Page 1 of 3 123 LastLast
Results 1 to 10 of 25

Thread: Redirect Virus Problem

  1. #1
    Junior Member
    Join Date
    Dec 2010
    Posts
    13

    Default Redirect Virus Problem

    I have had the redirect virus, and AVG was saying winlogon.exe and explorer.exe were infected. It also said "virus found win32/patched". I'm sorry, but I did run combofix (I had not yet read the "Before you post" forum). That means I had to remove AVG. Combofix also detected winlogon and explorer as infected. I can post my combofix log or do a new one if you'd like. I actually have tried quite a bit on my own to defeat the virus but have had no success. I appreciate any help and let me know if any other information is needed. Thanks.

    Here is my DDS log:

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by HP_Administrator at 15:09:21.07 on Fri 12/31/2010
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.49 [GMT -7:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    c:\WINDOWS\system32\ZuneBusEnum.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
    C:\Program Files\ERUNT\ERUNT.EXE
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mURLSearchHooks: H - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: &Google Web Accelerator Helper: {69a87b7d-de56-4136-9655-716ba50c19c7} - c:\program files\google\web accelerator\GoogleWebAccToolbar.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Google Web Accelerator: {db87bfa2-a2e3-451e-8e5a-c89982d87cbf} - c:\program files\google\web accelerator\GoogleWebAccToolbar.dll
    TB: &Save Flash: {4064ea35-578d-4073-a834-c96d82cbcf40} - c:\program files\save flash\SaveFlash.dll
    TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
    uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
    mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
    mRun: [SpyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter4.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
    uPolicies-system: huuipbxzyjxjlyqlrnmrTaskMgr = 0 (0x0)
    IE: Add to &Evernote - c:\program files\evernote\evernote3.5\enbar.dll/2000
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\program files\evernote\evernote3.5\enbar.dll
    Trusted Zone: trymedia.com
    DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
    DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/a/f/b/afba1967-2025-49da-8356-bc4132038945/VirtualEarth3D.cab
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {428A9DEF-F057-402B-9F2D-A5887F4544ED} - hxxp://download.microsoft.com/download/f/0/2/f02b515c-7076-4cee-bc08-fd6fea594578/VirtualEarth3D.cab
    DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\d9y2cq1r.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b11a7d6&v=6.010.006.004&i=23&tp=ab&iy=b&ychte=us&lng=en-US&q=
    FF - Ext: LastPass: support@lastpass.com - %profile%\extensions\support@lastpass.com
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
    FF - Ext: FavLoc: {472f4ef0-a825-11da-a746-0800200c9a66} - %profile%\extensions\{472f4ef0-a825-11da-a746-0800200c9a66}
    FF - Ext: Google Bookmarks for Firefox: {473f9a20-ce5a-11da-a94d-0800200c9a66} - %profile%\extensions\{473f9a20-ce5a-11da-a94d-0800200c9a66}
    FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Sothink Web Video Downloader for Firefox: {FCAB6FDD-5585-425b-95C1-5ED856F3FD08} - %profile%\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}
    FF - Ext: Easy Youtube Video Downloader: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b} - %profile%\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
    FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-7 216400]
    R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-7 29584]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-7 243024]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R3 esgiguard;esgiguard;c:\program files\enigma software group\spyhunter\esgiguard.sys [2010-1-27 5248]
    R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2008-6-2 194304]
    R4 PCTCore;PCTools KDS;c:\windows\system32\drivers\pctcore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]
    S2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccevtmgr.exe" --> c:\program files\common files\symantec shared\ccEvtMgr.exe [?]
    S2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccsetmgr.exe" --> c:\program files\common files\symantec shared\ccSetMgr.exe [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-23 136176]
    S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\enigma~1\spyhun~1\SH4SER~1.EXE [2010-9-21 327000]
    S3 ccPwdSvc;Symantec Password Validation;"c:\program files\common files\symantec shared\ccpwdsvc.exe" --> c:\program files\common files\symantec shared\ccPwdSvc.exe [?]
    S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-10-30 16968]
    S3 RegKernelHelp;RegKernelHelp;\??\c:\program files\safe returner\regkernelhelp.sys --> c:\program files\safe returner\RegKernelHelp.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\toolbarbroker.exe --> c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [?]
    S4 avg9emc;AVG Free E-mail Scanner;"c:\program files\avg\avg9\avgemc.exe" --> c:\program files\avg\avg9\avgemc.exe [?]
    S4 avg9wd;AVG Free WatchDog;"c:\program files\avg\avg9\avgwdsvc.exe" --> c:\program files\avg\avg9\avgwdsvc.exe [?]

    =============== Created Last 30 ================

    2010-12-31 21:15:22 98816 ----a-w- c:\windows\sed.exe
    2010-12-31 21:15:22 89088 ----a-w- c:\windows\MBR.exe
    2010-12-31 21:15:22 256512 ----a-w- c:\windows\PEV.exe
    2010-12-31 21:15:22 161792 ----a-w- c:\windows\SWREG.exe
    2010-12-31 21:15:08 -------- d-----w- C:\NewCF
    2010-12-31 20:35:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
    2010-12-31 20:06:34 -------- d-----w- c:\docume~1\hp_adm~1\applic~1\AVG8
    2010-12-31 00:37:42 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin7.dll
    2010-12-31 00:37:41 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin6.dll
    2010-12-31 00:37:41 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin5.dll
    2010-12-31 00:37:40 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin4.dll
    2010-12-31 00:37:40 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin3.dll
    2010-12-31 00:37:39 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin2.dll
    2010-12-31 00:32:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-12-31 00:26:01 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
    2010-12-31 00:26:01 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
    2010-12-31 00:26:01 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
    2010-12-31 00:26:01 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
    2010-12-31 00:26:01 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
    2010-12-31 00:26:01 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
    2010-12-31 00:26:00 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
    2010-12-31 00:09:11 -------- d-----w- c:\program files\Bonjour
    2010-12-15 03:24:31 -------- d-----w- c:\docume~1\hp_adm~1\locals~1\applic~1\Garmin
    2010-12-15 02:52:13 -------- d-----w- c:\docume~1\hp_adm~1\locals~1\applic~1\GARMIN_Corp
    2010-12-15 02:30:46 -------- d-----w- c:\docume~1\hp_adm~1\applic~1\GARMIN
    2010-12-14 23:57:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\GARMIN
    2010-12-14 23:57:28 -------- d-----w- c:\program files\Garmin GPS Plugin
    2010-12-14 23:55:48 9344 ----a-w- c:\windows\system32\drivers\grmnusb.sys
    2010-12-14 23:55:47 18304 ----a-w- c:\windows\system32\drivers\grmngen.sys
    2010-12-14 23:55:29 -------- d-----w- C:\Garmin
    2010-12-14 23:55:27 -------- d-----w- c:\program files\Garmin

    ==================== Find3M ====================

    2010-11-30 00:44:12 3818105 ----a-w- C:\ComboFix.exe
    2010-11-30 00:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-30 00:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-29 00:31:26 0 ----a-w- c:\windows\system32\FAP46D.tmp
    2010-11-29 00:31:26 0 ----a-w- c:\windows\system32\FAP46A.tmp
    2010-11-29 00:31:26 0 ----a-w- c:\windows\system32\FAP462.tmp
    2010-11-29 00:31:23 0 ----a-w- c:\windows\system32\FAP453.tmp
    2010-11-29 00:25:55 0 ----a-w- c:\windows\system32\FAP450.tmp
    2010-11-29 00:24:49 0 ----a-w- c:\windows\system32\FAP443.tmp
    2010-11-29 00:24:48 0 ----a-w- c:\windows\system32\FAP42A.tmp
    2010-11-29 00:24:47 0 ----a-w- c:\windows\system32\FAP41F.tmp
    2010-11-29 00:24:46 0 ----a-w- c:\windows\system32\FAP41D.tmp
    2010-11-28 23:19:22 0 ----a-w- c:\windows\system32\FAP40D.tmp
    2010-11-28 23:19:21 0 ----a-w- c:\windows\system32\FAP40B.tmp
    2010-11-28 23:14:15 0 ----a-w- c:\windows\system32\FAP408.tmp
    2010-11-28 23:10:05 0 ----a-w- c:\windows\system32\FAP404.tmp
    2010-11-28 23:08:43 0 ----a-w- c:\windows\system32\FAP402.tmp
    2010-11-28 23:08:03 0 ----a-w- c:\windows\system32\FAP3FF.tmp
    2010-11-28 23:08:00 0 ----a-w- c:\windows\system32\FAP3FD.tmp
    2010-11-28 23:07:55 0 ----a-w- c:\windows\system32\FAP3FB.tmp
    2010-11-28 23:07:54 0 ----a-w- c:\windows\system32\FAP3F8.tmp
    2010-11-28 23:07:47 0 ----a-w- c:\windows\system32\FAP3F6.tmp
    2010-11-28 23:06:31 0 ----a-w- c:\windows\system32\FAP3F4.tmp
    2010-11-28 23:06:31 0 ----a-w- c:\windows\system32\FAP3F1.tmp
    2010-11-28 23:06:30 0 ----a-w- c:\windows\system32\FAP3EF.tmp
    2010-11-28 23:06:27 0 ----a-w- c:\windows\system32\FAP3EB.tmp
    2010-11-28 23:06:27 0 ----a-w- c:\windows\system32\FAP3E8.tmp
    2010-11-28 23:06:26 0 ----a-w- c:\windows\system32\FAP3E6.tmp
    2010-11-28 23:06:26 0 ----a-w- c:\windows\system32\FAP3E4.tmp
    2010-11-28 23:06:03 0 ----a-w- c:\windows\system32\FAP3E1.tmp
    2010-11-28 23:06:02 0 ----a-w- c:\windows\system32\FAP3DF.tmp
    2010-11-28 23:05:56 0 ----a-w- c:\windows\system32\FAP3DD.tmp
    2010-11-28 23:03:53 0 ----a-w- c:\windows\system32\FAP3DB.tmp
    2010-11-28 23:03:37 0 ----a-w- c:\windows\system32\FAP3D9.tmp
    2010-11-28 22:41:03 0 ----a-w- c:\windows\system32\FAP3D1.tmp
    2010-11-28 22:41:03 0 ----a-w- c:\windows\system32\FAP3CF.tmp
    2010-11-28 22:41:02 0 ----a-w- c:\windows\system32\FAP3CD.tmp
    2010-11-28 20:08:42 0 ----a-w- c:\windows\system32\FAP3A9.tmp
    2010-11-28 20:08:42 0 ----a-w- c:\windows\system32\FAP3A7.tmp
    2010-11-28 20:08:23 0 ----a-w- c:\windows\system32\FAP3A5.tmp
    2010-11-28 20:08:20 0 ----a-w- c:\windows\system32\FAP3A3.tmp
    2010-11-28 20:08:20 0 ----a-w- c:\windows\system32\FAP3A1.tmp
    2010-11-28 20:02:51 0 ----a-w- c:\windows\system32\FAP39D.tmp
    2010-11-28 20:02:47 0 ----a-w- c:\windows\system32\FAP39B.tmp
    2010-11-28 20:02:47 0 ----a-w- c:\windows\system32\FAP397.tmp
    2010-11-28 19:59:09 0 ----a-w- c:\windows\system32\FAP38E.tmp
    2010-11-28 19:59:05 0 ----a-w- c:\windows\system32\FAP383.tmp
    2010-11-28 19:59:04 0 ----a-w- c:\windows\system32\FAP37A.tmp
    2010-11-28 19:58:26 0 ----a-w- c:\windows\system32\FAP378.tmp
    2010-11-28 19:58:22 0 ----a-w- c:\windows\system32\FAP364.tmp
    2010-11-28 19:58:22 0 ----a-w- c:\windows\system32\FAP35E.tmp
    2010-11-28 19:57:53 0 ----a-w- c:\windows\system32\FAP351.tmp
    2010-11-28 19:57:47 0 ----a-w- c:\windows\system32\FAP34F.tmp
    2010-11-28 19:57:45 0 ----a-w- c:\windows\system32\FAP34B.tmp
    2010-11-28 19:56:04 0 ----a-w- c:\windows\system32\FAP345.tmp
    2010-11-28 19:37:06 0 ----a-w- c:\windows\system32\FAP334.tmp
    2010-11-28 16:25:41 0 ----a-w- c:\windows\system32\FAP30B.tmp
    2010-11-28 16:25:41 0 ----a-w- c:\windows\system32\FAP306.tmp
    2010-11-28 16:25:39 0 ----a-w- c:\windows\system32\FAP300.tmp
    2010-11-28 16:25:38 0 ----a-w- c:\windows\system32\FAP2FC.tmp
    2010-11-28 16:25:26 0 ----a-w- c:\windows\system32\FAP2E6.tmp
    2010-11-28 16:25:26 0 ----a-w- c:\windows\system32\FAP2D5.tmp
    2010-11-28 16:25:23 0 ----a-w- c:\windows\system32\FAP2CE.tmp
    2010-11-28 16:25:17 0 ----a-w- c:\windows\system32\FAP2C7.tmp
    2010-11-28 16:25:17 0 ----a-w- c:\windows\system32\FAP2B2.tmp
    2010-11-28 16:25:16 0 ----a-w- c:\windows\system32\FAP2AD.tmp
    2010-11-28 16:25:14 0 ----a-w- c:\windows\system32\FAP2A1.tmp
    2010-11-28 07:36:19 0 ----a-w- c:\windows\system32\FAP1D8.tmp
    2010-11-28 07:36:16 0 ----a-w- c:\windows\system32\FAP1B4.tmp
    2010-11-28 07:36:16 0 ----a-w- c:\windows\system32\FAP1AF.tmp
    2010-11-28 07:36:15 0 ----a-w- c:\windows\system32\FAP1A8.tmp
    2010-11-28 07:36:13 0 ----a-w- c:\windows\system32\FAP19C.tmp
    2010-11-28 07:35:18 0 ----a-w- c:\windows\system32\FAP199.tmp
    2010-11-28 07:34:29 0 ----a-w- c:\windows\system32\FAP18C.tmp
    2010-11-28 07:33:41 0 ----a-w- c:\windows\system32\FAP179.tmp
    2010-11-28 07:33:39 0 ----a-w- c:\windows\system32\FAP176.tmp
    2010-11-28 07:32:15 0 ----a-w- c:\windows\system32\FAP16D.tmp
    2010-11-28 07:32:15 0 ----a-w- c:\windows\system32\FAP169.tmp
    2010-11-28 07:32:12 0 ----a-w- c:\windows\system32\FAP167.tmp
    2010-11-28 07:28:36 0 ----a-w- c:\windows\system32\FAP162.tmp
    2010-11-28 07:28:34 0 ----a-w- c:\windows\system32\FAP160.tmp
    2010-11-28 01:57:17 0 ----a-w- c:\windows\system32\FAPFF.tmp
    2010-11-28 01:56:59 0 ----a-w- c:\windows\system32\FAPFD.tmp
    2010-11-28 01:56:44 0 ----a-w- c:\windows\system32\FAPFB.tmp
    2010-11-28 01:56:18 0 ----a-w- c:\windows\system32\FAPF7.tmp
    2010-11-28 01:56:09 0 ----a-w- c:\windows\system32\FAPF5.tmp
    2010-11-28 01:56:08 0 ----a-w- c:\windows\system32\FAPF3.tmp
    2010-11-28 01:56:07 0 ----a-w- c:\windows\system32\FAPF1.tmp
    2010-11-28 01:56:03 0 ----a-w- c:\windows\system32\FAPEF.tmp
    2010-11-28 01:51:01 0 ----a-w- c:\windows\system32\FAPEC.tmp
    2010-11-28 01:51:00 0 ----a-w- c:\windows\system32\FAPE7.tmp
    2010-11-28 01:51:00 0 ----a-w- c:\windows\system32\FAPE4.tmp
    2010-11-28 01:50:53 0 ----a-w- c:\windows\system32\FAPE2.tmp
    2010-11-28 01:50:32 0 ----a-w- c:\windows\system32\FAPD9.tmp
    2010-11-28 01:50:27 0 ----a-w- c:\windows\system32\FAPD7.tmp
    2010-11-28 01:50:27 0 ----a-w- c:\windows\system32\FAPD5.tmp
    2010-11-28 01:50:20 0 ----a-w- c:\windows\system32\FAPD3.tmp
    2010-11-28 01:50:17 0 ----a-w- c:\windows\system32\FAPD1.tmp
    2010-11-28 01:50:17 0 ----a-w- c:\windows\system32\FAPCF.tmp
    2010-11-28 01:49:42 0 ----a-w- c:\windows\system32\FAPCC.tmp

    ============= FINISH: 15:10:33.31 ===============

  2. #2
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    µTorrent


    I'd like you to read this thread.

    Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

    Post fresh dds logs + old ComboFix log.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member
    Join Date
    Dec 2010
    Posts
    13

    Default

    Thank you. I uninstalled utorrent, and below is my new DDS log. It was too many characters to include the ComboFix log, so I've attached it and also the DDS attach.txt. If it's easier for me to do another post with separate logs just let me know. Thanks again.

    DDS log:


    DDS (Ver_10-12-12.02) - NTFSx86
    Run by HP_Administrator at 17:40:02.98 on Tue 01/04/2011
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.697 [GMT -7:00]


    ============== Running Processes ===============

    C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    c:\WINDOWS\system32\ZuneBusEnum.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe
    C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
    C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
    C:\Program Files\Google\Update\GoogleUpdate.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mURLSearchHooks: H - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: &Google Web Accelerator Helper: {69a87b7d-de56-4136-9655-716ba50c19c7} - c:\program files\google\web accelerator\GoogleWebAccToolbar.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Google Web Accelerator: {db87bfa2-a2e3-451e-8e5a-c89982d87cbf} - c:\program files\google\web accelerator\GoogleWebAccToolbar.dll
    TB: &Save Flash: {4064ea35-578d-4073-a834-c96d82cbcf40} - c:\program files\save flash\SaveFlash.dll
    TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
    uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
    mRun: [SpyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter4.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
    uPolicies-system: huuipbxzyjxjlyqlrnmrTaskMgr = 0 (0x0)
    IE: Add to &Evernote - c:\program files\evernote\evernote3.5\enbar.dll/2000
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\program files\evernote\evernote3.5\enbar.dll
    Trusted Zone: trymedia.com
    DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
    DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/a/f/b/afba1967-2025-49da-8356-bc4132038945/VirtualEarth3D.cab
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {428A9DEF-F057-402B-9F2D-A5887F4544ED} - hxxp://download.microsoft.com/download/f/0/2/f02b515c-7076-4cee-bc08-fd6fea594578/VirtualEarth3D.cab
    DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\d9y2cq1r.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b11a7d6&v=6.010.006.004&i=23&tp=ab&iy=b&ychte=us&lng=en-US&q=
    FF - component: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\d9y2cq1r.default\extensions\{fcab6fdd-5585-425b-95c1-5ed856f3fd08}\components\nsCatcher.dll
    FF - component: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\d9y2cq1r.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
    FF - plugin: c:\documents and settings\hp_administrator\application data\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\hp_administrator\application data\mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: c:\documents and settings\hp_administrator\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\microsoft research\hd view\nphdview.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPinfotl.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
    FF - Ext: LastPass: support@lastpass.com - %profile%\extensions\support@lastpass.com
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
    FF - Ext: FavLoc: {472f4ef0-a825-11da-a746-0800200c9a66} - %profile%\extensions\{472f4ef0-a825-11da-a746-0800200c9a66}
    FF - Ext: Google Bookmarks for Firefox: {473f9a20-ce5a-11da-a94d-0800200c9a66} - %profile%\extensions\{473f9a20-ce5a-11da-a94d-0800200c9a66}
    FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Sothink Web Video Downloader for Firefox: {FCAB6FDD-5585-425b-95C1-5ED856F3FD08} - %profile%\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}
    FF - Ext: Easy Youtube Video Downloader: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b} - %profile%\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
    FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-7 216400]
    R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-7 29584]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-7 243024]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\enigma~1\spyhun~1\SH4SER~1.EXE [2010-9-21 327000]
    R3 esgiguard;esgiguard;c:\program files\enigma software group\spyhunter\esgiguard.sys [2010-1-27 5248]
    R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2008-6-2 194304]
    S2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccevtmgr.exe" --> c:\program files\common files\symantec shared\ccEvtMgr.exe [?]
    S2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccsetmgr.exe" --> c:\program files\common files\symantec shared\ccSetMgr.exe [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-23 136176]
    S3 ccPwdSvc;Symantec Password Validation;"c:\program files\common files\symantec shared\ccpwdsvc.exe" --> c:\program files\common files\symantec shared\ccPwdSvc.exe [?]
    S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-10-30 16968]
    S3 RegKernelHelp;RegKernelHelp;\??\c:\program files\safe returner\regkernelhelp.sys --> c:\program files\safe returner\RegKernelHelp.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\toolbarbroker.exe --> c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [?]
    S4 avg9emc;AVG Free E-mail Scanner;"c:\program files\avg\avg9\avgemc.exe" --> c:\program files\avg\avg9\avgemc.exe [?]
    S4 avg9wd;AVG Free WatchDog;"c:\program files\avg\avg9\avgwdsvc.exe" --> c:\program files\avg\avg9\avgwdsvc.exe [?]

    =============== Created Last 30 ================

    2010-12-31 21:15:22 98816 ----a-w- c:\windows\sed.exe
    2010-12-31 21:15:22 89088 ----a-w- c:\windows\MBR.exe
    2010-12-31 21:15:22 256512 ----a-w- c:\windows\PEV.exe
    2010-12-31 21:15:22 161792 ----a-w- c:\windows\SWREG.exe
    2010-12-31 21:15:08 -------- d-----w- C:\NewCF
    2010-12-31 20:35:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
    2010-12-31 20:06:34 -------- d-----w- c:\docume~1\hp_adm~1\applic~1\AVG8
    2010-12-31 00:37:42 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin7.dll
    2010-12-31 00:37:41 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin6.dll
    2010-12-31 00:37:41 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin5.dll
    2010-12-31 00:37:40 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin4.dll
    2010-12-31 00:37:40 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin3.dll
    2010-12-31 00:37:39 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin2.dll
    2010-12-31 00:32:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-12-31 00:26:01 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
    2010-12-31 00:26:01 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
    2010-12-31 00:26:01 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
    2010-12-31 00:26:01 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
    2010-12-31 00:26:01 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
    2010-12-31 00:26:01 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
    2010-12-31 00:26:00 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
    2010-12-31 00:09:11 -------- d-----w- c:\program files\Bonjour
    2010-12-15 03:24:31 -------- d-----w- c:\docume~1\hp_adm~1\locals~1\applic~1\Garmin
    2010-12-15 02:52:13 -------- d-----w- c:\docume~1\hp_adm~1\locals~1\applic~1\GARMIN_Corp
    2010-12-15 02:30:46 -------- d-----w- c:\docume~1\hp_adm~1\applic~1\GARMIN
    2010-12-14 23:57:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\GARMIN
    2010-12-14 23:57:28 -------- d-----w- c:\program files\Garmin GPS Plugin
    2010-12-14 23:55:48 9344 ----a-w- c:\windows\system32\drivers\grmnusb.sys
    2010-12-14 23:55:47 18304 ----a-w- c:\windows\system32\drivers\grmngen.sys
    2010-12-14 23:55:29 -------- d-----w- C:\Garmin
    2010-12-14 23:55:27 -------- d-----w- c:\program files\Garmin

    ==================== Find3M ====================

    2010-11-30 00:44:12 3818105 ----a-w- C:\ComboFix.exe
    2010-11-30 00:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-30 00:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-29 00:31:26 0 ----a-w- c:\windows\system32\FAP46D.tmp
    2010-11-29 00:31:26 0 ----a-w- c:\windows\system32\FAP46A.tmp
    2010-11-29 00:31:26 0 ----a-w- c:\windows\system32\FAP462.tmp
    2010-11-29 00:31:23 0 ----a-w- c:\windows\system32\FAP453.tmp
    2010-11-29 00:25:55 0 ----a-w- c:\windows\system32\FAP450.tmp
    2010-11-29 00:24:49 0 ----a-w- c:\windows\system32\FAP443.tmp
    2010-11-29 00:24:48 0 ----a-w- c:\windows\system32\FAP42A.tmp
    2010-11-29 00:24:47 0 ----a-w- c:\windows\system32\FAP41F.tmp
    2010-11-29 00:24:46 0 ----a-w- c:\windows\system32\FAP41D.tmp
    2010-11-28 23:19:22 0 ----a-w- c:\windows\system32\FAP40D.tmp
    2010-11-28 23:19:21 0 ----a-w- c:\windows\system32\FAP40B.tmp
    2010-11-28 23:14:15 0 ----a-w- c:\windows\system32\FAP408.tmp
    2010-11-28 23:10:05 0 ----a-w- c:\windows\system32\FAP404.tmp
    2010-11-28 23:08:43 0 ----a-w- c:\windows\system32\FAP402.tmp
    2010-11-28 23:08:03 0 ----a-w- c:\windows\system32\FAP3FF.tmp
    2010-11-28 23:08:00 0 ----a-w- c:\windows\system32\FAP3FD.tmp
    2010-11-28 23:07:55 0 ----a-w- c:\windows\system32\FAP3FB.tmp
    2010-11-28 23:07:54 0 ----a-w- c:\windows\system32\FAP3F8.tmp
    2010-11-28 23:07:47 0 ----a-w- c:\windows\system32\FAP3F6.tmp
    2010-11-28 23:06:31 0 ----a-w- c:\windows\system32\FAP3F4.tmp
    2010-11-28 23:06:31 0 ----a-w- c:\windows\system32\FAP3F1.tmp
    2010-11-28 23:06:30 0 ----a-w- c:\windows\system32\FAP3EF.tmp
    2010-11-28 23:06:27 0 ----a-w- c:\windows\system32\FAP3EB.tmp
    2010-11-28 23:06:27 0 ----a-w- c:\windows\system32\FAP3E8.tmp
    2010-11-28 23:06:26 0 ----a-w- c:\windows\system32\FAP3E6.tmp
    2010-11-28 23:06:26 0 ----a-w- c:\windows\system32\FAP3E4.tmp
    2010-11-28 23:06:03 0 ----a-w- c:\windows\system32\FAP3E1.tmp
    2010-11-28 23:06:02 0 ----a-w- c:\windows\system32\FAP3DF.tmp
    2010-11-28 23:05:56 0 ----a-w- c:\windows\system32\FAP3DD.tmp
    2010-11-28 23:03:53 0 ----a-w- c:\windows\system32\FAP3DB.tmp
    2010-11-28 23:03:37 0 ----a-w- c:\windows\system32\FAP3D9.tmp
    2010-11-28 22:41:03 0 ----a-w- c:\windows\system32\FAP3D1.tmp
    2010-11-28 22:41:03 0 ----a-w- c:\windows\system32\FAP3CF.tmp
    2010-11-28 22:41:02 0 ----a-w- c:\windows\system32\FAP3CD.tmp
    2010-11-28 20:08:42 0 ----a-w- c:\windows\system32\FAP3A9.tmp
    2010-11-28 20:08:42 0 ----a-w- c:\windows\system32\FAP3A7.tmp
    2010-11-28 20:08:23 0 ----a-w- c:\windows\system32\FAP3A5.tmp
    2010-11-28 20:08:20 0 ----a-w- c:\windows\system32\FAP3A3.tmp
    2010-11-28 20:08:20 0 ----a-w- c:\windows\system32\FAP3A1.tmp
    2010-11-28 20:02:51 0 ----a-w- c:\windows\system32\FAP39D.tmp
    2010-11-28 20:02:47 0 ----a-w- c:\windows\system32\FAP39B.tmp
    2010-11-28 20:02:47 0 ----a-w- c:\windows\system32\FAP397.tmp
    2010-11-28 19:59:09 0 ----a-w- c:\windows\system32\FAP38E.tmp
    2010-11-28 19:59:05 0 ----a-w- c:\windows\system32\FAP383.tmp
    2010-11-28 19:59:04 0 ----a-w- c:\windows\system32\FAP37A.tmp
    2010-11-28 19:58:26 0 ----a-w- c:\windows\system32\FAP378.tmp
    2010-11-28 19:58:22 0 ----a-w- c:\windows\system32\FAP364.tmp
    2010-11-28 19:58:22 0 ----a-w- c:\windows\system32\FAP35E.tmp
    2010-11-28 19:57:53 0 ----a-w- c:\windows\system32\FAP351.tmp
    2010-11-28 19:57:47 0 ----a-w- c:\windows\system32\FAP34F.tmp
    2010-11-28 19:57:45 0 ----a-w- c:\windows\system32\FAP34B.tmp
    2010-11-28 19:56:04 0 ----a-w- c:\windows\system32\FAP345.tmp
    2010-11-28 19:37:06 0 ----a-w- c:\windows\system32\FAP334.tmp
    2010-11-28 16:25:41 0 ----a-w- c:\windows\system32\FAP30B.tmp
    2010-11-28 16:25:41 0 ----a-w- c:\windows\system32\FAP306.tmp
    2010-11-28 16:25:39 0 ----a-w- c:\windows\system32\FAP300.tmp
    2010-11-28 16:25:38 0 ----a-w- c:\windows\system32\FAP2FC.tmp
    2010-11-28 16:25:26 0 ----a-w- c:\windows\system32\FAP2E6.tmp
    2010-11-28 16:25:26 0 ----a-w- c:\windows\system32\FAP2D5.tmp
    2010-11-28 16:25:23 0 ----a-w- c:\windows\system32\FAP2CE.tmp
    2010-11-28 16:25:17 0 ----a-w- c:\windows\system32\FAP2C7.tmp
    2010-11-28 16:25:17 0 ----a-w- c:\windows\system32\FAP2B2.tmp
    2010-11-28 16:25:16 0 ----a-w- c:\windows\system32\FAP2AD.tmp
    2010-11-28 16:25:14 0 ----a-w- c:\windows\system32\FAP2A1.tmp
    2010-11-28 07:36:19 0 ----a-w- c:\windows\system32\FAP1D8.tmp
    2010-11-28 07:36:16 0 ----a-w- c:\windows\system32\FAP1B4.tmp
    2010-11-28 07:36:16 0 ----a-w- c:\windows\system32\FAP1AF.tmp
    2010-11-28 07:36:15 0 ----a-w- c:\windows\system32\FAP1A8.tmp
    2010-11-28 07:36:13 0 ----a-w- c:\windows\system32\FAP19C.tmp
    2010-11-28 07:35:18 0 ----a-w- c:\windows\system32\FAP199.tmp
    2010-11-28 07:34:29 0 ----a-w- c:\windows\system32\FAP18C.tmp
    2010-11-28 07:33:41 0 ----a-w- c:\windows\system32\FAP179.tmp
    2010-11-28 07:33:39 0 ----a-w- c:\windows\system32\FAP176.tmp
    2010-11-28 07:32:15 0 ----a-w- c:\windows\system32\FAP16D.tmp
    2010-11-28 07:32:15 0 ----a-w- c:\windows\system32\FAP169.tmp
    2010-11-28 07:32:12 0 ----a-w- c:\windows\system32\FAP167.tmp
    2010-11-28 07:28:36 0 ----a-w- c:\windows\system32\FAP162.tmp
    2010-11-28 07:28:34 0 ----a-w- c:\windows\system32\FAP160.tmp
    2010-11-28 01:57:17 0 ----a-w- c:\windows\system32\FAPFF.tmp
    2010-11-28 01:56:59 0 ----a-w- c:\windows\system32\FAPFD.tmp
    2010-11-28 01:56:44 0 ----a-w- c:\windows\system32\FAPFB.tmp
    2010-11-28 01:56:18 0 ----a-w- c:\windows\system32\FAPF7.tmp
    2010-11-28 01:56:09 0 ----a-w- c:\windows\system32\FAPF5.tmp
    2010-11-28 01:56:08 0 ----a-w- c:\windows\system32\FAPF3.tmp
    2010-11-28 01:56:07 0 ----a-w- c:\windows\system32\FAPF1.tmp
    2010-11-28 01:56:03 0 ----a-w- c:\windows\system32\FAPEF.tmp
    2010-11-28 01:51:01 0 ----a-w- c:\windows\system32\FAPEC.tmp
    2010-11-28 01:51:00 0 ----a-w- c:\windows\system32\FAPE7.tmp
    2010-11-28 01:51:00 0 ----a-w- c:\windows\system32\FAPE4.tmp
    2010-11-28 01:50:53 0 ----a-w- c:\windows\system32\FAPE2.tmp
    2010-11-28 01:50:32 0 ----a-w- c:\windows\system32\FAPD9.tmp
    2010-11-28 01:50:27 0 ----a-w- c:\windows\system32\FAPD7.tmp
    2010-11-28 01:50:27 0 ----a-w- c:\windows\system32\FAPD5.tmp
    2010-11-28 01:50:20 0 ----a-w- c:\windows\system32\FAPD3.tmp
    2010-11-28 01:50:17 0 ----a-w- c:\windows\system32\FAPD1.tmp
    2010-11-28 01:50:17 0 ----a-w- c:\windows\system32\FAPCF.tmp
    2010-11-28 01:49:42 0 ----a-w- c:\windows\system32\FAPCC.tmp

    ============= FINISH: 17:42:00.84 ===============

  4. #4
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Upload these files to http://www.virustotal.com and post back the results or links to the results:
    c:\windows\system32\winlogon.exe
    c:\windows\explorer.exe
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  5. #5
    Junior Member
    Join Date
    Dec 2010
    Posts
    13

    Default

    Here are the winlogon.exe results from virustotal:
    http://www.virustotal.com/file-scan/...5fc-1294274771

    And the explorer.exe results:
    http://www.virustotal.com/file-scan/...199-1294275479

  6. #6
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Upload these files to Virustotal and post back the results like you did with the files above:
    c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
    c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  7. #7
    Junior Member
    Join Date
    Dec 2010
    Posts
    13

    Default

    Here they are -

    For c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe:
    http://www.virustotal.com/file-scan/...b1e-1294456329

    For c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe:
    http://www.virustotal.com/file-scan/...455-1294456582

  8. #8
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi again,


    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    FCopy::
    c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe|c:\windows\system32\winlogon.exe
    c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe|c:\windows\explorer.exe
    DDS::
    uPolicies-system: huuipbxzyjxjlyqlrnmrTaskMgr = 0 (0x0)
    Folder::
    c:\Program Files\uTorrent
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=-

    Save this as
    CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
    Then post the resultant log.


    Uninstall old Adobe Reader versions and get the latest one (9.4 + 9.4.1 update or Adobe Reader X if offered) here or get Foxit Reader here. Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here.


    Uninstall vulnerable Flash versions by following instructions here. Fresh version can be obtained here.


    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 23.
    • Click the
      Download
      button to the right.
    • Select Windows on platform combobox and check the box that says:
      Accept License Agreement. Click continue.
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u23-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.




    * Go here to run an online scanner from ESET.
    • Note: You will need to use Internet explorer for this scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install
    • Click Start
    • Make sure that the option Remove found threats is UNchecked.
    • Click Scan
    • Wait for the scan to finish.


    Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  9. #9
    Junior Member
    Join Date
    Dec 2010
    Posts
    13

    Default

    Thanks. Here are the results of everything you told me to do:

    ---When following the instructions for dragging the script to the combofix executable, I get a lot of errors. The first one is:

    32788R22FWJFW\iexplore.exe is not a valid Win32 application

    I can only select OK, and when I do, the same message continues to come back, though the executable changes\alternates between the following:

    FireFox.exe
    hidec.exe
    PEV.exe
    NircmdB.exe
    NIRCMD.exe

    A total of about 50 error messages come up before they stop. Towards the end, the the blue ComboFix command prompt comes up, only "Access is denied" shows, then the window disappears.
    If you need any screen shots or more info on this just let me know.


    --I uninstalled Adobe Reader and installed version X
    --I uninstalled Adobe Flash Player and installed version 10.1.102.64
    --I removed older version Java components and updated to the latest version (jre-6u23-windows-i586)
    --Eset's log:

    C:\Documents and Settings\All Users\Application Data\SafeReturner\Quarantine\explorer.exe.vir Win32/Bamital.EC trojan
    C:\Documents and Settings\All Users\Application Data\SafeReturner\Quarantine\winlogon.exe.vir Win32/Bamital.EC trojan
    C:\Documents and Settings\All Users\Documents\Server\hlp.dat Win32/Bamital.DZ trojan
    C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-182a8173.zip probably a variant of Win32/Agent.IFZWEVY trojan
    C:\Documents and Settings\HP_Administrator\Desktop\LimewireDownloads\mmmbop remix.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\HP_Administrator\Local Settings\Application Data\692926503.dll.vir a variant of Win32/Kryptik.DJM trojan
    C:\WINDOWS\explorer.exe Win32/Bamital.EC trojan
    C:\WINDOWS\system32\winlogon.exe Win32/Bamital.EC trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20100422-234048.backup Win32/Qhost trojan
    Operating memory Win32/Bamital.EC trojan

    --DDS Log:

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by HP_Administrator at 15:40:13.42 on Sat 01/08/2011
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_23
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.255 [GMT -7:00]


    ============== Running Processes ===============

    C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    c:\WINDOWS\system32\ZuneBusEnum.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe
    C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
    C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mURLSearchHooks: H - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: &Google Web Accelerator Helper: {69a87b7d-de56-4136-9655-716ba50c19c7} - c:\program files\google\web accelerator\GoogleWebAccToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Google Web Accelerator: {db87bfa2-a2e3-451e-8e5a-c89982d87cbf} - c:\program files\google\web accelerator\GoogleWebAccToolbar.dll
    TB: &Save Flash: {4064ea35-578d-4073-a834-c96d82cbcf40} - c:\program files\save flash\SaveFlash.dll
    TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
    uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
    mRun: [SpyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter4.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
    uPolicies-system: huuipbxzyjxjlyqlrnmrTaskMgr = 0 (0x0)
    IE: Add to &Evernote - c:\program files\evernote\evernote3.5\enbar.dll/2000
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\program files\evernote\evernote3.5\enbar.dll
    Trusted Zone: trymedia.com
    DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
    DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/a/f/b/afba1967-2025-49da-8356-bc4132038945/VirtualEarth3D.cab
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {428A9DEF-F057-402B-9F2D-A5887F4544ED} - hxxp://download.microsoft.com/download/f/0/2/f02b515c-7076-4cee-bc08-fd6fea594578/VirtualEarth3D.cab
    DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\d9y2cq1r.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b11a7d6&v=6.010.006.004&i=23&tp=ab&iy=b&ychte=us&lng=en-US&q=
    FF - component: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\d9y2cq1r.default\extensions\{fcab6fdd-5585-425b-95c1-5ed856f3fd08}\components\nsCatcher.dll
    FF - component: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\d9y2cq1r.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
    FF - plugin: c:\documents and settings\hp_administrator\application data\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\hp_administrator\application data\mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: c:\documents and settings\hp_administrator\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\microsoft research\hd view\nphdview.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPinfotl.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
    FF - Ext: LastPass: support@lastpass.com - %profile%\extensions\support@lastpass.com
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
    FF - Ext: FavLoc: {472f4ef0-a825-11da-a746-0800200c9a66} - %profile%\extensions\{472f4ef0-a825-11da-a746-0800200c9a66}
    FF - Ext: Google Bookmarks for Firefox: {473f9a20-ce5a-11da-a94d-0800200c9a66} - %profile%\extensions\{473f9a20-ce5a-11da-a94d-0800200c9a66}
    FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Sothink Web Video Downloader for Firefox: {FCAB6FDD-5585-425b-95C1-5ED856F3FD08} - %profile%\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}
    FF - Ext: Easy Youtube Video Downloader: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b} - %profile%\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
    FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-7 216400]
    R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-7 29584]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-7 243024]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\enigma~1\spyhun~1\SH4SER~1.EXE [2010-9-21 327000]
    R3 esgiguard;esgiguard;c:\program files\enigma software group\spyhunter\esgiguard.sys [2010-1-27 5248]
    R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2008-6-2 194304]
    S2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccevtmgr.exe" --> c:\program files\common files\symantec shared\ccEvtMgr.exe [?]
    S2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccsetmgr.exe" --> c:\program files\common files\symantec shared\ccSetMgr.exe [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-23 136176]
    S3 ccPwdSvc;Symantec Password Validation;"c:\program files\common files\symantec shared\ccpwdsvc.exe" --> c:\program files\common files\symantec shared\ccPwdSvc.exe [?]
    S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-10-30 16968]
    S3 RegKernelHelp;RegKernelHelp;\??\c:\program files\safe returner\regkernelhelp.sys --> c:\program files\safe returner\RegKernelHelp.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\toolbarbroker.exe --> c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [?]
    S4 avg9emc;AVG Free E-mail Scanner;"c:\program files\avg\avg9\avgemc.exe" --> c:\program files\avg\avg9\avgemc.exe [?]
    S4 avg9wd;AVG Free WatchDog;"c:\program files\avg\avg9\avgwdsvc.exe" --> c:\program files\avg\avg9\avgwdsvc.exe [?]

    =============== Created Last 30 ================

    2011-01-08 17:30:31 -------- d-----w- c:\program files\ESET
    2011-01-08 17:22:25 -------- d-s---w- C:\ComboFix
    2011-01-08 17:20:56 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-01-08 17:20:56 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-01-08 17:20:56 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2010-12-31 21:15:08 -------- d-----w- C:\NewCF
    2010-12-31 20:35:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
    2010-12-31 20:06:34 -------- d-----w- c:\docume~1\hp_adm~1\applic~1\AVG8
    2010-12-31 00:37:42 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin7.dll
    2010-12-31 00:37:41 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin6.dll
    2010-12-31 00:37:41 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin5.dll
    2010-12-31 00:37:40 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin4.dll
    2010-12-31 00:37:40 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin3.dll
    2010-12-31 00:37:39 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin2.dll
    2010-12-31 00:32:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-12-31 00:26:01 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
    2010-12-31 00:26:01 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
    2010-12-31 00:26:01 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
    2010-12-31 00:26:01 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
    2010-12-31 00:26:01 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
    2010-12-31 00:26:01 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
    2010-12-31 00:26:00 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
    2010-12-31 00:09:11 -------- d-----w- c:\program files\Bonjour
    2010-12-15 03:24:31 -------- d-----w- c:\docume~1\hp_adm~1\locals~1\applic~1\Garmin
    2010-12-15 02:52:13 -------- d-----w- c:\docume~1\hp_adm~1\locals~1\applic~1\GARMIN_Corp
    2010-12-15 02:30:46 -------- d-----w- c:\docume~1\hp_adm~1\applic~1\GARMIN
    2010-12-14 23:57:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\GARMIN
    2010-12-14 23:57:28 -------- d-----w- c:\program files\Garmin GPS Plugin
    2010-12-14 23:55:48 9344 ----a-w- c:\windows\system32\drivers\grmnusb.sys
    2010-12-14 23:55:47 18304 ----a-w- c:\windows\system32\drivers\grmngen.sys
    2010-12-14 23:55:29 -------- d-----w- C:\Garmin
    2010-12-14 23:55:27 -------- d-----w- c:\program files\Garmin

    ==================== Find3M ====================

    2010-12-02 03:35:18 4280320 ----a-w- c:\windows\system32\GPhotos.scr
    2010-11-30 00:44:12 3818105 ----a-w- C:\ComboFix.exe
    2010-11-30 00:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-30 00:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-29 00:31:26 0 ----a-w- c:\windows\system32\FAP46D.tmp
    2010-11-29 00:31:26 0 ----a-w- c:\windows\system32\FAP46A.tmp
    2010-11-29 00:31:26 0 ----a-w- c:\windows\system32\FAP462.tmp
    2010-11-29 00:31:23 0 ----a-w- c:\windows\system32\FAP453.tmp
    2010-11-29 00:25:55 0 ----a-w- c:\windows\system32\FAP450.tmp
    2010-11-29 00:24:49 0 ----a-w- c:\windows\system32\FAP443.tmp
    2010-11-29 00:24:48 0 ----a-w- c:\windows\system32\FAP42A.tmp
    2010-11-29 00:24:47 0 ----a-w- c:\windows\system32\FAP41F.tmp
    2010-11-29 00:24:46 0 ----a-w- c:\windows\system32\FAP41D.tmp
    2010-11-28 23:19:22 0 ----a-w- c:\windows\system32\FAP40D.tmp
    2010-11-28 23:19:21 0 ----a-w- c:\windows\system32\FAP40B.tmp
    2010-11-28 23:14:15 0 ----a-w- c:\windows\system32\FAP408.tmp
    2010-11-28 23:10:05 0 ----a-w- c:\windows\system32\FAP404.tmp
    2010-11-28 23:08:43 0 ----a-w- c:\windows\system32\FAP402.tmp
    2010-11-28 23:08:03 0 ----a-w- c:\windows\system32\FAP3FF.tmp
    2010-11-28 23:08:00 0 ----a-w- c:\windows\system32\FAP3FD.tmp
    2010-11-28 23:07:55 0 ----a-w- c:\windows\system32\FAP3FB.tmp
    2010-11-28 23:07:54 0 ----a-w- c:\windows\system32\FAP3F8.tmp
    2010-11-28 23:07:47 0 ----a-w- c:\windows\system32\FAP3F6.tmp
    2010-11-28 23:06:31 0 ----a-w- c:\windows\system32\FAP3F4.tmp
    2010-11-28 23:06:31 0 ----a-w- c:\windows\system32\FAP3F1.tmp
    2010-11-28 23:06:30 0 ----a-w- c:\windows\system32\FAP3EF.tmp
    2010-11-28 23:06:27 0 ----a-w- c:\windows\system32\FAP3EB.tmp
    2010-11-28 23:06:27 0 ----a-w- c:\windows\system32\FAP3E8.tmp
    2010-11-28 23:06:26 0 ----a-w- c:\windows\system32\FAP3E6.tmp
    2010-11-28 23:06:26 0 ----a-w- c:\windows\system32\FAP3E4.tmp
    2010-11-28 23:06:03 0 ----a-w- c:\windows\system32\FAP3E1.tmp
    2010-11-28 23:06:02 0 ----a-w- c:\windows\system32\FAP3DF.tmp
    2010-11-28 23:05:56 0 ----a-w- c:\windows\system32\FAP3DD.tmp
    2010-11-28 23:03:53 0 ----a-w- c:\windows\system32\FAP3DB.tmp
    2010-11-28 23:03:37 0 ----a-w- c:\windows\system32\FAP3D9.tmp
    2010-11-28 22:41:03 0 ----a-w- c:\windows\system32\FAP3D1.tmp
    2010-11-28 22:41:03 0 ----a-w- c:\windows\system32\FAP3CF.tmp
    2010-11-28 22:41:02 0 ----a-w- c:\windows\system32\FAP3CD.tmp
    2010-11-28 20:08:42 0 ----a-w- c:\windows\system32\FAP3A9.tmp
    2010-11-28 20:08:42 0 ----a-w- c:\windows\system32\FAP3A7.tmp
    2010-11-28 20:08:23 0 ----a-w- c:\windows\system32\FAP3A5.tmp
    2010-11-28 20:08:20 0 ----a-w- c:\windows\system32\FAP3A3.tmp
    2010-11-28 20:08:20 0 ----a-w- c:\windows\system32\FAP3A1.tmp
    2010-11-28 20:02:51 0 ----a-w- c:\windows\system32\FAP39D.tmp
    2010-11-28 20:02:47 0 ----a-w- c:\windows\system32\FAP39B.tmp
    2010-11-28 20:02:47 0 ----a-w- c:\windows\system32\FAP397.tmp
    2010-11-28 19:59:09 0 ----a-w- c:\windows\system32\FAP38E.tmp
    2010-11-28 19:59:05 0 ----a-w- c:\windows\system32\FAP383.tmp
    2010-11-28 19:59:04 0 ----a-w- c:\windows\system32\FAP37A.tmp
    2010-11-28 19:58:26 0 ----a-w- c:\windows\system32\FAP378.tmp
    2010-11-28 19:58:22 0 ----a-w- c:\windows\system32\FAP364.tmp
    2010-11-28 19:58:22 0 ----a-w- c:\windows\system32\FAP35E.tmp
    2010-11-28 19:57:53 0 ----a-w- c:\windows\system32\FAP351.tmp
    2010-11-28 19:57:47 0 ----a-w- c:\windows\system32\FAP34F.tmp
    2010-11-28 19:57:45 0 ----a-w- c:\windows\system32\FAP34B.tmp
    2010-11-28 19:56:04 0 ----a-w- c:\windows\system32\FAP345.tmp
    2010-11-28 19:37:06 0 ----a-w- c:\windows\system32\FAP334.tmp
    2010-11-28 16:25:41 0 ----a-w- c:\windows\system32\FAP30B.tmp
    2010-11-28 16:25:41 0 ----a-w- c:\windows\system32\FAP306.tmp
    2010-11-28 16:25:39 0 ----a-w- c:\windows\system32\FAP300.tmp
    2010-11-28 16:25:38 0 ----a-w- c:\windows\system32\FAP2FC.tmp
    2010-11-28 16:25:26 0 ----a-w- c:\windows\system32\FAP2E6.tmp
    2010-11-28 16:25:26 0 ----a-w- c:\windows\system32\FAP2D5.tmp
    2010-11-28 16:25:23 0 ----a-w- c:\windows\system32\FAP2CE.tmp
    2010-11-28 16:25:17 0 ----a-w- c:\windows\system32\FAP2C7.tmp
    2010-11-28 16:25:17 0 ----a-w- c:\windows\system32\FAP2B2.tmp
    2010-11-28 16:25:16 0 ----a-w- c:\windows\system32\FAP2AD.tmp
    2010-11-28 16:25:14 0 ----a-w- c:\windows\system32\FAP2A1.tmp
    2010-11-28 07:36:19 0 ----a-w- c:\windows\system32\FAP1D8.tmp
    2010-11-28 07:36:16 0 ----a-w- c:\windows\system32\FAP1B4.tmp
    2010-11-28 07:36:16 0 ----a-w- c:\windows\system32\FAP1AF.tmp
    2010-11-28 07:36:15 0 ----a-w- c:\windows\system32\FAP1A8.tmp
    2010-11-28 07:36:13 0 ----a-w- c:\windows\system32\FAP19C.tmp
    2010-11-28 07:35:18 0 ----a-w- c:\windows\system32\FAP199.tmp
    2010-11-28 07:34:29 0 ----a-w- c:\windows\system32\FAP18C.tmp
    2010-11-28 07:33:41 0 ----a-w- c:\windows\system32\FAP179.tmp
    2010-11-28 07:33:39 0 ----a-w- c:\windows\system32\FAP176.tmp
    2010-11-28 07:32:15 0 ----a-w- c:\windows\system32\FAP16D.tmp
    2010-11-28 07:32:15 0 ----a-w- c:\windows\system32\FAP169.tmp
    2010-11-28 07:32:12 0 ----a-w- c:\windows\system32\FAP167.tmp
    2010-11-28 07:28:36 0 ----a-w- c:\windows\system32\FAP162.tmp
    2010-11-28 07:28:34 0 ----a-w- c:\windows\system32\FAP160.tmp
    2010-11-28 01:57:17 0 ----a-w- c:\windows\system32\FAPFF.tmp
    2010-11-28 01:56:59 0 ----a-w- c:\windows\system32\FAPFD.tmp
    2010-11-28 01:56:44 0 ----a-w- c:\windows\system32\FAPFB.tmp
    2010-11-28 01:56:18 0 ----a-w- c:\windows\system32\FAPF7.tmp
    2010-11-28 01:56:09 0 ----a-w- c:\windows\system32\FAPF5.tmp
    2010-11-28 01:56:08 0 ----a-w- c:\windows\system32\FAPF3.tmp
    2010-11-28 01:56:07 0 ----a-w- c:\windows\system32\FAPF1.tmp
    2010-11-28 01:56:03 0 ----a-w- c:\windows\system32\FAPEF.tmp
    2010-11-28 01:51:01 0 ----a-w- c:\windows\system32\FAPEC.tmp
    2010-11-28 01:51:00 0 ----a-w- c:\windows\system32\FAPE7.tmp
    2010-11-28 01:51:00 0 ----a-w- c:\windows\system32\FAPE4.tmp
    2010-11-28 01:50:53 0 ----a-w- c:\windows\system32\FAPE2.tmp
    2010-11-28 01:50:32 0 ----a-w- c:\windows\system32\FAPD9.tmp
    2010-11-28 01:50:27 0 ----a-w- c:\windows\system32\FAPD7.tmp
    2010-11-28 01:50:27 0 ----a-w- c:\windows\system32\FAPD5.tmp
    2010-11-28 01:50:20 0 ----a-w- c:\windows\system32\FAPD3.tmp
    2010-11-28 01:50:17 0 ----a-w- c:\windows\system32\FAPD1.tmp
    2010-11-28 01:50:17 0 ----a-w- c:\windows\system32\FAPCF.tmp

    ============= FINISH: 15:42:00.70 ===============

  10. #10
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Please try to run ComboFix with the script in safe mode.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •