
Thread: TR/Crypt.XPACK.Gen2 & Gen3 Repeated Re-infections

  1. #1
    Junior Member
    Join Date
    Oct 2010
    Posts
    18

    Default TR/Crypt.XPACK.Gen2 & Gen3 Repeated Re-infections

    Hi.

    Avira AntiVir Premium reports that I continue to be automatically re-infected with TR/Crypt.XPACK.Gen2 -AND- TR/Crypt.XPACK.Gen3 -AND- TR/ATRAPS.Gen. This is similar to the problem described in this thread: TR/Crypt.XPACK.Gen2 Trojan urgent problem. But you make it abundantly clear that I must not follow those instructions on my own and that I should instead ask for separate instructions, which is what I'm doing now.

    All the infected files are found in the C:\Windows\Temp directory and are named according to the pattern "TMPxxx.tmp". Avira reports anywhere from 4 to 20 infected files per automated startup scan every time I boot.

    Avira quarantines the infected files, but several times now it's reported several more infections even while it's moving the previous infections to quarantine!

    Here is an excerpt from one Avira log showing all the infections I'm seeing:

    Beginning disinfection:
    C:\WINDOWS\Temp\TMPE.tmp
    [DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '4e52a1fe.qua'.
    C:\WINDOWS\Temp\TMP190.tmp
    [DETECTION] Is the TR/ATRAPS.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '56c585e1.qua'.
    C:\WINDOWS\Temp\TMP186.tmp
    [DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '049adff8.qua'.
    C:\WINDOWS\Temp\TMP184.tmp
    [DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '62ad9038.qua'.
    C:\WINDOWS\Temp\TMP180.tmp
    [DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '2729bd00.qua'.
    C:\WINDOWS\Temp\TMP16B.tmp
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '58328f60.qua'.
    C:\WINDOWS\Temp\TMP169.tmp
    [DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '148aa328.qua'.
    C:\WINDOWS\Temp\TMP15F.tmp
    [DETECTION] Is the TR/ATRAPS.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '6892e346.qua'.
    C:\WINDOWS\Temp\TMP155.tmp
    [DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '45c8cc09.qua'.
    C:\WINDOWS\Temp\TMP153.tmp
    [DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '5ca0f795.qua'.
    C:\WINDOWS\Temp\TMP14F.tmp
    [DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '30fcdba7.qua'.
    C:\WINDOWS\Temp\TMP114.tmp
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '4145e23c.qua'.
    C:\WINDOWS\Temp\TMP111.tmp
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '4f5fd2f9.qua'.
    C:\WINDOWS\Temp\TMP10F.tmp
    [DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '0a76abbd.qua'.
    C:\WINDOWS\Temp\TMP10E.tmp
    [DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '037daf14.qua'.
    C:\WINDOWS\Temp\TMP10B.tmp
    [DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '5b3cb663.qua'.


    I read the instructions at: "BEFORE you POST", and here's the info you requested:

    (1): I backed up the system registry using ERUNT (but then I blocked ERUNT from running every time I boot up. Is that ok?)

    (2): I've attached the DDS output file as Attach.zip

    (3): I will post RSIT's log file and info file in separate posts to follow, as requested.

    (4): I tried to run the GMER Rootkit Scanner with the specified options turned off, but it saturated both cores of my 4 GHz dual core processor at 100% for over 30 minutes without finishing or showing any progress! I eventually felt I had to press the reset button because of this. Is that normal? If so, may I suggest you warn people about this? If it's not normal, please let me know what to do.

    (5): Neither Spybot S&D nor TeaTimer is installed right now. I figured I should wait and follow your instructions on that score, too.

    I'm running Windows XP Pro / SP3 on an Intel mobo and 4 GHz processor with 4 GB RAM, 2.3 GB of it available to Windows.


    In closing, here is DDS.txt:

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by mjb at 7:32:51.92 on Tue 10/05/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3322.2299 [GMT -4:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
    FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    ============== Running Processes ===============

    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Intel\AMT\atchksrv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    D:\Apps\Spyware Doctor\BDT\BDTUpdateService.exe
    C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\system32\dldocoms.exe
    C:\Program Files\DC5\DCRServ.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Intel\Intel Desktop Utilities\iduServ.exe
    C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Intel\AMT\LMS.exe
    C:\WINDOWS\system32\ofps.exe
    C:\WINDOWS\system32\IoctlSvc.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\Program Files\Silicon Image\3132-W-R\SATARaid5ConfigService.exe
    D:\Apps\Spyware Doctor\pctsAuxs.exe
    D:\Apps\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    D:\Apps\Spyware Doctor\pctsTray.exe
    D:\Apps\StuffIt 2009\ArcNameService.exe
    C:\Program Files\Intel\AMT\UNS.exe
    C:\Program Files\Intel\Intel Desktop Utilities\iptray.exe
    D:\Apps\SlySoft\VirtualCloneDrive\VCDDaemon.exe
    C:\Program Files\Dell 968 AIO Printer\dldomon.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Iconoid\Iconoid.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\R-Wipe&Clean\rwiped.exe
    C:\Program Files\QuicKeys\QkEngine.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\dllhost.exe
    D:\Apps\PasswordsPlus\Passwords Plus\Desktop\PasswordsPlus.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\System32\vssvc.exe
    D:\Apps\Mozilla\Firefox\firefox.exe
    C:\Program Files\PayPal\PayPal Plug-In\RBroker.exe
    D:\Apps\Mozilla\Firefox\plugin-container.exe
    C:\Program Files\Common Files\Corel\Standby\Standby.exe
    C:\Documents and Settings\mjb\Desktop\ANTI-MALWARE TOOLS from SpyBot Malware Forum\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - d:\apps\techsmith snagit 9\SnagitBHO.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - d:\apps\spyware doctor\bdt\PCTBrowserDefender.dll
    BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: OToolbarHelper Class: {ead3a971-6a23-4246-8691-c9244e858967} - c:\program files\paypal\paypal plug-in\PayPalHelper.dll
    TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - d:\apps\techsmith snagit 9\SnagitIEAddin.dll
    TB: PayPal Plug-In: {dc0f2f93-27fa-4f84-acaa-9416f90b9511} - c:\program files\paypal\paypal plug-in\OToolbar.dll
    TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - d:\apps\spyware doctor\bdt\PCTBrowserDefender.dll
    TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
    TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
    uRun: [Iconoid] "c:\program files\iconoid\Iconoid.exe"
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [Adobe Reader Speed Launcher] "d:\apps\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [ipTray.exe] c:\program files\intel\intel desktop utilities\iptray.exe
    mRun: [VirtualCloneDrive] "d:\apps\slysoft\virtualclonedrive\VCDDaemon.exe" /s
    mRun: [dldomon.exe] c:\program files\dell 968 aio printer\dldomon.exe
    mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
    mRun: [ISTray] "d:\apps\spyware doctor\pctsTray.exe"
    mRun: [ISUSScheduler] c:\program files\common files\installshield\updateservice\issch.exe -start
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [Standby] "c:\program files\common files\corel\standby\Standby.exe" -START
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\docume~1\mjb\startm~1\programs\startup\erunt autobackup.lnk - c:\program files\erunt registry backup\AUTOBACK.EXE
    StartupFolder: c:\docume~1\mjb\startm~1\programs\startup\quickeys engine.lnk - c:\program files\quickeys\QkEngine.exe
    uPolicies-explorer: NoSMBalloonTip = 0 (0x0)
    uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    uPolicies-explorer: NoSMMyPictures = 01000000
    mPolicies-explorer: NoInstrumentation = 1 (0x1)
    IE: E&xport to Microsoft Excel - d:\apps\micros~1\office~1\office12\EXCEL.EXE/3000
    IE: Open with ScanSoft PDF Converter 4.1 - d:\apps\nuance-scansoft\pdf professional 4.0\cnvres_eng.dll /100
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\apps\micros~1\office~1\office12\ONBttnIE.dll
    IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\apps\micros~1\office~1\office12\REFIEBAR.DLL
    LSP: c:\program files\avira\antivir desktop\avsda.dll
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    DPF: {3B89785B-4E94-400A-8705-5841B14063A7} - hxxp://www.arcsoft.com/data/SimHDAss.CAB
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213325852156
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: igfxcui - igfxdev.dll
    Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    LSA: Authentication Packages = msv1_0 relog_ap
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\mjb\applic~1\mozilla\firefox\profiles\26rgi5i4.default\
    FF - prefs.js: browser.startup.homepage -
    FF - component: c:\documents and settings\mjb\application data\mozilla\firefox\profiles\26rgi5i4.default\extensions\{6ff1d3c4-61bc-4021-89b7-af8a8f784ebb}\components\snagitmozextension.dll
    FF - component: c:\documents and settings\mjb\application data\mozilla\firefox\profiles\26rgi5i4.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
    FF - component: c:\documents and settings\mjb\application data\mozilla\firefox\profiles\26rgi5i4.default\extensions\lazarus@interclue.com\platform\winnt_x86-msvc\components\WeaveCrypto.dll
    FF - component: c:\program files\paypal\paypal plug-in\components\PayPalPlugin.dll
    FF - plugin: c:\documents and settings\mjb\application data\mozilla\firefox\profiles\26rgi5i4.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
    FF - plugin: c:\documents and settings\mjb\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
    FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\vlc\npvlc.dll
    FF - plugin: d:\apps\adobe\reader 9.0\reader\browser\nppdf32.dll
    FF - plugin: d:\apps\misc\real alternative\browser\plugins\nppl3260.dll
    FF - plugin: d:\apps\misc\real alternative\browser\plugins\nprpjplug.dll
    FF - plugin: d:\apps\mozilla\firefox\plugins\npwachk.dll
    FF - plugin: d:\apps\opera\program\plugins\np_gp.dll
    FF - plugin: d:\apps\opera\program\plugins\np32asw.dll
    FF - plugin: d:\apps\opera\program\plugins\np32asw.dll
    FF - plugin: d:\apps\opera\program\plugins\npdivx32.dll
    FF - plugin: d:\apps\opera\program\plugins\npdsplay.dll
    FF - plugin: d:\apps\opera\program\plugins\NPOFF12.DLL
    FF - plugin: d:\apps\opera\program\plugins\NPOFF12.DLL
    FF - plugin: d:\apps\opera\program\plugins\npqtplugin.dll
    FF - plugin: d:\apps\opera\program\plugins\npqtplugin2.dll
    FF - plugin: d:\apps\opera\program\plugins\npqtplugin3.dll
    FF - plugin: d:\apps\opera\program\plugins\npqtplugin4.dll
    FF - plugin: d:\apps\opera\program\plugins\npqtplugin5.dll
    FF - plugin: d:\apps\opera\program\plugins\npqtplugin6.dll
    FF - plugin: d:\apps\opera\program\plugins\npqtplugin7.dll
    FF - plugin: d:\apps\opera\program\plugins\NPSWF32.dll
    FF - plugin: d:\apps\opera\program\plugins\npwmsdrm.dll
    FF - HiddenExtension: Java Console: No Registry Reference - d:\apps\mozilla\firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - d:\apps\mozilla\firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    d:\apps\mozilla\firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("network.proxy.type", 5);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    d:\apps\mozilla\firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    d:\apps\mozilla\firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    d:\apps\mozilla\firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    d:\apps\mozilla\firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    d:\apps\mozilla\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    d:\apps\mozilla\firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    d:\apps\mozilla\firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    d:\apps\mozilla\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R0 DCR;DCR;c:\windows\system32\drivers\DCR.sys [2010-1-22 294408]
    R0 DCVP;DCVP;c:\windows\system32\drivers\DCVP.sys [2010-1-22 19624]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-9-14 28552]
    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-3-29 218592]
    R1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [2009-12-30 89728]
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-9-16 11608]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [2009-8-12 95592]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-12-20 528128]
    R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2010-9-16 337064]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-9-16 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-9-16 267432]
    R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\astra32\astra32.sys [2007-2-22 30864]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-9-16 60936]
    R2 Browser Defender Update Service;Browser Defender Update Service;d:\apps\spyware doctor\bdt\BDTUpdateService.exe [2009-12-4 112592]
    R2 CachemanXPService;CachemanXP;c:\progra~1\cachem~1\CachemanXP.exe [2008-12-18 316416]
    R2 dldo_device;dldo_device;c:\windows\system32\dldocoms.exe -service --> c:\windows\system32\dldocoms.exe -service [?]
    R2 DriveCryptService;DriveCrypt Service;c:\program files\dc5\DCRServ.exe [2010-1-22 96680]
    R2 IduService;Intel(R) Desktop Utilities Service;c:\program files\intel\intel desktop utilities\iduServ.exe [2009-1-22 124928]
    R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-12-23 711352]
    R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-12-23 711352]
    R2 JCPacket;FLDP Packet Driver;c:\windows\system32\drivers\jcpacket.sys [2002-5-26 10880]
    R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-7-12 10448]
    R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-6-1 34064]
    R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
    R2 SATARaid5 Config Service;SATARaid5 Configuration Service;c:\program files\silicon image\3132-w-r\SATARaid5ConfigService.exe [2005-10-5 131072]
    R2 sdAuxService;PC Tools Auxiliary Service;d:\apps\spyware doctor\pctsAuxs.exe [2008-7-5 366840]
    R2 sdCoreService;PC Tools Security Service;d:\apps\spyware doctor\pctsSvc.exe [2008-7-5 1142224]
    R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [2009-5-29 66944]
    R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2008-6-12 2514944]
    R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
    R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2009-6-14 114952]
    R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [2009-3-9 38304]
    R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2008-6-20 252440]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-2-5 1691480]
    S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
    S3 DYUSB;DYMO DiscPainter USB Status Monitor Driver;c:\windows\system32\drivers\dyusb.sys [2007-10-22 35200]
    S3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\drivers\KeyMagic.sys [2009-1-22 17920]
    S3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [2009-8-27 320384]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2007-7-27 14336]
    S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-1-22 27064]
    S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra professional home xii.sp2c\RpcAgentSrv.exe [2009-4-13 98488]
    S4 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2010-9-16 405672]
    S4 dldoCATSCustConnectService;dldoCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldoserv.exe [2009-10-9 99568]
    S4 OS Selector;Acronis OS Selector activator;c:\program files\acronis\diskdirector\oss\reinstall_svc.exe [2010-5-25 2139400]

    ============== File Associations ===============

    cmdfile="\"%1\" %*"
    JSEFile=NOTEPAD.EXE %1
    VBEFile=NOTEPAD.EXE %1
    VBSFile=NOTEPAD.EXE %1
    .txt=UltraEdit.txt

    =============== Created Last 30 ================

    2010-10-05 11:31:21 0 d-----w- c:\program files\ERUNT Registry Backup
    2010-10-05 10:36:22 0 d-----w- c:\docume~1\mjb\applic~1\Malwarebytes
    2010-10-05 10:36:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-05 10:36:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-05 10:36:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-05 10:36:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-09-16 11:39:05 0 d-----w- c:\docume~1\mjb\applic~1\Avira
    2010-09-16 11:19:43 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-09-16 11:19:42 0 d-----w- c:\program files\Avira
    2010-09-16 11:19:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2010-09-14 08:49:43 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2010-09-14 08:49:22 0 d-----w- c:\program files\Panda Security
    2010-09-07 11:48:04 0 d-----w- c:\program files\Iconoid
    2010-09-07 09:31:28 0 d-----w- c:\docume~1\mjb\applic~1\KC Softwares
    2010-09-07 09:30:08 0 d-----w- c:\program files\SUMo - Software Update Monitor

    ==================== Find3M ====================

    2010-10-05 09:57:37 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2010-08-28 07:54:09 10022 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-12 04:07:46 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys
    2010-08-12 04:07:46 133616 ------w- c:\windows\system32\pxafs.dll
    2010-08-12 04:07:46 126448 ------w- c:\windows\system32\pxinsi64.exe
    2010-08-12 04:07:46 123888 ------w- c:\windows\system32\pxcpyi64.exe
    2010-08-06 06:14:57 1996 ----a-w- C:\copype.cmd
    2010-08-02 11:48:33 8 --sh--r- c:\docume~1\alluse~1\applic~1\6904553153.sys
    2010-08-02 11:48:33 8 --sh--r- c:\docume~1\alluse~1\applic~1\1B750485A4.sys
    2010-07-26 14:13:40 108032 ----a-w- c:\windows\system32\ff_vfw.dll
    2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-07-21 03:03:12 767928 ----a-w- c:\windows\BDTSupport.dll
    2010-07-21 01:22:46 1238528 ----a-w- c:\windows\system32\zpeng25.dll
    2010-07-17 09:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-17 08:56:14 217180 ----a-w- c:\windows\system32\nvdrsdb0.bin
    2010-07-17 08:56:12 217180 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2010-07-09 22:57:47 3663 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
    2010-07-09 22:56:12 1085616 ----a-w- c:\windows\system32\SpoonUninstall.exe
    2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
    2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll

    ============= FINISH: 7:33:37.01 ===============

    Sorry, tashi, for getting ahead of myself with those two logs you deleted. Clearly I was confused, since the FAQ I said I read clearly didn't request that I post them. Please forgive me.

    Also, although I have some P2P software installed, I've never actually completed any transfers with them. I'll be happy to uninstall them if you like.
    Last edited by tashi; 2010-10-06 at 16:44. Reason: Merged posts, helpers look for topics with 0 response. :-)
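Editor's note, added example (not part of the original post, and not Avira's or the forum's own tooling): the Avira excerpt above is easier to reason about once it is turned into records. The script below parses the disinfection log into (path, detection family, quarantine name) and summarises it; the log text embedded in it is constructed from four of the records posted above. The naming check is an inference: names of the form TMP<hex>.tmp with one to four unpadded hex digits (TMPE.tmp, TMP190.tmp) are what the Win32 GetTempFileName() API produces for the prefix "TMP". Combined with new detections appearing while the previous batch is still being quarantined, that points at a running process writing the payloads at every boot, so the .tmp files are the output of the infection rather than its persistence, and the practitioner's next check is to identify the writer (for example Process Monitor filtered on file writes to C:\WINDOWS\Temp) rather than to keep quarantining what it drops.

```python
import re
from collections import Counter

# Constructed sample in the shape of the Avira log excerpt in the post above
# (four of its detection records, copied verbatim).
AVIRA_LOG = r"""Beginning disinfection:
C:\WINDOWS\Temp\TMPE.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '4e52a1fe.qua'.
C:\WINDOWS\Temp\TMP190.tmp
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '56c585e1.qua'.
C:\WINDOWS\Temp\TMP186.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '049adff8.qua'.
C:\WINDOWS\Temp\TMP16B.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '58328f60.qua'.
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")  # a record starts with a drive path
DETECTION_RE = re.compile(r"^\[DETECTION\] Is the (\S+) Trojan")
QUARANTINE_RE = re.compile(r"^\[NOTE\] .* under the name '([^']+)'")
# GetTempFileName() builds <prefix><hex>.tmp with 1-4 unpadded hex digits (TMPE.tmp, TMP190.tmp).
TEMPNAME_RE = re.compile(r"^TMP[0-9A-F]{1,4}\.tmp$", re.IGNORECASE)


def parse_avira(text):
    """Group the log into one dict per detected file: path, family, quarantine name."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            current = {"path": line, "family": None, "quarantine": None}
            records.append(current)
        elif current is not None:
            m = DETECTION_RE.match(line)
            if m:
                current["family"] = m.group(1)
                continue
            m = QUARANTINE_RE.match(line)
            if m:
                current["quarantine"] = m.group(1)
    return records


def summarize(records):
    """Count detections per family and directory, and check the file-name pattern."""
    dirs = Counter(r["path"].rsplit("\\", 1)[0].lower() for r in records)
    names = [r["path"].rsplit("\\", 1)[1] for r in records]
    return {
        "count": len(records),
        "families": Counter(r["family"] for r in records),
        "dirs": dirs,
        # True when every file looks like GetTempFileName() output: the payloads are
        # being written by a running process, so the .tmp files are not the persistence.
        "all_temp_named": all(TEMPNAME_RE.match(n) for n in names),
        "quarantined": [r["quarantine"] for r in records if r["quarantine"]],
    }


if __name__ == "__main__":
    summary = summarize(parse_avira(AVIRA_LOG))
    print(f"{summary['count']} detections in {dict(summary['dirs'])}")
    for family, n in summary["families"].most_common():
        print(f"  {n:2d}  {family}")
    print("all names match TMP<hex>.tmp:", summary["all_temp_named"])
```

Run against the full excerpt, every one of the sixteen paths is in C:\WINDOWS\Temp and every name matches the TMP<hex>.tmp pattern; the quarantine names are the handles Avira uses for the .qua files, which is what a helper will ask for if a sample needs to be submitted.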

  2. #2
    Blade81 (Security Expert: Emeritus)
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    µTorrent
    BitComet FLV Converter
    BitTorrent


    I'd like you to read this thread.

    Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


    After that:

    Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here. Post back its report + fresh dds.txt log.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member
    Join Date
    Oct 2010
    Posts
    18

    Default

    Thank you for your reply, Blade81.

    I was happy to uninstall those programs you requested, but note that as I informed Tashi above, I'd never actually completed any transfer using them.

    Here is the Kaspersky Online Scan Report (in blue):

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Wednesday, October 13, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Tuesday, October 12, 2010 08:47:44
    Records in database: 4202236
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    Q:\
    R:\
    Y:\

    Scan statistics:
    Objects scanned: 752503
    Threats found: 3
    Infected objects found: 0
    Suspicious objects found: 3
    Scan duration: 17:41:25


    File name / Threat / Threats count
    C:\Documents and Settings\mjb\Application Data\Thunderbird\Profiles\nd01ohcg.default\Mail\mail.comcast-1.net\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
    C:\Documents and Settings\mjb\Application Data\Thunderbird\Profiles\nd01ohcg.default\Mail\mail.comcast.net\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
    C:\Documents and Settings\mjb\Application Data\Thunderbird\Profiles\nd01ohcg.default\Mail\mail.comcast.net\Sent Suspicious: Trojan-Spy.HTML.Fraud.gen 1

    Selected area has been scanned.


    It is my opinion that the Kaspersky Online Scan completely missed the actual infections I reported in my OP. The evidence points away from all those infections reported by Avira Premium being false positives, since those reported files actually were multiplying like crazy. I absolutely do not trust that I'm infection-free except for those infected emails, as the Kaspersky scan claims.

    Here is the dds.txt file:


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by mjb at 4:30:27.64 on Wed 10/13/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3322.2292 [GMT -4:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
    FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    ============== Running Processes ===============

    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Intel\AMT\atchksrv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    D:\Apps\Spyware Doctor\BDT\BDTUpdateService.exe
    C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\system32\dldocoms.exe
    C:\Program Files\DC5\DCRServ.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Intel\Intel Desktop Utilities\iduServ.exe
    C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Intel\AMT\LMS.exe
    C:\WINDOWS\system32\ofps.exe
    C:\WINDOWS\system32\IoctlSvc.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\Program Files\Silicon Image\3132-W-R\SATARaid5ConfigService.exe
    D:\Apps\Spyware Doctor\pctsAuxs.exe
    D:\Apps\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    D:\Apps\Spyware Doctor\pctsTray.exe
    C:\Program Files\Intel\AMT\UNS.exe
    C:\Program Files\Intel\Intel Desktop Utilities\iptray.exe
    D:\Apps\SlySoft\VirtualCloneDrive\VCDDaemon.exe
    C:\Program Files\Dell 968 AIO Printer\dldomon.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Iconoid\Iconoid.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\R-Wipe&Clean\rwiped.exe
    C:\Program Files\QuicKeys\QkEngine.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\Apps\Mozilla\Thunderbird\thunderbird.exe
    C:\Documents and Settings\mjb\Desktop\ANTI-MALWARE TOOLS from SpyBot Malware Forum\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - d:\apps\techsmith snagit 9\SnagitBHO.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - d:\apps\spyware doctor\bdt\PCTBrowserDefender.dll
    BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - d:\apps\techsmith snagit 9\SnagitIEAddin.dll
    TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - d:\apps\spyware doctor\bdt\PCTBrowserDefender.dll
    TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
    TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
    uRun: [Iconoid] "c:\program files\iconoid\Iconoid.exe"
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [Adobe Reader Speed Launcher] "d:\apps\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [ipTray.exe] c:\program files\intel\intel desktop utilities\iptray.exe
    mRun: [VirtualCloneDrive] "d:\apps\slysoft\virtualclonedrive\VCDDaemon.exe" /s
    mRun: [dldomon.exe] c:\program files\dell 968 aio printer\dldomon.exe
    mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
    mRun: [ISTray] "d:\apps\spyware doctor\pctsTray.exe"
    mRun: [ISUSScheduler] c:\program files\common files\installshield\updateservice\issch.exe -start
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [Standby] "c:\program files\common files\corel\standby\Standby.exe" -START
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    StartupFolder: c:\docume~1\mjb\startm~1\programs\startup\quickeys engine.lnk - c:\program files\quickeys\QkEngine.exe
    uPolicies-explorer: NoSMBalloonTip = 0 (0x0)
    uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    uPolicies-explorer: NoSMMyPictures = 01000000
    mPolicies-explorer: NoInstrumentation = 1 (0x1)
    IE: E&xport to Microsoft Excel - d:\apps\micros~1\office~1\office12\EXCEL.EXE/3000
    IE: Open with ScanSoft PDF Converter 4.1 - d:\apps\nuance-scansoft\pdf professional 4.0\cnvres_eng.dll /100
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\apps\micros~1\office~1\office12\ONBttnIE.dll
    IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\apps\micros~1\office~1\office12\REFIEBAR.DLL
    LSP: c:\program files\avira\antivir desktop\avsda.dll
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    DPF: {3B89785B-4E94-400A-8705-5841B14063A7} - hxxp://www.arcsoft.com/data/SimHDAss.CAB
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213325852156
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: igfxcui - igfxdev.dll
    Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    LSA: Authentication Packages = msv1_0 relog_ap
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\mjb\applic~1\mozilla\firefox\profiles\26rgi5i4.default\
    FF - prefs.js: browser.startup.homepage -
    FF - component: c:\documents and settings\mjb\application data\mozilla\firefox\profiles\26rgi5i4.default\extensions\{6ff1d3c4-61bc-4021-89b7-af8a8f784ebb}\components\snagitmozextension.dll
    FF - component: c:\documents and settings\mjb\application data\mozilla\firefox\profiles\26rgi5i4.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
    FF - component: c:\documents and settings\mjb\application data\mozilla\firefox\profiles\26rgi5i4.default\extensions\lazarus@interclue.com\platform\winnt_x86-msvc\components\WeaveCrypto.dll
    FF - component: c:\program files\paypal\paypal plug-in\components\PayPalPlugin.dll
    FF - plugin: c:\documents and settings\mjb\application data\mozilla\firefox\profiles\26rgi5i4.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
    FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\vlc\npvlc.dll
    FF - plugin: d:\apps\adobe\reader 9.0\reader\browser\nppdf32.dll
    FF - plugin: d:\apps\misc\real alternative\browser\plugins\nppl3260.dll
    FF - plugin: d:\apps\misc\real alternative\browser\plugins\nprpjplug.dll
    FF - plugin: d:\apps\mozilla\firefox\plugins\npwachk.dll
    FF - plugin: d:\apps\opera\program\plugins\np_gp.dll
    FF - plugin: d:\apps\opera\program\plugins\np32asw.dll
    FF - plugin: d:\apps\opera\program\plugins\np32asw.dll
    FF - plugin: d:\apps\opera\program\plugins\npdivx32.dll
    FF - plugin: d:\apps\opera\program\plugins\npdivx32.dll
    FF - plugin: d:\apps\opera\program\plugins\npdsplay.dll
    FF - plugin: d:\apps\opera\program\plugins\NPOFF12.DLL
    FF - plugin: d:\apps\opera\program\plugins\NPOFF12.DLL
    FF - plugin: d:\apps\opera\program\plugins\npqtplugin.dll
    FF - plugin: d:\apps\opera\program\plugins\npqtplugin2.dll
    FF - plugin: d:\apps\opera\program\plugins\npqtplugin3.dll
    FF - plugin: d:\apps\opera\program\plugins\npqtplugin4.dll
    FF - plugin: d:\apps\opera\program\plugins\npqtplugin5.dll
    FF - plugin: d:\apps\opera\program\plugins\npqtplugin6.dll
    FF - plugin: d:\apps\opera\program\plugins\npqtplugin7.dll
    FF - plugin: d:\apps\opera\program\plugins\NPSWF32.dll
    FF - plugin: d:\apps\opera\program\plugins\npwmsdrm.dll
    FF - HiddenExtension: Java Console: No Registry Reference - d:\apps\mozilla\firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - d:\apps\mozilla\firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    d:\apps\mozilla\firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("network.proxy.type", 5);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    d:\apps\mozilla\firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    d:\apps\mozilla\firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    d:\apps\mozilla\firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    d:\apps\mozilla\firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    d:\apps\mozilla\firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    d:\apps\mozilla\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    d:\apps\mozilla\firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    d:\apps\mozilla\firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    d:\apps\mozilla\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    d:\apps\mozilla\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R0 DCR;DCR;c:\windows\system32\drivers\DCR.sys [2010-1-22 294408]
    R0 DCVP;DCVP;c:\windows\system32\drivers\DCVP.sys [2010-1-22 19624]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-9-14 28552]
    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-3-29 218592]
    R1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [2009-12-30 89728]
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-9-16 11608]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [2009-8-12 95592]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-12-20 528128]
    R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2010-9-16 337064]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-9-16 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-9-16 267432]
    R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\astra32\astra32.sys [2007-2-22 30864]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-9-16 60936]
    R2 Browser Defender Update Service;Browser Defender Update Service;d:\apps\spyware doctor\bdt\BDTUpdateService.exe [2009-12-4 112592]
    R2 CachemanXPService;CachemanXP;c:\progra~1\cachem~1\CachemanXP.exe [2008-12-18 316416]
    R2 dldo_device;dldo_device;c:\windows\system32\dldocoms.exe -service --> c:\windows\system32\dldocoms.exe -service [?]
    R2 DriveCryptService;DriveCrypt Service;c:\program files\dc5\DCRServ.exe [2010-1-22 96680]
    R2 IduService;Intel(R) Desktop Utilities Service;c:\program files\intel\intel desktop utilities\iduServ.exe [2009-1-22 124928]
    R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-12-23 711352]
    R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-12-23 711352]
    R2 JCPacket;FLDP Packet Driver;c:\windows\system32\drivers\jcpacket.sys [2002-5-26 10880]
    R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-7-12 10448]
    R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-6-1 34064]
    R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
    R2 SATARaid5 Config Service;SATARaid5 Configuration Service;c:\program files\silicon image\3132-w-r\SATARaid5ConfigService.exe [2005-10-5 131072]
    R2 sdAuxService;PC Tools Auxiliary Service;d:\apps\spyware doctor\pctsAuxs.exe [2008-7-5 366840]
    R2 sdCoreService;PC Tools Security Service;d:\apps\spyware doctor\pctsSvc.exe [2008-7-5 1142224]
    R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [2009-5-29 66944]
    R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2008-6-12 2514944]
    R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
    R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2009-6-14 114952]
    R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [2009-3-9 38304]
    R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2008-6-20 252440]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-2-5 1691480]
    S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
    S3 DYUSB;DYMO DiscPainter USB Status Monitor Driver;c:\windows\system32\drivers\dyusb.sys [2007-10-22 35200]
    S3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\drivers\KeyMagic.sys [2009-1-22 17920]
    S3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [2009-8-27 320384]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2007-7-27 14336]
    S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-1-22 27064]
    S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra professional home xii.sp2c\RpcAgentSrv.exe [2009-4-13 98488]
    S4 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2010-9-16 405672]
    S4 dldoCATSCustConnectService;dldoCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldoserv.exe [2009-10-9 99568]
    S4 OS Selector;Acronis OS Selector activator;c:\program files\acronis\diskdirector\oss\reinstall_svc.exe [2010-5-25 2139400]

    ============== File Associations ===============

    cmdfile="\"%1\" %*"
    JSEFile=NOTEPAD.EXE %1
    VBEFile=NOTEPAD.EXE %1
    VBSFile=NOTEPAD.EXE %1
    .txt=UltraEdit.txt

    =============== Created Last 30 ================

    2010-10-05 12:00:04 0 d-----w- c:\program files\trend micro
    2010-10-05 11:31:21 0 d-----w- c:\program files\ERUNT Registry Backup
    2010-10-05 10:36:22 0 d-----w- c:\docume~1\mjb\applic~1\Malwarebytes
    2010-10-05 10:36:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-05 10:36:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-05 10:36:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-05 10:36:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-09-16 11:39:05 0 d-----w- c:\docume~1\mjb\applic~1\Avira
    2010-09-16 11:19:43 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-09-16 11:19:42 0 d-----w- c:\program files\Avira
    2010-09-16 11:19:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2010-09-14 08:49:43 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2010-09-14 08:49:22 0 d-----w- c:\program files\Panda Security

    ==================== Find3M ====================

    2010-10-12 11:33:41 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2010-10-09 15:10:00 10022 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-12 04:07:46 133616 ------w- c:\windows\system32\pxafs.dll
    2010-08-12 04:07:46 126448 ------w- c:\windows\system32\pxinsi64.exe
    2010-08-12 04:07:46 123888 ------w- c:\windows\system32\pxcpyi64.exe
    2010-08-06 06:14:57 1996 ----a-w- C:\copype.cmd
    2010-08-02 11:48:33 8 --sh--r- c:\docume~1\alluse~1\applic~1\6904553153.sys
    2010-08-02 11:48:33 8 --sh--r- c:\docume~1\alluse~1\applic~1\1B750485A4.sys
    2010-07-26 14:13:40 108032 ----a-w- c:\windows\system32\ff_vfw.dll
    2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-07-21 03:03:12 767928 ----a-w- c:\windows\BDTSupport.dll
    2010-07-21 01:22:46 1238528 ----a-w- c:\windows\system32\zpeng25.dll
    2010-07-17 09:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-17 08:56:14 217180 ----a-w- c:\windows\system32\nvdrsdb0.bin
    2010-07-17 08:56:12 217180 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
    2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll

    ============= FINISH: 4:31:30.55 ===============


    NOTE: I disabled Avira Premium during the Kaspersky Scan as suggested. The DDS.txt file shows it active because I re-enabled it after the scan.

  4. #4
    Junior Member
    Join Date
    Oct 2010
    Posts
    18

    Default

    As I feared, Avira is reporting the same infections again. Here are the two most recent infections reported:

    Begin scan in 'C:\WINDOWS\Temp\TMPC.tmp'
    C:\WINDOWS\Temp\TMPC.tmp
    [DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
    [NOTE] A backup was created as '4fb20e67.qua' ( QUARANTINE )
    [NOTE] The file was moved to the quarantine directory under the name '572521d8.qua'.
    Begin scan in 'C:\WINDOWS\Temp\TMPF.tmp'
    C:\WINDOWS\Temp\TMPF.tmp
    [DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
    [NOTE] A backup was created as '057a7458.qua' ( QUARANTINE )


    What will happen now is that each time I ask Avira Premium to remove those infections, still more will appear...

  5. #5
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Show hidden files
    -----------------
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Click Yes to confirm.
    * Click OK.

    Upload these files to http://www.virustotal.com and post back the results or links to those:
    C:\Documents and Settings\All users\application data\6904553153.sys
    C:\Documents and Settings\All users\application data\1B750485A4.sys


    Update MBAM and run a full scan with it. Let it remove its findings. Post back the report.

    How have you set Antivir heuristics settings?

  6. #6
    Junior Member
    Join Date
    Oct 2010
    Posts
    18

    Default

    OK, the VirusTotal scans reported no infections of those two files you specified. I've attached a zip file containing the HTML-only reports.

    mbam also reported no infections. Here's the report:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4820

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    10/14/2010 10:53:45 AM
    mbam-log-2010-10-14 (10-53-45).txt

    Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
    Objects scanned: 750348
    Time elapsed: 2 hour(s), 58 minute(s), 52 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    However, Avira reported more new infections exactly like the others.

    As far as Avira's heuristic level, both the Scanner and the Guard have these settings:
    Macrovirus heuristic - Enabled
    Advanced Heuristic Analysis and Detection - Enabled, Medium detection level.

    Thanks for sticking with me!

  7. #7
    Junior Member
    Join Date
    Oct 2010
    Posts
    18

    Default

    Sorry, here's that zip file...

  8. #8
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Nothing is appearing in those logs, and since it seems to be only Antivir alerting, I suspect it could be a false alarm. Have you updated Antivir definitions recently?

  9. #9
    Junior Member
    Join Date
    Oct 2010
    Posts
    18

    Default

    First, yes, I've updated the definitions, including just an hour ago.

    As for this being a false positive, I uploaded an infected file to VirusTotal, and along with Avira, McAfee-GW-Edition reported it to be infected with this name (I've attached the report HTML file to this post):

    Heuristic.LooksLike.Win32.Suspicious.J!86

    When I looked that up with Google, it found several pages describing it. Two of the English pages are as follows:

    W32/VBTroj

    Xandor Report

    I think one likely reason that the other scanners you asked me to run missed this is that they probably didn't scan .tmp files. But I realize that something else on my computer would have to be infected, and it is that which must be creating the .tmp files, and it is that infection that we are searching for primarily, correct?

    My guess is that the .tmp files are being created by this other infection as the first step in compromising my system, and the next step must be renaming or copying it to some form of executable. Because otherwise, I don't see how a .tmp file could cause damage as long as it is still named xxx.tmp.

    But again, my opinion is that these are not false positives because they multiply very fast every time Avira tries to move them into quarantine. Surely something is infected.

    Thanks again for sticking with me, Blade81!
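
The question raised in the post above, whether a file named xxx.tmp can really be an executable, is answered by the file's header rather than its name. The following Python triage script is an added example, not code from the thread or from any of the tools mentioned: it classifies TMP*.tmp files in a directory by whether they carry an MZ/PE header, so a defender can tell a dropped executable from harmless scratch data before deciding on a false positive. The sample directory and its file contents are constructed here for demonstration.

```python
"""Triage .tmp files by content (PE header check), not by extension.

Added example for illustration; the sample files below are constructed
and do not come from the infected machine discussed in the thread.
"""
import struct
import tempfile
from pathlib import Path

MZ_MAGIC = b"MZ"            # DOS stub magic at offset 0 of every Win32 executable
PE_SIGNATURE = b"PE\x00\x00"  # NT header signature, located at e_lfanew (offset 0x3C)


def classify_file(path: Path) -> str:
    """Return 'pe', 'mz-only', 'empty' or 'data' based on the file's header bytes.

    'pe'      : MZ stub plus a valid e_lfanew pointing at 'PE\\0\\0' (a Win32 image)
    'mz-only' : starts with MZ but has no usable PE header (truncated or DOS-only)
    'empty'   : zero-length file
    'data'    : anything else (text, archives, plain scratch data)
    """
    data = path.read_bytes()
    if not data:
        return "empty"
    if data[:2] != MZ_MAGIC:
        return "data"
    if len(data) < 0x40:
        # too short to even contain the e_lfanew field
        return "mz-only"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
        return "pe"
    return "mz-only"


def find_suspect_tmp_files(directory, pattern="TMP*.tmp"):
    """Classify every file matching `pattern` (the Avira-reported naming scheme)
    in `directory`. Returns {file name: classification}."""
    results = {}
    for p in sorted(Path(directory).glob(pattern)):
        if p.is_file():
            results[p.name] = classify_file(p)
    return results


def build_sample_dir() -> Path:
    """Create a throwaway directory with constructed sample files.

    TMPC.tmp   : minimal PE image (MZ stub, e_lfanew -> 0x40, 'PE\\0\\0')
    TMPF.tmp   : plain text scratch data
    TMPE.tmp   : truncated MZ stub with no PE header
    TMP190.tmp : empty file
    notes.txt  : starts with MZ but does not match the TMP*.tmp pattern
    """
    d = Path(tempfile.mkdtemp(prefix="tmp_triage_"))
    pe = bytearray(MZ_MAGIC + b"\x00" * 0x3E)          # 0x40 bytes of DOS header
    struct.pack_into("<I", pe, 0x3C, 0x40)             # e_lfanew points right after it
    pe += PE_SIGNATURE + b"\x00" * 20                   # NT signature + padding
    (d / "TMPC.tmp").write_bytes(bytes(pe))
    (d / "TMPF.tmp").write_bytes(b"just some text data\n")
    (d / "TMPE.tmp").write_bytes(MZ_MAGIC + b"\x00" * 10)
    (d / "TMP190.tmp").write_bytes(b"")
    (d / "notes.txt").write_bytes(b"MZ but wrong name pattern")
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for name, kind in find_suspect_tmp_files(sample).items():
        flag = "  <-- executable content, keep for analysis" if kind == "pe" else ""
        print(f"{name:12} {kind}{flag}")
```

Point it at the real directory (for this thread that would be C:\WINDOWS\Temp) instead of the constructed sample; a .tmp that classifies as 'pe' is worth hashing and submitting to VirusTotal, as the helper asked for the two .sys files.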

  10. #10
    Junior Member
    Join Date
    Oct 2010
    Posts
    18

    Default

    Hmmm... I guess I can't attach an html file. This time, I've zipped it first...
