
Trojan infection, linkbucks spam remains



darrenpauli
2010-09-29, 03:41
Hi guys
I have an infection on my win 7 box that launches three linkbucks.com windows on boot, and briefly runs the CMD window.

I believe it came from a game crack that a friend ran on my machine.

AVG detected and seemingly removed a generic Trojan, but the CMD prompt and links on boot remain.

Any help is greatly appreciated.

DDS dump:




DDS (Ver_10-03-17.01) - NTFSx86
Run by Darren at 10:36:51.92 on Wed 29/09/2010
Internet Explorer: 9.0.7930.16406
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.61.1033.18.2038.860 [GMT 10:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Sierra Wireless Inc\Common\SwiCardDetect.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Sierra Wireless Inc\WebUpdater\TRUUpdater.exe
C:\Program Files\Telstra\Telstra Connection Manager\WaHelper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Macquarie Library\WGMB\WGMB.exe
C:\Program Files\Macquarie Library\WGMT\WGMT.exe
C:\Users\Darren\AppData\Local\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program files\Telstra\Telstra Connection Manager\Watcher.exe
C:\Program Files\Sierra Wireless Inc\Common\SwiApiMuxX.exe
C:\Windows\system32\StikyNot.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnui.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Darren\Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://jogostorrent.net/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [Google Update] "c:\users\darren\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SSDMonitor] c:\program files\common files\pc tools\smonitor\SSDMonitor.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [TRUUpdater] "c:\program files\sierra wireless inc\webupdater\TRUUpdater.exe" /bkground
mRun: [WatcherHelper] "c:\program files\telstra\telstra connection manager\WaHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [AvgScan] c:\windows\system32\AvgScan.bat
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\users\darren\appdata\roaming\micros~1\windows\startm~1\programs\startup\macqua~2.lnk - c:\program files\macquarie library\wgmb\WGMB.exe
StartupFolder: c:\users\darren\appdata\roaming\micros~1\windows\startm~1\programs\startup\macqua~1.lnk - c:\program files\macquarie library\wgmt\WGMT.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {5BDBA960-6534-11D3-97C7-00500422B550} - hxxps://remote.idg.com.au/download/,DanaInfo=wilma.idgoz.com.au+dolcontrol.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://remote.idg.com.au/,DanaInfo=wilma.idgoz.com.au+dwa8W.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://remote.idg.com.au/dana-cached/sc/JuniperSetupClient.cab
TCP: {155B916A-7341-424F-BD5D-4CAFB33B5642} = 10.4.1.15
TCP: {33526B38-88D2-4DA0-A412-C35BDCD3FB6D} = 139.130.4.4 203.50.2.71
TCP: {69A18BDE-E82B-4A01-A38E-02352A87ADBA} = 211.29.132.12 61.88.88.88
TCP: {93CE4D97-4F95-4023-BB87-ED1629C25B81} = 211.29.132.12 61.88.88.88
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\darren\appdata\roaming\mozilla\firefox\profiles\7z8d53a5.default\
FF - prefs.js: browser.startup.homepage - www.google.com.au
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - component: c:\users\darren\appdata\roaming\mozilla\firefox\profiles\7z8d53a5.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\users\darren\appdata\roaming\mozilla\firefox\profiles\7z8d53a5.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\darren\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\darren\appdata\roaming\mozilla\firefox\profiles\7z8d53a5.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-9-28 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-9-28 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-9-28 243024]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-9-28 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-9-28 308136]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-8-1 583640]
R2 SwiCardDetectSvc;Sierra Wireless Card Detection Service;c:\program files\sierra wireless inc\common\SwiCardDetect.exe [2010-8-4 218480]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-12-18 497856]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2004-1-18 4864]
R3 swiwdmbus;Sierra Wireless USB Composite Bus;c:\windows\system32\drivers\swiwdmbus.sys [2010-6-21 78720]
R3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [2010-6-21 228352]
R3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [2010-6-21 156544]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-14 311296]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-9-28 431432]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\drivers\BthAvrcp.sys [2009-8-13 22528]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2009-7-23 112128]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2009-7-23 100736]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-8-1 16472]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-8-1 1343400]

=============== Created Last 30 ================

2010-09-28 04:06:23 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-09-28 04:06:21 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-09-28 04:06:14 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-09-28 04:06:12 0 d-----w- c:\windows\system32\drivers\Avg
2010-09-28 04:06:09 0 d-----w- c:\programdata\AVG Security Toolbar
2010-09-28 03:57:28 0 d-----w- c:\programdata\avg9
2010-09-28 03:55:20 0 d-----w- c:\program files\AVG
2010-09-28 01:30:31 0 d-----w- c:\users\darren\appdata\roaming\QuickScan
2010-09-27 08:53:08 175 ----a-w- c:\windows\system32\AvgScan.bat
2010-09-27 08:29:41 0 d-----w- c:\users\darren\appdata\roaming\IObit
2010-09-27 00:08:37 0 d--h--w- c:\windows\msdownld.tmp
2010-09-27 00:08:32 0 d-----w- c:\windows\system32\directx
2010-09-26 21:43:34 0 d-----w- c:\program files\Steam
2010-09-26 21:13:48 0 d-----w- c:\program files\common files\Steam
2010-09-25 10:36:39 0 d-----w- c:\program files\Microsoft WSE
2010-09-25 10:19:22 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_09_00.Wdf
2010-09-25 10:18:12 0 d-----w- c:\programdata\PC Suite
2010-09-25 10:16:51 0 d-----w- c:\program files\common files\PCSuite
2010-09-25 10:16:50 0 d-----w- c:\program files\common files\Nokia
2010-09-25 10:16:44 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-09-25 10:16:36 0 d-----w- c:\program files\PC Connectivity Solution
2010-09-25 10:16:18 92672 ----a-w- c:\windows\system32\nmwcdcls.dll
2010-09-25 10:16:18 0 d-----w- c:\program files\Nokia
2010-09-25 10:15:36 0 d-----w- c:\programdata\Installations
2010-09-25 06:38:05 0 d-----w- c:\program files\WeFi Software
2010-09-25 05:20:21 0 d-----w- c:\program files\ElcomSoft
2010-09-25 05:07:44 0 d-----w- c:\program files\RAR Password Recovery Magic
2010-09-20 07:25:42 23552 --sha-w- c:\users\darren\Thumbs.db
2010-09-16 23:59:41 804864 ----a-w- c:\windows\system32\FntCache.dll
2010-09-16 23:59:41 737280 ----a-w- c:\windows\system32\d2d1.dll
2010-09-16 23:59:41 218624 ----a-w- c:\windows\system32\d3d10_1core.dll
2010-09-16 23:59:41 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2010-09-16 23:59:41 1076224 ----a-w- c:\windows\system32\DWrite.dll
2010-09-16 23:59:07 279552 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2010-09-16 23:59:07 135168 ----a-w- c:\windows\system32\XpsRasterService.dll
2010-09-16 23:58:36 1495040 ----a-w- c:\windows\system32\ExplorerFrame.dll
2010-09-16 23:57:40 0 d-----w- c:\program files\Feedback Tool
2010-09-15 13:14:25 0 d-----w- c:\program files\FileHound
2010-09-15 11:41:30 316928 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-15 02:24:04 0 d-----w- c:\program files\Cisco
2010-09-15 02:24:02 0 d-----w- c:\programdata\Cisco
2010-09-13 21:35:26 154890 ----a-w- C:\arts-adpp-record-waiver-authority.pdf
2010-09-13 21:35:15 146072 ----a-w- C:\admin.pdf
2010-09-13 21:34:24 759697 ----a-w- C:\admissions-eligibility-guide.pdf
2010-09-11 07:47:29 0 d-----w- c:\programdata\Sun
2010-09-11 07:47:08 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-10 04:19:10 0 d-----w- c:\program files\TuneUpMedia
2010-09-09 08:10:55 0 d-----w- c:\program files\iPod
2010-09-05 11:50:50 0 d-----w- c:\program files\VideoLAN
2010-09-01 03:00:27 0 d-----w- c:\users\darren\appdata\roaming\TuneUpMedia
2010-09-01 02:59:36 0 d-----w- c:\programdata\TuneUpMedia
2010-09-01 02:47:51 0 d-----w- c:\programdata\eSellerate
2010-08-30 21:16:15 0 d-----w- c:\users\darren\appdata\roaming\BigPond News Ticker
2010-08-30 12:08:50 0 d-sh--w- c:\users\darren\appdata\roaming\.#
2010-08-30 11:09:01 0 d-----w- c:\program files\Telstra
2010-08-30 11:06:38 0 d-----w- c:\users\darren\appdata\roaming\Sierra Wireless
2010-08-30 11:06:38 0 d-----w- c:\programdata\Sierra Wireless
2010-08-30 11:06:38 0 d-----w- c:\program files\Sierra Wireless Inc
2010-08-30 10:59:53 65536 --sha-w- c:\users\darren\NTUSER.DAT{050df8a4-b2fc-11df-8bd9-0017426be574}.TM.blf
2010-08-30 10:59:53 524288 --sha-w- c:\users\darren\NTUSER.DAT{050df8a4-b2fc-11df-8bd9-0017426be574}.TMContainer00000000000000000002.regtrans-ms
2010-08-30 10:59:53 524288 --sha-w- c:\users\darren\NTUSER.DAT{050df8a4-b2fc-11df-8bd9-0017426be574}.TMContainer00000000000000000001.regtrans-ms

==================== Find3M ====================

2010-09-28 20:36:01 656288 ----a-w- c:\windows\system32\perfh007.dat
2010-09-28 20:36:01 133764 ----a-w- c:\windows\system32\perfc007.dat
2010-08-31 14:46:36 1355264 ----a-w- c:\windows\system32\jscript9.dll
2010-08-31 14:44:24 1122304 ----a-w- c:\windows\system32\wininet.dll
2010-08-31 14:44:06 424960 ----a-w- c:\windows\system32\vbscript.dll
2010-08-31 14:43:22 23552 ----a-w- c:\windows\system32\licmgr10.dll
2010-08-31 14:43:12 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2010-08-31 14:43:12 114176 ----a-w- c:\windows\system32\iesysprep.dll
2010-08-31 14:43:10 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2010-08-31 14:43:10 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2010-08-31 14:42:58 51200 ----a-w- c:\windows\system32\admparse.dll
2010-08-31 14:42:54 75264 ----a-w- c:\windows\system32\iesetup.dll
2010-08-31 14:42:48 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2010-08-31 14:42:42 150016 ----a-w- c:\windows\system32\iexpress.exe
2010-08-31 14:42:42 149504 ----a-w- c:\windows\system32\wextract.exe
2010-08-31 14:42:20 33280 ----a-w- c:\windows\system32\imgutil.dll
2010-08-31 14:42:16 48640 ----a-w- c:\windows\system32\mshtmler.dll
2010-08-31 14:42:12 11264 ----a-w- c:\windows\system32\mshta.exe
2010-08-31 14:41:46 160768 ----a-w- c:\windows\system32\msls31.dll
2010-08-10 02:37:36 2215 ----a-w- c:\program files\Age of Empires II - The Conquerers.lnk
2010-08-06 02:22:42 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
2010-08-02 10:04:52 697328 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-08-02 02:55:43 38104 ----a-w- c:\windows\system32\perfd007.dat
2010-08-02 02:55:43 38104 ----a-w- c:\windows\inf\perflib\0407\perfd.dat
2010-08-02 02:55:43 38104 ----a-w- c:\windows\inf\perflib\0407\perfc.dat
2010-08-02 02:55:43 295922 ----a-w- c:\windows\system32\perfi007.dat
2010-08-02 02:55:43 295922 ----a-w- c:\windows\inf\perflib\0407\perfi.dat
2010-08-02 02:55:43 295922 ----a-w- c:\windows\inf\perflib\0407\perfh.dat
2010-07-31 18:21:15 175104 ----a-w- c:\windows\system32\RemoteControl.dll
2010-07-31 17:28:20 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-31 16:43:19 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-07-31 11:36:35 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-07-29 06:30:49 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30:34 82944 ----a-w- c:\windows\system32\iccvid.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 10:37:07.10 ===============
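
The log above carries the two sections a practitioner cross-references first when a console window flashes at logon: the Run/StartupFolder entries in the Pseudo HJT Report, and the Created Last 30 file list. The Python script below is an added example for this thread, not part of the original post and not DDS code. It parses both sections from a DDS report, works out which file each autorun entry launches, and ranks entries by simple heuristics: a script-type target (a .bat or .cmd in a Run key opens a console window at logon), a target in a user-writable location, a vendor-sounding entry name whose target sits outside that vendor's directory, and a target that appears in the Created Last 30 list. The sample input is copied from the log above; the heuristics, the environment-variable expansions and the vendor-directory table are this example's own assumptions. A flag is a reason to open the file and look, not a verdict; the thread does not establish what AvgScan.bat contains.

```python
"""Triage autorun entries in a DDS 'Pseudo HJT Report'.

Added example for this thread; not part of the original post and not DDS code.
The sample lines are copied from the log posted above; the heuristics, the
environment-variable table and the vendor-directory table are assumptions.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input: lines copied from the posted DDS log (Pseudo HJT Report and
# Created Last 30 sections), trimmed to the entries needed here.
SAMPLE_REPORT = r"""
uRun: [Google Update] "c:\users\darren\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [AvgScan] c:\windows\system32\AvgScan.bat
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\users\darren\appdata\roaming\micros~1\windows\startm~1\programs\startup\macqua~2.lnk - c:\program files\macquarie library\wgmb\WGMB.exe
2010-09-28 04:06:23 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-09-28 04:06:12 0 d-----w- c:\windows\system32\drivers\Avg
2010-09-27 08:53:08 175 ----a-w- c:\windows\system32\AvgScan.bat
"""

RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^StartupFolder: (?P<lnk>.*?) - (?P<cmd>.*)$")
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+\d+\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
# First token of a command that names a launchable file, quoted or not; the lazy
# match lets unquoted paths containing spaces through.
TARGET_RE = re.compile(
    r'^"?(?P<path>.+?\.(?:exe|com|scr|pif|bat|cmd|vbs|vbe|js|jse|wsf|hta|ps1|dll))"?(?:\s|$)', re.I
)

SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# Assumed expansions; DDS prints %windir% verbatim for some entries.
ENV = {"%windir%": "c:\\windows", "%systemroot%": "c:\\windows"}
# Assumption: an entry whose name mentions a vendor should run from that vendor's tree.
VENDOR_DIRS = {"avg": "\\avg\\", "google": "\\google\\", "java": "\\java\\"}


@dataclass
class Autorun:
    source: str                 # "uRun", "mRun" or "StartupFolder"
    name: str                   # value name, or the .lnk file name for StartupFolder
    command: str                # command line exactly as DDS printed it
    target: Optional[str]       # normalised path of the file that gets launched
    flags: list[str] = field(default_factory=list)


def normalise(path: str) -> str:
    """Lower-case, strip quotes and expand the environment variables we know."""
    p = path.strip().strip('"').lower()
    for var, value in ENV.items():
        p = p.replace(var, value)
    return p


def extract_target(command: str) -> Optional[str]:
    m = TARGET_RE.match(command.strip())
    return normalise(m["path"]) if m else None


def parse_report(text: str) -> tuple[list[Autorun], dict[str, str]]:
    """Return the autorun entries and a map of recently created files -> timestamp."""
    autoruns: list[Autorun] = []
    created: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            autoruns.append(Autorun(m["hive"] + "Run", m["name"], m["cmd"], extract_target(m["cmd"])))
        elif m := STARTUP_RE.match(line):
            autoruns.append(Autorun("StartupFolder", ntpath.basename(m["lnk"]), m["cmd"], extract_target(m["cmd"])))
        elif (m := CREATED_RE.match(line)) and not m["attrs"].startswith("d"):
            created[normalise(m["path"])] = f'{m["date"]} {m["time"]}'  # files only, skip directories
    return autoruns, created


def triage(entry: Autorun, created: dict[str, str]) -> list[str]:
    """Heuristic reasons to look at an entry; an empty list means nothing stood out."""
    t = entry.target
    if t is None:
        return ["could not identify the launched file"]
    flags = []
    ext = ntpath.splitext(t)[1]
    if ext in SCRIPT_EXTS:
        flags.append(f"launches a script ({ext}); a .bat/.cmd here opens a console window at logon")
    if any(frag in t for frag in USER_WRITABLE):
        flags.append("runs from a user-writable location")
    for vendor, frag in VENDOR_DIRS.items():
        if vendor in entry.name.lower() and frag not in t:
            flags.append(f"named like {vendor} but not under a {vendor} directory")
    if t in created:
        flags.append(f"target file created recently ({created[t]})")
    return flags


def rank(report: str) -> list[Autorun]:
    """Parse a DDS report and return its autorun entries, most flagged first."""
    autoruns, created = parse_report(report)
    for entry in autoruns:
        entry.flags = triage(entry, created)
    return sorted(autoruns, key=lambda e: len(e.flags), reverse=True)


if __name__ == "__main__":
    for entry in rank(SAMPLE_REPORT):
        marker = "!!" if entry.flags else "  "
        print(f"{marker} {entry.source:<13} {entry.name:<30} {entry.target}")
        for reason in entry.flags:
            print(f"      - {reason}")
```

Run it against a full DDS log by passing the whole file to `rank()`; unrelated lines are ignored. Expect legitimate updaters that live under AppData (Google Update here) to collect the user-writable flag: the point of the ranking is that an entry collecting several independent flags rises to the top, not that any single flag is conclusive.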

Blade81
2010-10-01, 18:51
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent


I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Programs and Features and uninstall the programs listed above (in red).


After that:


Please Download Rootkit Unhooker (http://www.rootkit.com/vault/DiabloNova/RKUnhookerLE.EXE) Save it to your desktop.
Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest, then click OK.
Wait till the scanner has finished and then click File, Save Report.
Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here with fresh dds logs.

Note: you may get this warning; it is OK, just ignore it:

Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?

Blade81
2010-10-07, 17:20
Due to inactivity, this thread will now be closed.

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.