
Thread: AV Care, probable virtumonde.sdn(Resolved)

  1. #31
    Member
    Join Date
    Apr 2008
    Posts
    46

    Device Manager

    Just a quick update, device manager shows nothing out of the ordinary. I tried a couple of variations on the Advanced tab, no improvements, reset back to the way it was.

    I've got a few questions I'll be posting soon. Short version - that error on start up (Windows stopped the Generic Host Process...). I ran down the files, scanned, looked at 'em and there is at least one reference to internet services. If Windows isn't allowing the file to load, that might be part of the problem.

    I'm also tempted at this point to grab the network card driver & re-install a fresh version, hopefully over-riding the problem.

    Otherwise, the computer is working pretty well.

    Better update Monday.

  2. #32
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425


    Quote Originally Posted by flabeachbum
    I'm also tempted at this point to grab the network card driver & re-install a fresh version, hopefully over-riding the problem.
    That may be the best option at this point.

    Uninstall the network device, reboot, and let windows "Find" the new hardware.
    It should reinstall itself on a pre-built machine.
    If it is a custom build you will need the drivers for it.
    Microsoft MVP Consumer Security 2009 -2010
    If we have helped, please consider a donation
    THESE INSTRUCTIONS ARE FOR THIS USER ONLY

  3. #33
    Member
    Join Date
    Apr 2008
    Posts
    46

    Whaddya think?

    Thanks! I'll download the drivers, but I'll wait to hear back from you first. Here is my previously mentioned longer post, lol!



    Tried the Device Manager - nothing out of sorts.

    Went under my network adapter, Advanced tab, Network Address, manually assigned the proper value, rebooted, no change. Changed it back to "Not Present".

    Both
    IEEE802.1P Support: Disable.
    VLAN Support: Disable.

    Set both to "Enable", rebooted, no change, repeated with proper network address, rebooted, no change, reset to original values, rebooted.

    Only difference is that the Local Area Connection Status reads "Limited or no connectivity". It showed a different IP address than the router. I'm not sure what that means, but I fixed it back manually and rebooted.

    So far, looks the same as before.

    ~~~

    I'm wondering about this error that I get on boot, every single time I log on (mostly once, sometimes twice).

    "Data Execution Prevention - Microsoft Windows

    To help protect your computer, Windows has closed this program.

    Name: Generic Host Process for Win32 Services
    Publisher: Microsoft Corporation

    <Close Message>

    Data Execution Prevention helps protect against damage from viruses and other security threats.

    Details:

    C:\DOCUME~1\Owner\LOCALS~1\Temp\WERa1a9.dir00\svchost.exe.mdmp
    C:\DOCUME~1\Owner\LOCALS~1\Temp\WERa1a9.dir00\appcompat.txt"

    ~~~

    Browsing to it, there are four files in the folder.

    appcompat.txt (16 KB)
    manifest.txt (3 KB)
    svchost.exe.hdmp (20,396 KB)
    svchost.exe.mdmp (0 KB)

    I scanned the lot of them (of course), and found that interestingly, appcompat.txt refers in part to Internet Extensions for Win32. I'm really beginning to think perhaps the problem is that Windows is not allowing these to load.

    I'm not sure why svchost.exe.hdmp and svchost.exe.mdmp have those "?dmp" extensions, so I figured I'd ask and maybe you would know.

    I might be on a wild goose chase here, but at this point, it's worth asking. I'll leave the whole thing alone until I hear back from you.


    ~~~~~~~

    manifest.txt reads as follows:


    Server=watson.microsoft.com
    UI LCID=1033
    Flags=1671504
    Brand=WINDOWS
    TitleName=Generic Host Process for Win32 Services
    DigPidRegPath=HKLM\Software\Microsoft\Windows NT\CurrentVersion\DigitalProductId
    ErrorText=This error occurred on 8/8/2009 at 4:39:46 PM.
    HeaderText=Generic Host Process for Win32 Services encountered a problem and needed to close.
    Stage1URL=
    Stage1URL=/StageOne/Generic/BEX/svchost_exe/0_0_0_0/00000000/unknown/0_0_0_0/00000000/00000000/c0000005/00000008.htm
    Stage2URL=
    Stage2URL=/dw/GenericTwo.ASP?EventType=BEX&P1=svchost.exe&P2=0.0.0.0&P3=00000000&P4=unknown&P5=0.0.0.0&P6=00000000&P7=00000000&P8=c0000005&P9=00000008
    DataFiles=C:\DOCUME~1\Owner\LOCALS~1\Temp\WER37e3.dir00\svchost.exe.mdmp|C:\DOCUME~1\Owner\LOCALS~1\Temp\WER37e3.dir00\appcompat.txt
    Heap=C:\DOCUME~1\Owner\LOCALS~1\Temp\WER37e3.dir00\svchost.exe.hdmp
    ErrorSubPath=Generic\BEX\svchost.exe\0.0.0.0\00000000\unknown\0.0.0.0\00000000\00000000\c0000005\00000008
    DirectoryDelete=C:\DOCUME~1\Owner\LOCALS~1\Temp\WER37e3.dir00

    ~~~~~~~~~~


    appcompat.txt reads as follows:

    <?xml version="1.0" encoding="UTF-16"?>
    <DATABASE>
    <EXE NAME="SYSTEM INFO" FILTER="GRABMI_FILTER_SYSTEM">
    <MATCHING_FILE NAME="advapi32.dll" SIZE="617472" CHECKSUM="0xA0887D0D" BIN_FILE_VERSION="5.1.2600.5755" BIN_PRODUCT_VERSION="5.1.2600.5755" PRODUCT_VERSION="5.1.2600.5755" FILE_DESCRIPTION="Advanced Windows 32 Base API" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)" ORIGINAL_FILENAME="advapi32.dll" INTERNAL_NAME="advapi32.dll" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xA5BB8" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.5755" UPTO_BIN_PRODUCT_VERSION="5.1.2600.5755" LINK_DATE="02/09/2009 12:10:48" UPTO_LINK_DATE="02/09/2009 12:10:48" VER_LANGUAGE="English (United States) [0x409]" />
    <MATCHING_FILE NAME="gdi32.dll" SIZE="286720" CHECKSUM="0x98314A3F" BIN_FILE_VERSION="5.1.2600.5698" BIN_PRODUCT_VERSION="5.1.2600.5698" PRODUCT_VERSION="5.1.2600.5698" FILE_DESCRIPTION="GDI Client DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.5698 (xpsp_sp3_gdr.081022-1932)" ORIGINAL_FILENAME="gdi32" INTERNAL_NAME="gdi32" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x4CE95" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.5698" UPTO_BIN_PRODUCT_VERSION="5.1.2600.5698" LINK_DATE="10/23/2008 12:36:14" UPTO_LINK_DATE="10/23/2008 12:36:14" VER_LANGUAGE="English (United States) [0x409]" />
    <MATCHING_FILE NAME="kernel32.dll" SIZE="989696" CHECKSUM="0x2D998938" BIN_FILE_VERSION="5.1.2600.5781" BIN_PRODUCT_VERSION="5.1.2600.5781" PRODUCT_VERSION="5.1.2600.5781" FILE_DESCRIPTION="Windows NT BASE API Client DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.5781 (xpsp_sp3_gdr.090321-1317)" ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xFE572" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.5781" UPTO_BIN_PRODUCT_VERSION="5.1.2600.5781" LINK_DATE="03/21/2009 14:06:58" UPTO_LINK_DATE="03/21/2009 14:06:58" VER_LANGUAGE="English (United States) [0x409]" />
    <MATCHING_FILE NAME="ntdll.dll" SIZE="714752" CHECKSUM="0xC695BA95" BIN_FILE_VERSION="5.1.2600.5755" BIN_PRODUCT_VERSION="5.1.2600.5755" PRODUCT_VERSION="5.1.2600.5755" FILE_DESCRIPTION="NT Layer DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)" ORIGINAL_FILENAME="ntdll.dll" INTERNAL_NAME="ntdll.dll" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xBC674" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.5755" UPTO_BIN_PRODUCT_VERSION="5.1.2600.5755" LINK_DATE="02/09/2009 12:10:48" UPTO_LINK_DATE="02/09/2009 12:10:48" VER_LANGUAGE="English (United States) [0x409]" />
    <MATCHING_FILE NAME="ole32.dll" SIZE="1287168" CHECKSUM="0xB764FEEA" BIN_FILE_VERSION="5.1.2600.5512" BIN_PRODUCT_VERSION="5.1.2600.5512" PRODUCT_VERSION="5.1.2600.5512" FILE_DESCRIPTION="Microsoft OLE for Windows" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.5512 (xpsp.080413-2108)" ORIGINAL_FILENAME="OLE32.DLL" INTERNAL_NAME="OLE32.DLL" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x14744B" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.5512" UPTO_BIN_PRODUCT_VERSION="5.1.2600.5512" LINK_DATE="04/14/2008 00:10:57" UPTO_LINK_DATE="04/14/2008 00:10:57" VER_LANGUAGE="English (United States) [0x409]" />
    <MATCHING_FILE NAME="oleaut32.dll" SIZE="551936" CHECKSUM="0xE8E0E87" BIN_FILE_VERSION="5.1.2600.5512" BIN_PRODUCT_VERSION="5.1.2600.5512" PRODUCT_VERSION="5.1.2600.5512" COMPANY_NAME="Microsoft Corporation" FILE_VERSION="5.1.2600.5512" INTERNAL_NAME="OLEAUT32.DLL" LEGAL_COPYRIGHT="Copyright © Microsoft Corp. 1993-2001." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x8D4E3" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.5512" UPTO_BIN_PRODUCT_VERSION="5.1.2600.5512" LINK_DATE="04/14/2008 00:10:58" UPTO_LINK_DATE="04/14/2008 00:10:58" VER_LANGUAGE="English (United States) [0x409]" />
    <MATCHING_FILE NAME="shell32.dll" SIZE="8461312" CHECKSUM="0x229B7DE8" BIN_FILE_VERSION="6.0.2900.5622" BIN_PRODUCT_VERSION="6.0.2900.5622" PRODUCT_VERSION="6.00.2900.5622" FILE_DESCRIPTION="Windows Shell Common Dll" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="6.00.2900.5622 (xpsp_sp3_gdr.080617-1319)" ORIGINAL_FILENAME="SHELL32.DLL" INTERNAL_NAME="SHELL32" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x812125" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="6.0.2900.5622" UPTO_BIN_PRODUCT_VERSION="6.0.2900.5622" LINK_DATE="06/17/2008 19:02:17" UPTO_LINK_DATE="06/17/2008 19:02:17" VER_LANGUAGE="English (United States) [0x409]" />
    <MATCHING_FILE NAME="user32.dll" SIZE="578560" CHECKSUM="0x6280E825" BIN_FILE_VERSION="5.1.2600.5512" BIN_PRODUCT_VERSION="5.1.2600.5512" PRODUCT_VERSION="5.1.2600.5512" FILE_DESCRIPTION="Windows XP USER API Client DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.5512 (xpsp.080413-2105)" ORIGINAL_FILENAME="user32" INTERNAL_NAME="user32" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x8FC76" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.5512" UPTO_BIN_PRODUCT_VERSION="5.1.2600.5512" LINK_DATE="04/14/2008 00:11:07" UPTO_LINK_DATE="04/14/2008 00:11:07" VER_LANGUAGE="English (United States) [0x409]" />
    <MATCHING_FILE NAME="wininet.dll" SIZE="666624" CHECKSUM="0x6E0819D9" BIN_FILE_VERSION="6.0.2900.5835" BIN_PRODUCT_VERSION="6.0.2900.5835" PRODUCT_VERSION="6.00.2900.5835" FILE_DESCRIPTION="Internet Extensions for Win32" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="6.00.2900.5835 (xpsp_sp3_gdr.090626-1535)" ORIGINAL_FILENAME="wininet.dll" INTERNAL_NAME="wininet.dll" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xABE8B" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="6.0.2900.5835" UPTO_BIN_PRODUCT_VERSION="6.0.2900.5835" LINK_DATE="06/26/2009 16:50:05" UPTO_LINK_DATE="06/26/2009 16:50:05" VER_LANGUAGE="English (United States) [0x409]" />
    <MATCHING_FILE NAME="winsock.dll" SIZE="2864" CHECKSUM="0x73AE8088" BIN_FILE_VERSION="3.10.0.103" BIN_PRODUCT_VERSION="3.10.0.103" PRODUCT_VERSION="3.10" FILE_DESCRIPTION="Windows Socket 16-Bit DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows(TM) Operating System" FILE_VERSION="3.10" ORIGINAL_FILENAME="WINSOCK.DLL" INTERNAL_NAME="WINSOCK" LEGAL_COPYRIGHT="Copyright © Microsoft Corp. 1981-1996" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x10001" VERFILETYPE="0x2" MODULE_TYPE="WIN16" S16BIT_DESCRIPTION="BSD Socket API for Windows" S16BIT_MODULE_NAME="WINSOCK" UPTO_BIN_FILE_VERSION="3.10.0.103" UPTO_BIN_PRODUCT_VERSION="3.10.0.103" VER_LANGUAGE="English (United States) [0x409]" />
    </EXE>
    </DATABASE>
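The two files quoted above decode mechanically, and decoding them answers the question about the ".hdmp"/".mdmp" files and about wininet.dll. What follows is an added example, not code from the post or from any Microsoft tool: a Python script that pulls the Watson bucket parameters out of manifest.txt (the Stage2URL query string carries EventType and P1 to P9) and reads the GRABMI inventory in appcompat.txt. Facts the script relies on: in a BEX report P1 is the process, P4 the faulting module, P7 the offset, P8 the NTSTATUS exception code and P9 the exception data; c0000005 is STATUS_ACCESS_VIOLATION, and exception data 8 on an access violation means the faulting access was an execute, which is exactly what a DEP stop reports. The .mdmp and .hdmp files are the minidump and heap dump that Windows Error Reporting writes alongside the report for upload. The appcompat sample is shortened to three entries; its EXE NAME="SYSTEM INFO" FILTER="GRABMI_FILTER_SYSTEM" header marks the file as an inventory of known system DLLs gathered for matching, not a list of what the crashing svchost had loaded, so wininet.dll appearing in it says nothing about whether that DLL loaded.

```python
"""Decode a Watson (WER) manifest.txt and its GRABMI appcompat.txt.
Added example; not code from the post or from Microsoft."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

# Sample input: manifest.txt as quoted in the post (values unchanged).
MANIFEST = """Server=watson.microsoft.com
UI LCID=1033
Brand=WINDOWS
TitleName=Generic Host Process for Win32 Services
HeaderText=Generic Host Process for Win32 Services encountered a problem and needed to close.
Stage1URL=
Stage1URL=/StageOne/Generic/BEX/svchost_exe/0_0_0_0/00000000/unknown/0_0_0_0/00000000/00000000/c0000005/00000008.htm
Stage2URL=
Stage2URL=/dw/GenericTwo.ASP?EventType=BEX&P1=svchost.exe&P2=0.0.0.0&P3=00000000&P4=unknown&P5=0.0.0.0&P6=00000000&P7=00000000&P8=c0000005&P9=00000008
"""

# Sample input: appcompat.txt as quoted, shortened to three MATCHING_FILE entries.
APPCOMPAT = """<?xml version="1.0" encoding="UTF-16"?>
<DATABASE>
<EXE NAME="SYSTEM INFO" FILTER="GRABMI_FILTER_SYSTEM">
<MATCHING_FILE NAME="kernel32.dll" SIZE="989696" BIN_FILE_VERSION="5.1.2600.5781" FILE_DESCRIPTION="Windows NT BASE API Client DLL" MODULE_TYPE="WIN32" />
<MATCHING_FILE NAME="wininet.dll" SIZE="666624" BIN_FILE_VERSION="6.0.2900.5835" FILE_DESCRIPTION="Internet Extensions for Win32" MODULE_TYPE="WIN32" />
<MATCHING_FILE NAME="winsock.dll" SIZE="2864" BIN_FILE_VERSION="3.10.0.103" FILE_DESCRIPTION="Windows Socket 16-Bit DLL" MODULE_TYPE="WIN16" />
</EXE>
</DATABASE>
"""

NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION",
            0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
            0xC00000FD: "STATUS_STACK_OVERFLOW"}
# Exception data (P9) for an access violation: the kind of access that faulted.
AV_ACCESS = {0: "read", 1: "write", 8: "execute"}


def parse_manifest(text):
    """key=value lines. Watson writes Stage1URL/Stage2URL twice, the first
    one empty, so keep the last non-empty value seen for each key."""
    out = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if value or key not in out:
            out[key] = value
    return out


def watson_params(manifest):
    """The bucket parameters are the query string of Stage2URL: EventType, P1..P9."""
    query = urlparse(manifest["Stage2URL"]).query
    return {k: v[0] for k, v in parse_qs(query).items()}


def decode_crash(params):
    """P1 app, P4 faulting module, P7 offset, P8 NTSTATUS code, P9 exception
    data. c0000005 with data 8 is an execute-access violation, i.e. a DEP stop."""
    code, data = int(params["P8"], 16), int(params["P9"], 16)
    info = {"event": params["EventType"], "process": params["P1"],
            "module": params["P4"], "offset": params["P7"],
            "exception_code": f"0x{code:08x}",
            "exception_name": NTSTATUS.get(code, "unknown"),
            "access": None, "dep_violation": False}
    if code == 0xC0000005:
        info["access"] = AV_ACCESS.get(data, f"unknown({data})")
        info["dep_violation"] = (data == 8)
    return info


def parse_appcompat(text):
    """GRABMI output. The XML declaration is stripped so an already-decoded
    str parses; real files are UTF-16 on disk (see load_appcompat)."""
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", text))
    exe = root.find("EXE")
    modules = [{"name": mf.get("NAME"), "version": mf.get("BIN_FILE_VERSION"),
                "module_type": mf.get("MODULE_TYPE"),
                "description": mf.get("FILE_DESCRIPTION", "")}
               for mf in root.iter("MATCHING_FILE")]
    return {"inventory": exe.get("NAME"), "filter": exe.get("FILTER"),
            "modules": modules}


def load_appcompat(path):
    """Real appcompat.txt files are UTF-16 with a byte-order mark."""
    with open(path, "rb") as f:
        return parse_appcompat(f.read().decode("utf-16"))


def check_modules(modules):
    """Inventory entries worth a second look: anything that is not a 32-bit
    module cannot have been loaded by a 32-bit svchost in the first place."""
    return [f'{m["name"]}: {m["module_type"]} module, not loadable by 32-bit svchost'
            for m in modules if m["module_type"] != "WIN32"]


if __name__ == "__main__":
    print(decode_crash(watson_params(parse_manifest(MANIFEST))))
    inv = parse_appcompat(APPCOMPAT)
    print(inv["inventory"], inv["filter"], len(inv["modules"]), "modules")
    for note in check_modules(inv["modules"]):
        print(note)
```

Run against the real files, load_appcompat(r"C:\...\WERa1a9.dir00\appcompat.txt") does the UTF-16 decoding for you; the decoded crash record for the manifest quoted above is a BEX in svchost.exe with an unknown faulting module, STATUS_ACCESS_VIOLATION on an execute access, which is what DEP closing svchost looks like and which a network driver reinstall would not change.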

  4. #34
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425


    Quote Originally Posted by flabeachbum
    I scanned the lot of them (of course), and found that interestingly, appcompat.txt refers in part to Internet Extensions for Win32. I'm really beginning to think perhaps the problem is that Windows is not allowing these to load.

    I'm not sure why svchost.exe.hdmp and svchost.exe.mdmp have those "?dmp" extensions, so I figured I'd ask and maybe you would know.

    I might be on a wild goose chase here, but at this point, it's worth asking. I'll leave the whole thing alone until I hear back from you.
    Those files look to be part of Windows error reporting system, but I don't know why they are still trying to run ??
    They wouldn't affect the connection anyway.

    Do you have an XP install disc ?
    It may be far quicker to perform a repair install.

    Run Disk Cleanup to clear your temp files

    1. Click on Start > All Programs > Accessories > System Tools > Disk Cleanup.
    2. Select C drive and click OK.
    3. Put a "Tick" in all the available boxes
    4. When done, click OK.
    5. You will be prompted again. Press Yes to confirm.
    6. When done, Disk Cleanup will close automatically.


    Now download the driver for your network card and then uninstall/reinstall it.

    Let me know how it goes.

  5. #35
    Member
    Join Date
    Apr 2008
    Posts
    46

    Network driver

    Machine was a pre-build, so I did the cleanup, deleted the networking card, re-booted and it re-installed automatically.

    The only change was the connection status, which now reads "Connected". The IP address has corrected itself automatically, which is good.

    System Tray is still iffy, sometimes 4 items, sometimes the proper 8.

    The rest of the symptoms remain the same.

    I repeated the process, same result.

    BTW, I wondered if Windows Firewall was working in the background. I enabled it, allowed pretty much everything, no effect. Disabled it, no effect.

    The connection status is intriguing. Packets are sent and received until the boot sequence is completely done, which of course takes a couple of minutes after logon. After that, no packets are received (which is why I suspected Windows Firewall). This usually comes to a grinding halt somewhere around 100 packets received, sometimes 76, sometimes 112, but that's the best I've seen.

    It might be something squirrely in AVG's settings - I'll have to look.

    I'll wait for your reply, but I'll do a cold boot, then run HJT and save the log in case you ask for it.


  6. #36
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425


    Does the other machine connect to the internet yet ?

  7. #37
    Member
    Join Date
    Apr 2008
    Posts
    46

    Sure

    Yep - this post came from one of the other computers on the network.

    Still haven't checked AVG, etc. Had a busy couple of days, lol!

  8. #38
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425


    I'm sorry if I appear to be dragging this out, but I am trying to make sense of what is happening.

    Quote Originally Posted by flabeachbum
    (BTW, other computer cannot access internet either. Rebooted both modem & router twice. Nothing. Cannot access router login either. Pinged router IP, zero response. My girlfriend is having to post & check these from her work.)
    How did you resolve this ?

    Have you tried connecting directly to the modem since you reinstalled the network card ?

    I need to see some fresh logs ...
    Please download a fresh copy of Combofix and run it

  9. #39
    Member
    Join Date
    Apr 2008
    Posts
    46

    Update

    We have two other computers in the house. The one is older (Win2kpro), Windows update messed that internet connection up. The second one is working fine, though.

    ~~~

    Back to the main one with the issues.

    So far, I've run through all combinations on Windows Firewall. No change in Internet access.

    I did the same with AVG, no change.

    I ran the "Network Diagnostics for Windows XP" tool, which gave me this:

    "Windows cannot connect to the Internet using HTTP, HTTPS, or FTP. This is probably caused by the firewall settings on this computer.

    Check the firewall settings for the HTTP port (80), HTTPS port (443) and FTP port (21)."

    I figured that I've tried HTTP, I have a couple of web sites that I maintain, why not try my FTP program.

    Surprisingly, FTP is working!!!

    It has complete access to the remote servers (including file downloads), which of course means that the problem is not the internet connection per se. The network diagnostics program is obviously missing something.

    I tried running Microsoft Outlook (my normal e-mail program), errors only show up about receiving files. I tried sending one, but it failed. Another strange bit.

    Tried to kill the Data Execution Prevention (DEP). It required a restart, but exactly the same thing happened, despite the exceptions I checked. Curious. It hasn't changed any functioning, but I've reset it anyway.

    Now we just have to figure out why HTTP, SMTP, IMAP, and POP3 protocols are being blocked, especially why it just seems to be for receiving files.

    I'll re-run ComboFix and post the log ASAP.
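Network Diagnostics reports that HTTP, HTTPS and FTP all fail, yet the FTP client works, and post #35 describes packets going out with none coming back once boot finishes. The distinction that tool glosses over is between "a TCP connection completes" and "the application protocol actually answers". The probe below is an added example, not code from the post or from any Windows tool: it tests both layers separately, and demo() runs it against three constructed local listeners (a real HTTP server, one that accepts the connection but never replies, and a closed port) so it works offline. To use it on the affected machine, call classify() with a real host and port; the "TCP connects but no HTTP reply" verdict is the one that points at something between the socket and the wire (a filter driver, a Winsock layered provider, a proxy setting) rather than at the link itself.

```python
"""Two-layer connectivity probe: TCP handshake versus HTTP reply.
Added example; not from the post or from any Microsoft diagnostic."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def tcp_connect(host, port, timeout=2.0):
    """Layer 4: does a TCP handshake complete? A firewall that drops SYNs
    shows up here as a timeout; a closed port as a refused connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_answers(host, port, timeout=2.0):
    """Layer 7: send a minimal GET and see whether anything HTTP-shaped
    comes back. A connect that succeeds but returns no bytes is the
    'packets sent, none received' pattern from the thread."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            return s.recv(64).startswith(b"HTTP/")
    except OSError:  # socket.timeout is an OSError subclass
        return False


def classify(host, port, timeout=2.0):
    """One verdict per endpoint, built from the two checks above."""
    if not tcp_connect(host, port, timeout):
        return "no TCP connectivity"
    if not http_answers(host, port, timeout):
        return "TCP connects but no HTTP reply"
    return "HTTP OK"


class _QuietHandler(BaseHTTPRequestHandler):
    """Minimal local web server used only by demo()."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the demo output clean
        pass


def demo(timeout=1.0):
    """Constructed endpoints on 127.0.0.1: a working HTTP server, a listener
    that completes the handshake but never replies, and a closed port."""
    httpd = HTTPServer(("127.0.0.1", 0), _QuietHandler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    silent = socket.socket()
    silent.bind(("127.0.0.1", 0))
    silent.listen(5)  # kernel accepts into the backlog; we never read
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens here any more
    try:
        return {
            "http": classify("127.0.0.1", httpd.server_address[1], timeout),
            "silent": classify("127.0.0.1", silent.getsockname()[1], timeout),
            "closed": classify("127.0.0.1", closed_port, timeout),
        }
    finally:
        httpd.shutdown()
        httpd.server_close()
        silent.close()


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

On the machine in the thread the interesting comparison is port 21 versus port 80 on the same remote host: if both connect but only the HTTP probe never gets a reply, the block is above TCP, and the Windows firewall settings the diagnostic tool blames are not where to look.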

  10. #40
    Member
    Join Date
    Apr 2008
    Posts
    46

    ComboFix Log

    Ran CF, apparently no changes to anything...

    ~~~

    ComboFix 09-08-20.07 - Owner 08/21/2009 13:33.9.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.734.338 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Fonts\ocr-deca.ttf
    c:\windows\Fonts\SECRCODE.TTF
    c:\windows\prxid93ps.dat
    c:\windows\system32\share.exe
    c:\windows\system32\sopidkc.exe
    c:\windows\system32\winspool.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_SOPIDKC


    ((((((((((((((((((((((((( Files Created from 2009-07-21 to 2009-08-21 )))))))))))))))))))))))))))))))
    .

    2009-08-18 01:18 . 2009-08-18 01:18 -------- d-----w- c:\windows\system32\NtmsData
    2009-08-08 19:46 . 2009-08-08 19:46 -------- d-----w- c:\windows\system32\wbem\Repository
    2009-08-04 02:51 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
    2009-08-04 02:51 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
    2009-08-03 12:53 . 2009-08-03 12:54 -------- d-----w- C:\rsit
    2009-08-02 12:00 . 2009-08-02 12:01 -------- d-----w- c:\program files\ERUNT

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-21 15:14 . 2007-08-10 18:40 -------- d-----w- c:\program files\FTP Commander
    2009-08-06 14:15 . 2008-05-08 18:03 -------- d-----w- c:\program files\Comodo
    2009-08-05 12:52 . 2008-06-15 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2009-08-02 21:10 . 2009-06-29 13:16 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-08-02 17:05 . 2008-04-19 22:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-07-30 13:45 . 2008-06-15 15:41 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-07-14 22:25 . 2006-01-09 01:31 509576 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-07-11 17:21 . 2006-01-17 18:37 -------- d-----w- c:\program files\Lx_cats
    2009-06-27 01:29 . 2009-06-27 01:29 -------- d-----w- c:\program files\Advanced GIF Animator
    2009-06-26 16:50 . 2004-08-04 00:56 666624 ----a-w- c:\windows\system32\wininet.dll
    2009-06-26 16:50 . 2004-08-04 00:56 81920 ----a-w- c:\windows\system32\ieencode.dll
    2009-06-23 16:25 . 2009-06-23 13:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
    2009-06-23 13:31 . 2009-06-23 13:31 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
    2009-06-23 13:30 . 2008-06-15 15:41 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-06-23 13:30 . 2007-05-03 22:05 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-06-16 14:36 . 2004-08-17 00:48 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-16 14:36 . 2004-08-04 00:56 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-14 20:07 . 2009-06-23 16:25 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
    2009-06-11 11:40 . 2009-06-11 11:40 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
    2009-06-03 19:09 . 2004-08-04 00:56 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-06-02 19:58 . 2009-04-21 21:04 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2008-05-03 14:01 . 2008-05-03 03:36 0 ------w- c:\program files\jre-6u6-windows-i586-p.exe
    2008-05-03 14:01 . 2008-05-03 03:35 1211 ----a-w- c:\program files\jre-6u6-windows-i586-p.exe.sdm
    2008-05-03 03:38 . 2008-05-03 03:36 0 ----a-w- c:\program files\jre-6u6-windows-i586-p.exe.bak2
    2008-05-03 03:36 . 2008-05-03 03:36 0 ----a-w- c:\program files\jre-6u6-windows-i586-p.exe.bak
    2008-05-02 01:01 . 2008-05-02 01:01 382352 ----a-w- c:\program files\jre-6u6-windows-i586-p-iftw.exe
    2007-06-02 21:52 . 2007-06-02 21:46 137383529 ----a-w- c:\program files\j2sdk-1_4_2_13-nb-5_0-win-ml.exe
    2009-06-18 17:16 . 2009-06-18 17:16 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll
    2009-06-18 17:36 . 2009-06-18 17:36 108272 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
    2005-07-14 16:31 . 2005-07-14 16:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
    2005-06-26 19:32 . 2005-06-26 19:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
    2005-06-22 02:37 . 2005-06-22 02:37 45568 --sha-r- c:\windows\system32\cygz.dll
    2005-02-28 17:16 . 2005-02-28 17:16 240128 --sha-r- c:\windows\system32\x.264.exe
    .

    ------- Sigcheck -------


    [7] 2004-08-04 00:56 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
    [7] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\ServicePackFiles\i386\sfcfiles.dll
    [7] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\dllcache\cache\sfcfiles.dll

    c:\windows\system32\drivers\beep.sys ... is missing !!
    c:\windows\system32\sfcfiles.dll ... is missing !!
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-08-04_02.57.21 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-08-21 17:51 . 2009-08-21 17:51 16384 c:\windows\TEMP\Perflib_Perfdata_6a8.dat
    + 2007-04-26 23:05 . 2009-08-12 20:23 452096 c:\windows\system32\Restore\rstrlog.dat
    + 2005-10-30 11:37 . 2005-07-29 21:09 202240 c:\windows\system32\fdco1.dll
    - 2005-10-30 11:37 . 2005-07-30 01:09 202240 c:\windows\system32\fdco1.dll
    + 2009-08-08 17:50 . 2009-08-08 17:50 208896 c:\windows\erdnt\AutoBackup\8-8-2009\Users\00000002\UsrClass.dat
    + 2009-08-07 12:44 . 2009-08-07 12:44 208896 c:\windows\erdnt\AutoBackup\8-7-2009\Users\00000002\UsrClass.dat
    + 2009-08-07 12:44 . 2005-10-20 16:02 163328 c:\windows\erdnt\AutoBackup\8-7-2009\ERDNT.EXE
    + 2009-08-06 14:08 . 2009-08-06 14:08 208896 c:\windows\erdnt\AutoBackup\8-6-2009\Users\00000002\UsrClass.dat
    + 2009-08-06 14:08 . 2005-10-20 16:02 163328 c:\windows\erdnt\AutoBackup\8-6-2009\ERDNT.EXE
    + 2009-08-05 12:51 . 2009-08-05 12:51 208896 c:\windows\erdnt\AutoBackup\8-5-2009\Users\00000002\UsrClass.dat
    + 2009-08-05 12:51 . 2005-10-20 16:02 163328 c:\windows\erdnt\AutoBackup\8-5-2009\ERDNT.EXE
    + 2009-08-04 12:55 . 2009-08-04 12:55 208896 c:\windows\erdnt\AutoBackup\8-4-2009\Users\00000002\UsrClass.dat
    + 2009-08-04 12:55 . 2005-10-20 16:02 163328 c:\windows\erdnt\AutoBackup\8-4-2009\ERDNT.EXE
    + 2009-08-21 13:50 . 2009-08-21 13:50 208896 c:\windows\erdnt\AutoBackup\8-21-2009\Users\00000002\UsrClass.dat
    + 2009-08-21 13:50 . 2005-10-20 16:02 163328 c:\windows\erdnt\AutoBackup\8-21-2009\ERDNT.EXE
    + 2009-08-17 19:15 . 2009-08-17 19:15 208896 c:\windows\erdnt\AutoBackup\8-17-2009\Users\00000002\UsrClass.dat
    + 2009-08-17 19:15 . 2005-10-20 16:02 163328 c:\windows\erdnt\AutoBackup\8-17-2009\ERDNT.EXE
    + 2009-08-13 16:47 . 2009-08-13 16:47 208896 c:\windows\erdnt\AutoBackup\8-13-2009\Users\00000002\UsrClass.dat
    + 2009-08-13 16:47 . 2005-10-20 16:02 163328 c:\windows\erdnt\AutoBackup\8-13-2009\ERDNT.EXE
    + 2009-08-12 15:32 . 2009-08-12 15:32 208896 c:\windows\erdnt\AutoBackup\8-12-2009\Users\00000002\UsrClass.dat
    + 2009-08-12 15:32 . 2005-10-20 16:02 163328 c:\windows\erdnt\AutoBackup\8-12-2009\ERDNT.EXE
    + 2009-08-08 17:50 . 2009-08-08 17:50 20578304 c:\windows\erdnt\AutoBackup\8-8-2009\Users\00000001\NTUSER.DAT
    + 2009-08-07 12:44 . 2009-08-07 12:44 20578304 c:\windows\erdnt\AutoBackup\8-7-2009\Users\00000001\NTUSER.DAT
    + 2009-08-06 14:08 . 2009-08-06 14:08 20578304 c:\windows\erdnt\AutoBackup\8-6-2009\Users\00000001\NTUSER.DAT
    + 2009-08-05 12:51 . 2009-08-05 12:51 20578304 c:\windows\erdnt\AutoBackup\8-5-2009\Users\00000001\NTUSER.DAT
    + 2009-08-04 12:55 . 2009-08-04 12:55 20578304 c:\windows\erdnt\AutoBackup\8-4-2009\Users\00000001\NTUSER.DAT
    + 2009-08-21 13:50 . 2009-08-21 13:50 20578304 c:\windows\erdnt\AutoBackup\8-21-2009\Users\00000001\ntuser.dat
    + 2009-08-17 19:15 . 2009-08-17 19:15 20578304 c:\windows\erdnt\AutoBackup\8-17-2009\Users\00000001\ntuser.dat
    + 2009-08-13 16:47 . 2009-08-13 16:47 20578304 c:\windows\erdnt\AutoBackup\8-13-2009\Users\00000001\ntuser.dat
    + 2009-08-12 15:32 . 2009-08-12 15:32 20578304 c:\windows\erdnt\AutoBackup\8-12-2009\Users\00000001\ntuser.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2009-06-14 20:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-06 133104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Pop-Up Stopper"="c:\program files\Panicware\Pop-Up Stopper\dpps2.exe" [2001-03-04 692224]
    "WheelMouse"="c:\mouses~1.2\wh_exec.exe" [2007-02-28 86016]
    "KEMailKb"="c:\progra~1\MICROI~1\INTERN~1\KEMailKb.EXE" [2005-08-09 401408]
    "KPDrv4XP"="c:\progra~1\MICROI~1\INTERN~1\KPDrv4XP.EXE" [2005-02-21 40960]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-16 29744]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-23 1948440]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
    "SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-09-26 90112]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    WG111v2 Smart Wizard Wireless Setting.lnk - c:\program files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2007-6-23 745472]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
    Source= c:\documents and settings\Owner\My Documents\My Pictures\RonPaul\.resized_500x227_RONPAULLARGEREVOLUTIONCROPPEDurl.jpg
    FriendlyName=

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
    Source= c:\documents and settings\Owner\My Documents\My Pictures\tyler02.jpg
    FriendlyName=

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\5]
    Source= c:\documents and settings\Owner\My Documents\My Pictures\tyler01.jpg
    FriendlyName=

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\7]
    Source= c:\documents and settings\Owner\My Documents\Business\index.html
    FriendlyName=

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-06-23 13:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk /r \??\c:\0autocheck autochk *\0lsdelete

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Webshots.lnk]
    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Webshots.lnk
    backup=c:\windows\pss\Webshots.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Themes"=2 (0x2)
    "TapiSrv"=3 (0x3)
    "RoxWatch"=2 (0x2)
    "RoxUpnpServer"=2 (0x2)
    "RoxUPnPRenderer"=3 (0x3)
    "RoxMediaDB"=3 (0x3)
    "RoxLiveShare"=2 (0x2)
    "RDSessMgr"=3 (0x3)
    "RasMan"=3 (0x3)
    "RasAuto"=3 (0x3)
    "mnmsrvc"=3 (0x3)
    "LightScribeService"=2 (0x2)
    "iPod Service"=3 (0x3)
    "Apple Mobile Device"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\WINDOWS\\system32\\lxcgcoms.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcgpswx.exe"=
    "c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
    "c:\\Program Files\\Brother\\BRAdmin Professional\\BRAdmPro.exe"=
    "c:\\Program Files\\UltraPlayer\\UPlayer.exe"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Nevo\\NevoMedia Player\\NevoMediaPlayer.exe"=
    "c:\\Program Files\\Nevo\\NevoMedia Server\\NevoMediaServer.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Roxio\\Digital Home 8\\RoxUpnpServer.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "135:TCP"= 135:TCP:TCP Port 135
    "5000:TCP"= 5000:TCP:TCP Port 5000
    "5001:TCP"= 5001:TCP:TCP Port 5001
    "5002:TCP"= 5002:TCP:TCP Port 5002
    "5003:TCP"= 5003:TCP:TCP Port 5003
    "5004:TCP"= 5004:TCP:TCP Port 5004
    "5005:TCP"= 5005:TCP:TCP Port 5005
    "5006:TCP"= 5006:TCP:TCP Port 5006
    "5007:TCP"= 5007:TCP:TCP Port 5007
    "5008:TCP"= 5008:TCP:TCP Port 5008
    "5009:TCP"= 5009:TCP:TCP Port 5009
    "5010:TCP"= 5010:TCP:TCP Port 5010
    "5011:TCP"= 5011:TCP:TCP Port 5011
    "5012:TCP"= 5012:TCP:TCP Port 5012
    "5013:TCP"= 5013:TCP:TCP Port 5013
    "5014:TCP"= 5014:TCP:TCP Port 5014
    "5015:TCP"= 5015:TCP:TCP Port 5015
    "5016:TCP"= 5016:TCP:TCP Port 5016
    "5017:TCP"= 5017:TCP:TCP Port 5017
    "5018:TCP"= 5018:TCP:TCP Port 5018
    "5019:TCP"= 5019:TCP:TCP Port 5019
    "5020:TCP"= 5020:TCP:TCP Port 5020

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/15/2008 11:41 AM 335752]
    R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/15/2008 11:41 AM 298776]
    R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [6/23/2007 12:49 AM 66048]
    R2 HIDKbFlt;HIDKbFlt.SvcDesc%;c:\windows\system32\drivers\HIDKbFlt.sys [7/25/2005 6:13 AM 23680]
    R3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\system32\drivers\whfltr2k.sys [1/25/2007 11:45 AM 6784]
    S2 gupdate1c9bacc70ab1608;Google Update Service (gupdate1c9bacc70ab1608);c:\program files\Google\Update\GoogleUpdate.exe [4/11/2009 1:39 PM 133104]
    S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [1/11/2006 2:15 PM 2944]
    S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [1/11/2006 2:15 PM 60416]
    S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [1/11/2006 2:15 PM 11008]
    S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [1/10/2006 9:55 PM 10368]
    S3 GoogleDesktopManager-010108-205858;Google Desktop Manager 5.7.801.1629;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/15/2008 9:21 PM 29744]
    S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [6/23/2007 12:49 AM 112384]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    "c:\program files\Common Files\LightScribe\LSRunOnce.exe"
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-12 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

    2009-08-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-11 17:38]

    2009-08-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-11 17:38]

    2009-08-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2365430957-3993245626-2034127582-1003Core.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-19 21:47]

    2009-08-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2365430957-3993245626-2034127582-1003UA.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-19 21:47]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.google.com
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://uphambeach.axiscam.net/activex/AMC.cab
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\9cflan5s.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
    .
    .
    ------- File Associations -------
    .
    txtfile=c:\windows\NOTEPAD.EXE %1
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-21 13:52
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(192)
    c:\program files\Panicware\Pop-Up Stopper\DPHOOK32.DLL
    c:\mouses~1.2\wh_hook.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    c:\program files\Spyware Doctor\sdhelp.exe
    c:\windows\system32\tcpsvcs.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-08-21 14:02 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-08-21 18:02
    ComboFix2.txt 2009-08-06 14:38
    ComboFix3.txt 2009-08-05 21:36
    ComboFix4.txt 2009-08-05 18:27
    ComboFix5.txt 2009-08-08 18:01

    Pre-Run: 10,657,525,760 bytes free
    Post-Run: 10,616,381,440 bytes free

    389 --- E O F --- 2009-07-29 07:04
