01:05 . 2010-09-09 01:05 536576 c:\windows\ERDNT\AutoBackup\9-8-2010\Users\00000002\UsrClass.dat
+ 2010-09-09 01:05 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\9-8-2010\ERDNT.EXE
+ 2010-09-13 00:03 . 2010-09-13 00:03 548864 c:\windows\ERDNT\AutoBackup\9-12-2010\Users\00000002\UsrClass.dat
+ 2010-09-13 00:03 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\9-12-2010\ERDNT.EXE
+ 2010-09-10 22:37 . 2010-09-10 22:37 548864 c:\windows\ERDNT\AutoBackup\9-10-2010\Users\00000002\UsrClass.dat
+ 2010-09-10 22:37 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\9-10-2010\ERDNT.EXE
+ 2010-09-09 00:45 . 2005-10-20 16:02 163328 c:\windows\ERDNT\9-8-2010\ERDNT.EXE
+ 2004-08-04 12:00 . 2008-04-14 00:12 198656 c:\windows\aregedey.dll
+ 2010-09-07 02:31 . 2010-06-23 17:51 1790464 c:\windows\system32\ZoneLabs\vsruledb.dll
+ 2010-09-07 02:31 . 2010-06-23 17:52 2435592 c:\windows\system32\ZoneLabs\vsmon.exe
+ 2010-09-07 02:31 . 2010-06-23 17:51 1536512 c:\windows\system32\ZoneLabs\lib\zpy.zip.dll
+ 2010-09-10 00:27 . 2010-04-20 00:47 3062048 c:\windows\system32\DRVSTORE\usbaapl_5BE1FFC476B2D9925B428CF102B47444B9A16508\usbaaplrc.dll
+ 2010-09-10 00:27 . 2010-04-20 00:29 1461992 c:\windows\system32\DRVSTORE\netaapl_3A00C5601D92D37DDCB0AE45518D6B42BE1588E6\wdfcoinstaller01009.dll
+ 2010-09-10 00:31 . 2010-09-10 00:31 6478336 c:\windows\Installer\45aba4.msi
+ 2010-09-10 00:29 . 2010-09-10 00:29 9472000 c:\windows\Installer\45ab25.msi
+ 2010-09-10 00:27 . 2010-09-10 00:27 1554944 c:\windows\Installer\45a8c5.msi
+ 2010-09-10 00:27 . 2010-09-10 00:27 3084800 c:\windows\Installer\45a897.msi
+ 2010-09-10 00:27 . 2010-09-10 00:27 1984000 c:\windows\Installer\45a892.msi
+ 2010-09-09 21:32 . 2010-09-09 21:32 4698112 c:\windows\ERDNT\AutoBackup\9-9-2010\Users\00000001\NTUSER.DAT
+ 2010-09-09 01:05 . 2010-09-09 01:05 4698112 c:\windows\ERDNT\AutoBackup\9-8-2010\Users\00000001\NTUSER.DAT
+ 2010-09-13 00:03 . 2010-09-13 00:03 4747264 c:\windows\ERDNT\AutoBackup\9-12-2010\Users\00000001\NTUSER.DAT
+ 2010-09-10 22:37 . 2010-09-10 22:37 4747264 c:\windows\ERDNT\AutoBackup\9-10-2010\Users\00000001\NTUSER.DAT
+ 2010-09-10 00:23 . 2010-09-10 00:23 12263936 c:\windows\Installer\45a887.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 14:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 21:56 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PHOTOfunSTUDIO -viewer-.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PHOTOfunSTUDIO -viewer-.lnk
backup=c:\windows\pss\PHOTOfunSTUDIO -viewer-.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2007-10-11 12:45 31232 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2009-11-20 03:29 623960 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-03-25 05:04 122939 ----a-w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 15:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 12:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-03-27 14:03 1657376 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-08-07 00:05 200704 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 09:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 23:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2009-07-08 17:31 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 05:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Autodesk Licensing Service"=3 (0x3)
"ACDaemon"=2 (0x2)
"WUSB54GSv2SVC"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\xmltv.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"51559:TCP"= 51559:TCP:*:Disabled:51559

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/18/2009 2:40 PM 216400]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/18/2009 2:40 PM 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 5:56 PM 308136]
S4 WUSB54GSv2SVC;WUSB54GSv2SVC;c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe [4/16/2009 5:15 PM 41025]
.
Contents of the 'Scheduled Tasks' folder

2010-09-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-09-13 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-03-09 03:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {444785F1-DE89-4295-863A-D46C3A781394} - hxxp://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-byivqr - c:\windows\system32\msllhsjn.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-12 20:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-09-12 20:33:55
ComboFix-quarantined-files.txt 2010-09-13 00:33
ComboFix2.txt 2010-09-02 01:56

Pre-Run: 57,034,493,952 bytes free
Post-Run: 57,101,979,648 bytes free

- - End Of File - - 4DAA90758C23F0EB6BD30DFBA6500DD1

ken545
2010-09-13, 04:12
Hi,

Just a few more things to do. Please copy and paste the reports into the thread rather than attach them, its easier for these old eyes to analyze.

uTorrent. <-- Just want to give you a heads up on P2P programs, your downloading a file from an unknown source, you never know whats attached to that file, its like playing Russian roulette malwarewise.

Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

You should uninstall this program via Add Remove Programs in the Control Panel.


FYI
pciide.sys (Generic PCI IDE Bus Driver ) this file was infected CF replaced it with a known clean copy.



Please download OTM by OldTimer (http://oldtimer.geekstogo.com/OTM.exe) and save it to your desktop.
Double click the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/OTMdesktopicon.png icon on your desktop.
Paste the following code under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/pasteline.png area.
Do not include the word "Code".



:Processes
explorer.exe

:Services

:Reg

:Files
c:\windows\Nvavubuca.dat
c:\windows\Fjewuva.bin


:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Push the large http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/btnmoveit.png button.
OTM may ask to reboot the machine. Please do so if asked.
Copy/Paste the contents under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/results.png line here in your next reply.
If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.





Malwarebytes should run now

Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please


Post the report from both OTM and Malwarebytes please

bowlzy17
2010-09-13, 05:04
Hey Ken545 thanks for the quick response! I have unistalled utorrent as per your request and have posted the OTM an MBAM log below. I noticed a program called "bonjour" installed when I was in add/remove programs, is this related to any of these "fix" programs recently installed? I don't recall installing this or it being there before. Also, I don't appear to be having any problems lately but I do want to make sure I'm totally safe.

Thanks:)

OTM Log:

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
c:\windows\Nvavubuca.dat moved successfully.
c:\windows\Fjewuva.bin moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Boland

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 4547 bytes

User: Owner
->Temp folder emptied: 199625 bytes
->Temporary Internet Files folder emptied: 4392494 bytes
->Java cache emptied: 273499 bytes
->Flash cache emptied: 2012766 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 4304997 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 256 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 11.00 mb


OTM by OldTimer - Version 3.1.16.0 log created on 09122010_213406

Files moved on Reboot...
File C:\Documents and Settings\Owner\Local Settings\Temp\~DFEE20.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DFEE35.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DFEE9B.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DFEEB0.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DFEF01.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DFEF16.tmp not found!
C:\Documents and Settings\Owner\Local Settings\Temp\~DFF52A.tmp moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HZRANQZJ\showthread[1].htm moved successfully.
File C:\WINDOWS\temp\ZLT01943.TMP not found!

Registry entries deleted on Reboot...

MBAM Log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4602

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/12/2010 9:56:38 PM
mbam-log-2010-09-12 (21-56-38).txt

Scan type: Quick scan
Objects scanned: 141938
Time elapsed: 6 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ken545
2010-09-13, 11:23
Good Morning,

When you installed iTunes it installed Bonjour, its safe. Its software that lets your computer talk to your apple device.

Things are looking better, to be on the safe side, run this free online virus scanner, it wont take long.

Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

bowlzy17
2010-09-14, 04:23
Hey Ken, thanks for the continued support. Okay, I ran the ESET scan as requested, it seemed to stall at 40% when it found 2 trojans in an old bit Torrent folder (one i havn't used in a long time) so I left and came back later. 11 Items were found and AVG found 2 items in "system volume informatio". Here is the log from the ESET scan and the AVG Resident shield items that were found.

ESET

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=7a3f10571461974894782786d75fe213
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-09-14 12:47:18
# local_time=2010-09-13 08:47:18 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 26175375 26175375 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 75 70 0 6179240 0 0
# scanned=84041
# found=11
# cleaned=11
# scan_time=10478
C:\Documents and Settings\Owner\My Documents\BitTorrent Downloads\AnyDVD v6.1.5.5.zip probably a variant of Win32/Agent.FSVKUSK trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Owner\My Documents\BitTorrent Downloads\AnyDVD v6.1.5.5\AnyDVD v6.1.5.5 Crack by MaBi.zip probably a variant of Win32/Agent.FSVKUSK trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Owner\My Documents\Downloads\Autocad Civil 3d 2009 - rar\DVD3\237A1-09A001-P304A.iso probably a variant of Win32/Agent.IYJPMHT trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Owner\Shared\nite day club remix - best track ever.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Owner\Shared\Clone DVD2 + Any DVD+ crack+serial\Elby Clone Dvd V1.3.10.1 Anydvd 2.0.0.4 Ger Key\AnyDVD v2.0.0.4.rar probably a variant of Win32/Adware.Agent.EQTHDWD application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Owner\Shared\Clone DVD2 + Any DVD+ crack+serial\Elby Clone Dvd V1.3.10.1 Anydvd 2.0.0.4 Ger Key\Anydvd V2.0.0.4\SetupAnyDVD2004.exe probably a variant of Win32/Adware.Agent.EQTHDWD application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\pciide.sys.vir Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\rdpcdd.sys.vir Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{26B7B9BC-EA76-4F71-92A3-98E41C99F6E7}\RP7\A0001299.exe probably a variant of Win32/Adware.Agent.EQTHDWD application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\aregedey.dll a variant of Win32/Cimag.CK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\hlp.dat Win32/Bamital.DZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

AVG (I used print screen and attached jpeg, not sure how else to copy and show you, highlighted the recent threat)

Thanks!!!!!!!!!

5733

ken545
2010-09-14, 04:35
Hi,

AnyDVD v6.1.5.5 Crack <-- This is a cracked copy of this program which is illegal. We don't condone the use of illegal software, besides it being illegal , cracked software always comes bundled with some sort of malware. If i was to continue to help you it could be construed in the eyes of the law as aiding and abetting a crime.

I am going to ask you to uninstall this program via Add Remove Programs in the Control Panel.

Then run this program
Download CKScanner from here:http://downloads.malwareremoval.com/CKScanner.exe
Important - Save it to your desktop.
Doubleclick CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

bowlzy17
2010-09-14, 05:00
Hey, Any DVD was not actually installed on my sytem, regardless I deleted the files from the torrent folder. Also after running the scan something for a powerISO crack came up so being proactive I unistalled that program too (this is old stuff I forgot existed). The log is below, Thanks a million!!!

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\owner\my documents\azureus downloads\poweriso v3.8 [fff keygen][h33t][matt14]\fff.nfo
c:\documents and settings\owner\my documents\azureus downloads\poweriso v3.8 [fff keygen][h33t][matt14]\keygen.exe
c:\documents and settings\owner\my documents\azureus downloads\poweriso v3.8 [fff keygen][h33t][matt14]\poweriso38.exe
c:\documents and settings\owner\my documents\azureus downloads\poweriso v3.8 [fff keygen][h33t][matt14]\read me !!!.txt
c:\documents and settings\owner\my documents\azureus downloads\poweriso v3.8 [fff keygen][h33t][matt14]\thumbs.db
c:\documents and settings\owner\my documents\azureus downloads\poweriso v3.8 [fff keygen][h33t][matt14]\tracked_by_h33t_com.txt
c:\documents and settings\owner\shared\clone dvd2 + any dvd+ crack+serial\setupclonedvd2.exe
c:\documents and settings\owner\shared\clone dvd2 + any dvd+ crack+serial\elby clone dvd v1.3.10.1 anydvd 2.0.0.4 ger key\clonedvd.reg
c:\documents and settings\owner\shared\clone dvd2 + any dvd+ crack+serial\elby clone dvd v1.3.10.1 anydvd 2.0.0.4 ger key\clonedvd1.3.10.1.exe
c:\documents and settings\owner\shared\clone dvd2 + any dvd+ crack+serial\elby clone dvd v1.3.10.1 anydvd 2.0.0.4 ger key\keygen-clonedvd.exe
c:\documents and settings\owner\shared\clone dvd2 + any dvd+ crack+serial\elby clone dvd v1.3.10.1 anydvd 2.0.0.4 ger key\serial !!!!!!!!!!!!!!!.txt
c:\documents and settings\owner\shared\clone dvd2 + any dvd+ crack+serial\elby clone dvd v1.3.10.1 anydvd 2.0.0.4 ger key\anydvd v2.0.0.4\anydvd.exe
c:\documents and settings\owner\shared\clone dvd2 + any dvd+ crack+serial\elby clone dvd v1.3.10.1 anydvd 2.0.0.4 ger key\anydvd v2.0.0.4\anydvd.pdf
c:\documents and settings\owner\shared\clone dvd2 + any dvd+ crack+serial\elby clone dvd v1.3.10.1 anydvd 2.0.0.4 ger key\anydvd v2.0.0.4\install-deutsch.txt
c:\documents and settings\owner\shared\clone dvd2 + any dvd+ crack+serial\elby clone dvd v1.3.10.1 anydvd 2.0.0.4 ger key\anydvd v2.0.0.4\install-englich.txt
scanner sequence 3.FI.11
----- EOF -----

ken545
2010-09-14, 11:35
Hmmmm, another cracked program. People don't know, they think they are getting something for free, what those free programs bring with them are a ton of grief, there all infected.

Since your computer has been cleaned and in lew of the illegal software this thread will now be closed.