
Thread: My files are missing!!!

  1. #1
    Senior Member
    Join Date
    Jun 2008
    Posts
    101

    My files are missing!!!

    OH My!!! Music, Pictures, Documents, all gone!
    First, let me say that I think it started when my desktop profile got corrupted and I deleted it and created another one. When I did that, some of my browser's add-ons would not work (not compatible), including my anti-virus program (free AVG). I uninstalled it, thinking I could reinstall. It would get to a point and I would get this pop-up that said something like "Windows could not complete the install because of unauthorized or unrecognized hardware installation." I did it several times, never getting past that point. I tried to get another program, but the same message kept me from installing an anti-virus program. I continued using the box without any protection (only for one day!), then I got this message that my hard drive had crashed and that I needed to download this program to fix it. That's when I noticed all my programs were gone and my documents too. I did a system restore and the programs came back, but not my documents! Oh man! My wife is gonna KILL me if I don't get her files back!!! Please, can you help me?
    DDS is posted, ATTACH is attached. Running Spybot now. Will post if there is an infection that cannot be removed.

    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Run by Dad at 2:02:43 on 2011-07-03
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.293 [GMT -5:00]
    .
    AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: Norton Internet Worm Protection *Disabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Avaya\Avaya one-X Communicator\QosServM.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2a\RpcAgentSrv.exe
    C:\WINDOWS\System32\snmp.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.ask.com/?l=dis&o=14196
    uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: {14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    EB: MasterCook Bar: {c92041c1-6d22-4069-ba0e-66246aa752b0} - c:\windows\system32\shdocvw.dll
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [<NO NAME>]
    mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    IE: {E6EF5071-7647-4E85-9785-87B6CF5CB561} - {C92041C1-6D22-4069-BA0E-66246AA752B0} - c:\windows\system32\shdocvw.dll
    Trusted Zone: trymedia.com
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    TCP: Interfaces\{83D4BF65-7B5A-4107-A3C8-C8D22413698C} : DhcpNameServer = 209.18.47.61 209.18.47.62
    TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\dad.your-4dacd0ea75\application data\mozilla\firefox\profiles\37fti8ke.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=en#t_0
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite xii.sp2a\RpcAgentSrv.exe [2008-4-12 98488]
    R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2008-3-28 370360]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys --> c:\windows\system32\drivers\avgldx86.sys [?]
    S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys --> c:\windows\system32\drivers\avgmfx86.sys [?]
    S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
    S2 avg9wd;AVG Free WatchDog;"c:\program files\avg\avg9\avgwdsvc.exe" --> c:\program files\avg\avg9\avgwdsvc.exe [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
    S3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\drivers\ubveo532.sys --> c:\windows\system32\drivers\ubVeo532.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
    .
    =============== Created Last 30 ================
    .
    2011-07-03 06:34:01 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-07-03 06:34:01 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-07-02 21:03:40 -------- d-----w- c:\documents and settings\dad.your-4dacd0ea75\application data\Malwarebytes
    2011-07-02 20:51:54 -------- d-----w- c:\windows\system32\drivers\Avg
    2011-07-02 20:50:25 -------- d-----w- c:\program files\Lavasoft
    2011-07-01 04:33:24 -------- d-----w- c:\documents and settings\all users\application data\AVG10(2)
    2011-07-01 03:59:47 -------- d-----w- c:\windows\system32\drivers\AVG(2)
    2011-07-01 03:38:31 -------- d-----w- c:\documents and settings\all users\application data\MFAData
    2011-06-22 21:20:06 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
    2011-06-22 21:20:06 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
    2011-06-16 01:01:22 105472 ------w- c:\windows\system32\dllcache\mup.sys
    2011-06-11 22:12:10 -------- d-----w- c:\documents and settings\dad.your-4dacd0ea75\local settings\application data\Apple
    2011-06-11 22:09:25 -------- d-----w- c:\program files\Amazon
    2011-06-06 21:51:31 -------- d-----w- c:\documents and settings\dad.your-4dacd0ea75\application data\FrostWire
    2011-06-06 21:49:51 -------- d-----w- c:\program files\FrostWire
    2011-06-06 17:55:30 183696 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
    2011-06-06 17:55:30 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
    2011-06-04 00:35:03 -------- d-----w- c:\documents and settings\dad.your-4dacd0ea75\.ehdc
    .
    ==================== Find3M ====================
    .
    2011-06-16 14:37:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-02 15:31:52 692736 ------w- c:\windows\system32\inetcomm.dll
    2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
    2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel(2)(2).dll
    2011-04-29 16:19:43 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
    2011-04-21 13:37:43 105472 ------w- c:\windows\system32\drivers\mup.sys
    .
    ============= FINISH: 2:03:45.67 ===============

  2. #2
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,

    If help is still needed, post fresh DDS logs, please.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Senior Member
    Join Date
    Jun 2008
    Posts
    101

    Re: My files are missing...

    Found the files. They were hidden. Had to change the properties to see them all again. But I still cannot download an anti-virus program. Here's the DDS log:

    DDS (Ver_2011-07-14.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Run by Dad at 16:36:53 on 2011-07-14
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.197 [GMT -5:00]
    .
    AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: Norton Internet Worm Protection *Disabled*
    .
    ============== Running Processes ================
    .
    C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Avaya\Avaya one-X Communicator\QosServM.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2a\RpcAgentSrv.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.ask.com/?l=dis&o=14196
    uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} -
    uURLSearchHooks: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: {14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6} - <orphaned>
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
    BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - <orphaned>
    BHO: hpWebHelper Class: {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
    BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    BHO: FrostWire Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} -
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: FrostWire Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} -
    TB: FrostWire Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} -
    EB: MasterCook Bar: {C92041C1-6D22-4069-BA0E-66246AA752B0} - c:\windows\system32\shdocvw.dll
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {E6EF5071-7647-4E85-9785-87B6CF5CB561} - {C92041C1-6D22-4069-BA0E-66246AA752B0}
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    Trusted Zone: trymedia.com
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
    TCP: NameServer = 209.18.47.61 209.18.47.62
    TCP: Interfaces\{83D4BF65-7B5A-4107-A3C8-C8D22413698C} : DHCPNameServer = 209.18.47.61 209.18.47.62
    TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DHCPNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: ipp - <Clsid value has no data>
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
    Handler: msdaipp - <Clsid value has no data>
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\program files\outlook express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
    mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\program files\outlook express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
    IFEO: Your Image File Name Here without a path - ntsd -d
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\dad.your-4dacd0ea75\application data\mozilla\firefox\profiles\37fti8ke.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=en#t_0
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite xii.sp2a\RpcAgentSrv.exe [2008-4-12 98488]
    R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2008-3-28 370360]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys --> c:\windows\system32\drivers\avgldx86.sys [?]
    S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys --> c:\windows\system32\drivers\avgmfx86.sys [?]
    S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
    S2 avg9wd;AVG Free WatchDog;"c:\program files\avg\avg9\avgwdsvc.exe" --> c:\program files\avg\avg9\avgwdsvc.exe [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
    S3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\drivers\ubveo532.sys --> c:\windows\system32\drivers\ubVeo532.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
    .
    =============== Created Last 30 ================
    .
    2011-07-10 03:10:50 -------- d-----w- c:\program files\iPod
    2011-07-10 03:10:32 -------- d-----w- c:\program files\iTunes
    2011-07-10 03:05:21 -------- d-----w- c:\program files\Bonjour
    2011-07-03 06:34:01 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-07-03 06:34:01 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-07-02 21:03:40 -------- d-----w- c:\documents and settings\dad.your-4dacd0ea75\application data\Malwarebytes
    2011-07-02 20:51:54 -------- d-----w- c:\windows\system32\drivers\Avg
    2011-07-02 20:50:25 -------- d-----w- c:\program files\Lavasoft
    2011-07-01 04:33:24 -------- d-----w- c:\documents and settings\all users\application data\AVG10(2)
    2011-07-01 03:59:47 -------- d-----w- c:\windows\system32\drivers\AVG(2)
    2011-07-01 03:38:31 -------- d-----w- c:\documents and settings\all users\application data\MFAData
    2011-06-22 21:20:06 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
    2011-06-22 21:20:06 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
    2011-06-16 01:01:22 105472 ------w- c:\windows\system32\dllcache\mup.sys
    .
    ==================== Find3M ====================
    .
    2011-06-16 14:37:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-05-02 15:31:52 692736 ------w- c:\windows\system32\inetcomm.dll
    2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
    2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel(2)(2).dll
    2011-04-29 16:19:43 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-26 11:07:50 33280 ------w- c:\windows\system32\csrsrv.dll
    2011-04-26 11:07:50 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
    2011-04-21 13:37:43 105472 ------w- c:\windows\system32\drivers\mup.sys
    .
    ============= FINISH: 16:38:00.29 ===============

  4. #4
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,

    First, run this tool to make sure all files are properly visible now.


    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully first.

    Please continue as follows:

    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link).
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

  5. #5
    Senior Member
    Join Date
    Jun 2008
    Posts
    101


    ComboFix says that I'm still running AVG Free, but I cannot find it to disable it. I ran the scan anyway. Here are the results:

    ComboFix 11-07-15.03 - Dad 07/16/2011 16:13:11.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.342 [GMT -5:00]
    Running from: c:\documents and settings\Dad.YOUR-4DACD0EA75\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\WINDOWS
    c:\documents and settings\All Users\Application Data\oJ06511LbGgJ06511
    c:\documents and settings\All Users\Application Data\oJ06511LbGgJ06511\oJ06511LbGgJ06511
    c:\documents and settings\All Users\Application Data\oJ06511LbGgJ06511\oJ06511LbGgJ06511.exe
    c:\documents and settings\Compaq_Administrator\Application Data\alot
    c:\documents and settings\Compaq_Administrator\WINDOWS
    c:\documents and settings\Dad.YOUR-4DACD0EA75\WINDOWS
    c:\documents and settings\DAD\WINDOWS
    c:\documents and settings\Default User\WINDOWS
    c:\documents and settings\lexie\Application Data\alot
    c:\documents and settings\lexie\WINDOWS
    c:\documents and settings\MOM\Application Data\alot
    c:\documents and settings\MOM\Application Data\alot\BrowserSearch\BrowserSearch.xml
    c:\documents and settings\MOM\Application Data\alot\BrowserSearch\BrowserSearch.xml.backup
    c:\documents and settings\MOM\Application Data\alot\Button_0\Button_0.xml
    c:\documents and settings\MOM\Application Data\alot\Button_0\Button_0.xml.backup
    c:\documents and settings\MOM\Application Data\alot\Button_1\Button_1.xml
    c:\documents and settings\MOM\Application Data\alot\Button_1\Button_1.xml.backup
    c:\documents and settings\MOM\Application Data\alot\Button_2\Button_2.xml
    c:\documents and settings\MOM\Application Data\alot\Button_2\Button_2.xml.backup
    c:\documents and settings\MOM\Application Data\alot\Button_3\Button_3.xml
    c:\documents and settings\MOM\Application Data\alot\Button_3\Button_3.xml.backup
    c:\documents and settings\MOM\Application Data\alot\Button_4\Button_4.xml
    c:\documents and settings\MOM\Application Data\alot\Button_4\Button_4.xml.backup
    c:\documents and settings\MOM\Application Data\alot\Button_5\Button_5.xml
    c:\documents and settings\MOM\Application Data\alot\Button_5\Button_5.xml.backup
    c:\documents and settings\MOM\Application Data\alot\Button_6\Button_6.xml
    c:\documents and settings\MOM\Application Data\alot\Button_6\Button_6.xml.backup
    c:\documents and settings\MOM\Application Data\alot\Button_7\Button_7.xml
    c:\documents and settings\MOM\Application Data\alot\Button_7\Button_7.xml.backup
    c:\documents and settings\MOM\Application Data\alot\Button_8\Button_8.xml
    c:\documents and settings\MOM\Application Data\alot\Button_8\Button_8.xml.backup
    c:\documents and settings\MOM\Application Data\alot\Button_9\Button_9.xml
    c:\documents and settings\MOM\Application Data\alot\Button_9\Button_9.xml.backup
    c:\documents and settings\MOM\Application Data\alot\configurator\configurator.xml
    c:\documents and settings\MOM\Application Data\alot\configurator\configurator.xml.backup
    c:\documents and settings\MOM\Application Data\alot\contextMenu\contextMenu.xml
    c:\documents and settings\MOM\Application Data\alot\contextMenu\contextMenu.xml.backup
    c:\documents and settings\MOM\Application Data\alot\ErrorSearch\ErrorSearch.xml
    c:\documents and settings\MOM\Application Data\alot\ErrorSearch\ErrorSearch.xml.backup
    c:\documents and settings\MOM\Application Data\alot\postInstallLayout\postInstallLayout.xml
    c:\documents and settings\MOM\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup
    c:\documents and settings\MOM\Application Data\alot\products\products.xml
    c:\documents and settings\MOM\Application Data\alot\products\products.xml.backup
    c:\documents and settings\MOM\Application Data\alot\Resources\BrowserSearch\alot_search_defend.html
    c:\documents and settings\MOM\Application Data\alot\Resources\BrowserSearch\images\favicon.ico
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_0\images\alot_logo_button.bmp
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_0\images\alot_logo_button.png
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_1\images\alot_image_search.bmp
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_1\images\alot_image_search.png
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_1\images\alot_news_search.bmp
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_1\images\alot_news_search.png
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_1\images\alot_search_button.bmp
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_1\images\alot_search_button.png
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_1\images\alot_shop_search.bmp
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_1\images\alot_shop_search.png
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_1\images\alot_videos_search.bmp
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_1\images\alot_videos_search.png
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_1\images\alot_web_search.bmp
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_1\images\alot_web_search.png
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_2\images\alot_configure.bmp
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_2\images\alot_configure.png
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_3\images\default_1462_www.bhg.com_button.bmp
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_3\images\default_1462_www.bhg.com_button.png
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_4\images\2989_icon.bmp
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_4\images\2989_icon.png
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_5\images\default_1923_default_1910_default_1510_www.bhg.com_button.bmp
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_5\images\default_1923_default_1910_default_1510_www.bhg.com_button.png
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_6\images\default_2113_default_1682_www.bhg.com_button.bmp
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_6\images\default_2113_default_1682_www.bhg.com_button.png
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_7\images\default_1105_alot_recipe_videos.bmp
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_7\images\default_1105_alot_recipe_videos.png
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_8\images\2065_icon.bmp
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_8\images\2065_icon.png
    c:\documents and settings\MOM\Application Data\alot\Resources\Button_9\images\2827_icon.png
    c:\documents and settings\MOM\Application Data\alot\Resources\contextMenu\images\alot_icon.bmp
    c:\documents and settings\MOM\Application Data\alot\Resources\contextMenu\images\alot_icon.png
    c:\documents and settings\MOM\Application Data\alot\Resources\contextMenu\images\alot_logo_button.bmp
    c:\documents and settings\MOM\Application Data\alot\Resources\contextMenu\images\alot_logo_button.png
    c:\documents and settings\MOM\Application Data\alot\Resources\Shared\domains.dat
    c:\documents and settings\MOM\Application Data\alot\Resources\Shared\images\alot_brand.png
    c:\documents and settings\MOM\Application Data\alot\Resources\Shared\images\alot_splitter.png
    c:\documents and settings\MOM\Application Data\alot\Resources\Shared\images\discover.png
    c:\documents and settings\MOM\Application Data\alot\Resources\Shared\images\intro_popup.png
    c:\documents and settings\MOM\Application Data\alot\Resources\Shared\images\spinner.bmp
    c:\documents and settings\MOM\Application Data\alot\Resources\Shared\images\widget_bottom.bmp
    c:\documents and settings\MOM\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp
    c:\documents and settings\MOM\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp
    c:\documents and settings\MOM\Application Data\alot\Resources\Shared\images\widget_caption.bmp
    c:\documents and settings\MOM\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp
    c:\documents and settings\MOM\Application Data\alot\Resources\Shared\images\widget_error_close.bmp
    c:\documents and settings\MOM\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp
    c:\documents and settings\MOM\Application Data\alot\TimerManager\TimerManager.xml
    c:\documents and settings\MOM\Application Data\alot\TimerManager\TimerManager.xml.backup
    c:\documents and settings\MOM\Application Data\alot\toolbar.xml
    c:\documents and settings\MOM\Application Data\alot\toolbar.xml.backup
    c:\documents and settings\MOM\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml
    c:\documents and settings\MOM\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml.backup
    c:\documents and settings\MOM\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
    c:\documents and settings\MOM\Application Data\alot\ToolbarSearch\ToolbarSearch.xml.backup
    c:\documents and settings\MOM\Application Data\alot\Updater\Updater.xml
    c:\documents and settings\MOM\Application Data\alot\Updater\Updater.xml.backup
    c:\documents and settings\MOM\WINDOWS
    c:\windows\system32\Cache
    c:\windows\system32\config\systemprofile\WINDOWS
    E:\Autorun.inf
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_usnjsvc
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-16 to 2011-07-16 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-10 03:13 . 2011-07-10 03:13 -------- d-----w- c:\program files\Apple Software Update
    2011-07-10 03:10 . 2011-07-10 03:10 -------- d-----w- c:\program files\iPod
    2011-07-10 03:10 . 2011-07-10 03:12 -------- d-----w- c:\program files\iTunes
    2011-07-10 03:05 . 2011-07-10 03:05 -------- d-----w- c:\program files\Bonjour
    2011-07-03 07:01 . 2011-07-03 07:01 -------- d-----w- c:\program files\ERUNT
    2011-07-03 06:34 . 2011-07-03 06:34 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-07-02 21:03 . 2011-07-02 21:03 -------- d-----w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Malwarebytes
    2011-07-02 20:51 . 2011-07-03 06:32 -------- d-----w- c:\windows\system32\drivers\Avg
    2011-07-02 20:50 . 2011-07-02 20:50 -------- d-----w- c:\program files\Lavasoft
    2011-07-01 04:33 . 2011-07-02 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10(2)
    2011-07-01 03:59 . 2011-07-01 16:29 -------- d-----w- c:\windows\system32\drivers\AVG(2)
    2011-07-01 03:38 . 2011-07-16 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-06-22 21:20 . 2010-01-01 08:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
    2011-06-22 21:20 . 2010-01-01 08:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-06-16 14:37 . 2011-05-18 17:16 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-02 14:02 . 2004-08-10 04:00 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-05-02 15:31 . 2004-08-10 04:00 692736 ------w- c:\windows\system32\inetcomm.dll
    2011-04-29 17:25 . 2004-08-10 04:00 151552 ----a-w- c:\windows\system32\schannel.dll
    2011-04-29 17:25 . 2004-08-10 04:00 151552 ----a-w- c:\windows\system32\schannel(2)(2).dll
    2011-04-29 16:19 . 2004-08-10 04:00 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-26 11:07 . 2004-08-10 04:00 33280 ------w- c:\windows\system32\csrsrv.dll
    2011-04-26 11:07 . 2004-08-10 04:00 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-04-25 16:11 . 2004-08-10 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 16:11 . 2004-08-10 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-04-25 16:11 . 2004-08-10 04:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-04-25 12:01 . 2004-08-10 04:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-04-21 13:37 . 2004-08-10 04:00 105472 ------w- c:\windows\system32\drivers\mup.sys
    2011-06-16 04:17 . 2011-05-07 06:56 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-31 202256]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-06-06 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
    .
    c:\documents and settings\lexie\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-1 27136]
    .
    c:\documents and settings\DAD\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [N/A]
    PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-1 27136]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ 'autocheck autochk *'
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^DADs^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\documents and settings\DADs\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^DADs^Start Menu^Programs^Startup^Pandora.lnk]
    path=c:\documents and settings\DADs\Start Menu\Programs\Startup\Pandora.lnk
    backup=c:\windows\pss\Pandora.lnkStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^MOM^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\documents and settings\MOM\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^MOM^Start Menu^Programs^Startup^PinMcLnk.lnk]
    path=c:\documents and settings\MOM\Start Menu\Programs\Startup\PinMcLnk.lnk
    backup=c:\windows\pss\PinMcLnk.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2011-06-06 17:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2010-03-12 18:08 49208 -c--a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    2004-03-04 15:46 172032 -c--a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2006-05-09 22:50 7311360 ----a-w- c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2006-05-09 22:50 1519616 ----a-w- c:\windows\system32\nwiz.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    2005-07-23 05:14 237568 -c--a-w- c:\windows\SMINST\Recguard.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 21:07 2260480 -csha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-05-31 22:37 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2a\\RpcAgentSrv.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\WINDOWS\\system32\\javaw.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Avaya\\Avaya one-X Communicator\\SparkEmulator.exe"=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2a\\WNt500x86\\RpcSandraSrv.exe"=
    "c:\\Program Files\\FrostWire\\FrostWire.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)
    .
    R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite XII.SP2a\RpcAgentSrv.exe [4/12/2008 7:27 PM 98488]
    R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [3/28/2008 5:39 PM 370360]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]
    S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys --> c:\windows\system32\Drivers\avgtdix.sys [?]
    S2 avg9wd;AVG Free WatchDog;"c:\program files\AVG\AVG9\avgwdsvc.exe" --> c:\program files\AVG\AVG9\avgwdsvc.exe [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 11:42 AM 135664]
    S3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\Drivers\ubVeo532.sys --> c:\windows\system32\Drivers\ubVeo532.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 11:42 AM 135664]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-13 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
    .
    2011-07-16 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-19 02:34]
    .
    2011-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:42]
    .
    2011-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:42]
    .
    2011-07-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1009.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1014.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1015.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1016.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1009.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1014.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1015.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1016.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-05-05 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-06-30 16:43]
    .
    2011-07-16 c:\windows\Tasks\User_Feed_Synchronization-{A5BA4143-133C-40B2-AB6F-015DCEDD0290}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ask.com/?l=dis&o=14196
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    Trusted Zone: trymedia.com
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    FF - ProfilePath - c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles\37fti8ke.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=en#t_0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - c:\program files\Ask.com\GenericAskToolbar.dll
    BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
    Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
    HKLM-Run-ApnUpdater - c:\program files\Ask.com\Updater\Updater.exe
    Notify-avgrsstarter - avgrsstx.dll
    MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
    MSConfigStartUp-CleverKeys - c:\program files\Dictionary.com\CleverKeys\CK.exe
    MSConfigStartUp-Google Update - c:\documents and settings\DADs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
    MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
    AddRemove-Adobe Flash Player Plugin - c:\windows\system32\Macromed\Flash\FlashUtil10s_Plugin.exe
    AddRemove-AVG9Uninstall - c:\program files\AVG\AVG9\setup.exe
    AddRemove-SoftwareUpdUtility - c:\program files\Common Files\Software Update Utility\uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-07-16 16:33
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
    "5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
    "5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
    "AB141C35E9F4BF344B9FC010BB17F68A"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}\\Registered"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(1296)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\windows\arservice.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Avaya\Avaya one-X Communicator\QosServM.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\System32\snmp.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-07-16 16:38:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-07-16 21:38
    .
    Pre-Run: 111,137,021,952 bytes free
    Post-Run: 111,935,500,288 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - E9F88083414F87609BA94A83301BFC01

    DDS Log:

    DDS (Ver_2011-07-14.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Run by Dad at 16:42:09 on 2011-07-16
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.260 [GMT -5:00]
    .
    AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: Norton Internet Worm Protection *Disabled*
    .
    ============== Running Processes ================
    .
    C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Avaya\Avaya one-X Communicator\QosServM.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2a\RpcAgentSrv.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    C:\WINDOWS\system32\svchost.exe -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.ask.com/?l=dis&o=14196
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    uURLSearchHooks: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
    BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - <orphaned>
    BHO: hpWebHelper Class: {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
    BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    uPolicies-Explorer: NoDriveAutoRun = dword:67108863
    uPolicies-Explorer: NoDrives = dword:0
    mPolicies-Explorer: NoDriveAutoRun = dword:67108863
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    mPolicies-Explorer: NoDrives = dword:0
    mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    mPolicies-Explorer: NoDriveAutoRun = dword:67108863
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {E6EF5071-7647-4E85-9785-87B6CF5CB561} - {C92041C1-6D22-4069-BA0E-66246AA752B0}
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    Trusted Zone: trymedia.com
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
    TCP: NameServer = 209.18.47.61 209.18.47.62
    TCP: Interfaces\{83D4BF65-7B5A-4107-A3C8-C8D22413698C} : DHCPNameServer = 209.18.47.61 209.18.47.62
    TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DHCPNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: ipp - <Clsid value has no data>
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
    Handler: msdaipp - <Clsid value has no data>
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\program files\outlook express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
    mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\program files\outlook express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
    IFEO: Your Image File Name Here without a path - ntsd -d
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\dad.your-4dacd0ea75\application data\mozilla\firefox\profiles\37fti8ke.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=en#t_0
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite xii.sp2a\RpcAgentSrv.exe [2008-4-12 98488]
    R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2008-3-28 370360]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys --> c:\windows\system32\drivers\avgldx86.sys [?]
    S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys --> c:\windows\system32\drivers\avgmfx86.sys [?]
    S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
    S2 avg9wd;AVG Free WatchDog;"c:\program files\avg\avg9\avgwdsvc.exe" --> c:\program files\avg\avg9\avgwdsvc.exe [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
    S3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\drivers\ubveo532.sys --> c:\windows\system32\drivers\ubVeo532.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
    .
    =============== Created Last 30 ================
    .
    2011-07-16 21:04:21 -------- d-sha-r- C:\cmdcons
    2011-07-16 21:00:51 98816 ----a-w- c:\windows\sed.exe
    2011-07-16 21:00:51 256000 ----a-w- c:\windows\PEV.exe
    2011-07-16 21:00:51 208896 ----a-w- c:\windows\MBR.exe
    2011-07-10 03:10:50 -------- d-----w- c:\program files\iPod
    2011-07-10 03:10:32 -------- d-----w- c:\program files\iTunes
    2011-07-10 03:05:21 -------- d-----w- c:\program files\Bonjour
    2011-07-03 06:34:01 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-07-03 06:34:01 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-07-02 21:03:40 -------- d-----w- c:\documents and settings\dad.your-4dacd0ea75\application data\Malwarebytes
    2011-07-02 20:51:54 -------- d-----w- c:\windows\system32\drivers\Avg
    2011-07-02 20:50:25 -------- d-----w- c:\program files\Lavasoft
    2011-07-01 04:33:24 -------- d-----w- c:\documents and settings\all users\application data\AVG10(2)
    2011-07-01 03:59:47 -------- d-----w- c:\windows\system32\drivers\AVG(2)
    2011-07-01 03:38:31 -------- d-----w- c:\documents and settings\all users\application data\MFAData
    2011-06-22 21:20:06 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
    2011-06-22 21:20:06 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
    .
    ==================== Find3M ====================
    .
    2011-06-16 14:37:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-05-02 15:31:52 692736 ------w- c:\windows\system32\inetcomm.dll
    2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
    2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel(2)(2).dll
    2011-04-29 16:19:43 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-26 11:07:50 33280 ------w- c:\windows\system32\csrsrv.dll
    2011-04-26 11:07:50 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
    2011-04-21 13:37:43 105472 ------w- c:\windows\system32\drivers\mup.sys
    .
    ============= FINISH: 16:42:22.15 ===============

  6. #6
    Blade81 (Security Expert: Emeritus)
    Join Date: Oct 2006
    Location: Finland
    Posts: 25,288

    Hi,

    Try to uninstall AVG remnants with removal tool for it.


    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    Folder::
    c:\Program Files\FrostWire
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\FrostWire\\FrostWire.exe"=-

    Save this as
    CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
    Then post the resultant log.



    Uninstall your current Adobe Shockwave Player and get the fresh one here if needed.



    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 26.
    • Click the Download button to the right.
    • Select Windows in the platform combobox and check the box that says: Accept License Agreement. Click continue.
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u26-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



    • Go here to run an online scanner from ESET.
    • Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the option Remove found threats is UNchecked.
    • Click Scan
    • Wait for the scan to finish.


    Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
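The Java check Blade81 asks for above (is the browser Java older than JRE 6 Update 26, and do any DPF entries still point at an older installer cab) can be read straight out of a DDS log. The following is an added example, not code from this thread or from the DDS or ComboFix tools; it assumes the DDS layout visible in the posted logs (a `BrowserJavaVersion:` field on the Internet Explorer line and `DPF:` entries whose Java installer cab name carries the version, e.g. `jinstall-1_6_0_21`), and uses 1.6.0_26, the version named in the post, as the required level. The sample lines are constructed from the log the original poster pasted.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Constructed sample in the shape of the DDS log posted earlier in this thread:
# the header line carrying BrowserJavaVersion and a few DPF (Downloaded Program
# Files) entries. DDS defangs URLs as "hxxp"; the Java installer cab name
# encodes the version as 1_6_0_21.
SAMPLE_DDS = """\
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by Dad at 2:02:43 on 2011-07-03
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
"""

# The level the helper asked for in this thread: JRE 6 Update 26 (1.6.0_26).
REQUIRED_JAVA: Version = (1, 6, 0, 26)


def parse_java_version(text: str) -> Optional[Version]:
    """Turn '1.6.0_21' into (1, 6, 0, 21); return None for anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)_(\d+)", text.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def fmt(v: Version) -> str:
    return f"{v[0]}.{v[1]}.{v[2]}_{v[3]}"


def browser_java_version(log: str) -> Optional[Version]:
    """Version the browser plug-in reports in the DDS header, if present."""
    m = re.search(r"BrowserJavaVersion:\s*(\S+)", log)
    return parse_java_version(m.group(1)) if m else None


# A DPF line whose target is a Java installer cab on java.sun.com; the cab
# name carries the version as underscore-separated digits.
DPF_JAVA = re.compile(
    r"\s*DPF:\s*(\{[0-9A-Fa-f-]+\})\s*-\s*hxxps?://java\.sun\.com/"
    r".*jinstall-(\d+)_(\d+)_(\d+)_(\d+)-"
)


def java_installer_dpf(log: str) -> List[Tuple[str, Version]]:
    """(CLSID, version) for every DPF entry that points at a Java installer cab."""
    found = []
    for line in log.splitlines():
        m = DPF_JAVA.match(line)
        if m:
            found.append((m.group(1), tuple(int(g) for g in m.groups()[1:])))
    return found


def assess(log: str, required: Version = REQUIRED_JAVA) -> dict:
    """Flag a browser Java older than `required`, plus DPF entries that still
    reference an installer below that level, so they can be rechecked in the
    fresh DDS log after the update and the Add/Remove Programs cleanup."""
    installed = browser_java_version(log)
    findings = []
    if installed is None:
        findings.append("no BrowserJavaVersion field in the DDS header")
    elif installed < required:
        findings.append(f"browser Java {fmt(installed)} is older than {fmt(required)}")
    for clsid, ver in java_installer_dpf(log):
        if ver < required:
            findings.append(f"DPF {clsid} references Java installer {fmt(ver)}")
    return {"installed": installed, "action_needed": bool(findings), "findings": findings}


if __name__ == "__main__":
    result = assess(SAMPLE_DDS)
    print("browser Java:", fmt(result["installed"]) if result["installed"] else "unknown")
    for finding in result["findings"]:
        print("  -", finding)
```

Run it against the sample and it reports the 1.6.0_21 browser plug-in and both DPF entries that reference the 1.6.0_21 installer; running it again on the fresh dds.txt requested at the end of the post is a quick way to confirm the update took and that nothing still points at the old level.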

  7. #7
    Senior Member
    Join Date: Jun 2008
    Posts: 101

    Sorry about the delay. I ran the AVG removal tool several times, but Combo says it's still active. I ran the fix with the CFScript, but I didn't save the report. The box rebooted and I lost it! Ran it again and did the ESET scan. Here are the reports:

    ComboFix 11-07-17.03 - Dad 07/18/2011 1:04.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.372 [GMT -5:00]
    Running from: c:\documents and settings\Dad.YOUR-4DACD0EA75\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Dad.YOUR-4DACD0EA75\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-18 to 2011-07-18 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-18 05:48 . 2011-07-18 05:48 -------- d-----w- c:\program files\ESET
    2011-07-18 05:44 . 2011-07-18 05:44 -------- d-----w- c:\program files\Common Files\Java
    2011-07-18 05:44 . 2011-07-18 05:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-07-18 03:53 . 2011-07-18 03:53 -------- d-----w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Local Settings\Application Data\Identities
    2011-07-18 03:53 . 2011-07-18 03:54 -------- d-----w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Ijewmu
    2011-07-10 03:13 . 2011-07-10 03:13 -------- d-----w- c:\program files\Apple Software Update
    2011-07-10 03:10 . 2011-07-10 03:10 -------- d-----w- c:\program files\iPod
    2011-07-10 03:10 . 2011-07-10 03:12 -------- d-----w- c:\program files\iTunes
    2011-07-10 03:05 . 2011-07-10 03:05 -------- d-----w- c:\program files\Bonjour
    2011-07-03 07:01 . 2011-07-03 07:01 -------- d-----w- c:\program files\ERUNT
    2011-07-03 06:34 . 2011-07-03 06:34 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-07-02 21:03 . 2011-07-02 21:03 -------- d-----w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Malwarebytes
    2011-07-02 20:50 . 2011-07-02 20:50 -------- d-----w- c:\program files\Lavasoft
    2011-07-01 04:33 . 2011-07-02 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10(2)
    2011-07-01 03:59 . 2011-07-01 16:29 -------- d-----w- c:\windows\system32\drivers\AVG(2)
    2011-07-01 03:38 . 2011-07-16 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-06-22 21:20 . 2010-01-01 08:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
    2011-06-22 21:20 . 2010-01-01 08:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-18 05:43 . 2010-05-05 15:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-06-16 14:37 . 2011-05-18 17:16 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-02 14:02 . 2004-08-10 04:00 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-05-02 15:31 . 2004-08-10 04:00 692736 ------w- c:\windows\system32\inetcomm.dll
    2011-04-29 17:25 . 2004-08-10 04:00 151552 ----a-w- c:\windows\system32\schannel.dll
    2011-04-29 17:25 . 2004-08-10 04:00 151552 ----a-w- c:\windows\system32\schannel(2)(2).dll
    2011-04-29 16:19 . 2004-08-10 04:00 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-26 11:07 . 2004-08-10 04:00 33280 ------w- c:\windows\system32\csrsrv.dll
    2011-04-26 11:07 . 2004-08-10 04:00 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-04-25 16:11 . 2004-08-10 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 16:11 . 2004-08-10 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-04-25 16:11 . 2004-08-10 04:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-04-25 12:01 . 2004-08-10 04:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-04-21 13:37 . 2004-08-10 04:00 105472 ------w- c:\windows\system32\drivers\mup.sys
    2011-06-16 04:17 . 2011-05-07 06:56 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-07-16_21.33.45 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-07-18 05:30 . 2011-07-18 05:30 87951 c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    + 2011-06-10 14:01 . 2011-06-10 14:01 86016 c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
    - 2011-03-24 10:34 . 2011-03-24 10:34 73408 c:\windows\system32\Adobe\Shockwave 11\gtapi.dll
    + 2011-06-10 13:47 . 2011-06-10 13:47 73408 c:\windows\system32\Adobe\Shockwave 11\gtapi.dll
    + 2011-06-10 13:47 . 2011-06-10 13:47 64512 c:\windows\system32\Adobe\Shockwave 11\gcapi_dll.dll
    - 2011-03-24 10:34 . 2011-03-24 10:34 64512 c:\windows\system32\Adobe\Shockwave 11\gcapi_dll.dll
    + 2011-06-10 14:02 . 2011-06-10 14:02 12288 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
    + 2011-07-18 05:30 . 2011-07-18 05:30 10134 c:\windows\Installer\{612C34C7-5E90-47D8-9B5C-0F717DD82726}\ARPPRODUCTICON.exe
    + 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
    + 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
    + 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
    + 2011-07-18 05:44 . 2011-07-18 05:43 157472 c:\windows\system32\javaws.exe
    + 2011-07-18 05:44 . 2011-07-18 05:43 145184 c:\windows\system32\javaw.exe
    - 2010-08-01 04:49 . 2010-07-17 10:00 145184 c:\windows\system32\javaw.exe
    + 2011-07-18 05:44 . 2011-07-18 05:43 145184 c:\windows\system32\java.exe
    - 2010-08-01 04:49 . 2010-07-17 10:00 145184 c:\windows\system32\java.exe
    + 2011-06-10 13:47 . 2011-06-10 13:47 279992 c:\windows\system32\Adobe\Shockwave 11\SymCCIS.dll
    + 2011-06-10 14:01 . 2011-06-10 14:01 113664 c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
    + 2011-06-13 08:49 . 2011-06-13 08:49 545208 c:\windows\system32\Adobe\Shockwave 11\SwHelper_1160626.exe
    + 2011-06-10 14:03 . 2011-06-10 14:03 433664 c:\windows\system32\Adobe\Shockwave 11\Proj.dll
    + 2011-06-10 14:02 . 2011-06-10 14:02 364544 c:\windows\system32\Adobe\Shockwave 11\Plugin.dll
    + 2011-06-10 13:51 . 2011-06-10 13:51 989184 c:\windows\system32\Adobe\Shockwave 11\iml32.dll
    + 2011-06-10 14:03 . 2011-06-10 14:03 892416 c:\windows\system32\Adobe\Shockwave 11\gi.dll
    + 2011-06-10 14:01 . 2011-06-10 14:01 541696 c:\windows\system32\Adobe\Shockwave 11\Control.dll
    + 2011-06-13 08:50 . 2011-06-13 08:50 112568 c:\windows\system32\Adobe\Director\SWDNLD.EXE
    + 2011-06-13 08:50 . 2011-06-13 08:50 279480 c:\windows\system32\Adobe\Director\SwDir.dll
    + 2011-06-10 14:02 . 2011-06-10 14:02 145920 c:\windows\system32\Adobe\Director\np32dsw.dll
    + 2011-07-18 05:30 . 2011-07-18 05:30 430592 c:\windows\Installer\d8070.msi
    + 2011-07-18 05:44 . 2011-07-18 05:44 203776 c:\windows\Installer\262d1.msi
    + 2011-07-18 05:43 . 2011-07-18 05:43 675840 c:\windows\Installer\262cb.msi
    - 2011-03-24 10:34 . 2011-03-24 10:34 2314416 c:\windows\system32\Adobe\Shockwave 11\gt.exe
    + 2011-06-10 13:47 . 2011-06-10 13:47 2314416 c:\windows\system32\Adobe\Shockwave 11\gt.exe
    + 2011-06-10 13:53 . 2011-06-10 13:53 1732608 c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-31 202256]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-06-06 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    .
    c:\documents and settings\lexie\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-1 27136]
    .
    c:\documents and settings\DAD\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [N/A]
    PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-1 27136]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ 'autocheck autochk *'
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^DADs^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\documents and settings\DADs\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^DADs^Start Menu^Programs^Startup^Pandora.lnk]
    path=c:\documents and settings\DADs\Start Menu\Programs\Startup\Pandora.lnk
    backup=c:\windows\pss\Pandora.lnkStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^MOM^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\documents and settings\MOM\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^MOM^Start Menu^Programs^Startup^PinMcLnk.lnk]
    path=c:\documents and settings\MOM\Start Menu\Programs\Startup\PinMcLnk.lnk
    backup=c:\windows\pss\PinMcLnk.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2011-06-06 17:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2010-03-12 18:08 49208 -c--a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    2004-03-04 15:46 172032 -c--a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2006-05-09 22:50 7311360 ----a-w- c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2006-05-09 22:50 1519616 ----a-w- c:\windows\system32\nwiz.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    2005-07-23 05:14 237568 -c--a-w- c:\windows\SMINST\Recguard.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 21:07 2260480 -csha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-05-31 22:37 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2a\\RpcAgentSrv.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\WINDOWS\\system32\\javaw.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Avaya\\Avaya one-X Communicator\\SparkEmulator.exe"=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2a\\WNt500x86\\RpcSandraSrv.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)
    .
    R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite XII.SP2a\RpcAgentSrv.exe [4/12/2008 7:27 PM 98488]
    R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [3/28/2008 5:39 PM 370360]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 11:42 AM 135664]
    S3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\Drivers\ubVeo532.sys --> c:\windows\system32\Drivers\ubVeo532.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 11:42 AM 135664]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - JAVAQUICKSTARTERSERVICE
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-13 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
    .
    2011-07-18 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-19 02:34]
    .
    2011-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:42]
    .
    2011-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:42]
    .
    2011-07-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1009.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1014.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1015.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1016.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1009.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1014.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1015.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1016.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-05-05 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-06-30 16:43]
    .
    2011-07-18 c:\windows\Tasks\User_Feed_Synchronization-{A5BA4143-133C-40B2-AB6F-015DCEDD0290}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ask.com/?l=dis&o=14196
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    Trusted Zone: trymedia.com
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    FF - ProfilePath - c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles\37fti8ke.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=en#t_0
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-07-18 01:16
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
    "5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
    "5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
    "AB141C35E9F4BF344B9FC010BB17F68A"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}\\Registered"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2536)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-07-18 01:20:29
    ComboFix-quarantined-files.txt 2011-07-18 06:20
    ComboFix2.txt 2011-07-18 05:22
    ComboFix3.txt 2011-07-16 21:38
    .
    Pre-Run: 111,722,295,296 bytes free
    Post-Run: 111,719,706,624 bytes free
    .
    - - End Of File - - 48F548E327F3994E60C6AE860475EFF6

    ESET log:
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\oJ06511LbGgJ06511\oJ06511LbGgJ06511.exe.vir a variant of Win32/Kryptik.OIE trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\Dad.YOUR-4DACD0EA75\Application Data\Sayp\imob.exe.vir a variant of Win32/Kryptik.PCQ trojan
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP447\A0039571.exe a variant of Win32/Kryptik.PVI trojan
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP447\A0039574.exe a variant of Win32/Kryptik.PVI trojan
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP471\A0041762.exe a variant of Win32/Kryptik.OIE trojan
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP472\A0042292.exe a variant of Win32/Kryptik.PCQ trojan
    E:\I386\APPS\APP17286\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
    E:\I386\APPS\APP17286\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application

    DDS Log:
    DDS (Ver_2011-07-14.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
    Run by Dad at 13:01:46 on 2011-07-18
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.190 [GMT -5:00]
    .
    AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: Norton Internet Worm Protection *Disabled*
    .
    ============== Running Processes ================
    .
    C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Avaya\Avaya one-X Communicator\QosServM.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2a\RpcAgentSrv.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    C:\WINDOWS\system32\svchost.exe -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.ask.com/?l=dis&o=14196
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    uURLSearchHooks: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - <orphaned>
    BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - <orphaned>
    BHO: hpWebHelper Class: {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
    BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    uPolicies-Explorer: NoDriveAutoRun = dword:67108863
    uPolicies-Explorer: NoDrives = dword:0
    mPolicies-Explorer: NoDriveAutoRun = dword:67108863
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    mPolicies-Explorer: NoDrives = dword:0
    mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    mPolicies-Explorer: NoDriveAutoRun = dword:67108863
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {E6EF5071-7647-4E85-9785-87B6CF5CB561} - {C92041C1-6D22-4069-BA0E-66246AA752B0}
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    Trusted Zone: trymedia.com
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
    TCP: NameServer = 209.18.47.61 209.18.47.62
    TCP: Interfaces\{83D4BF65-7B5A-4107-A3C8-C8D22413698C} : DHCPNameServer = 209.18.47.61 209.18.47.62
    TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DHCPNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: ipp - <Clsid value has no data>
    Handler: msdaipp - <Clsid value has no data>
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\program files\outlook express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
    mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\program files\outlook express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
    IFEO: Your Image File Name Here without a path - ntsd -d
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\dad.your-4dacd0ea75\application data\mozilla\firefox\profiles\37fti8ke.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=en#t_0
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite xii.sp2a\RpcAgentSrv.exe [2008-4-12 98488]
    R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2008-3-28 370360]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
    S3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\drivers\ubveo532.sys --> c:\windows\system32\drivers\ubVeo532.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
    .
    =============== Created Last 30 ================
    .
    2011-07-18 05:48:04 -------- d-----w- c:\program files\ESET
    2011-07-18 05:44:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-07-18 03:53:55 -------- d-----w- c:\documents and settings\dad.your-4dacd0ea75\local settings\application data\Identities
    2011-07-18 03:53:51 -------- d-----w- c:\documents and settings\dad.your-4dacd0ea75\application data\Ijewmu
    2011-07-16 21:04:21 -------- d-sha-r- C:\cmdcons
    2011-07-16 21:00:51 98816 ----a-w- c:\windows\sed.exe
    2011-07-16 21:00:51 256000 ----a-w- c:\windows\PEV.exe
    2011-07-16 21:00:51 208896 ----a-w- c:\windows\MBR.exe
    2011-07-10 03:10:50 -------- d-----w- c:\program files\iPod
    2011-07-10 03:10:32 -------- d-----w- c:\program files\iTunes
    2011-07-10 03:05:21 -------- d-----w- c:\program files\Bonjour
    2011-07-03 06:34:01 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-07-03 06:34:01 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-07-02 21:03:40 -------- d-----w- c:\documents and settings\dad.your-4dacd0ea75\application data\Malwarebytes
    2011-07-02 20:50:25 -------- d-----w- c:\program files\Lavasoft
    2011-07-01 04:33:24 -------- d-----w- c:\documents and settings\all users\application data\AVG10(2)
    2011-07-01 03:59:47 -------- d-----w- c:\windows\system32\drivers\AVG(2)
    2011-07-01 03:38:31 -------- d-----w- c:\documents and settings\all users\application data\MFAData
    2011-06-22 21:20:06 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
    2011-06-22 21:20:06 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
    .
    ==================== Find3M ====================
    .
    2011-07-18 05:43:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-06-16 14:37:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-05-02 15:31:52 692736 ------w- c:\windows\system32\inetcomm.dll
    2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
    2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel(2)(2).dll
    2011-04-29 16:19:43 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-26 11:07:50 33280 ------w- c:\windows\system32\csrsrv.dll
    2011-04-26 11:07:50 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
    2011-04-21 13:37:43 105472 ------w- c:\windows\system32\drivers\mup.sys
    .
    ============= FINISH: 13:02:44.93 ===============

  8. #8
    Security Expert: Emeritus
    Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Since Norton doesn't seem to be installed anymore either, it's recommended to remove its remnants with the removal tool.


    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    SecCenter::
    {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    DirLook::
    c:\documents and settings\Dad.YOUR-4DACD0EA75\Local Settings\Application Data\Identities
    c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Ijewmu
    Folder::
    c:\documents and settings\all users\application data\AVG10(2)
    c:\windows\system32\drivers\AVG(2)
    c:\documents and settings\all users\application data\MFAData
    DDS::
    BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - <orphaned>
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - <orphaned>

    Save this as CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
    Then post the resultant log. How's the system running now?
    Last edited by Blade81; 2011-07-18 at 23:29.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
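The logs in the previous post and the CFScript in this one, read together, describe a small triage routine: find the `<orphaned>` BHO entries that the DDS:: section of the script removes, flag the user.js overrides that silence Firefox's mixed-content and insecure-form warnings (user.js re-applies them on every start, so changing them in about:config does not stick), and sort the ESET hits by whether the file is already in ComboFix's quarantine, sits in a System Restore point, or is still live on disk. The Python below is an added example written for this thread, not a tool from any of the posts; the sample lines are copied from the logs above, while the three ESET buckets and the list of "weak" Firefox prefs are my own choices.

```python
"""Triage helpers for the DDS and ESET log lines quoted in this thread.

Added example for this thread, not a tool from the original posts. The
sample lines are copied from the logs above; the bucket names and the
list of weak Firefox prefs are the author's own assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" and
# "FIREFOX POLICIES" sections posted in this thread.
SAMPLE_DDS = r"""
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - <orphaned>
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - <orphaned>
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=en#t_0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_submit_insecure - false
"""

# Constructed sample: lines copied from the ESET online-scanner log above.
SAMPLE_ESET = r"""
C:\Qoobox\Quarantine\C\Documents and Settings\Dad.YOUR-4DACD0EA75\Application Data\Sayp\imob.exe.vir a variant of Win32/Kryptik.PCQ trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP447\A0039571.exe a variant of Win32/Kryptik.PVI trojan
E:\I386\APPS\APP17286\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
"""

# "BHO: [name: ]{CLSID} - <dll path or <orphaned>>"
BHO_RE = re.compile(r"^BHO: (?:(?P<name>.*?): )?(?P<clsid>\{[0-9A-F-]+\}) - (?P<target>.*)$", re.I)
USERJS_RE = re.compile(r"^FF - user\.js: (?P<pref>\S+) - (?P<value>.*)$")
# ESET prints "<path> <detection>"; the detection name contains a '/', Windows paths do not.
ESET_RE = re.compile(r"^(?P<path>[A-Z]:\\.+?)\s+(?P<det>(?:probably )?(?:a variant of )?\S+/\S+.*)$", re.I)

# Prefs whose user.js override weakens a Firefox safety prompt, with the weak value.
# (Assumed watch-list for this example; extend as needed.)
WEAK_FF_PREFS = {
    "security.warn_viewing_mixed": "false",    # no mixed-content warning
    "security.warn_submit_insecure": "false",  # no warning on plaintext form submit
    "network.cookie.cookieBehavior": "0",      # 0 = accept all cookies
}


def orphaned_bhos(dds_text):
    """CLSIDs of BHO entries whose DLL DDS could not resolve (<orphaned>)."""
    out = []
    for line in dds_text.splitlines():
        m = BHO_RE.match(line.strip())
        if m and m.group("target").strip().lower() == "<orphaned>":
            out.append(m.group("clsid").upper())
    return out


def weak_firefox_overrides(dds_text):
    """user.js prefs set to a weak value; user.js re-applies them on every start."""
    found = {}
    for line in dds_text.splitlines():
        m = USERJS_RE.match(line.strip())
        if m and WEAK_FF_PREFS.get(m.group("pref")) == m.group("value").strip():
            found[m.group("pref")] = m.group("value").strip()
    return found


def classify_eset(eset_text):
    """Group ESET detections by where the file sits (bucket names are assumptions)."""
    buckets = defaultdict(list)
    for line in eset_text.splitlines():
        m = ESET_RE.match(line.strip())
        if not m:
            continue
        path, det = m.group("path"), m.group("det")
        low = path.lower()
        if "\\qoobox\\quarantine\\" in low:
            kind = "combofix_quarantine"   # already neutralised, .vir extension
        elif "\\system volume information\\_restore" in low:
            kind = "restore_point"         # copies kept by System Restore
        else:
            kind = "live"                  # still on a mounted volume
        buckets[kind].append((path, det))
    return dict(buckets)


def cfscript_dds_block(dds_text):
    """Rebuild the DDS:: section of a CFScript from the orphaned BHO lines."""
    lines = [ln.strip() for ln in dds_text.splitlines()
             if BHO_RE.match(ln.strip()) and ln.strip().endswith("<orphaned>")]
    return ("DDS::\n" + "\n".join(lines)) if lines else ""


if __name__ == "__main__":
    print(orphaned_bhos(SAMPLE_DDS))
    print(weak_firefox_overrides(SAMPLE_DDS))
    for kind, hits in classify_eset(SAMPLE_ESET).items():
        print(kind, len(hits))
    print(cfscript_dds_block(SAMPLE_DDS))
```

Run as a script it prints the four results; the DDS:: block it rebuilds is the same two BHO lines as the CFScript in this post, which is the kind of cross-check worth making before dragging a script onto ComboFix. The "restore_point" bucket is the one to watch: those copies are not touched by the script and come back if the old restore point is ever used.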

  9. #9
    Senior Member
    Join Date
    Jun 2008
    Posts
    101

    I keep getting these "Windows" updates. I know I need them every now and then, however I'm getting them at each shut down. Is that normal?
    Here's the Combo Log:

    ComboFix 11-07-17.03 - Dad 07/18/2011 23:25:32.4.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.428 [GMT -5:00]
    Running from: c:\documents and settings\Dad.YOUR-4DACD0EA75\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Dad.YOUR-4DACD0EA75\Desktop\CFScript.txt
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\all users\application data\AVG10(2)
    c:\documents and settings\all users\application data\AVG10(2)\Chjw(2)\d60849070848e7d7.dat
    c:\documents and settings\all users\application data\AVG10(2)\log(2)\avgchjw.log
    c:\documents and settings\all users\application data\AVG10(2)\log(2)\avgchjw.log.lock
    c:\documents and settings\all users\application data\AVG10(2)\log(2)\avgchjwsrv.log
    c:\documents and settings\all users\application data\AVG10(2)\log(2)\avgchjwsrv.log.lock
    c:\documents and settings\all users\application data\AVG10(2)\log(2)\avgldr.log
    c:\documents and settings\all users\application data\AVG10(2)\log(2)\avgldr.log.lock
    c:\documents and settings\all users\application data\AVG10(2)\log(2)\avgrs.log
    c:\documents and settings\all users\application data\AVG10(2)\log(2)\avgrs.log.lock
    c:\documents and settings\all users\application data\AVG10(2)\log(2)\avgtdi.log
    c:\documents and settings\all users\application data\AVG10(2)\log(2)\avgtdi.log.lock
    c:\documents and settings\all users\application data\MFAData
    c:\documents and settings\all users\application data\MFAData\logs\mfa-20110701-033831.log
    c:\documents and settings\all users\application data\MFAData\logs\mfa-20110701-035540.log
    c:\documents and settings\all users\application data\MFAData\logs\mfa-20110701-042630.log
    c:\documents and settings\all users\application data\MFAData\logs\mfa-20110701-044128.log
    c:\documents and settings\all users\application data\MFAData\logs\mfa-20110701-045354.log
    c:\documents and settings\all users\application data\MFAData\logs\mfa-20110701-161943.log
    c:\documents and settings\all users\application data\MFAData\logs\mfa-20110716-205514.log
    c:\documents and settings\all users\application data\MFAData\logs\mfa-20110716-205558.log
    c:\documents and settings\all users\application data\MFAData\logs\msi-20110701-033831.log
    c:\documents and settings\all users\application data\MFAData\logs\msi-20110701-042630.log
    c:\documents and settings\all users\application data\MFAData\logs\msi-20110701-044128.log
    c:\documents and settings\all users\application data\MFAData\logs\msi-20110701-161943.log
    c:\documents and settings\all users\application data\MFAData\logs\msi-20110716-205558.log
    c:\documents and settings\all users\application data\MFAData\mfaurlconf.ini
    c:\documents and settings\all users\application data\MFAData\mkt\hi\dm_marketing_message-hi.html
    c:\documents and settings\all users\application data\MFAData\mkt\hi\Installation-Page_LinkScanner.html
    c:\documents and settings\all users\application data\MFAData\mkt\hi\Installation-Page_Smart-Scanning.html
    c:\documents and settings\all users\application data\MFAData\mkt\hi\Installation-Page_Social-Networking.html
    c:\documents and settings\all users\application data\MFAData\mkt\hi\Toolbar_wotoolbar.html
    c:\documents and settings\all users\application data\MFAData\mkt\res\LinkScanner-style.css
    c:\documents and settings\all users\application data\MFAData\mkt\res\LinkScanner.jpg
    c:\documents and settings\all users\application data\MFAData\mkt\res\OK.png
    c:\documents and settings\all users\application data\MFAData\mkt\res\Smart-Scanning.jpg
    c:\documents and settings\all users\application data\MFAData\mkt\res\SmartScanning-style.css
    c:\documents and settings\all users\application data\MFAData\mkt\res\Social-Networking.jpg
    c:\documents and settings\all users\application data\MFAData\mkt\res\SocialNetworking-style.css
    c:\documents and settings\all users\application data\MFAData\mkt\res\Toolbar-Selected.jpg
    c:\documents and settings\all users\application data\MFAData\mkt\res\Toolbar-Unselected.jpg
    c:\documents and settings\all users\application data\MFAData\mkt\res\ToolbarSelected-style.css
    c:\documents and settings\all users\application data\MFAData\mkt\res\ToolbarUnselected-style.css
    c:\documents and settings\all users\application data\MFAData\mkt\us\dm_marketing_message-en-us.html
    c:\documents and settings\all users\application data\MFAData\mkt\us\Installation-Page_LinkScanner.html
    c:\documents and settings\all users\application data\MFAData\mkt\us\Installation-Page_Smart-Scanning.html
    c:\documents and settings\all users\application data\MFAData\mkt\us\Installation-Page_Social-Networking.html
    c:\documents and settings\all users\application data\MFAData\mkt\us\Toolbar_wotoolbar.html
    c:\documents and settings\all users\application data\MFAData\pack\avg10infoavi.ctf
    c:\documents and settings\all users\application data\MFAData\pack\avg10infooi.ctf
    c:\documents and settings\all users\application data\MFAData\pack\avg10infowin.ctf
    c:\documents and settings\all users\application data\MFAData\pack\Avgx86.msi
    c:\documents and settings\all users\application data\MFAData\pack\bins\f10antirkx1388ru.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\f10antivirx1388zm.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\f10avgx1388bi.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\f10avgx1390fi.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\f10avisx1388jc.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\f10basex1388zl.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\f10emailsx1388yq.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\f10guix1388nk.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\f10idatx1388hy.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\f10idpx1388wf.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\f10lng_usx1388qx.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\f10onlnscx1388ib.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\f10resshldx1388lb.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\f10srchsrfx1388ig.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\f10sshttpbx1388cu.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\f10tdidrvx1388nr.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\f10toolbarx1388ap.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\f10tuneupx1388nq.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\f10update2x1388qy.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\f10updatex1388km.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\f10xplx1388qs.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\foi10cnet_lic8dn.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\foi10cnet_mis36je.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\foi10cnet_mps31dn.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\foi10free_lic8mi.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\foi10free_mis36lo.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\foi10free_mps31xa.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\poi10ppc2_lic8ql.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\poi10ppc2_mis36or.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\w10alertmgx1388ru.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\w10antirkx1388qr.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\w10antivirx1388hj.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\w10avgx1388ah.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\w10basex1388lj.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\w10corex1516ro.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\w10emailsx1388sb.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\w10guix1388zp.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\w10idatx1388rg.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\w10idpx1388uh.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\w10lng_usx1388nr.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\w10onlnscx1388sb.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\w10rdstx1388um.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\w10resshldx1388oy.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\w10srchsrfx1388ws.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\w10sshttpbx1388ur.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\w10tdidrvx1388xw.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\w10tuneupx1388uy.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\w10update2x1388qs.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\w10updatex1388nq.bin
    c:\documents and settings\all users\application data\MFAData\pack\bins\w10xplx1388tf.bin
    c:\documents and settings\all users\application data\MFAData\pack\cnet_mis.mdf
    c:\documents and settings\all users\application data\MFAData\pack\cnet_mps.mdf
    c:\documents and settings\all users\application data\MFAData\pack\lic.mdf
    c:\documents and settings\all users\application data\MFAData\public_installation_log.xml
    c:\documents and settings\all users\application data\MFAData\public_installation_log_resume.xml
    c:\documents and settings\all users\application data\MFAData\SelfUpd\avgmfapx.exe
    c:\documents and settings\all users\application data\MFAData\SelfUpd\avgmfarx.dll
    c:\documents and settings\all users\application data\MFAData\SelfUpd\avgntdumpx.exe
    c:\documents and settings\all users\application data\MFAData\SelfUpd\avgrunasx.exe
    c:\documents and settings\all users\application data\MFAData\SelfUpd\bins\f10mfa1390b1388ep.bin
    c:\documents and settings\all users\application data\MFAData\SelfUpd\bins\f10mfa1390mu.bin
    c:\documents and settings\all users\application data\MFAData\SelfUpd\bins\f10upd1390b1388gj.bin
    c:\documents and settings\all users\application data\MFAData\SelfUpd\compat.ini
    c:\documents and settings\all users\application data\MFAData\SelfUpd\htmlayout.dll
    c:\documents and settings\all users\application data\MFAData\SelfUpd\license_cz.htm
    c:\documents and settings\all users\application data\MFAData\SelfUpd\license_da.htm
    c:\documents and settings\all users\application data\MFAData\SelfUpd\license_es.htm
    c:\documents and settings\all users\application data\MFAData\SelfUpd\license_fr.htm
    c:\documents and settings\all users\application data\MFAData\SelfUpd\license_ge.htm
    c:\documents and settings\all users\application data\MFAData\SelfUpd\license_hu.htm
    c:\documents and settings\all users\application data\MFAData\SelfUpd\license_id.htm
    c:\documents and settings\all users\application data\MFAData\SelfUpd\license_in.htm
    c:\documents and settings\all users\application data\MFAData\SelfUpd\license_it.htm
    c:\documents and settings\all users\application data\MFAData\SelfUpd\license_jp.htm
    c:\documents and settings\all users\application data\MFAData\SelfUpd\license_ko.htm
    c:\documents and settings\all users\application data\MFAData\SelfUpd\license_ms.htm
    c:\documents and settings\all users\application data\MFAData\SelfUpd\license_nl.htm
    c:\documents and settings\all users\application data\MFAData\SelfUpd\license_pb.htm
    c:\documents and settings\all users\application data\MFAData\SelfUpd\license_pl.htm
    c:\documents and settings\all users\application data\MFAData\SelfUpd\license_pt.htm
    c:\documents and settings\all users\application data\MFAData\SelfUpd\license_ru.htm
    c:\documents and settings\all users\application data\MFAData\SelfUpd\license_sc.htm
    c:\documents and settings\all users\application data\MFAData\SelfUpd\license_sk.htm
    c:\documents and settings\all users\application data\MFAData\SelfUpd\license_sp.htm
    c:\documents and settings\all users\application data\MFAData\SelfUpd\license_tr.htm
    c:\documents and settings\all users\application data\MFAData\SelfUpd\license_us.htm
    c:\documents and settings\all users\application data\MFAData\SelfUpd\license_zh.htm
    c:\documents and settings\all users\application data\MFAData\SelfUpd\license_zt.htm
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfaconf.txt
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfacz.lns
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfada.lns
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfaes.lns
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfafr.lns
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfage.lns
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfahu.lns
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfaid.lns
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfain.lns
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfait.lns
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfajp.lns
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfako.lns
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfams.lns
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfanl.lns
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfapb.lns
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfapl.lns
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfapt.lns
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfaru.lns
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfasc.lns
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfask.lns
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfasp.lns
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfatr.lns
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfaus.lns
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfavera.txt
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfaverx.txt
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfazh.lns
    c:\documents and settings\all users\application data\MFAData\SelfUpd\mfazt.lns
    c:\documents and settings\all users\application data\MFAData\state.dat
    c:\windows\system32\drivers\AVG(2)
    c:\windows\system32\drivers\AVG(2)\iavichjw.avm
    c:\windows\system32\drivers\AVG(2)\incavi.avm
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-19 to 2011-07-19 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-18 05:48 . 2011-07-18 05:48 -------- d-----w- c:\program files\ESET
    2011-07-18 05:44 . 2011-07-18 05:44 -------- d-----w- c:\program files\Common Files\Java
    2011-07-18 05:44 . 2011-07-18 05:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-07-18 03:53 . 2011-07-18 03:53 -------- d-----w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Local Settings\Application Data\Identities
    2011-07-18 03:53 . 2011-07-18 03:54 -------- d-----w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Ijewmu
    2011-07-10 03:13 . 2011-07-10 03:13 -------- d-----w- c:\program files\Apple Software Update
    2011-07-10 03:10 . 2011-07-10 03:10 -------- d-----w- c:\program files\iPod
    2011-07-10 03:10 . 2011-07-10 03:12 -------- d-----w- c:\program files\iTunes
    2011-07-10 03:05 . 2011-07-10 03:05 -------- d-----w- c:\program files\Bonjour
    2011-07-03 07:01 . 2011-07-03 07:01 -------- d-----w- c:\program files\ERUNT
    2011-07-03 06:34 . 2011-07-03 06:34 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-07-02 21:03 . 2011-07-02 21:03 -------- d-----w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Malwarebytes
    2011-07-02 20:50 . 2011-07-02 20:50 -------- d-----w- c:\program files\Lavasoft
    2011-06-22 21:20 . 2010-01-01 08:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
    2011-06-22 21:20 . 2010-01-01 08:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-18 05:43 . 2010-05-05 15:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-06-16 14:37 . 2011-05-18 17:16 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-02 14:02 . 2004-08-10 04:00 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-05-02 15:31 . 2004-08-10 04:00 692736 ------w- c:\windows\system32\inetcomm.dll
    2011-04-29 17:25 . 2004-08-10 04:00 151552 ----a-w- c:\windows\system32\schannel.dll
    2011-04-29 17:25 . 2004-08-10 04:00 151552 ----a-w- c:\windows\system32\schannel(2)(2).dll
    2011-04-29 16:19 . 2004-08-10 04:00 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-26 11:07 . 2004-08-10 04:00 33280 ------w- c:\windows\system32\csrsrv.dll
    2011-04-26 11:07 . 2004-08-10 04:00 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-04-25 16:11 . 2004-08-10 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 16:11 . 2004-08-10 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-04-25 16:11 . 2004-08-10 04:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-04-25 12:01 . 2004-08-10 04:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-04-21 13:37 . 2004-08-10 04:00 105472 ------w- c:\windows\system32\drivers\mup.sys
    2011-06-16 04:17 . 2011-05-07 06:56 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Ijewmu ----
    .
    2011-07-18 03:54 . 2011-07-18 04:34 17442 ----a-w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Ijewmu\fimeo.tuh
    2010-09-04 09:38 . 2011-07-18 03:53 426 ----a-w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Ijewmu\fimeo.tuh.0
    .
    ---- Directory of c:\documents and settings\Dad.YOUR-4DACD0EA75\Local Settings\Application Data\Identities ----
    .
    2011-07-18 03:53 . 2011-07-18 03:53 76500 ----a-w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Local Settings\Application Data\Identities\{D190EE07-1887-4595-8F62-6253114299D2}\Microsoft\Outlook Express\Sent Items.dbx
    2011-07-18 03:53 . 2011-07-18 03:53 9656 ----a-w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Local Settings\Application Data\Identities\{D190EE07-1887-4595-8F62-6253114299D2}\Microsoft\Outlook Express\Offline.dbx
    2011-07-18 03:53 . 2011-07-18 03:53 75204 ----a-w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Local Settings\Application Data\Identities\{D190EE07-1887-4595-8F62-6253114299D2}\Microsoft\Outlook Express\Folders.dbx
    2011-07-18 03:53 . 2011-07-18 03:53 142036 ----a-w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Local Settings\Application Data\Identities\{D190EE07-1887-4595-8F62-6253114299D2}\Microsoft\Outlook Express\Inbox.dbx
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-07-16_21.33.45 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-07-18 05:30 . 2011-07-18 05:30 87951 c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    + 2011-06-10 14:01 . 2011-06-10 14:01 86016 c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
    - 2011-03-24 10:34 . 2011-03-24 10:34 73408 c:\windows\system32\Adobe\Shockwave 11\gtapi.dll
    + 2011-06-10 13:47 . 2011-06-10 13:47 73408 c:\windows\system32\Adobe\Shockwave 11\gtapi.dll
    + 2011-06-10 13:47 . 2011-06-10 13:47 64512 c:\windows\system32\Adobe\Shockwave 11\gcapi_dll.dll
    - 2011-03-24 10:34 . 2011-03-24 10:34 64512 c:\windows\system32\Adobe\Shockwave 11\gcapi_dll.dll
    + 2011-06-10 14:02 . 2011-06-10 14:02 12288 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
    + 2011-07-18 05:30 . 2011-07-18 05:30 10134 c:\windows\Installer\{612C34C7-5E90-47D8-9B5C-0F717DD82726}\ARPPRODUCTICON.exe
    + 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
    + 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
    + 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
    + 2011-07-18 05:44 . 2011-07-18 05:43 157472 c:\windows\system32\javaws.exe
    + 2011-07-18 05:44 . 2011-07-18 05:43 145184 c:\windows\system32\javaw.exe
    - 2010-08-01 04:49 . 2010-07-17 10:00 145184 c:\windows\system32\javaw.exe
    + 2011-07-18 05:44 . 2011-07-18 05:43 145184 c:\windows\system32\java.exe
    - 2010-08-01 04:49 . 2010-07-17 10:00 145184 c:\windows\system32\java.exe
    + 2011-06-10 13:47 . 2011-06-10 13:47 279992 c:\windows\system32\Adobe\Shockwave 11\SymCCIS.dll
    + 2011-06-10 14:01 . 2011-06-10 14:01 113664 c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
    + 2011-06-13 08:49 . 2011-06-13 08:49 545208 c:\windows\system32\Adobe\Shockwave 11\SwHelper_1160626.exe
    + 2011-06-10 14:03 . 2011-06-10 14:03 433664 c:\windows\system32\Adobe\Shockwave 11\Proj.dll
    + 2011-06-10 14:02 . 2011-06-10 14:02 364544 c:\windows\system32\Adobe\Shockwave 11\Plugin.dll
    + 2011-06-10 13:51 . 2011-06-10 13:51 989184 c:\windows\system32\Adobe\Shockwave 11\iml32.dll
    + 2011-06-10 14:03 . 2011-06-10 14:03 892416 c:\windows\system32\Adobe\Shockwave 11\gi.dll
    + 2011-06-10 14:01 . 2011-06-10 14:01 541696 c:\windows\system32\Adobe\Shockwave 11\Control.dll
    + 2011-06-13 08:50 . 2011-06-13 08:50 112568 c:\windows\system32\Adobe\Director\SWDNLD.EXE
    + 2011-06-13 08:50 . 2011-06-13 08:50 279480 c:\windows\system32\Adobe\Director\SwDir.dll
    + 2011-06-10 14:02 . 2011-06-10 14:02 145920 c:\windows\system32\Adobe\Director\np32dsw.dll
    + 2011-07-18 05:30 . 2011-07-18 05:30 430592 c:\windows\Installer\d8070.msi
    + 2011-07-18 05:44 . 2011-07-18 05:44 203776 c:\windows\Installer\262d1.msi
    + 2011-07-18 05:43 . 2011-07-18 05:43 675840 c:\windows\Installer\262cb.msi
    - 2011-03-24 10:34 . 2011-03-24 10:34 2314416 c:\windows\system32\Adobe\Shockwave 11\gt.exe
    + 2011-06-10 13:47 . 2011-06-10 13:47 2314416 c:\windows\system32\Adobe\Shockwave 11\gt.exe
    + 2011-06-10 13:53 . 2011-06-10 13:53 1732608 c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-31 202256]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-06-06 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    .
    c:\documents and settings\lexie\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-1 27136]
    .
    c:\documents and settings\DAD\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [N/A]
    PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-1 27136]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ 'autocheck autochk *'
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^DADs^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\documents and settings\DADs\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^DADs^Start Menu^Programs^Startup^Pandora.lnk]
    path=c:\documents and settings\DADs\Start Menu\Programs\Startup\Pandora.lnk
    backup=c:\windows\pss\Pandora.lnkStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^MOM^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\documents and settings\MOM\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^MOM^Start Menu^Programs^Startup^PinMcLnk.lnk]
    path=c:\documents and settings\MOM\Start Menu\Programs\Startup\PinMcLnk.lnk
    backup=c:\windows\pss\PinMcLnk.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2011-06-06 17:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2010-03-12 18:08 49208 -c--a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    2004-03-04 15:46 172032 -c--a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2006-05-09 22:50 7311360 ----a-w- c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2006-05-09 22:50 1519616 ----a-w- c:\windows\system32\nwiz.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    2005-07-23 05:14 237568 -c--a-w- c:\windows\SMINST\Recguard.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 21:07 2260480 -csha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-05-31 22:37 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2a\\RpcAgentSrv.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\WINDOWS\\system32\\javaw.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Avaya\\Avaya one-X Communicator\\SparkEmulator.exe"=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2a\\WNt500x86\\RpcSandraSrv.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)
    .
    R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite XII.SP2a\RpcAgentSrv.exe [4/12/2008 7:27 PM 98488]
    R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [3/28/2008 5:39 PM 370360]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 11:42 AM 135664]
    S3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\Drivers\ubVeo532.sys --> c:\windows\system32\Drivers\ubVeo532.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 11:42 AM 135664]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-13 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
    .
    2011-07-19 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-19 02:34]
    .
    2011-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:42]
    .
    2011-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:42]
    .
    2011-07-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1009.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1014.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1015.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1016.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1009.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1014.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1015.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-07-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1016.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
    .
    2011-05-05 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-06-30 16:43]
    .
    2011-07-19 c:\windows\Tasks\User_Feed_Synchronization-{A5BA4143-133C-40B2-AB6F-015DCEDD0290}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ask.com/?l=dis&o=14196
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    Trusted Zone: trymedia.com
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    FF - ProfilePath - c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles\37fti8ke.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=en#t_0
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-07-18 23:38
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
    "5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
    "5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
    "AB141C35E9F4BF344B9FC010BB17F68A"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}\\Registered"
    .
    Completion time: 2011-07-18 23:42:16
    ComboFix-quarantined-files.txt 2011-07-19 04:42
    ComboFix2.txt 2011-07-18 06:20
    ComboFix3.txt 2011-07-18 05:22
    ComboFix4.txt 2011-07-16 21:38
    .
    Pre-Run: 111,723,745,280 bytes free
    Post-Run: 111,731,519,488 bytes free
    .
    - - End Of File - - 6778EEEB377433496ACC24465FDBD4A7

  10. #10
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Delete c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Ijewmu folder.


    I keep getting these "Windows" updates. I know I need them every now and then, however I'm getting them at each shut down. Is that normal?
    All important updates offered by Windows Update should be installed ASAP. Have you installed them? Please install all important updates offered and see if you still get the same ones after that.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
