Blue screen

[Fatboyjim]

Hi, I picked up some malware and I came here to try download the spybot for a fix. I first tried dowloading spybot, that will not install/run, same for HJT (blue screen). I have managed to download and run ERUNT as per the instructions here.

Where do I go from here?

 

[Blade81]

Hi,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

• When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt
• Save both reports to your desktop. Post them back to your topic.

Download GMER here by clicking download exe -button and then saving it your desktop:

• Double-click .exe that you downloaded
• Click rootkit-tab and then scan.
• Don't check
  Show All
  box while scanning in progress!
• When scanning is ready, click Copy.
• This copies log to clipboard
• Post log in your reply.

 

[Fatboyjim]

Thank you! I guess one problem is the Explorer.EXE here? I have seen this mentioned on another thread while browsing.

_____


DDS (Ver_09-06-26.01) - NTFSx86
Run by James at 23:15:10.10 on 22/07/2009
Internet Explorer: 8.0.6001.18783
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1021.493 [GMT 1:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\dlcfcoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Users\James\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\James\AppData\Local\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\msfeedssync.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\James\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program

files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows

live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Google Update] "c:\users\james\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [DLCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCFtime.dll,_RunDLLEntry@16
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\james\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUplden-gb.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
TCP: NameServer = 85.255.112.84,85.255.112.80
TCP: {2043C3A7-1431-4D9E-8EE7-18B9421892D2} = 192.168.0.1
TCP: {6C33A269-D555-4759-9815-FE13DA5B46AB} = 85.255.112.84,85.255.112.80
TCP: {6CCE0C17-EFCB-4B30-AC8C-2E5E49CCED1E} = 85.255.112.84,85.255.112.80
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\james\appdata\roaming\mozilla\firefox\profiles\w7qne9e8.default\
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\james\appdata\local\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-7-16 133104]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-2-18 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]

=============== Created Last 30 ================

2009-07-21 23:52 <DIR> --d----- c:\program files\Trend Micro
2009-07-21 19:50 <DIR> --d----- c:\users\james\appdata\roaming\Folding@home-x86
2009-07-21 19:50 <DIR> --d----- c:\program files\Folding@home
2009-07-21 19:19 <DIR> --d----- c:\users\james\appdata\roaming\AVG8
2009-07-14 23:32 339,968 a------- c:\windows\system32\pythoncom25.dll
2009-07-14 23:32 114,688 a------- c:\windows\system32\pywintypes25.dll
2009-07-14 23:32 2,117,632 a------- c:\windows\system32\python25.dll
2009-07-14 23:32 1,332,197 a------- c:\windows\system32\pythondll.zip
2009-07-14 20:22 156,672 a------- c:\windows\system32\t2embed.dll
2009-07-14 20:22 72,704 a------- c:\windows\system32\fontsub.dll
2009-07-14 20:22 289,792 a------- c:\windows\system32\atmfd.dll
2009-07-14 20:22 10,240 a------- c:\windows\system32\dciman32.dll
2009-07-13 01:48 <DIR> --d----- c:\program files\VideoLAN

==================== Find3M ====================

2009-07-22 00:20 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-22 00:20 86,016 a------- c:\windows\inf\infstor.dat
2009-07-22 00:20 51,200 a------- c:\windows\inf\infpub.dat
2009-05-09 06:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 06:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-05-01 22:02 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-05-01 22:02 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-05-01 22:02 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-05-01 22:02 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-05-01 22:02 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-05-01 22:02 685,056 a------- c:\windows\system32\DivX.dll
2009-04-30 13:37 293,376 a------- c:\windows\system32\psisdecd.dll
2009-04-30 13:37 428,544 a------- c:\windows\system32\EncDec.dll
2009-04-19 19:22 56 a---h--- c:\programdata\ezsidmv.dat
2009-04-19 19:22 56 a---h--- c:\progra~2\ezsidmv.dat
2008-12-24 16:09 464 a------- c:\users\james\appdata\roaming\wklnhst.dat
2008-12-03 19:36 174 a--sh--- c:\program files\desktop.ini
2008-12-03 19:27 665,600 a------- c:\windows\inf\drvindex.dat
2008-12-01 17:13 22,328 a------- c:\users\james\appdata\roaming\PnkBstrK.sys
2008-11-10 13:42 61,224 a------- c:\users\james\GoToAssistDownloadHelper.exe
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 23:15:56.03 ===============

 

[Fatboyjim]

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 08/09/2008 22:15:56
System Uptime: 22/07/2009 11:35:24 (12 hours ago)

Motherboard: Dell Inc. | | 0RY007
Processor: Intel(R) Core(TM)2 CPU 4300 @ 1.80GHz | Socket 775 | 1800/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 288 GiB total, 136.091 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 3.337 GiB free.
E: is CDROM (UDF)
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: Nokia Windows Portable Device Driver
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia 6500s-1
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd

==== System Restore Points ===================

RP411: 21/07/2009 19:48:59 - Installed Folding@home-x86
RP412: 22/07/2009 00:18:26 - Removed Nokia Connectivity Cable Driver
RP413: 22/07/2009 12:20:54 - Scheduled Checkpoint

==== Installed Programs ======================

AAC Decoder
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1.2
Adobe Shockwave Player
AGEIA PhysX v7.11.13
Amazing Adventures: The Lost Tomb Demo
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
AutoUpdate
Belkin 54g USB Network Adapter
Bonjour
Call of Duty(R) - World at War(TM) 1.1 Patch
CDCheck
Choice Guard
Dell Color Printer 725
Dell Resource CD
Digital Line Detect
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
Download Manager 2.3.7
ERUNT 1.1j
FirstClass® Client
FlashLynx Video Download Software
FLV to AVI 1.2
Folding@home-x86
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
GoToAssist 8.0.0.514
Gravitron 2
H.264 Decoder
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) PRO Network Connections 12.1.11.0
iTunes
Java(TM) 6 Update 13
Java(TM) 6 Update 7
Junk Mail filter update
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Live Add-in 1.4
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
MKV Splitter
MobileMe Control Panel
Mozilla Firefox (3.5)
MSN Toolbar
MSVCRT
MSXML 4.0 SP2 (KB954430)
NCH Toolbox
NVIDIA Drivers
OpenAL
PangYa_Eu (Goa)
PC Connectivity Solution
Peggle Deluxe Demo
Pixillion Image Converter
Prism Video Converter
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler
Roxio Update Manager
Safari
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Sky Broadband
Sonic Activation Module
Spelling Dictionaries Support For Adobe Reader 9
Spotify
Steam
Switch Sound File Converter
System Requirements Lab
Team Fortress 2
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VC80CRTRedist - 8.0.50727.762
VideoPad Video Editor
VLC media player 1.0.0
Windows Driver Package - Nokia (WUDFRd) WPD (06/01/2007 6.84.33.0)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker Beta
Windows Live OneCare safety scanner
Windows Live Photo Gallery
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Player Firefox Plugin
Xvid 1.2.1 final uninstall
Zuma Deluxe Demo

==== End Of File ===========================

 

[Fatboyjim]

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-22 23:35:19
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

Code 860A12E8 ZwEnumerateKey
Code 860AF320 ZwFlushInstructionCache
Code 8609F2BD IofCallDriver
Code 86121526 IofCompleteRequest
Code 860AF2E5 ZwSaveKey
Code 860B13C5 ZwSaveKeyEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCompleteRequest 82046FE2 5 Bytes JMP 8612152B
.text ntkrnlpa.exe!ZwSaveKey 82063664 5 Bytes JMP 860AF2EA
.text ntkrnlpa.exe!ZwSaveKeyEx 82063678 5 Bytes JMP 860B13CA
.text ntkrnlpa.exe!IofCallDriver 820C8F6F 5 Bytes JMP 8609F2C2
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 821BF30B 5 Bytes JMP 860AF324
PAGE ntkrnlpa.exe!ZwEnumerateKey 82214BA2 5 Bytes JMP 860A12EC

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----

 

[Blade81]

Hi again,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.



Please continue as follows:

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
   Remember to re-enable them afterwards.
   
   
2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

 

[Fatboyjim]

I can't seem to run ComboFix. I downloaded to desktop, shut firefox down, turned off windows firewall and defender. I assume the malware is preventing it running? Anything else I can try?

 

[Blade81]

Hi,

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Download Combofix*from any of the links below. You must*rename it (to Fatboyjim.exe for example) before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe*& follow the prompts.

• When finished, it will produce a report for you.
• Please post the C:\ComboFix.txt along with a dds.txt log*so we can continue cleaning the system.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

 

[Fatboyjim]

ComboFix 09-07-22.05 - James 23/07/2009 15:18.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1021.241 [GMT 1:00]
Running from: c:\users\James\Desktop\fatboy.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\windows\System32\drivers\ESQULdfqswbhvinndpkoxmsnqopuvigcwrppv.sys
c:\windows\system32\ESQULaupxibbxmepujibsnmbjwtiitmxyssuf.dll
c:\windows\system32\ESQULevskieesifrskppqytkyhlqwthqcttpc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ESQULserv.sys
-------\Service_ESQULserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-23 to 2009-07-23 )))))))))))))))))))))))))))))))
.

2009-07-23 14:26 . 2009-07-23 16:00 -------- d-----w- c:\users\James\AppData\Local\temp
2009-07-23 07:59 . 2009-07-23 08:01 -------- d-----w- c:\program files\QuickTime
2009-07-22 09:39 . 2009-07-22 09:39 2338816 ----a-w- c:\users\James\AppData\Roaming\Folding@home-x86\FahCore_78.exe
2009-07-21 23:11 . 2009-07-21 23:12 -------- d-----w- c:\program files\ERUNT
2009-07-21 22:52 . 2009-07-21 22:52 -------- d-----w- c:\program files\Trend Micro
2009-07-21 18:50 . 2009-07-21 18:50 10134 ----a-r- c:\users\James\AppData\Roaming\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_D153F602E769D1960CE13B.exe
2009-07-21 18:50 . 2009-07-21 18:50 98477 ----a-r- c:\users\James\AppData\Roaming\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_6FEFF9B68218417F98F549.exe
2009-07-21 18:50 . 2009-07-21 18:50 98477 ----a-r- c:\users\James\AppData\Roaming\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_2377D972A0372FCB34E3F7.exe
2009-07-21 18:50 . 2009-07-22 09:40 -------- d-----w- c:\users\James\AppData\Roaming\Folding@home-x86
2009-07-21 18:50 . 2009-07-21 18:50 -------- d-----w- c:\program files\Folding@home
2009-07-21 18:19 . 2009-07-21 18:19 -------- d-----w- c:\users\James\AppData\Roaming\AVG8
2009-07-15 22:26 . 2009-07-15 22:26 390664 ----a-w- c:\users\James\AppData\Roaming\Real\RealPlayer\Update\realplayer11gold.exe
2009-07-15 22:26 . 2009-07-15 22:26 390664 ------w- c:\users\James\AppData\Roaming\Real\Update\temp\~Upg4\realplayer11gold.exe
2009-07-14 22:32 . 2009-07-14 22:32 339968 ----a-w- c:\windows\system32\pythoncom25.dll
2009-07-14 22:32 . 2009-07-14 22:32 114688 ----a-w- c:\windows\system32\pywintypes25.dll
2009-07-14 22:32 . 2009-07-14 22:32 2117632 ----a-w- c:\windows\system32\python25.dll
2009-07-14 22:32 . 2008-09-16 16:26 1332197 ----a-w- c:\windows\system32\pythondll.zip
2009-07-14 19:22 . 2009-06-15 15:24 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-07-14 19:22 . 2009-06-15 15:20 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-07-14 19:22 . 2009-06-15 15:20 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-07-14 19:22 . 2009-06-15 12:52 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-07-13 00:52 . 2009-07-21 10:31 -------- d-----w- c:\users\James\AppData\Roaming\vlc
2009-07-13 00:48 . 2009-07-13 00:48 -------- d-----w- c:\program files\VideoLAN
2009-07-03 22:26 . 2009-07-03 22:26 390664 ----a-w- c:\users\James\AppData\Roaming\Real\Update\temp\~Upg3\realplayer11gold.exe
2009-06-24 22:26 . 2009-06-24 22:26 390664 ----a-w- c:\users\James\AppData\Roaming\Real\Update\temp\~Upg2\realplayer11gold.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-23 12:56 . 2008-11-20 01:19 -------- d-----w- c:\progra~2\Google Updater
2009-07-23 08:06 . 2008-11-24 15:09 -------- d-----w- c:\program files\Dl_cats
2009-07-22 23:06 . 2008-09-08 21:21 9052 ----a-w- c:\users\James\AppData\Local\d3d9caps.dat
2009-07-22 10:44 . 2008-12-03 16:22 -------- d-----w- c:\program files\Steam
2009-07-21 22:52 . 2009-04-13 16:30 -------- d-----w- c:\users\James\AppData\Roaming\Azureus
2009-07-21 20:32 . 2009-05-17 18:56 -------- d-----w- c:\users\James\AppData\Roaming\Spotify
2009-07-21 10:12 . 2009-06-03 23:44 -------- d-----w- c:\program files\Safari
2009-07-21 10:00 . 2008-09-10 17:48 -------- d-----w- c:\program files\iTunes
2009-07-21 10:00 . 2008-09-10 17:48 -------- d-----w- c:\program files\iPod
2009-07-21 10:00 . 2008-09-10 17:44 -------- d-----w- c:\program files\Common Files\Apple
2009-07-15 23:35 . 2008-09-19 09:41 -------- d-----w- c:\program files\Google
2009-07-15 00:58 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-07 23:17 . 2009-05-19 15:27 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-07 23:11 . 2008-09-19 20:55 -------- d-----w- c:\program files\DivX
2009-07-03 08:50 . 2008-12-03 16:22 -------- d-----w- c:\program files\Common Files\Steam
2009-07-01 00:17 . 2008-11-28 18:04 -------- d-----w- c:\progra~2\NVIDIA
2009-06-12 22:26 . 2009-06-12 22:26 390664 ----a-w- c:\users\James\AppData\Roaming\Real\Update\temp\~Upg1\realplayer11gold.exe
2009-06-11 09:58 . 2008-09-08 21:22 70176 ----a-w- c:\users\James\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-11 00:57 . 2008-10-08 20:49 -------- d-----w- c:\progra~2\Microsoft Help
2009-06-11 00:53 . 2008-09-18 18:40 -------- d-----w- c:\program files\Microsoft Works
2009-06-01 08:47 . 2009-06-01 08:47 10684866 ----a-w- c:\users\James\AppData\Roaming\Azureus\plugins\azump\mplayer.exe
2009-05-09 05:50 . 2009-06-10 09:21 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 05:34 . 2009-06-10 09:20 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
2009-04-30 12:37 . 2009-06-11 00:23 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-04-30 12:37 . 2009-06-11 00:23 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-07-23 11:06 . 2009-07-08 19:21 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2007-02-21 19:49 . 2007-02-21 19:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-20 39408]
"Google Update"="c:\users\James\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-05-23 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"DLCFCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2006-10-20 73728]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-07 198160]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 92704]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-17 4907008]

c:\users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-11-10 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{00959EC7-4F1A-46C8-8F1C-835D1A321ECF}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{1FCBE58F-FAAE-4C8B-89B5-CCEB9B23CE17}"= UDP:c:\program files\Kontiki\KService.exeelivery Manager Service
"{8A5EC9C1-2B83-4EEF-BBD8-340A83A9A9EB}"= TCP:c:\program files\Kontiki\KService.exeelivery Manager Service
"{100EA001-4DC7-42C5-8C25-E2562960174A}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{A0734E26-240B-47FB-A8A8-CE0BA2410556}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{A7E16BD1-FB93-4C89-BCEB-35197B727D01}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3574BE00-D7EE-4C9E-BE10-8975DF05C358}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{48A64B4E-30B2-4EFD-A172-A0943CFFBA7E}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{10D33C52-660E-4078-9BC8-B84A6381E2A0}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"{52211553-D631-4C63-BD60-8B0D035D6773}"= UDP:c:\windows\System32\dlcfcoms.exe:Lexmark Communications System
"{14297CAD-C931-441E-8CFE-84446BBB8AD0}"= TCP:c:\windows\System32\dlcfcoms.exe:Lexmark Communications System
"{81C22815-E219-4726-B91D-C53142B5198F}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\dlcfpswx.exerinter Status Window
"{DE4A24E2-D746-485A-9239-B8876795E862}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\dlcfpswx.exerinter Status Window
"{8C8D0F2D-4F93-4AF0-AF9E-F7DC6FA3397C}"= UDP:c:\windows\System32\PnkBstrA.exenkBstrA
"{96A634F0-3F73-4C2A-90DD-B042B2520D22}"= TCP:c:\windows\System32\PnkBstrA.exenkBstrA
"{81BBB98F-5CAC-4438-90D7-4B2036100D46}"= UDP:c:\windows\System32\PnkBstrB.exenkBstrB
"{264A7B61-8BE1-4D2C-9F43-093ED3F3227B}"= TCP:c:\windows\System32\PnkBstrB.exenkBstrB
"{E79EE1C4-1246-4380-A828-35FAED385786}"= UDP:c:\program files\Steam\steamapps\common\zuma deluxe\Zuma.exe:Zuma Deluxe
"{FFE765E4-A161-4D2B-81B2-D0D23E640E41}"= TCP:c:\program files\Steam\steamapps\common\zuma deluxe\Zuma.exe:Zuma Deluxe
"{129AC2B5-2733-4585-8BEC-993CBD50817C}"= UDP:c:\program files\Steam\steamapps\common\peggle deluxe\Peggle.exeeggle Deluxe
"{BCCFE4D9-9A6D-4A9E-9A59-19D53E23A3E3}"= TCP:c:\program files\Steam\steamapps\common\peggle deluxe\Peggle.exeeggle Deluxe
"{5C530BCD-5F54-447A-8B57-2B845A5BC11E}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"{319975AC-6D86-4763-A6C2-B16AB8F53F3E}"= UDP:c:\program files\Steam\steamapps\common\gravitron2\Gravitron2.exe:Gravitron 2
"{B95C72E6-539A-42D7-9C05-2EBCABDCCAB1}"= TCP:c:\program files\Steam\steamapps\common\gravitron2\Gravitron2.exe:Gravitron 2
"{B768E137-7E8B-4FBD-8096-F9371D9819D0}"= UDP:c:\program files\Steam\steamapps\common\amazing adventures the lost tomb\AmazingAdventures.exe:Amazing Adventures: The Lost Tomb
"{8DBC5050-87DB-431E-AB43-52A5B95E308B}"= TCP:c:\program files\Steam\steamapps\common\amazing adventures the lost tomb\AmazingAdventures.exe:Amazing Adventures: The Lost Tomb
"{F3529703-A70F-419A-B820-C135C47AA8F2}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{7D3E943B-E742-41DF-A59D-6B031220EC8E}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{E3BD7469-F26B-4DA6-8213-B5C74900B87C}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{6B8FEDB0-1858-48FF-A5F3-B14E745CAB65}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{71B9F956-DCE1-41C9-9989-3C2B7D981F3F}c:\\program files\\novalogic\\delta force black hawk down\\update.exe"= UDP:c:\program files\novalogic\delta force black hawk down\update.exe:UPDATE
"UDP Query User{C36D8D4A-A815-418D-A0F6-18A410BFEB68}c:\\program files\\novalogic\\delta force black hawk down\\update.exe"= TCP:c:\program files\novalogic\delta force black hawk down\update.exe:UPDATE
"{E8156A9B-A436-4ABD-BBDD-DC1B84EC324C}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{A62CF99B-8FBF-44A0-8C3B-F57B20FF34BF}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{749E1008-B574-4E3C-B814-9FDF945D1DA1}"= UDP:c:\program files\Microsoft Games\Age of Empires III\age3.exe:Age of Empires III
"{9F78C368-213C-44A0-B0A0-70412E35C71D}"= TCP:c:\program files\Microsoft Games\Age of Empires III\age3.exe:Age of Empires III
"TCP Query User{7406BEF0-4F68-4846-A4B4-6BDED48228F7}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{97AD382F-28C8-4FBC-95DD-3862EF9FEBF3}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"TCP Query User{7B829B41-1CA5-4733-932C-9CF2FA8AF657}c:\\program files\\goa\\gunbound\\gunbound.gme"= UDP:c:\program files\goa\gunbound\gunbound.gme:GunBound
"UDP Query User{08C02C24-5909-4637-AD5D-334901606D15}c:\\program files\\goa\\gunbound\\gunbound.gme"= TCP:c:\program files\goa\gunbound\gunbound.gme:GunBound
"TCP Query User{03F7385F-12CE-4374-A68B-0490C669E588}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{5FC9D651-F776-48C0-AA5B-04C4D440F091}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"TCP Query User{C959DBC4-5275-4348-AC19-F43A3A7F3F1F}c:\\program files\\spotify\\spotify.exe"= UDP:c:\program files\spotify\spotify.exe:Spotify
"UDP Query User{1D2233DB-2DF0-4613-B818-0E11889EDE5C}c:\\program files\\spotify\\spotify.exe"= TCP:c:\program files\spotify\spotify.exe:Spotify
"TCP Query User{E4AD4DC4-4199-4C5E-A908-C520D696F99B}c:\\program files\\steam\\steamapps\\jamster1981\\team fortress 2\\hl2.exe"= UDP:c:\program files\steam\steamapps\jamster1981\team fortress 2\hl2.exe:hl2
"UDP Query User{AA8398EA-959C-48D3-98AC-C03C23518947}c:\\program files\\steam\\steamapps\\jamster1981\\team fortress 2\\hl2.exe"= TCP:c:\program files\steam\steamapps\jamster1981\team fortress 2\hl2.exe:hl2
"{65D262BF-AD48-4814-91EA-A5BEEB125143}"= UDP:c:\program files\Kontiki\KService.exeelivery Manager Service
"{942100DF-35F6-46E8-B40A-3D02CDA65BF6}"= TCP:c:\program files\Kontiki\KService.exeelivery Manager Service
"TCP Query User{89765598-5C3A-45F9-AB1F-4700DB743E5F}c:\\program files\\videolan\\vlc\\vlc.exe"= UDP:c:\program files\videolan\vlc\vlc.exe:VLC media player
"UDP Query User{4DCDC5D0-87C1-408A-923C-F550A2D774A0}c:\\program files\\videolan\\vlc\\vlc.exe"= TCP:c:\program files\videolan\vlc\vlc.exe:VLC media player
"{A07042AD-28F9-4DAE-8057-86005242E815}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{468A21D0-E39B-4DFB-A6BB-415581952D1E}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [05/12/2007 06:17 77824]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE [30/03/2009 16:28 1533808]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [16/07/2009 00:11 133104]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [18/02/2009 05:53 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 19:08 533360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
Notify-GoToAssist - c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
TCP: {2043C3A7-1431-4D9E-8EE7-18B9421892D2} = 192.168.0.1
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\w7qne9e8.default\
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\James\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-23 17:00
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCFCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\dlcfcoms.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\users\James\AppData\Local\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-23 17:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-23 16:06

Pre-Run: 150,523,625,472 bytes free
Post-Run: 150,455,529,472 bytes free

292 --- E O F --- 2009-07-15 00:58

 

[Blade81]

Hi,

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

Azureus/Vuze
LimeWire


I'd like you to read this thread.

Please go to Control Panel > Programs and Features and uninstall the programs listed above (in red) if still exist.


After that:

Uninstall this vulnerable Java:
Java(TM) 6 Update 7


Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\users\James\AppData\Roaming\Azureus
c:\program files\vuze
c:\program files\LimeWire

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{100EA001-4DC7-42C5-8C25-E2562960174A}"=-
"{A0734E26-240B-47FB-A8A8-CE0BA2410556}"=-
"TCP Query User{7406BEF0-4F68-4846-A4B4-6BDED48228F7}c:\\program files\\vuze\\azureus.exe"=-
"UDP Query User{97AD382F-28C8-4FBC-95DD-3862EF9FEBF3}c:\\program files\\vuze\\azureus.exe"=-
"TCP Query User{03F7385F-12CE-4374-A68B-0490C669E588}c:\\program files\\vuze\\azureus.exe"=-
"UDP Query User{5FC9D651-F776-48C0-AA5B-04C4D440F091}c:\\program files\\vuze\\azureus.exe"=-

DDS::
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows and refering to the picture above, drag CFScript into fatboy.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

 

[Fatboyjim]

DDS (Ver_09-06-26.01) - NTFSx86
Run by James at 18:43:03.81 on 23/07/2009
Internet Explorer: 8.0.6001.18783
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1021.316 [GMT 1:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\dlcfcoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Users\James\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\James\AppData\Local\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\Explorer.exe
C:\Users\James\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Google Update] "c:\users\james\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [DLCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCFtime.dll,_RunDLLEntry@16
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\users\james\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUplden-gb.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
TCP: {2043C3A7-1431-4D9E-8EE7-18B9421892D2} = 192.168.0.1

================= FIREFOX ===================

FF - ProfilePath - c:\users\james\appdata\roaming\mozilla\firefox\profiles\w7qne9e8.default\
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\james\appdata\local\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-7-16 133104]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-2-18 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]

=============== Created Last 30 ================

2009-07-23 17:00 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-07-23 15:13 219,648 a------- c:\windows\PEV.exe
2009-07-23 15:13 161,792 a------- c:\windows\SWREG.exe
2009-07-23 15:13 98,816 a------- c:\windows\sed.exe
2009-07-21 23:52 <DIR> --d----- c:\program files\Trend Micro
2009-07-21 19:50 <DIR> --d----- c:\users\james\appdata\roaming\Folding@home-x86
2009-07-21 19:50 <DIR> --d----- c:\program files\Folding@home
2009-07-21 19:19 <DIR> --d----- c:\users\james\appdata\roaming\AVG8
2009-07-21 11:21 4 a------- c:\windows\system32\ESQULzcounter
2009-07-14 23:32 339,968 a------- c:\windows\system32\pythoncom25.dll
2009-07-14 23:32 114,688 a------- c:\windows\system32\pywintypes25.dll
2009-07-14 23:32 2,117,632 a------- c:\windows\system32\python25.dll
2009-07-14 23:32 1,332,197 a------- c:\windows\system32\pythondll.zip
2009-07-14 20:22 156,672 a------- c:\windows\system32\t2embed.dll
2009-07-14 20:22 72,704 a------- c:\windows\system32\fontsub.dll
2009-07-14 20:22 289,792 a------- c:\windows\system32\atmfd.dll
2009-07-14 20:22 10,240 a------- c:\windows\system32\dciman32.dll
2009-07-13 01:48 <DIR> --d----- c:\program files\VideoLAN

==================== Find3M ====================

2009-07-22 00:20 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-22 00:20 86,016 a------- c:\windows\inf\infstor.dat
2009-07-22 00:20 51,200 a------- c:\windows\inf\infpub.dat
2009-05-09 06:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 06:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-05-01 22:02 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-05-01 22:02 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-05-01 22:02 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-05-01 22:02 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-05-01 22:02 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-05-01 22:02 685,056 a------- c:\windows\system32\DivX.dll
2009-04-30 13:37 293,376 a------- c:\windows\system32\psisdecd.dll
2009-04-30 13:37 428,544 a------- c:\windows\system32\EncDec.dll
2009-04-19 19:22 56 a---h--- c:\programdata\ezsidmv.dat
2009-04-19 19:22 56 a---h--- c:\progra~2\ezsidmv.dat
2008-12-24 16:09 464 a------- c:\users\james\appdata\roaming\wklnhst.dat
2008-12-03 19:36 174 a--sh--- c:\program files\desktop.ini
2008-12-03 19:27 665,600 a------- c:\windows\inf\drvindex.dat
2008-12-01 17:13 22,328 a------- c:\users\james\appdata\roaming\PnkBstrK.sys
2008-11-10 13:42 61,224 a------- c:\users\james\GoToAssistDownloadHelper.exe
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 18:43:39.43 ===============

 

[Fatboyjim]

I removed Azureus yesterday as that is where the problem came from. I may have something to do with limewire in the windows.old.000 folder (i have not used it since window reinstall). I cannot delete the windows old folder though :sad:. Access is denied.

I've gone into the roaming/appdata folder and removed the azureus folder there. I will not use this or P2P again..


ComboFix 09-07-23.01 - James 23/07/2009 19:10.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1021.270 [GMT 1:00]
Running from: c:\users\James\Desktop\fatboy.exe
Command switches used :: c:\users\James\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job

.
((((((((((((((((((((((((( Files Created from 2009-06-23 to 2009-07-23 )))))))))))))))))))))))))))))))
.

2009-07-23 18:19 . 2009-07-23 18:19 -------- d-----w- c:\users\James\AppData\Local\temp
2009-07-23 07:59 . 2009-07-23 08:01 -------- d-----w- c:\program files\QuickTime
2009-07-22 09:39 . 2009-07-22 09:39 2338816 ----a-w- c:\users\James\AppData\Roaming\Folding@home-x86\FahCore_78.exe
2009-07-21 23:11 . 2009-07-21 23:12 -------- d-----w- c:\program files\ERUNT
2009-07-21 22:52 . 2009-07-21 22:52 -------- d-----w- c:\program files\Trend Micro
2009-07-21 18:50 . 2009-07-21 18:50 10134 ----a-r- c:\users\James\AppData\Roaming\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_D153F602E769D1960CE13B.exe
2009-07-21 18:50 . 2009-07-21 18:50 98477 ----a-r- c:\users\James\AppData\Roaming\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_6FEFF9B68218417F98F549.exe
2009-07-21 18:50 . 2009-07-21 18:50 98477 ----a-r- c:\users\James\AppData\Roaming\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_2377D972A0372FCB34E3F7.exe
2009-07-21 18:50 . 2009-07-22 09:40 -------- d-----w- c:\users\James\AppData\Roaming\Folding@home-x86
2009-07-21 18:50 . 2009-07-21 18:50 -------- d-----w- c:\program files\Folding@home
2009-07-21 18:19 . 2009-07-21 18:19 -------- d-----w- c:\users\James\AppData\Roaming\AVG8
2009-07-21 09:49 . 2009-07-21 09:49 75040 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-15 22:26 . 2009-07-15 22:26 390664 ----a-w- c:\users\James\AppData\Roaming\Real\RealPlayer\Update\realplayer11gold.exe
2009-07-15 22:26 . 2009-07-15 22:26 390664 ------w- c:\users\James\AppData\Roaming\Real\Update\temp\~Upg4\realplayer11gold.exe
2009-07-14 22:32 . 2009-07-14 22:32 339968 ----a-w- c:\windows\system32\pythoncom25.dll
2009-07-14 22:32 . 2009-07-14 22:32 114688 ----a-w- c:\windows\system32\pywintypes25.dll
2009-07-14 22:32 . 2009-07-14 22:32 2117632 ----a-w- c:\windows\system32\python25.dll
2009-07-14 22:32 . 2008-09-16 16:26 1332197 ----a-w- c:\windows\system32\pythondll.zip
2009-07-14 19:22 . 2009-06-15 15:24 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-07-14 19:22 . 2009-06-15 15:20 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-07-14 19:22 . 2009-06-15 15:20 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-07-14 19:22 . 2009-06-15 12:52 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-07-13 00:52 . 2009-07-21 10:31 -------- d-----w- c:\users\James\AppData\Roaming\vlc
2009-07-13 00:48 . 2009-07-13 00:48 -------- d-----w- c:\program files\VideoLAN
2009-07-03 22:26 . 2009-07-03 22:26 390664 ----a-w- c:\users\James\AppData\Roaming\Real\Update\temp\~Upg3\realplayer11gold.exe
2009-06-24 22:26 . 2009-06-24 22:26 390664 ----a-w- c:\users\James\AppData\Roaming\Real\Update\temp\~Upg2\realplayer11gold.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-23 18:01 . 2008-09-19 18:27 -------- d-----w- c:\program files\Java
2009-07-23 12:56 . 2008-11-20 01:19 -------- d-----w- c:\programdata\Google Updater
2009-07-23 08:06 . 2008-11-24 15:09 -------- d-----w- c:\program files\Dl_cats
2009-07-22 23:06 . 2008-09-08 21:21 9052 ----a-w- c:\users\James\AppData\Local\d3d9caps.dat
2009-07-22 10:44 . 2008-12-03 16:22 -------- d-----w- c:\program files\Steam
2009-07-21 20:32 . 2009-05-17 18:56 -------- d-----w- c:\users\James\AppData\Roaming\Spotify
2009-07-21 10:12 . 2009-06-03 23:44 -------- d-----w- c:\program files\Safari
2009-07-21 10:00 . 2008-09-10 17:48 -------- d-----w- c:\program files\iTunes
2009-07-21 10:00 . 2008-09-10 17:48 -------- d-----w- c:\program files\iPod
2009-07-21 10:00 . 2008-09-10 17:44 -------- d-----w- c:\program files\Common Files\Apple
2009-07-15 23:35 . 2008-09-19 09:41 -------- d-----w- c:\program files\Google
2009-07-15 00:58 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-07 23:17 . 2009-05-19 15:27 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-07 23:11 . 2008-09-19 20:55 -------- d-----w- c:\program files\DivX
2009-07-03 08:50 . 2008-12-03 16:22 -------- d-----w- c:\program files\Common Files\Steam
2009-07-01 00:17 . 2008-11-28 18:04 -------- d-----w- c:\programdata\NVIDIA
2009-06-17 01:25 . 2009-05-15 11:45 148 ----a-w- c:\programdata\SafeNet Sentinel\Sentinel RMS Development Kit\System\prsgrc.dll
2009-06-12 22:26 . 2009-06-12 22:26 390664 ----a-w- c:\users\James\AppData\Roaming\Real\Update\temp\~Upg1\realplayer11gold.exe
2009-06-11 09:58 . 2008-09-08 21:22 70176 ----a-w- c:\users\James\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-11 00:57 . 2008-10-08 20:49 -------- d-----w- c:\programdata\Microsoft Help
2009-06-11 00:53 . 2008-09-18 18:40 -------- d-----w- c:\program files\Microsoft Works
2009-05-13 15:07 . 2009-01-06 09:06 8192 ----a-w- c:\programdata\Installations\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\Installations\CommonCustomActions\UninstCCD.exe
2009-05-13 15:07 . 2009-01-06 09:06 61440 ----a-w- c:\programdata\Installations\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\Installations\CommonCustomActions\UninstPCSFEMsi.exe
2009-05-13 15:07 . 2009-01-06 09:06 10240 ----a-w- c:\programdata\Installations\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\Installations\CommonCustomActions\UninstPCS.exe
2009-05-09 05:50 . 2009-06-10 09:21 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 05:34 . 2009-06-10 09:20 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
2009-04-30 12:37 . 2009-06-11 00:23 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-04-30 12:37 . 2009-06-11 00:23 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-07-23 11:06 . 2009-07-08 19:21 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2007-02-21 19:49 . 2007-02-21 19:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-07-23_16.00.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-02 10:22 . 2009-07-23 17:33 6291456 c:\windows\System32\SMI\Store\Machine\schema.dat
- 2006-11-02 10:22 . 2009-07-15 23:47 6291456 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-07-23 18:09 . 2009-07-23 18:09 6225920 c:\windows\ERDNT\Hiv-backup\schema.dat
+ 2009-06-03 03:01 . 2009-07-23 17:33 35595095 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-20 39408]
"Google Update"="c:\users\James\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-05-23 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"DLCFCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2006-10-20 73728]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-07 198160]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 92704]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-17 4907008]

c:\users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-11-10 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{00959EC7-4F1A-46C8-8F1C-835D1A321ECF}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{1FCBE58F-FAAE-4C8B-89B5-CCEB9B23CE17}"= UDP:c:\program files\Kontiki\KService.exeelivery Manager Service
"{8A5EC9C1-2B83-4EEF-BBD8-340A83A9A9EB}"= TCP:c:\program files\Kontiki\KService.exeelivery Manager Service
"{A7E16BD1-FB93-4C89-BCEB-35197B727D01}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3574BE00-D7EE-4C9E-BE10-8975DF05C358}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{48A64B4E-30B2-4EFD-A172-A0943CFFBA7E}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{10D33C52-660E-4078-9BC8-B84A6381E2A0}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"{52211553-D631-4C63-BD60-8B0D035D6773}"= UDP:c:\windows\System32\dlcfcoms.exe:Lexmark Communications System
"{14297CAD-C931-441E-8CFE-84446BBB8AD0}"= TCP:c:\windows\System32\dlcfcoms.exe:Lexmark Communications System
"{81C22815-E219-4726-B91D-C53142B5198F}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\dlcfpswx.exerinter Status Window
"{DE4A24E2-D746-485A-9239-B8876795E862}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\dlcfpswx.exerinter Status Window
"{8C8D0F2D-4F93-4AF0-AF9E-F7DC6FA3397C}"= UDP:c:\windows\System32\PnkBstrA.exenkBstrA
"{96A634F0-3F73-4C2A-90DD-B042B2520D22}"= TCP:c:\windows\System32\PnkBstrA.exenkBstrA
"{81BBB98F-5CAC-4438-90D7-4B2036100D46}"= UDP:c:\windows\System32\PnkBstrB.exenkBstrB
"{264A7B61-8BE1-4D2C-9F43-093ED3F3227B}"= TCP:c:\windows\System32\PnkBstrB.exenkBstrB
"{E79EE1C4-1246-4380-A828-35FAED385786}"= UDP:c:\program files\Steam\steamapps\common\zuma deluxe\Zuma.exe:Zuma Deluxe
"{FFE765E4-A161-4D2B-81B2-D0D23E640E41}"= TCP:c:\program files\Steam\steamapps\common\zuma deluxe\Zuma.exe:Zuma Deluxe
"{129AC2B5-2733-4585-8BEC-993CBD50817C}"= UDP:c:\program files\Steam\steamapps\common\peggle deluxe\Peggle.exeeggle Deluxe
"{BCCFE4D9-9A6D-4A9E-9A59-19D53E23A3E3}"= TCP:c:\program files\Steam\steamapps\common\peggle deluxe\Peggle.exeeggle Deluxe
"{5C530BCD-5F54-447A-8B57-2B845A5BC11E}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"{319975AC-6D86-4763-A6C2-B16AB8F53F3E}"= UDP:c:\program files\Steam\steamapps\common\gravitron2\Gravitron2.exe:Gravitron 2
"{B95C72E6-539A-42D7-9C05-2EBCABDCCAB1}"= TCP:c:\program files\Steam\steamapps\common\gravitron2\Gravitron2.exe:Gravitron 2
"{B768E137-7E8B-4FBD-8096-F9371D9819D0}"= UDP:c:\program files\Steam\steamapps\common\amazing adventures the lost tomb\AmazingAdventures.exe:Amazing Adventures: The Lost Tomb
"{8DBC5050-87DB-431E-AB43-52A5B95E308B}"= TCP:c:\program files\Steam\steamapps\common\amazing adventures the lost tomb\AmazingAdventures.exe:Amazing Adventures: The Lost Tomb
"{F3529703-A70F-419A-B820-C135C47AA8F2}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{7D3E943B-E742-41DF-A59D-6B031220EC8E}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{E3BD7469-F26B-4DA6-8213-B5C74900B87C}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{6B8FEDB0-1858-48FF-A5F3-B14E745CAB65}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{71B9F956-DCE1-41C9-9989-3C2B7D981F3F}c:\\program files\\novalogic\\delta force black hawk down\\update.exe"= UDP:c:\program files\novalogic\delta force black hawk down\update.exe:UPDATE
"UDP Query User{C36D8D4A-A815-418D-A0F6-18A410BFEB68}c:\\program files\\novalogic\\delta force black hawk down\\update.exe"= TCP:c:\program files\novalogic\delta force black hawk down\update.exe:UPDATE
"{E8156A9B-A436-4ABD-BBDD-DC1B84EC324C}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{A62CF99B-8FBF-44A0-8C3B-F57B20FF34BF}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{749E1008-B574-4E3C-B814-9FDF945D1DA1}"= UDP:c:\program files\Microsoft Games\Age of Empires III\age3.exe:Age of Empires III
"{9F78C368-213C-44A0-B0A0-70412E35C71D}"= TCP:c:\program files\Microsoft Games\Age of Empires III\age3.exe:Age of Empires III
"TCP Query User{7B829B41-1CA5-4733-932C-9CF2FA8AF657}c:\\program files\\goa\\gunbound\\gunbound.gme"= UDP:c:\program files\goa\gunbound\gunbound.gme:GunBound
"UDP Query User{08C02C24-5909-4637-AD5D-334901606D15}c:\\program files\\goa\\gunbound\\gunbound.gme"= TCP:c:\program files\goa\gunbound\gunbound.gme:GunBound
"TCP Query User{C959DBC4-5275-4348-AC19-F43A3A7F3F1F}c:\\program files\\spotify\\spotify.exe"= UDP:c:\program files\spotify\spotify.exe:Spotify
"UDP Query User{1D2233DB-2DF0-4613-B818-0E11889EDE5C}c:\\program files\\spotify\\spotify.exe"= TCP:c:\program files\spotify\spotify.exe:Spotify
"TCP Query User{E4AD4DC4-4199-4C5E-A908-C520D696F99B}c:\\program files\\steam\\steamapps\\jamster1981\\team fortress 2\\hl2.exe"= UDP:c:\program files\steam\steamapps\jamster1981\team fortress 2\hl2.exe:hl2
"UDP Query User{AA8398EA-959C-48D3-98AC-C03C23518947}c:\\program files\\steam\\steamapps\\jamster1981\\team fortress 2\\hl2.exe"= TCP:c:\program files\steam\steamapps\jamster1981\team fortress 2\hl2.exe:hl2
"{65D262BF-AD48-4814-91EA-A5BEEB125143}"= UDP:c:\program files\Kontiki\KService.exeelivery Manager Service
"{942100DF-35F6-46E8-B40A-3D02CDA65BF6}"= TCP:c:\program files\Kontiki\KService.exeelivery Manager Service
"TCP Query User{89765598-5C3A-45F9-AB1F-4700DB743E5F}c:\\program files\\videolan\\vlc\\vlc.exe"= UDP:c:\program files\videolan\vlc\vlc.exe:VLC media player
"UDP Query User{4DCDC5D0-87C1-408A-923C-F550A2D774A0}c:\\program files\\videolan\\vlc\\vlc.exe"= TCP:c:\program files\videolan\vlc\vlc.exe:VLC media player
"{A07042AD-28F9-4DAE-8057-86005242E815}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{468A21D0-E39B-4DFB-A6BB-415581952D1E}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [05/12/2007 06:17 77824]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE [30/03/2009 16:28 1533808]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [16/07/2009 00:11 133104]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [18/02/2009 05:53 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 19:08 533360]

--- Other Services/Drivers In Memory ---

*Deregistered* - inyafakj

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2009-07-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-19 14:36]

2009-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-15 21:55]

2009-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-15 21:55]

2009-06-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-377813271-3552046511-1237239662-1000Core.job
- c:\users\James\AppData\Local\Google\Update\GoogleUpdate.exe [2009-05-23 20:58]

2009-07-23 c:\windows\Tasks\User_Feed_Synchronization-{15627CF8-B66C-415E-B4D9-B0755B9EE6C0}.job
- c:\windows\system32\msfeedssync.exe [2009-03-19 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
TCP: {2043C3A7-1431-4D9E-8EE7-18B9421892D2} = 192.168.0.1
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\w7qne9e8.default\
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\James\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-23 19:19
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCFCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-07-23 19:26
ComboFix-quarantined-files.txt 2009-07-23 18:26
ComboFix2.txt 2009-07-23 16:06

Pre-Run: 150,570,164,224 bytes free
Post-Run: 150,492,241,920 bytes free

282 --- E O F --- 2009-07-15 00:58

 

[Blade81]

I shall get back to this when Kaspersky report is ready

 

[Fatboyjim]

It got to about 97% after 4 hours then froze last night! I'm deleting old windows now and will remove other stuff then will try again today! Some things are fixed already though I can see a difference .

 

[Fatboyjim]

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, July 24, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, July 24, 2009 13:23:18
Records in database: 2525581
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 117855
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 02:13:17


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Windows\System32\ESQULaupxibbxmepujibsnmbjwtiitmxyssuf.dll.vir Infected: Packed.Win32.Tdss.w 1
C:\Qoobox\Quarantine\C\Windows\System32\ESQULevskieesifrskppqytkyhlqwthqcttpc.dll.vir Infected: Packed.Win32.Tdss.w 1

The selected area was scanned.

 

[Fatboyjim]

DDS (Ver_09-06-26.01) - NTFSx86
Run by James at 15:29:53.93 on 24/07/2009
Internet Explorer: 8.0.6001.18783
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1021.338 [GMT 1:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\dlcfcoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Users\James\AppData\Local\temp\jkos-James\binaries\ScanningProcess.exe
C:\Users\James\AppData\Local\temp\jkos-James\binaries\ScanningProcess.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Users\James\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [DLCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCFtime.dll,_RunDLLEntry@16
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
TCP: {2043C3A7-1431-4D9E-8EE7-18B9421892D2} = 192.168.0.1

================= FIREFOX ===================

FF - ProfilePath - c:\users\james\appdata\roaming\mozilla\firefox\profiles\w7qne9e8.default\
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-2-18 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]

=============== Created Last 30 ================

2009-07-23 19:26 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-07-23 19:08 219,648 a------- c:\windows\PEV.exe
2009-07-23 19:08 161,792 a------- c:\windows\SWREG.exe
2009-07-23 19:08 98,816 a------- c:\windows\sed.exe
2009-07-21 23:52 <DIR> --d----- c:\program files\Trend Micro
2009-07-21 19:50 <DIR> --d----- c:\users\james\appdata\roaming\Folding@home-x86
2009-07-21 19:50 <DIR> --d----- c:\program files\Folding@home
2009-07-21 11:21 4 a------- c:\windows\system32\ESQULzcounter
2009-07-14 23:32 339,968 a------- c:\windows\system32\pythoncom25.dll
2009-07-14 23:32 114,688 a------- c:\windows\system32\pywintypes25.dll
2009-07-14 23:32 2,117,632 a------- c:\windows\system32\python25.dll
2009-07-14 23:32 1,332,197 a------- c:\windows\system32\pythondll.zip
2009-07-14 20:22 156,672 a------- c:\windows\system32\t2embed.dll
2009-07-14 20:22 72,704 a------- c:\windows\system32\fontsub.dll
2009-07-14 20:22 289,792 a------- c:\windows\system32\atmfd.dll
2009-07-14 20:22 10,240 a------- c:\windows\system32\dciman32.dll
2009-07-13 01:48 <DIR> --d----- c:\program files\VideoLAN

==================== Find3M ====================

2009-07-22 00:20 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-22 00:20 86,016 a------- c:\windows\inf\infstor.dat
2009-07-22 00:20 51,200 a------- c:\windows\inf\infpub.dat
2009-05-09 06:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 06:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-04-30 13:37 293,376 a------- c:\windows\system32\psisdecd.dll
2009-04-30 13:37 428,544 a------- c:\windows\system32\EncDec.dll
2009-04-19 19:22 56 a---h--- c:\programdata\ezsidmv.dat
2009-04-19 19:22 56 a---h--- c:\progra~2\ezsidmv.dat
2008-12-24 16:09 464 a------- c:\users\james\appdata\roaming\wklnhst.dat
2008-12-03 19:36 174 a--sh--- c:\program files\desktop.ini
2008-12-03 19:27 665,600 a------- c:\windows\inf\drvindex.dat
2008-12-01 17:13 22,328 a------- c:\users\james\appdata\roaming\PnkBstrK.sys
2008-11-10 13:42 61,224 a------- c:\users\james\GoToAssistDownloadHelper.exe
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 15:30:50.87 ===============

 

[Fatboyjim]

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 08/09/2008 22:15:56
System Uptime: 24/07/2009 10:16:33 (5 hours ago)

Motherboard: Dell Inc. | | 0RY007
Processor: Intel(R) Core(TM)2 CPU 4300 @ 1.80GHz | Socket 775 | 1200/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 288 GiB total, 170.355 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 3.341 GiB free.
E: is CDROM (UDF)
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: Nokia Windows Portable Device Driver
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia 6500s-1
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd

==== System Restore Points ===================

RP414: 23/07/2009 00:31:37 - Installed
RP415: 23/07/2009 00:32:33 - Removed QuickTime
RP416: 23/07/2009 08:58:38 - Installed QuickTime
RP417: 23/07/2009 18:59:42 - Removed Java(TM) 6 Update 7
RP418: 24/07/2009 10:21:00 - Windows Update
RP419: 24/07/2009 11:16:17 - Removed Adobe Reader 9.1.2.
RP420: 24/07/2009 11:20:35 - Removed Microsoft Silverlight
RP421: 24/07/2009 11:23:47 - Removed Safari
RP422: 24/07/2009 11:27:25 - Removed QuickTime
RP423: 24/07/2009 11:43:48 - Installed
RP424: 24/07/2009 11:45:48 - Removed MSN Toolbar
RP425: 24/07/2009 11:50:31 - Removed Spelling Dictionaries Support For Adobe Reader 9.
RP426: 24/07/2009 11:52:37 - Installed
RP427: 24/07/2009 11:52:54 - Installed
RP428: 24/07/2009 12:13:59 - Installed
RP429: 24/07/2009 12:14:14 - Installed
RP430: 24/07/2009 12:20:27 - Installed
RP431: 24/07/2009 12:21:33 - Installed
RP432: 24/07/2009 12:39:13 - Removed QuickTime

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
AGEIA PhysX v7.11.13
Amazing Adventures: The Lost Tomb Demo
Apple Mobile Device Support
Apple Software Update
Belkin 54g USB Network Adapter
Bonjour
Call of Duty(R) - World at War(TM) 1.1 Patch
Choice Guard
Dell Color Printer 725
Dell Resource CD
Digital Line Detect
FlashLynx Video Download Software
Folding@home-x86
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
GoToAssist 8.0.0.514
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) PRO Network Connections 12.1.11.0
iTunes
Java(TM) 6 Update 13
Junk Mail filter update
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Live Add-in 1.4
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
Mozilla Firefox (3.5.1)
MSVCRT
MSXML 4.0 SP2 (KB954430)
NVIDIA Drivers
OpenAL
PC Connectivity Solution
Peggle Deluxe Demo
Realtek High Definition Audio Driver
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler
Roxio Update Manager
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Sky Broadband
Sonic Activation Module
Steam
Team Fortress 2
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Windows Driver Package - Nokia (WUDFRd) WPD (06/01/2007 6.84.33.0)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker Beta
Windows Live OneCare safety scanner
Windows Live Photo Gallery
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Player Firefox Plugin
Zuma Deluxe Demo

==== Event Viewer Messages From Past Week ========

24/07/2009 10:17:33, Error: EventLog [6008] - The previous system shutdown at 01:27:35 on 24/07/2009 was unexpected.
23/07/2009 15:24:09, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
23/07/2009 15:13:52, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the PEVSystemStart service to connect.
23/07/2009 15:13:50, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
23/07/2009 11:32:41, Error: EventLog [6008] - The previous system shutdown at 11:30:48 on 23/07/2009 was unexpected.
23/07/2009 08:50:44, Error: Microsoft-Windows-PrintSpooler [6161] - The document Microsoft Word - JRCV.doc, owned by James, failed to print on printer Dell Color Printer 725. Try to print the document again, or restart the print spooler. Data type: LEMF. Size of the spool file in bytes: 935504. Number of bytes printed: 0. Total number of pages in the document: 3. Number of pages printed: 0. Client computer: \\JAMES. Win32 error code returned by the print processor: 0. The operation completed successfully.
23/07/2009 08:48:47, Error: EventLog [6008] - The previous system shutdown at 08:46:57 on 23/07/2009 was unexpected.
22/07/2009 11:35:49, Error: EventLog [6008] - The previous system shutdown at 11:34:11 on 22/07/2009 was unexpected.
22/07/2009 11:24:11, Error: EventLog [6008] - The previous system shutdown at 11:22:16 on 22/07/2009 was unexpected.
22/07/2009 00:05:18, Error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Secure Socket Tunneling Protocol Service service which failed to start because of the following error: The service has not been started.
22/07/2009 00:03:42, Error: EventLog [6008] - The previous system shutdown at 00:01:52 on 22/07/2009 was unexpected.
21/07/2009 23:56:05, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
21/07/2009 23:56:03, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
21/07/2009 23:55:27, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
21/07/2009 23:55:27, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
21/07/2009 23:55:22, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
21/07/2009 23:55:16, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx Wanarpv6
21/07/2009 23:55:16, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
21/07/2009 23:55:16, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
21/07/2009 23:55:16, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
21/07/2009 23:55:16, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
21/07/2009 23:55:16, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
21/07/2009 23:55:16, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
21/07/2009 23:55:16, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
21/07/2009 23:55:16, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
21/07/2009 23:55:16, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
21/07/2009 23:55:16, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
21/07/2009 23:55:16, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
21/07/2009 23:55:16, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
21/07/2009 23:55:16, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
21/07/2009 23:55:16, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
21/07/2009 23:55:12, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
21/07/2009 23:54:00, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode .
21/07/2009 23:54:00, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
21/07/2009 23:53:59, Error: EventLog [6008] - The previous system shutdown at 23:51:57 on 21/07/2009 was unexpected.
21/07/2009 11:26:15, Error: Service Control Manager [7023] - The Secure Socket Tunneling Protocol Service service terminated with the following error: The RPC server is unavailable.
21/07/2009 11:26:15, Error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Secure Socket Tunneling Protocol Service service which failed to start because of the following error: The RPC server is unavailable.
21/07/2009 11:25:03, Error: Microsoft-Windows-TaskScheduler [412] - Task Scheduler service failed to launch tasks triggered by computer startup. Additional Data: Error Value: 2147549183. User Action: restart task scheduler service.
21/07/2009 11:24:54, Error: EventLog [6008] - The previous system shutdown at 11:23:25 on 21/07/2009 was unexpected.
21/07/2009 10:56:30, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Apple Mobile Device service, but this action failed with the following error: An instance of the service is already running.
21/07/2009 10:56:30, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
21/07/2009 10:55:31, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

==== End Of File ===========================

 

[Blade81]

Seems like Kaspersky found only quarantined objects. Good, those will be cleaned in final stage


Open notepad and copy/paste the text in the quotebox below into it:

DDS::
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File

File::
c:\windows\system32\ESQULzcounter

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows and refering to the picture above, drag CFScript into fatboy.exe
Then post the resultant log & a fresh dds.txt log. How's the system running?

 

[Fatboyjim]

combofix

ComboFix 09-07-23.04 - James 24/07/2009 19:14.3.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1021.462 [GMT 1:00]
Running from: c:\users\James\Desktop\fatboy.exe
Command switches used :: c:\users\James\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\ESQULzcounter"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ESQULzcounter

.
((((((((((((((((((((((((( Files Created from 2009-06-24 to 2009-07-24 )))))))))))))))))))))))))))))))
.

2009-07-24 18:19 . 2009-07-24 18:19 -------- d-----w- c:\users\James\AppData\Local\temp
2009-07-24 11:39 . 2006-12-14 09:00 110592 ----a-w- c:\users\James\AppData\Roaming\U3\temp\cleanup.exe
2009-07-24 11:16 . 2007-02-12 16:46 3096576 ---ha-w- c:\users\James\AppData\Roaming\U3\temp\Launchpad Removal.exe
2009-07-24 11:15 . 2009-07-24 18:07 -------- d-----w- c:\users\James\AppData\Roaming\U3
2009-07-24 10:14 . 2009-07-24 10:17 -------- d-----w- c:\users\James\AppData\Local\Adobe
2009-07-24 09:22 . 2009-07-24 10:28 -------- d-----w- c:\users\James\AppData\Local\Apple Computer
2009-07-23 18:31 . 2009-07-23 18:31 -------- d-----w- c:\windows\Sun
2009-07-22 09:39 . 2009-07-22 09:39 2338816 ----a-w- c:\users\James\AppData\Roaming\Folding@home-x86\FahCore_78.exe
2009-07-21 22:52 . 2009-07-21 22:52 -------- d-----w- c:\program files\Trend Micro
2009-07-21 18:50 . 2009-07-21 18:50 10134 ----a-r- c:\users\James\AppData\Roaming\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_D153F602E769D1960CE13B.exe
2009-07-21 18:50 . 2009-07-21 18:50 98477 ----a-r- c:\users\James\AppData\Roaming\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_6FEFF9B68218417F98F549.exe
2009-07-21 18:50 . 2009-07-21 18:50 98477 ----a-r- c:\users\James\AppData\Roaming\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_2377D972A0372FCB34E3F7.exe
2009-07-21 18:50 . 2009-07-22 09:40 -------- d-----w- c:\users\James\AppData\Roaming\Folding@home-x86
2009-07-21 18:50 . 2009-07-21 18:50 -------- d-----w- c:\program files\Folding@home
2009-07-21 09:49 . 2009-07-21 09:49 75040 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-14 22:32 . 2009-07-14 22:32 339968 ----a-w- c:\windows\system32\pythoncom25.dll
2009-07-14 22:32 . 2009-07-14 22:32 114688 ----a-w- c:\windows\system32\pywintypes25.dll
2009-07-14 22:32 . 2009-07-14 22:32 2117632 ----a-w- c:\windows\system32\python25.dll
2009-07-14 22:32 . 2008-09-16 16:26 1332197 ----a-w- c:\windows\system32\pythondll.zip
2009-07-14 19:22 . 2009-06-15 15:24 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-07-14 19:22 . 2009-06-15 15:20 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-07-14 19:22 . 2009-06-15 15:20 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-07-14 19:22 . 2009-06-15 12:52 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-07-13 00:48 . 2009-07-13 00:48 -------- d-----w- c:\program files\VideoLAN

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-24 11:35 . 2008-09-19 20:27 -------- d-----w- c:\program files\Real
2009-07-24 10:21 . 2008-12-03 16:22 -------- d-----w- c:\program files\Steam
2009-07-23 18:01 . 2008-09-19 18:27 -------- d-----w- c:\program files\Java
2009-07-23 12:56 . 2008-11-20 01:19 -------- d-----w- c:\programdata\Google Updater
2009-07-23 08:06 . 2008-11-24 15:09 -------- d-----w- c:\program files\Dl_cats
2009-07-22 23:06 . 2008-09-08 21:21 9052 ----a-w- c:\users\James\AppData\Local\d3d9caps.dat
2009-07-21 10:00 . 2008-09-10 17:48 -------- d-----w- c:\program files\iTunes
2009-07-21 10:00 . 2008-09-10 17:48 -------- d-----w- c:\program files\iPod
2009-07-21 10:00 . 2008-09-10 17:44 -------- d-----w- c:\program files\Common Files\Apple
2009-07-15 00:58 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-03 08:50 . 2008-12-03 16:22 -------- d-----w- c:\program files\Common Files\Steam
2009-07-01 00:17 . 2008-11-28 18:04 -------- d-----w- c:\programdata\NVIDIA
2009-06-17 01:25 . 2009-05-15 11:45 148 ----a-w- c:\programdata\SafeNet Sentinel\Sentinel RMS Development Kit\System\prsgrc.dll
2009-06-11 09:58 . 2008-09-08 21:22 70176 ----a-w- c:\users\James\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-11 00:57 . 2008-10-08 20:49 -------- d-----w- c:\programdata\Microsoft Help
2009-05-13 15:07 . 2009-01-06 09:06 8192 ----a-w- c:\programdata\Installations\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\Installations\CommonCustomActions\UninstCCD.exe
2009-05-13 15:07 . 2009-01-06 09:06 61440 ----a-w- c:\programdata\Installations\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\Installations\CommonCustomActions\UninstPCSFEMsi.exe
2009-05-13 15:07 . 2009-01-06 09:06 10240 ----a-w- c:\programdata\Installations\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\Installations\CommonCustomActions\UninstPCS.exe
2009-05-09 05:50 . 2009-06-10 09:21 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 05:34 . 2009-06-10 09:20 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-04-30 12:37 . 2009-06-11 00:23 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-04-30 12:37 . 2009-06-11 00:23 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-07-23 11:06 . 2009-07-08 19:21 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2007-02-21 19:49 . 2007-02-21 19:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-07-23_16.00.36 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-11-02 13:05 . 2009-07-23 14:19 60928 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-07-24 09:22 60928 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-09-08 21:23 . 2009-07-24 09:22 14390 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-377813271-3552046511-1237239662-1000_UserData.bin
- 2008-10-18 18:27 . 2009-06-10 08:54 84661 c:\windows\System32\Macromed\Flash\uninstall_plugin.exe
+ 2009-07-24 14:32 . 2009-07-24 14:32 84661 c:\windows\System32\Macromed\Flash\uninstall_plugin.exe
+ 2009-07-24 14:04 . 2009-07-24 14:04 89102 c:\windows\System32\Macromed\Flash\uninstall_activeX.exe
- 2008-09-08 22:41 . 2009-02-26 01:02 89102 c:\windows\System32\Macromed\Flash\uninstall_activeX.exe
- 2006-11-02 13:02 . 2009-07-23 12:56 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 13:02 . 2009-07-24 10:35 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 13:02 . 2009-07-24 10:35 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 13:02 . 2009-07-23 12:56 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-23 14:29 . 2009-07-24 09:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-07-23 14:29 . 2009-07-23 14:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-07-23 14:29 . 2009-07-24 09:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-23 14:29 . 2009-07-23 14:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-23 17:33 . 2009-06-30 11:31 101376 c:\windows\winsxs\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.22895_none_8405f92d60197b7e\iecompat.dll
+ 2009-07-23 17:33 . 2009-06-30 03:37 101376 c:\windows\winsxs\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.18805_none_83ddad9446b2dd62\iecompat.dll
- 2006-11-02 10:33 . 2009-07-16 20:26 599942 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-07-24 11:17 599942 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-07-24 11:17 105448 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-07-16 20:26 105448 c:\windows\System32\perfc009.dat
- 2009-03-19 19:17 . 2009-07-23 10:39 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-03-19 19:17 . 2009-07-24 10:35 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2006-11-02 13:02 . 2009-07-23 12:56 819200 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 13:02 . 2009-07-24 10:35 819200 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-02-28 13:21 . 2007-02-28 13:21 131472 c:\windows\Downloaded Program Files\msgrchkr.dll
- 2007-02-28 14:21 . 2007-02-28 14:21 131472 c:\windows\Downloaded Program Files\msgrchkr.dll
+ 2007-02-28 13:21 . 2007-02-28 13:21 130472 c:\windows\Downloaded Program Files\MineSweeper.dll
- 2007-02-22 23:41 . 2007-02-22 23:41 304544 c:\windows\Downloaded Program Files\MessengerStatsPAClient.dll
+ 2007-02-22 22:41 . 2007-02-22 22:41 304544 c:\windows\Downloaded Program Files\MessengerStatsPAClient.dll
- 2006-11-02 10:22 . 2009-07-15 23:47 6291456 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2006-11-02 10:22 . 2009-07-24 09:22 6291456 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-07-24 18:12 . 2009-07-24 18:14 6225920 c:\windows\ERDNT\Hiv-backup\schema.dat
+ 2009-02-02 17:07 . 2009-02-02 17:07 1914440 c:\windows\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
+ 2009-06-03 03:01 . 2009-07-23 17:33 35595095 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"DLCFCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2006-10-20 73728]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-07 198160]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 92704]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-17 4907008]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-11-10 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{00959EC7-4F1A-46C8-8F1C-835D1A321ECF}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{1FCBE58F-FAAE-4C8B-89B5-CCEB9B23CE17}"= UDP:c:\program files\Kontiki\KService.exeelivery Manager Service
"{8A5EC9C1-2B83-4EEF-BBD8-340A83A9A9EB}"= TCP:c:\program files\Kontiki\KService.exeelivery Manager Service
"{A7E16BD1-FB93-4C89-BCEB-35197B727D01}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3574BE00-D7EE-4C9E-BE10-8975DF05C358}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{48A64B4E-30B2-4EFD-A172-A0943CFFBA7E}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{10D33C52-660E-4078-9BC8-B84A6381E2A0}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"{52211553-D631-4C63-BD60-8B0D035D6773}"= UDP:c:\windows\System32\dlcfcoms.exe:Lexmark Communications System
"{14297CAD-C931-441E-8CFE-84446BBB8AD0}"= TCP:c:\windows\System32\dlcfcoms.exe:Lexmark Communications System
"{81C22815-E219-4726-B91D-C53142B5198F}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\dlcfpswx.exerinter Status Window
"{DE4A24E2-D746-485A-9239-B8876795E862}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\dlcfpswx.exerinter Status Window
"{8C8D0F2D-4F93-4AF0-AF9E-F7DC6FA3397C}"= UDP:c:\windows\System32\PnkBstrA.exenkBstrA
"{96A634F0-3F73-4C2A-90DD-B042B2520D22}"= TCP:c:\windows\System32\PnkBstrA.exenkBstrA
"{81BBB98F-5CAC-4438-90D7-4B2036100D46}"= UDP:c:\windows\System32\PnkBstrB.exenkBstrB
"{264A7B61-8BE1-4D2C-9F43-093ED3F3227B}"= TCP:c:\windows\System32\PnkBstrB.exenkBstrB
"{E79EE1C4-1246-4380-A828-35FAED385786}"= UDP:c:\program files\Steam\steamapps\common\zuma deluxe\Zuma.exe:Zuma Deluxe
"{FFE765E4-A161-4D2B-81B2-D0D23E640E41}"= TCP:c:\program files\Steam\steamapps\common\zuma deluxe\Zuma.exe:Zuma Deluxe
"{129AC2B5-2733-4585-8BEC-993CBD50817C}"= UDP:c:\program files\Steam\steamapps\common\peggle deluxe\Peggle.exeeggle Deluxe
"{BCCFE4D9-9A6D-4A9E-9A59-19D53E23A3E3}"= TCP:c:\program files\Steam\steamapps\common\peggle deluxe\Peggle.exeeggle Deluxe
"{5C530BCD-5F54-447A-8B57-2B845A5BC11E}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"{319975AC-6D86-4763-A6C2-B16AB8F53F3E}"= UDP:c:\program files\Steam\steamapps\common\gravitron2\Gravitron2.exe:Gravitron 2
"{B95C72E6-539A-42D7-9C05-2EBCABDCCAB1}"= TCP:c:\program files\Steam\steamapps\common\gravitron2\Gravitron2.exe:Gravitron 2
"{B768E137-7E8B-4FBD-8096-F9371D9819D0}"= UDP:c:\program files\Steam\steamapps\common\amazing adventures the lost tomb\AmazingAdventures.exe:Amazing Adventures: The Lost Tomb
"{8DBC5050-87DB-431E-AB43-52A5B95E308B}"= TCP:c:\program files\Steam\steamapps\common\amazing adventures the lost tomb\AmazingAdventures.exe:Amazing Adventures: The Lost Tomb
"{F3529703-A70F-419A-B820-C135C47AA8F2}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{7D3E943B-E742-41DF-A59D-6B031220EC8E}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{E3BD7469-F26B-4DA6-8213-B5C74900B87C}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{6B8FEDB0-1858-48FF-A5F3-B14E745CAB65}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{71B9F956-DCE1-41C9-9989-3C2B7D981F3F}c:\\program files\\novalogic\\delta force black hawk down\\update.exe"= UDP:c:\program files\novalogic\delta force black hawk down\update.exe:UPDATE
"UDP Query User{C36D8D4A-A815-418D-A0F6-18A410BFEB68}c:\\program files\\novalogic\\delta force black hawk down\\update.exe"= TCP:c:\program files\novalogic\delta force black hawk down\update.exe:UPDATE
"{E8156A9B-A436-4ABD-BBDD-DC1B84EC324C}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{A62CF99B-8FBF-44A0-8C3B-F57B20FF34BF}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{749E1008-B574-4E3C-B814-9FDF945D1DA1}"= UDP:c:\program files\Microsoft Games\Age of Empires III\age3.exe:Age of Empires III
"{9F78C368-213C-44A0-B0A0-70412E35C71D}"= TCP:c:\program files\Microsoft Games\Age of Empires III\age3.exe:Age of Empires III
"TCP Query User{7B829B41-1CA5-4733-932C-9CF2FA8AF657}c:\\program files\\goa\\gunbound\\gunbound.gme"= UDP:c:\program files\goa\gunbound\gunbound.gme:GunBound
"UDP Query User{08C02C24-5909-4637-AD5D-334901606D15}c:\\program files\\goa\\gunbound\\gunbound.gme"= TCP:c:\program files\goa\gunbound\gunbound.gme:GunBound
"TCP Query User{C959DBC4-5275-4348-AC19-F43A3A7F3F1F}c:\\program files\\spotify\\spotify.exe"= UDP:c:\program files\spotify\spotify.exe:Spotify
"UDP Query User{1D2233DB-2DF0-4613-B818-0E11889EDE5C}c:\\program files\\spotify\\spotify.exe"= TCP:c:\program files\spotify\spotify.exe:Spotify
"TCP Query User{E4AD4DC4-4199-4C5E-A908-C520D696F99B}c:\\program files\\steam\\steamapps\\jamster1981\\team fortress 2\\hl2.exe"= UDP:c:\program files\steam\steamapps\jamster1981\team fortress 2\hl2.exe:hl2
"UDP Query User{AA8398EA-959C-48D3-98AC-C03C23518947}c:\\program files\\steam\\steamapps\\jamster1981\\team fortress 2\\hl2.exe"= TCP:c:\program files\steam\steamapps\jamster1981\team fortress 2\hl2.exe:hl2
"{65D262BF-AD48-4814-91EA-A5BEEB125143}"= UDP:c:\program files\Kontiki\KService.exeelivery Manager Service
"{942100DF-35F6-46E8-B40A-3D02CDA65BF6}"= TCP:c:\program files\Kontiki\KService.exeelivery Manager Service
"TCP Query User{89765598-5C3A-45F9-AB1F-4700DB743E5F}c:\\program files\\videolan\\vlc\\vlc.exe"= UDP:c:\program files\videolan\vlc\vlc.exe:VLC media player
"UDP Query User{4DCDC5D0-87C1-408A-923C-F550A2D774A0}c:\\program files\\videolan\\vlc\\vlc.exe"= TCP:c:\program files\videolan\vlc\vlc.exe:VLC media player
"{A07042AD-28F9-4DAE-8057-86005242E815}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{468A21D0-E39B-4DFB-A6BB-415581952D1E}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [05/12/2007 06:17 77824]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE [30/03/2009 16:28 1533808]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [18/02/2009 05:53 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 19:08 533360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2009-07-24 c:\windows\Tasks\User_Feed_Synchronization-{15627CF8-B66C-415E-B4D9-B0755B9EE6C0}.job
- c:\windows\system32\msfeedssync.exe [2009-03-19 11:31]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
TCP: {2043C3A7-1431-4D9E-8EE7-18B9421892D2} = 192.168.0.1
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
FF - ProfilePath - c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\w7qne9e8.default\
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-24 19:19
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCFCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-07-24 19:22
ComboFix-quarantined-files.txt 2009-07-24 18:21
ComboFix2.txt 2009-07-23 18:26
ComboFix3.txt 2009-07-23 16:06

Pre-Run: 182,452,326,400 bytes free
Post-Run: 182,480,617,472 bytes free

278 --- E O F --- 2009-07-24 09:22

 

[Fatboyjim]

Dds

DDS (Ver_09-06-26.01) - NTFSx86
Run by James at 19:23:21.78 on 24/07/2009
Internet Explorer: 8.0.6001.18783
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1021.295 [GMT 1:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\dlcfcoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\notepad.exe
C:\Windows\Explorer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\James\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [DLCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCFtime.dll,_RunDLLEntry@16
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
TCP: {2043C3A7-1431-4D9E-8EE7-18B9421892D2} = 192.168.0.1

================= FIREFOX ===================

FF - ProfilePath - c:\users\james\appdata\roaming\mozilla\firefox\profiles\w7qne9e8.default\
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-2-18 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]

=============== Created Last 30 ================

2009-07-24 19:22 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-07-24 19:13 <DIR> --ds---- C:\fatboy
2009-07-23 19:08 219,648 a------- c:\windows\PEV.exe
2009-07-23 19:08 161,792 a------- c:\windows\SWREG.exe
2009-07-23 19:08 98,816 a------- c:\windows\sed.exe
2009-07-21 23:52 <DIR> --d----- c:\program files\Trend Micro
2009-07-21 19:50 <DIR> --d----- c:\users\james\appdata\roaming\Folding@home-x86
2009-07-21 19:50 <DIR> --d----- c:\program files\Folding@home
2009-07-14 23:32 339,968 a------- c:\windows\system32\pythoncom25.dll
2009-07-14 23:32 114,688 a------- c:\windows\system32\pywintypes25.dll
2009-07-14 23:32 2,117,632 a------- c:\windows\system32\python25.dll
2009-07-14 23:32 1,332,197 a------- c:\windows\system32\pythondll.zip
2009-07-14 20:22 156,672 a------- c:\windows\system32\t2embed.dll
2009-07-14 20:22 72,704 a------- c:\windows\system32\fontsub.dll
2009-07-14 20:22 289,792 a------- c:\windows\system32\atmfd.dll
2009-07-14 20:22 10,240 a------- c:\windows\system32\dciman32.dll
2009-07-13 01:48 <DIR> --d----- c:\program files\VideoLAN

==================== Find3M ====================

2009-07-22 00:20 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-22 00:20 86,016 a------- c:\windows\inf\infstor.dat
2009-07-22 00:20 51,200 a------- c:\windows\inf\infpub.dat
2009-05-09 06:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 06:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-04-30 13:37 293,376 a------- c:\windows\system32\psisdecd.dll
2009-04-30 13:37 428,544 a------- c:\windows\system32\EncDec.dll
2009-04-19 19:22 56 a---h--- c:\programdata\ezsidmv.dat
2009-04-19 19:22 56 a---h--- c:\progra~2\ezsidmv.dat
2008-12-24 16:09 464 a------- c:\users\james\appdata\roaming\wklnhst.dat
2008-12-03 19:36 174 a--sh--- c:\program files\desktop.ini
2008-12-03 19:27 665,600 a------- c:\windows\inf\drvindex.dat
2008-12-01 17:13 22,328 a------- c:\users\james\appdata\roaming\PnkBstrK.sys
2008-11-10 13:42 61,224 a------- c:\users\james\GoToAssistDownloadHelper.exe
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 19:23:40.74 ===============