Trojan.Agent, MB detects it in userinit.exe (HJT Inc.)


Guest MBfan


Here is my HJT. Any help getting rid of Trojan.Agent in userinit.exe would be great; it is there every scan. I am pretty sure this is a critical OS file though?

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:52:38 AM, on 2/4/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\FileZilla Server\FileZilla Server.exe

c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Icon Remover\IconRemover.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\System32\svchost.exe

c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll

O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [icon Remover] C:\Program Files\Icon Remover\IconRemover.exe /hideapp

O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201

O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204

O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203

O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202

O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Broken Internet access because of LSP provider 'c:\docume~1\admini~1\locals~1\temp\ntdll64.dll' missing

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229187606882

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229187588901

O16 - DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} (MGLaunch_USAv1001 Class) - http://ares.netgame.com/download/mglaunch_USAv1002.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

--

End of file - 6624 bytes

Thanks!


Hello MBfan

Welcome to MalwareBytes. :D

=====================

Please download DDS and save it to your desktop.

  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Attach.txt.

================

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.


A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.

  1. Please download LSPFix from here.
  2. Run the LSPFix.exe that you have just finished downloading.
  3. Check the I know what I'm doing box.
  4. In the Keep box you should see one or more instances of ntdll64.dll.
  5. Select every instance of ntdll64.dll and move each one to the Remove box by clicking the >> button.
  6. When you are done click Finish>>.

=====================

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :files
    c:\docume~1\admini~1\locals~1\temp\ntdll64.dll
    c:\windows\system32\win32hlp.cnf
    c:\windows\system32\test.ttt
    c:\windows\system32\998.exe
    c:\windows\dmtoqpjt
    :reg
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):"msv1_0"
    :commands
    [emptytemp]


  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

===================================

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

=========================

Please post these logs in your next reply:


  1. OTMoveIt log
  2. Malwarebytes log
  3. New DDS log
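The helper above reads the HJT log by eye: an O10 entry naming an LSP provider that has gone missing from a Temp folder, and O2/O3/O18 entries whose component file no longer exists. The following Python script is an added illustration (not code from this thread or from the HijackThis project) that applies the same triage rules to a constructed HJT log excerpt modelled on the entries in this thread; the rule set, severities and the `Finding` record are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt in HijackThis (HJT) log format, modelled on the kinds of
# entries that appear in this thread. It is sample input, not a complete log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O10 - Broken Internet access because of LSP provider 'c:\docume~1\admini~1\locals~1\temp\ntdll64.dll' missing
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
"""

# Every HJT entry starts with its section id (O2, O4, O10, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.*)$")
# O10 lines report a Winsock LSP provider that is registered but not on disk.
LSP_RE = re.compile(
    r"^O10 - Broken Internet access because of LSP provider '(?P<path>[^']+)' missing$")
# HJT appends these markers when a registered BHO/toolbar/handler has no file.
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)$", re.IGNORECASE)
# O4 autorun entries: hive, value name in brackets, then the command line.
RUN_RE = re.compile(r"^O4 - HK[A-Z]+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Paths under a user's Temp directory (8.3 form included) deserve a closer look.
TEMP_RE = re.compile(r"\\(?:temp|locals~1\\temp)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section id, e.g. "O10"
    severity: str  # "high", "medium", "low" or "info" (assumed scale)
    reason: str    # why the reviewer should look at this entry
    line: str      # the original log line, unchanged


def triage(log_text: str) -> List[Finding]:
    """Walk an HJT log and return the entries a reviewer should look at first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = ENTRY_RE.match(line)
        if not entry:
            continue  # header, running-process list or blank line
        section = entry.group("section")

        lsp = LSP_RE.match(line)
        if lsp:
            in_temp = bool(TEMP_RE.search(lsp.group("path")))
            reason = "missing LSP provider breaks the Winsock chain"
            if in_temp:
                reason += "; provider path is under a Temp directory"
            findings.append(Finding(section, "high" if in_temp else "medium", reason, line))
            continue

        if ORPHAN_RE.search(line):
            findings.append(Finding(
                section, "low",
                "orphaned entry: registered component has no file on disk", line))
            continue

        run = RUN_RE.match(line)
        if run:
            cmd = run.group("cmd").strip()
            # A quoted command keeps the full path as its first quoted token.
            target = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
            if TEMP_RE.search(target):
                findings.append(Finding(
                    section, "high", "autorun launches from a Temp directory", line))
            elif "\\" not in target:
                findings.append(Finding(
                    section, "info",
                    "autorun gives a bare file name; verify which file the search path resolves", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so the worst entries can be handled first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample, the only high-severity hit is the O10 line, which is exactly the entry the helper acted on; the "(file missing)" AVG leftovers and the path-less RTHDCPL autorun come out as low-priority cleanup and verification items.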

MoveItLog

I did reboot; for some reason it still says it will delete on reboot. This is the only log in the folder.

========== FILES ==========

File/Folder c:\docume~1\admini~1\locals~1\temp\ntdll64.dll not found.

c:\windows\system32\win32hlp.cnf moved successfully.

c:\windows\system32\test.ttt moved successfully.

c:\windows\system32\998.exe moved successfully.

c:\windows\dmtoqpjt moved successfully.

========== REGISTRY ==========

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\\"Authentication Packages"|hex(7):"msv1_0" /E : value set successfully!

========== COMMANDS ==========

File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\etilqs_0Gl4gzdMFMr9cDmElGJk scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFF337.tmp scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFF364.tmp scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFFDCD.tmp scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFFE18.tmp scheduled to be deleted on reboot.

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

Local Service Temp folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

Local Service Temporary Internet Files folder emptied.

Windows Temp folder emptied.

Java cache emptied.

File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\urlclassifier3.sqlite scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\XUL.mfl scheduled to be deleted on reboot.

FireFox cache emptied.

Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02042009_135241

Files moved on Reboot...

File C:\DOCUME~1\Owner\LOCALS~1\Temp\etilqs_0Gl4gzdMFMr9cDmElGJk not found!

File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFF337.tmp not found!

File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFF364.tmp not found!

File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFFDCD.tmp not found!

File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFFE18.tmp not found!

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\Cache\_CACHE_001_ moved successfully.

C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\Cache\_CACHE_002_ moved successfully.

C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\Cache\_CACHE_003_ moved successfully.

C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\Cache\_CACHE_MAP_ moved successfully.

C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\urlclassifier3.sqlite moved successfully.

C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\XUL.mfl moved successfully.

DDS.txt

DDS (Ver_09-02-01.01) - NTFSx86

Run by Owner at 13:58:28.35 on Wed 02/04/2009

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2788 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\FileZilla Server\FileZilla Server.exe

c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Icon Remover\IconRemover.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll

BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

uRun: [icon Remover] c:\program files\icon remover\IconRemover.exe /hideapp

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe

IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202

IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm

IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229187606882

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229187588901

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} - hxxp://ares.netgame.com/download/mglaunch_USAv1002.cab

DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3ldgoiop.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPHoldemFireLauncher.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPMFireLauncher.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-2 64160]

R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2008-12-17 33824]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-12-25 10384]

R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-7-20 84992]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-17 38496]

S3 LoveDRIVER53;LoveDRIVER53;c:\documents and settings\owner\desktop\love_engine_0.2\love engine 0.2\loveliss.sys [2009-1-5 31488]

S3 usbsnoop;USB Snoopy Filter Driver;c:\windows\system32\drivers\UsbSnoop.sys [2009-1-2 182200]

=============== Created Last 30 ================

2009-02-04 13:54 491 a------- c:\windows\system32\win32hlp.cnf

2009-02-04 13:52 <DIR> --d----- C:\_OTMoveIt

2009-02-04 11:54 250 a------- c:\windows\gmer.ini

2009-02-03 23:43 15,688 a------- c:\windows\system32\lsdelete.exe

2009-02-03 10:54 <DIR> --d----- c:\docume~1\owner\applic~1\AVGTOOLBAR

2009-02-03 10:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8

2009-02-02 15:09 64,160 a------- c:\windows\system32\drivers\Lbd.sys

2009-02-02 15:08 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-02-02 15:08 <DIR> --d----- c:\program files\Lavasoft

2009-02-02 14:48 2,516 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys

2009-02-02 14:48 88 ---shr-- c:\docume~1\alluse~1\applic~1\A81B14F4A2.sys

2009-02-02 14:41 <DIR> --d----- c:\program files\common files\Protexis

2009-02-02 14:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Corel

2009-02-02 14:38 <DIR> --d----- c:\program files\common files\Corel

2009-02-02 14:36 <DIR> --d----- c:\program files\Corel

2009-02-02 14:26 <DIR> --d----- c:\program files\Trend Micro

2009-02-02 07:57 <DIR> --d----- c:\program files\Spybot - Search & Destroy

2009-02-02 07:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2009-02-01 12:36 <DIR> --d----- c:\program files\common files\Macrovision Shared

2009-02-01 12:34 <DIR> --d----- c:\program files\Rosetta Stone

2009-02-01 12:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Rosetta Stone

2009-02-01 12:32 <DIR> --d----- c:\program files\VirusTotalUploader

2009-01-31 12:45 <DIR> --d----- c:\docume~1\owner\applic~1\Purple Ghost Software, Inc

2009-01-31 12:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Purple Ghost Software, Inc

2009-01-31 12:44 <DIR> --d----- c:\program files\Purple Ghost

2009-01-31 12:16 2,006 a------- c:\windows\system32\tmp.reg

2009-01-31 12:07 125,440 ac------ c:\windows\system32\dllcache\userinit.exe

2009-01-30 17:06 553 a------- c:\windows\USetup.iss

2009-01-30 17:05 34,816 a------- c:\windows\system32\RtkCoInstXP.dll

2009-01-30 17:05 1,389,056 a------- c:\windows\system32\drivers\Monfilt.sys

2009-01-30 17:05 1,684,736 a------- c:\windows\system32\drivers\Ambfilt.sys

2009-01-30 17:05 <DIR> --d----- c:\program files\Realtek

2009-01-30 17:05 528,384 a------- c:\windows\RtlExUpd.dll

2009-01-29 14:20 <DIR> --d----- c:\docume~1\owner\applic~1\Teeworlds

2009-01-28 07:54 <DIR> --d----- c:\docume~1\owner\applic~1\Rogue.140F0B534E676AD25491A378BD6D96164D40676E.1

2009-01-28 07:50 <DIR> --d----- c:\program files\Rogue

2009-01-23 15:47 4,379,984 a------- c:\windows\system32\D3DX9_40.dll

2009-01-23 15:47 514,384 a------- c:\windows\system32\XAudio2_3.dll

2009-01-23 15:47 70,992 a------- c:\windows\system32\XAPOFX1_2.dll

2009-01-23 15:47 509,448 a------- c:\windows\system32\XAudio2_2.dll

2009-01-23 15:47 68,616 a------- c:\windows\system32\XAPOFX1_1.dll

2009-01-23 15:47 23,376 a------- c:\windows\system32\X3DAudio1_5.dll

2009-01-23 15:47 3,851,784 a------- c:\windows\system32\D3DX9_39.dll

2009-01-18 13:50 <DIR> --d----- c:\program files\Visual Assist X

2009-01-18 13:41 <DIR> --d----- c:\program files\Greatis

2009-01-15 14:53 82,432 ----h--t c:\windows\system32\5e7504.dll

2009-01-15 14:53 82,432 ----h--t c:\windows\system32\57175b0.dll

2009-01-15 14:45 0 a------- c:\windows\system32\drivers\EagleNt.sys

2009-01-15 14:45 82,432 ----h--t c:\windows\system32\1a9f280.dll

2009-01-15 14:45 82,432 ----h--t c:\windows\system32\10f3aa2c.dll

2009-01-15 14:43 82,432 ----h--t c:\windows\system32\34386752.dll

2009-01-15 14:43 82,432 ----h--t c:\windows\system32\1abd7a4a.dll

2009-01-15 13:18 3 a------- c:\windows\sbacknt.bin

2009-01-15 13:16 152,904 a------- c:\windows\system32\vghd.scr

2009-01-15 13:16 <DIR> --d----- c:\docume~1\owner\applic~1\vghd

2009-01-13 08:37 361,600 -c------ c:\windows\system32\dllcache\tcpip.sys

2009-01-13 08:37 245,248 -c------ c:\windows\system32\dllcache\mswsock.dll

2009-01-13 08:37 225,856 -c------ c:\windows\system32\dllcache\tcpip6.sys

2009-01-13 08:37 147,968 -c------ c:\windows\system32\dllcache\dnsapi.dll

2009-01-08 02:53 1,733 a------- c:\windows\TSearch.INI

2009-01-06 16:56 <DIR> --d----- c:\docume~1\owner\applic~1\MozillaControl

2009-01-06 16:56 <DIR> --d----- c:\program files\Mozilla ActiveX Control v1.7.12

2009-01-06 16:51 54,784 a------- c:\windows\system32\ieframe.oca

2009-01-06 16:49 29,184 a------- c:\windows\system32\msinet.oca

2009-01-06 16:47 115,920 a------- c:\windows\system32\msinet.ocx

==================== Find3M ====================

2009-01-31 12:07 125,440 a------- c:\windows\system32\userinit.exe

2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-01-04 22:19 122,771 a------- c:\windows\hpoins14.dat

2009-01-02 18:55 182,200 a------- c:\windows\system32\drivers\UsbSnoop.sys

2008-12-25 23:54 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf

2008-12-25 23:54 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf

2008-12-25 23:54 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2008-12-25 18:30 182 a------- c:\docume~1\owner\applic~1\SnapiiHistory.dat

2008-12-17 16:42 33,824 a------- c:\windows\system32\drivers\oreans32.sys

2008-12-13 13:37 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

2008-12-13 10:40 21,640 a------- c:\windows\system32\emptyregdb.dat

2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys

2008-12-01 15:52 425,984 a------- c:\windows\system32\ATIDEMGX.dll

2008-12-01 15:51 318,464 a------- c:\windows\system32\ati2dvag.dll

2008-12-01 15:46 11,304,960 a------- c:\windows\system32\atioglxx.dll

2008-12-01 15:41 188,416 a------- c:\windows\system32\atipdlxx.dll

2008-12-01 15:40 147,456 a------- c:\windows\system32\Oemdspif.dll

2008-12-01 15:40 26,112 a------- c:\windows\system32\Ati2mdxx.exe

2008-12-01 15:40 43,520 a------- c:\windows\system32\ati2edxx.dll

2008-12-01 15:40 143,360 a------- c:\windows\system32\ati2evxx.dll

2008-12-01 15:38 598,016 a------- c:\windows\system32\ati2evxx.exe

2008-12-01 15:37 53,248 a------- c:\windows\system32\ATIDDC.DLL

2008-12-01 15:27 4,120,384 a------- c:\windows\system32\ati3duag.dll

2008-12-01 15:19 307,200 a------- c:\windows\system32\atiiiexx.dll

2008-12-01 15:11 2,495,360 a------- c:\windows\system32\ativvaxx.dll

2008-12-01 14:57 48,640 a------- c:\windows\system32\amdpcom32.dll

2008-12-01 14:53 401,408 a------- c:\windows\system32\atikvmag.dll

2008-12-01 14:53 45,056 a------- c:\windows\system32\amdcalrt.dll

2008-12-01 14:53 45,056 a------- c:\windows\system32\amdcalcl.dll

2008-12-01 14:52 86,016 a------- c:\windows\system32\atiadlxx.dll

2008-12-01 14:52 17,408 a------- c:\windows\system32\atitvo32.dll

2008-12-01 14:50 286,720 a------- c:\windows\system32\atiok3x2.dll

2008-12-01 14:50 3,252,224 a------- c:\windows\system32\Amdcaldd.dll

2008-12-01 14:45 577,536 a------- c:\windows\system32\ati2cqag.dll

2008-12-01 14:35 593,920 -------- c:\windows\system32\ati2sgag.exe

2008-11-21 16:47 524,288 a------- c:\windows\system32\DivXsm.exe

2008-11-21 16:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll

2008-11-21 16:47 129,784 -------- c:\windows\system32\pxafs.dll

2008-11-21 16:47 120,056 -------- c:\windows\system32\pxcpyi64.exe

2008-11-21 16:47 118,520 -------- c:\windows\system32\pxinsi64.exe

2008-11-21 16:46 1,044,480 a------- c:\windows\system32\libdivx.dll

2008-11-21 16:46 200,704 a------- c:\windows\system32\ssldivx.dll

2008-11-21 16:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe

2008-11-21 16:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll

2008-11-20 15:45 42,320 a------- c:\windows\system32\xfcodec.dll

2008-11-07 16:38 84,496 a------- c:\windows\system32\KemXML.dll

2008-11-07 16:38 117,264 a------- c:\windows\system32\KemWnd.dll

2008-11-07 16:38 145,936 a------- c:\windows\system32\KemUtil.dll

2008-11-07 16:38 170,512 a------- c:\windows\system32\kemutb.dll

2008-11-07 16:37 301,656 a------- c:\windows\system32\BtCoreIf.dll

============= FINISH: 13:58:50.32 ===============

Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 12/13/2008 11:41:13 AM

System Uptime: 2/4/2009 1:54:06 PM (0 hours ago)

Motherboard: MICRO-STAR INTERANTIONAL CO.,LTD | | MS-7367

Processor: AMD Athlon 64 X2 Dual Core Processor 4800+ | CPU 1 | 2494/200mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 186 GiB total, 122.525 GiB free.

D: is CDROM (CDFS)

E: is FIXED (FAT32) - 75 GiB total, 21.846 GiB free.

F: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP82: 2/4/2009 7:25:43 AM - viri_clean

RP83: 2/4/2009 7:27:06 AM - Installed AVG Free 8.0

==== Installed Programs ======================

.sol Editor 1.1.0.1

010 Editor 3.0.3

32 Bit HP CIO Components Installer

Ad-Aware

Adobe AIR

Adobe Bridge 1.0

Adobe Common File Installer

Adobe Flash Player 10 Plugin

Adobe Flash Player ActiveX

Adobe Help Center 1.0

Adobe Photoshop CS2

Adobe Reader 8

Adobe Stock Photos 1.0

AIO_Scan

Apple Mobile Device Support

Apple Software Update

ATI - Software Uninstall Utility

ATI Catalyst Control Center

ATI Display Driver

AutoUpdate

Bonjour

Catalyst Control Center - Branding

Catalyst Control Center Core Implementation

Catalyst Control Center Graphics Full Existing

Catalyst Control Center Graphics Full New

Catalyst Control Center Graphics Light

Catalyst Control Center Graphics Previews Common

Catalyst Control Center HydraVision Full

ccc-core-preinstall

ccc-core-static

ccc-utility

CCC Help English

CCleaner (remove only)

CDDRV_Installer

Cheat Engine 5.4

Combat Arms

Condition Zero

CorelDRAW Graphics Suite X4

CorelDRAW Graphics Suite X4 - Capture

CorelDRAW Graphics Suite X4 - Content

CorelDRAW Graphics Suite X4 - Draw

CorelDRAW Graphics Suite X4 - Filters

CorelDRAW Graphics Suite X4 - FontNav

CorelDRAW Graphics SUite X4 - ICA

CorelDRAW Graphics Suite X4 - IPM

CorelDRAW Graphics Suite X4 - Lang EN

CorelDRAW Graphics Suite X4 - PP

CorelDRAW Graphics Suite X4 - VBA

CorelDRAW® Graphics Suite X4

CorelDRAW® Graphics Suite X4 - Windows Shell Extension

Counter-Strike

Counter-Strike: Source

DAEMON Tools

Day of Defeat: Source

Delta Force: Xtreme

DHPinger

DivX Codec

DivX Converter

DivX Player

DivX Web Player

DJ_AIO_Software_min

F.E.A.R. 2: Project Origin Single-player Demo

FileZilla Client 3.1.6

FileZilla Server (remove only)

Flash Decompiler Trillix

Game Extractor 2.0

GamesBar 2.0.1.12

Greatis

Download ComboFix from one of these locations:

Link 1

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Awesome! I think it took care of the userinit infection, and even replaced it with a clean version. Here is the log.

ComboFix 09-02-04.04 - Owner 2009-02-05 10:36:38.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2854 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\AutoRun.inf

c:\windows\system32\tmp.reg

c:\windows\system32\win32hlp.cnf

Infected copy of c:\windows\system32\userinit.exe was found and disinfected

Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_OREANS32

-------\Service_oreans32

((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))

.

2009-02-04 13:52 . 2009-02-04 13:52 <DIR> d-------- C:\_OTMoveIt

2009-02-04 11:54 . 2009-02-04 11:54 250 --a------ c:\windows\gmer.ini

2009-02-03 23:43 . 2009-02-03 23:20 15,688 --a------ c:\windows\system32\lsdelete.exe

2009-02-03 10:59 . 2009-02-03 10:59 <DIR> d-------- c:\documents and settings\Administrator

2009-02-03 10:54 . 2009-02-03 10:54 <DIR> d-------- c:\documents and settings\Owner\Application Data\AVGTOOLBAR

2009-02-03 10:50 . 2009-02-04 07:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

2009-02-02 15:09 . 2009-01-18 16:30 64,160 --a------ c:\windows\system32\drivers\Lbd.sys

2009-02-02 15:08 . 2009-02-02 15:08 <DIR> d-------- c:\program files\Lavasoft

2009-02-02 15:08 . 2009-02-02 15:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2009-02-02 15:08 . 2009-02-02 15:08 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-02-02 14:48 . 2009-02-02 14:48 <DIR> d-------- c:\documents and settings\Owner\Application Data\Corel

2009-02-02 14:48 . 2009-02-02 14:48 2,516 --ahs---- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys

2009-02-02 14:48 . 2009-02-02 14:48 88 -r-hs---- c:\documents and settings\All Users\Application Data\A81B14F4A2.sys

2009-02-02 14:41 . 2009-02-02 14:41 <DIR> d-------- c:\program files\Common Files\Protexis

2009-02-02 14:41 . 2009-02-02 14:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Corel

2009-02-02 14:38 . 2009-02-02 14:38 <DIR> d-------- c:\program files\Common Files\Corel

2009-02-02 14:36 . 2009-02-02 14:36 <DIR> d-------- c:\program files\Corel

2009-02-02 14:26 . 2009-02-02 14:26 <DIR> d-------- c:\program files\Trend Micro

2009-02-02 07:57 . 2009-02-02 07:57 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-02-02 07:57 . 2009-02-03 11:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-02-01 12:37 . 2009-02-01 12:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet

2009-02-01 12:36 . 2009-02-01 12:36 <DIR> d-------- c:\program files\Common Files\Macrovision Shared

2009-02-01 12:34 . 2009-02-01 12:34 <DIR> d-------- c:\program files\Rosetta Stone

2009-02-01 12:34 . 2009-02-01 13:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Rosetta Stone

2009-02-01 12:32 . 2009-02-01 12:32 <DIR> d-------- c:\program files\VirusTotalUploader

2009-01-31 12:45 . 2009-01-31 12:45 <DIR> d-------- c:\documents and settings\Owner\Application Data\Purple Ghost Software, Inc

2009-01-31 12:45 . 2009-01-31 12:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Purple Ghost Software, Inc

2009-01-31 12:44 . 2009-01-31 12:44 <DIR> d-------- c:\program files\Purple Ghost

2009-01-30 17:06 . 2007-11-14 15:18 553 --a------ c:\windows\USetup.iss

2009-01-30 17:05 . 2009-01-30 17:05 <DIR> d-------- c:\program files\Realtek

2009-01-30 17:05 . 2008-08-05 20:10 1,684,736 --a------ c:\windows\system32\drivers\Ambfilt.sys

2009-01-30 17:05 . 2006-01-04 15:41 1,389,056 --a------ c:\windows\system32\drivers\Monfilt.sys

2009-01-30 17:05 . 2008-08-25 16:17 528,384 --a------ c:\windows\RtlExUpd.dll

2009-01-30 17:05 . 2008-10-27 18:12 34,816 --a------ c:\windows\system32\RtkCoInstXP.dll

2009-01-29 14:20 . 2009-01-29 14:25 <DIR> d-------- c:\documents and settings\Owner\Application Data\Teeworlds

2009-01-28 07:54 . 2009-01-28 07:54 <DIR> d-------- c:\documents and settings\Owner\Application Data\Rogue.140F0B534E676AD25491A378BD6D96164D40676E.1

2009-01-28 07:50 . 2009-01-28 07:50 <DIR> d-------- c:\program files\Rogue

2009-01-28 07:50 . 2009-01-28 07:50 <DIR> d-------- c:\program files\Common Files\Adobe AIR

2009-01-23 15:47 . 2008-10-10 04:52 4,379,984 --a------ c:\windows\system32\D3DX9_40.dll

2009-01-23 15:47 . 2008-07-10 11:00 3,851,784 --a------ c:\windows\system32\D3DX9_39.dll

2009-01-23 15:47 . 2008-10-27 10:04 514,384 --a------ c:\windows\system32\XAudio2_3.dll

2009-01-23 15:47 . 2008-07-30 06:20 509,448 --a------ c:\windows\system32\XAudio2_2.dll

2009-01-23 15:47 . 2008-10-27 10:04 70,992 --a------ c:\windows\system32\XAPOFX1_2.dll

2009-01-23 15:47 . 2008-07-30 06:20 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll

2009-01-23 15:47 . 2008-10-27 10:04 23,376 --a------ c:\windows\system32\X3DAudio1_5.dll

2009-01-18 13:50 . 2009-01-18 13:58 <DIR> d-------- c:\program files\Visual Assist X

2009-01-18 13:41 . 2009-01-18 13:41 <DIR> d-------- c:\program files\Greatis

2009-01-15 14:53 . 2008-04-14 05:42 82,432 ---h---t- c:\windows\system32\5e7504.dll

2009-01-15 14:53 . 2008-04-14 05:42 82,432 ---h---t- c:\windows\system32\57175b0.dll

2009-01-15 14:45 . 2008-04-14 05:42 82,432 ---h---t- c:\windows\system32\1a9f280.dll

2009-01-15 14:45 . 2008-04-14 05:42 82,432 ---h---t- c:\windows\system32\10f3aa2c.dll

2009-01-15 14:45 . 2009-01-15 14:56 0 --a------ c:\windows\system32\drivers\EagleNt.sys

2009-01-15 14:43 . 2008-04-14 05:42 82,432 ---h---t- c:\windows\system32\34386752.dll

2009-01-15 14:43 . 2008-04-14 05:42 82,432 ---h---t- c:\windows\system32\1abd7a4a.dll

2009-01-15 13:18 . 2009-01-15 13:31 3 --a------ c:\windows\sbacknt.bin

2009-01-15 13:16 . 2009-01-15 13:33 <DIR> d-------- c:\documents and settings\Owner\Application Data\vghd

2009-01-15 13:16 . 2009-01-15 13:16 152,904 --a------ c:\windows\system32\vghd.scr

2009-01-15 13:03 . 2009-01-15 13:03 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Xfire

2009-01-13 08:37 . 2008-06-20 06:51 361,600 -----c--- c:\windows\system32\dllcache\tcpip.sys

2009-01-13 08:37 . 2008-06-20 12:46 245,248 -----c--- c:\windows\system32\dllcache\mswsock.dll

2009-01-13 08:37 . 2008-06-20 06:08 225,856 -----c--- c:\windows\system32\dllcache\tcpip6.sys

2009-01-13 08:37 . 2008-06-20 12:46 147,968 -----c--- c:\windows\system32\dllcache\dnsapi.dll

2009-01-08 02:53 . 2009-01-20 17:31 1,733 --a------ c:\windows\TSearch.INI

2009-01-06 16:56 . 2009-01-06 16:56 <DIR> d-------- c:\program files\Mozilla ActiveX Control v1.7.12

2009-01-06 16:56 . 2009-01-06 16:56 <DIR> d-------- c:\documents and settings\Owner\Application Data\MozillaControl

2009-01-06 16:51 . 2009-01-06 16:51 54,784 --a------ c:\windows\system32\ieframe.oca

2009-01-06 16:49 . 2009-01-06 16:49 29,184 --a------ c:\windows\system32\msinet.oca

2009-01-06 16:47 . 2009-01-06 16:47 115,920 --a------ c:\windows\system32\msinet.ocx

2009-01-05 00:34 . 2009-01-22 11:49 754 --a------ c:\windows\WORDPAD.INI

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-04 20:51 --------- d-----w c:\program files\Steam

2009-02-04 18:53 --------- d-----w c:\documents and settings\Owner\Application Data\Orbit

2009-02-01 20:23 --------- d-----w c:\program files\Cheat Engine

2009-01-31 17:25 --------- d-----w c:\program files\CCleaner

2009-01-31 17:13 --------- d-----w c:\documents and settings\Owner\Application Data\Xfire

2009-01-31 16:02 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-31 16:02 --------- d-----w c:\program files\Novalogic

2009-01-29 20:46 --------- d-----w c:\documents and settings\Owner\Application Data\FileZilla

2009-01-22 16:22 --------- d-----w c:\program files\IDA

2009-01-18 18:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-01-17 19:01 --------- d-----w c:\documents and settings\Owner\Application Data\VisualAssist

2009-01-16 00:14 --------- d-----w c:\documents and settings\Owner\Application Data\OpenOffice.org2

2009-01-16 00:11 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-01-14 21:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-14 21:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-01-05 03:19 --------- d-----w c:\program files\Hewlett-Packard

2009-01-05 03:19 --------- d-----w c:\program files\Common Files\Hewlett-Packard

2009-01-05 03:18 --------- d-----w c:\program files\HP

2009-01-05 03:18 --------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard

2009-01-05 02:56 --------- d-----w c:\program files\Common Files\InstallShield

2009-01-05 02:56 --------- d-----w c:\documents and settings\Owner\Application Data\InstallShield

2009-01-05 02:56 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield

2009-01-05 02:55 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks

2009-01-05 02:50 --------- d-----w c:\program files\Xfire

2009-01-02 23:55 182,200 ----a-w c:\windows\system32\drivers\UsbSnoop.sys

2008-12-30 03:35 --------- d-----w c:\program files\iPhoneBrowser

2008-12-30 01:53 --------- d-----w c:\program files\Sol Edit

2008-12-30 01:33 --------- d-----w c:\program files\SourceTec

2008-12-30 01:33 --------- d-----w c:\program files\Common Files\SourceTec

2008-12-30 01:32 --------- d-----w c:\program files\GamesBar

2008-12-30 01:18 --------- d-----w c:\documents and settings\All Users\Application Data\GamesBar

2008-12-26 20:40 --------- d-----w c:\program files\Oberon Media

2008-12-26 07:26 --------- d-----w c:\documents and settings\All Users\Application Data\Souptoys

2008-12-26 06:06 --------- d-----w c:\program files\010 Editor v3

2008-12-26 05:02 --------- d-----w c:\documents and settings\Owner\Application Data\Logitech

2008-12-26 04:55 --------- d-----w c:\documents and settings\All Users\Application Data\LogiShrd

2008-12-26 04:54 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2008-12-26 04:54 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf

2008-12-26 04:54 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf

2008-12-26 04:54 --------- d-----w c:\program files\Common Files\Logishrd

2008-12-26 04:53 --------- d-----w c:\program files\Logitech

2008-12-26 04:53 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech

2008-12-26 04:12 --------- d-----w c:\documents and settings\Owner\Application Data\TeamViewer

2008-12-26 04:11 --------- d-----w c:\program files\TeamViewer

2008-12-26 04:08 --------- d-----w c:\program files\RSP OGG Vorbis Player .Net 1.0.0

2008-12-26 01:03 --------- d-----w c:\program files\Common Files\Adobe

2008-12-26 00:55 --------- d-----w c:\documents and settings\All Users\Application Data\Adobe Systems

2008-12-26 00:49 --------- d-----w c:\program files\Common Files\Adobe Systems Shared

2008-12-25 23:30 182 ----a-w c:\documents and settings\Owner\Application Data\SnapiiHistory.dat

2008-12-25 23:12 --------- d-----w c:\program files\Common Files\Oberon Media

2008-12-25 21:04 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE

2008-12-25 20:59 --------- d-----w c:\documents and settings\Owner\Application Data\Activision

2008-12-25 20:59 --------- d-----w c:\documents and settings\All Users\Application Data\Activision

2008-12-25 20:54 --------- d-----w c:\program files\D-Tools

2008-12-25 18:23 --------- d-----w c:\program files\Mars

2008-12-25 18:23 --------- d-----w c:\program files\DIFX

2008-12-25 17:30 --------- d-----w c:\program files\Activision

2008-12-25 07:07 --------- d-----w c:\documents and settings\Owner\Application Data\Apple Computer

2008-12-25 07:06 --------- d-----w c:\program files\QuickTime

2008-12-25 06:59 --------- d-----w c:\program files\iTunes

2008-12-25 06:59 --------- d-----w c:\program files\iPod

2008-12-25 06:59 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2008-12-25 00:28 --------- d-----w c:\program files\Game Extractor

2008-12-24 23:31 --------- d-----w c:\program files\IrfanView

2008-12-24 21:54 --------- d-----w c:\program files\Souptoys

2008-12-24 21:30 --------- d-----w c:\program files\BreakPoint Software

2008-12-24 20:33 --------- d-----w c:\documents and settings\Owner\Application Data\Souptoys

2008-12-24 19:17 --------- d-----w c:\program files\Teamspeak2_RC2

2008-12-24 17:32 --------- d-----w c:\documents and settings\Owner\Application Data\teamspeak2

2008-12-22 18:46 --------- d-----w c:\program files\Common Files\Apple

2008-12-21 06:28 --------- d-----w c:\program files\Screenie

2008-12-21 06:27 --------- d-----w c:\documents and settings\Owner\Application Data\Screenie

2008-12-21 04:31 --------- d-----w c:\program files\Wide Angle Software

2008-12-20 19:29 --------- d-----w c:\program files\Oni

2008-12-20 15:06 --------- d-----w c:\program files\FileZilla FTP Client

2008-12-20 06:06 --------- d-----w c:\program files\Swiigle

2008-12-20 06:02 --------- d-----w c:\program files\Eltima Software

2008-12-20 04:11 --------- d-----w c:\program files\Bonjour

2008-12-20 04:11 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer

2008-12-20 04:10 --------- d-----w c:\program files\Apple Software Update

2008-12-20 04:09 --------- d-----w c:\documents and settings\All Users\Application Data\Apple

2008-12-19 19:04 --------- d-----w c:\documents and settings\Owner\Application Data\Datarescue

2008-12-19 01:04 --------- d-----w c:\documents and settings\Owner\Application Data\DivX

2008-12-19 00:32 --------- d-----w c:\program files\DivX

2008-12-18 20:22 --------- d-----w c:\program files\RocketDock

2008-12-18 17:35 --------- d-----w c:\program files\Orbitdownloader

2008-12-18 16:20 --------- d-----w c:\documents and settings\Owner\Application Data\Media Player Classic

2008-12-18 16:19 --------- d-----w c:\program files\K-Lite Codec Pack

2008-12-17 21:51 --------- d-----w c:\program files\FileZilla Server

2008-12-17 21:45 --------- d-----w c:\documents and settings\All Users\Application Data\NexonUS

2008-12-17 21:42 33,824 ----a-w c:\windows\system32\drivers\oreans32.sys

2008-12-17 19:27 --------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes

2008-12-17 19:27 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-17 16:56 --------- d-----w c:\program files\PE Explorer

2008-12-17 16:56 --------- d-----w c:\documents and settings\Owner\Application Data\PE Explorer

2008-12-16 19:03 --------- d-----w c:\program files\Yahoo!

2008-12-16 18:08 --------- d-----w c:\program files\Icon Remover

2008-12-16 18:08 --------- d-----w c:\documents and settings\Owner\Application Data\Icon Remover

2008-12-16 17:58 --------- d-----w c:\program files\Everstrike Software

2008-12-16 07:31 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Icon Remover"="c:\program files\Icon Remover\IconRemover.exe" [2008-03-25 742400]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-03 509784]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 c:\windows\KHALMNPR.Exe]

"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 c:\windows\RTHDCPL.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-11-07 16:41 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Orbit.lnk

backup=c:\windows\pss\Orbit.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Xfire.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Xfire.lnk

backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

--a------ 2004-08-22 17:05 81920 c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2008-04-14 05:42 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]

--a------ 2007-09-02 13:58 495616 c:\program files\RocketDock\RocketDock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

--a------ 2008-12-15 20:40 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"c:\\Program Files\\Steam\\steamapps\\macdragon1\\half-life\\hl.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe

"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Nexon\\Combat Arms\\NMService.exe"=

"c:\\Program Files\\Steam\\steamapps\\macdragon1\\counter-strike source\\hl2.exe"=

"c:\\Documents and Settings\\Owner\\My Documents\\Visual Studio 2008\\Projects\\ChatServer\\ChatServer\\bin\\Debug\\ChatServer.exe"=

"c:\\Program Files\\IDA\\idag.exe"=

"c:\\Program Files\\IDA\\idag64.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Steam\\steamapps\\macdragon1\\day of defeat source\\hl2.exe"=

"c:\\Documents and Settings\\Owner\\Desktop\\BHD\\DFBHD.EXE"=

"c:\\Program Files\\Steam\\steamapps\\macdragon1\\age of chivalry\\hl2.exe"=

"c:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Activision\\Quantum of Solace\\JB_LiveEngine_s.exe"=

"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\fear2spdemo\\FEAR2SPDemo.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"<NO NAME>"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-02 64160]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-12-25 10384]

R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-07-20 84992]

S3 LoveDRIVER53;LoveDRIVER53;c:\documents and settings\Owner\Desktop\Love_Engine_0.2\Love Engine 0.2\loveliss.sys [2009-01-05 31488]

S3 usbsnoop;USB Snoopy Filter Driver;c:\windows\system32\drivers\UsbSnoop.sys [2009-01-02 182200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08

.

Contents of the 'Scheduled Tasks' folder

2009-02-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-03 23:19]

2009-01-30 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-CTFMON - (no file)

MSConfigStartUp-Framework Windows - frmwrk32.exe

.

------- Supplementary Scan -------

.

IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} - hxxp://ares.netgame.com/download/mglaunch_USAv1002.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPHoldemFireLauncher.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMFireLauncher.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-05 10:41:19

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\FileZilla Server\FileZilla server.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\Common Files\Protexis\License Service\PsiService_2.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

.

**************************************************************************

.

Completion time: 2009-02-05 10:44:07 - machine was rebooted [Owner]

ComboFix-quarantined-files.txt 2009-02-05 15:44:05

Pre-Run: 140,132,442,112 bytes free

Post-Run: 140,424,409,088 bytes free

351 --- E O F --- 2009-01-15 18:06:55

I am a little worried about stuff like

c:\windows\system32\34386752.dll

2009-01-15 14:43 . 2008-04-14 05:42 82,432 ---h---t- c:\windows\system32\1abd7a4a.dll

2009-01-15 13:18 . 2009-01-15 13:31 3 --a------ c:\windows\sbacknt.bin

and other random.dll names

as well as this.

c:\windows\system32\drivers\Lbd.sys

Thanks, this is really helping me!

c:\windows\system32\drivers\Lbd.sys < this is related to Ad-Aware and is safe; some of the others we will have to check out.

=================

Please submit the following files to one of these online file scanners.

(All you have to do is copy and paste them in one at a time)

c:\windows\system32\dllcache\userinit.exe

c:\windows\sbacknt.bin

Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete; please copy and paste those results in your next post.

=============

1. Please open Notepad

  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\34386752.dll
c:\windows\system32\1abd7a4a.dll
c:\windows\system32\5e7504.dll
c:\windows\system32\57175b0.dll
c:\windows\system32\1a9f280.dll
c:\windows\system32\10f3aa2c.dll
c:\windows\system32\vghd.scr
c:\documents and settings\All Users\Application Data\A81B14F4A2.sys
Folder::
c:\documents and settings\Owner\Application Data\vghd

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScriptB-4.gif

5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:

  1. Combofix.txt
  2. File scanning results

Here is ComboFix Log.

ComboFix 09-02-04.04 - Owner 2009-02-05 19:24:44.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2547 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: avast! antivirus 4.8.1296 [VPS 090205-1] *On-access scanning enabled* (Updated)

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

* Created a new restore point

FILE ::

c:\documents and settings\All Users\Application Data\A81B14F4A2.sys

c:\windows\system32\10f3aa2c.dll

c:\windows\system32\1a9f280.dll

c:\windows\system32\1abd7a4a.dll

c:\windows\system32\34386752.dll

c:\windows\system32\57175b0.dll

c:\windows\system32\5e7504.dll

c:\windows\system32\vghd.scr

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\A81B14F4A2.sys

c:\documents and settings\Owner\Application Data\vghd

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backabout.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backcalendar.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backcollection.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backdelete.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backdownload_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backdownload_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backenterpassword.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\background.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backplaylists.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backregister_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backregister_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backscreensaver.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backsettings_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backsettings_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backwarnbox.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backwarnbox_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_add_playlist_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_add_playlist_click_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_add_playlist_on_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_add_playlist_on_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_buy_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_buy_click_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_buy_off_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_buy_off_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_buy_on_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_buy_on_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_cancel_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_cancel_click_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_cancel_on_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_cancel_on_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_cancel_small.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_cancel_small_click.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_cancel_small_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_cancel_small_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_cancelregister_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_cancelregister_click_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_cancelregister_on_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_cancelregister_on_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_confirm_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_confirm_click_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_confirm_on_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_confirm_on_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_delete_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_delete_click_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_delete_off_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_delete_off_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_delete_on_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_delete_on_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_delete_playlist_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_delete_playlist_click_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_delete_playlist_on_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_delete_playlist_on_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_download_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_download_click_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_download_off_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_download_off_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_download_on_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_download_on_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_downloadtrailer_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_downloadtrailer_click_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_downloadtrailer_off_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_downloadtrailer_off_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_downloadtrailer_on_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_downloadtrailer_on_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_enable_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_enable_click_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_enable_off_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_enable_off_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_enable_on_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_enable_on_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_finish_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_finish_click_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_finish_on_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_finish_on_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_no_click.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_no_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_no_on.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_no_on_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_ok_playlist_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_ok_playlist_click_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_ok_playlist_on_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_ok_playlist_on_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_ok_small.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_ok_small_click.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset1_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset1_click_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset1_on_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset1_on_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset2_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset2_click_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset2_on_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset2_on_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset3_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset3_click_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset3_on_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset3_on_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset4_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset4_click_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset4_on_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset4_on_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preview_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preview_click_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preview_on_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preview_on_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_previewsmall_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_previewsmall_click_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_previewsmall_on_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_previewsmall_on_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_products.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_resetdisabled_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_resetdisabled_click_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_resetdisabled_off_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_resetdisabled_off_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_resetdisabled_on_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_resetdisabled_on_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_select_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_select_click_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_select_on_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_select_on_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_show_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_show_click_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_show_off_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_show_off_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_show_on_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_show_on_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_skins.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_toggle_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_toggle_click_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_toggle_on_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_toggle_on_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_whatsnew_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_whatsnew_click_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_whatsnew_on_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_whatsnew_on_us.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_yes_click.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_yes_click_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_yes_on.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_yes_on_fr.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\calendar_comingsoon.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\calendar_nocard.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\checkbox.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\down_about.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\down_calendar.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\down_collection.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\down_downloads.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\down_settings.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\down_settings2.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\empty_girl.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\favorite.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\favorite_selected.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\list_disabled.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\list_enabled.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\logo.BMP

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\plus.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\radio.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\register_sticker.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\scr00001.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\scr00003.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\scr00004.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\scr00005.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\scr1.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\scr3.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\scr4.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\scr5.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\slider.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\Thumbs.db

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\tip_background.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\tooltip_button.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\tooltip_button_click.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\tooltip_check_off.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\tooltip_check_on.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\tooltip_close.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\up_about.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\up_calendar.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\up_collection.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\up_downloads.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\up_settings.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\up_settings2.bmp

c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\vgirl.pack

c:\windows\system32\10f3aa2c.dll

c:\windows\system32\1a9f280.dll

c:\windows\system32\1abd7a4a.dll

c:\windows\system32\34386752.dll

c:\windows\system32\404Fix.exe

c:\windows\system32\57175b0.dll

c:\windows\system32\5e7504.dll

c:\windows\system32\Agent.OMZ.Fix.exe

c:\windows\system32\dumphive.exe

c:\windows\system32\IEDFix.C.exe

c:\windows\system32\IEDFix.exe

c:\windows\system32\o4Patch.exe

c:\windows\system32\Process.exe

c:\windows\system32\SrchSTS.exe

c:\windows\system32\tmp.reg

c:\windows\system32\VACFix.exe

c:\windows\system32\VCCLSID.exe

c:\windows\system32\vghd.scr

c:\windows\system32\WS2Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_OREANS32

-------\Service_oreans32

((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))

.

2009-02-05 18:04 . 2009-02-05 18:22 5,491 --a------ C:\dfx.rtf

2009-02-05 15:06 . 2009-02-05 15:06 <DIR> d-------- c:\documents and settings\Owner\Application Data\Sunbelt

2009-02-05 15:06 . 2009-02-05 15:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sunbelt

2009-02-05 15:04 . 2009-02-05 15:04 <DIR> d-------- c:\program files\Sunbelt Software

2009-02-05 15:04 . 2008-10-09 10:21 202,928 --a------ c:\windows\system32\drivers\sbtis.sys

2009-02-05 14:27 . 2009-02-05 18:11 <DIR> d--h----- C:\$AVG8.VAULT$

2009-02-05 14:26 . 2009-02-05 14:27 <DIR> d-------- c:\windows\system32\drivers\Avg

2009-02-05 14:26 . 2009-02-05 14:26 <DIR> d-------- c:\program files\AVG

2009-02-05 14:26 . 2009-02-05 14:26 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys

2009-02-05 14:26 . 2009-02-05 14:26 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys

2009-02-05 14:26 . 2009-02-05 14:26 10,520 --a------ c:\windows\system32\avgrsstx.dll

2009-02-05 12:17 . 2009-02-05 12:17 <DIR> d-------- c:\program files\Alwil Software

2009-02-05 11:23 . 2009-02-05 11:38 2,204 --a------ c:\windows\evpovqfm

2009-02-04 11:54 . 2009-02-04 11:54 250 --a------ c:\windows\gmer.ini

2009-02-03 10:59 . 2009-02-03 10:59 <DIR> d-------- c:\documents and settings\Administrator

2009-02-03 10:50 . 2009-02-05 14:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

2009-02-02 15:09 . 2009-01-18 16:30 64,160 --a------ c:\windows\system32\drivers\Lbd.sys

2009-02-02 15:08 . 2009-02-05 12:12 <DIR> d-------- c:\program files\Lavasoft

2009-02-02 15:08 . 2009-02-05 12:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2009-02-02 15:08 . 2009-02-05 12:12 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\~0

2009-02-02 14:48 . 2009-02-02 14:48 <DIR> d-------- c:\documents and settings\Owner\Application Data\Corel

2009-02-02 14:48 . 2009-02-02 14:48 2,516 --ahs---- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys

2009-02-02 14:41 . 2009-02-02 14:41 <DIR> d-------- c:\program files\Common Files\Protexis

2009-02-02 14:41 . 2009-02-02 14:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Corel

2009-02-02 14:38 . 2009-02-02 14:38 <DIR> d-------- c:\program files\Common Files\Corel

2009-02-02 14:36 . 2009-02-02 14:36 <DIR> d-------- c:\program files\Corel

2009-02-02 14:26 . 2009-02-02 14:26 <DIR> d-------- c:\program files\Trend Micro

2009-02-02 07:57 . 2009-02-02 07:57 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-02-02 07:57 . 2009-02-05 11:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-02-01 12:37 . 2009-02-01 12:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet

2009-02-01 12:36 . 2009-02-01 12:36 <DIR> d-------- c:\program files\Common Files\Macrovision Shared

2009-02-01 12:34 . 2009-02-01 12:34 <DIR> d-------- c:\program files\Rosetta Stone

2009-02-01 12:34 . 2009-02-01 13:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Rosetta Stone

2009-02-01 12:32 . 2009-02-01 12:32 <DIR> d-------- c:\program files\VirusTotalUploader

2009-01-31 12:45 . 2009-01-31 12:45 <DIR> d-------- c:\documents and settings\Owner\Application Data\Purple Ghost Software, Inc

2009-01-31 12:45 . 2009-01-31 12:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Purple Ghost Software, Inc

2009-01-31 12:44 . 2009-01-31 12:44 <DIR> d-------- c:\program files\Purple Ghost

2009-01-30 17:06 . 2007-11-14 15:18 553 --a------ c:\windows\USetup.iss

2009-01-30 17:05 . 2009-01-30 17:05 <DIR> d-------- c:\program files\Realtek

2009-01-30 17:05 . 2008-08-05 20:10 1,684,736 --a------ c:\windows\system32\drivers\Ambfilt.sys

2009-01-30 17:05 . 2006-01-04 15:41 1,389,056 --a------ c:\windows\system32\drivers\Monfilt.sys

2009-01-30 17:05 . 2008-08-25 16:17 528,384 --a------ c:\windows\RtlExUpd.dll

2009-01-30 17:05 . 2008-10-27 18:12 34,816 --a------ c:\windows\system32\RtkCoInstXP.dll

2009-01-29 14:20 . 2009-01-29 14:25 <DIR> d-------- c:\documents and settings\Owner\Application Data\Teeworlds

2009-01-28 07:54 . 2009-01-28 07:54 <DIR> d-------- c:\documents and settings\Owner\Application Data\Rogue.140F0B534E676AD25491A378BD6D96164D40676E.1

2009-01-28 07:50 . 2009-01-28 07:50 <DIR> d-------- c:\program files\Rogue

2009-01-28 07:50 . 2009-01-28 07:50 <DIR> d-------- c:\program files\Common Files\Adobe AIR

2009-01-23 15:47 . 2008-10-10 04:52 4,379,984 --a------ c:\windows\system32\D3DX9_40.dll

2009-01-23 15:47 . 2008-07-10 11:00 3,851,784 --a------ c:\windows\system32\D3DX9_39.dll

2009-01-23 15:47 . 2008-10-27 10:04 514,384 --a------ c:\windows\system32\XAudio2_3.dll

2009-01-23 15:47 . 2008-07-30 06:20 509,448 --a------ c:\windows\system32\XAudio2_2.dll

2009-01-23 15:47 . 2008-10-27 10:04 70,992 --a------ c:\windows\system32\XAPOFX1_2.dll

2009-01-23 15:47 . 2008-07-30 06:20 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll

2009-01-23 15:47 . 2008-10-27 10:04 23,376 --a------ c:\windows\system32\X3DAudio1_5.dll

2009-01-18 13:50 . 2009-01-18 13:58 <DIR> d-------- c:\program files\Visual Assist X

2009-01-18 13:41 . 2009-01-18 13:41 <DIR> d-------- c:\program files\Greatis

2009-01-15 14:45 . 2009-01-15 14:56 0 --a------ c:\windows\system32\drivers\EagleNt.sys

2009-01-15 13:18 . 2009-01-15 13:31 3 --a------ c:\windows\sbacknt.bin

2009-01-15 13:03 . 2009-01-15 13:03 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Xfire

2009-01-13 08:37 . 2008-06-20 06:51 361,600 -----c--- c:\windows\system32\dllcache\tcpip.sys

2009-01-13 08:37 . 2008-06-20 12:46 245,248 -----c--- c:\windows\system32\dllcache\mswsock.dll

2009-01-13 08:37 . 2008-06-20 06:08 225,856 -----c--- c:\windows\system32\dllcache\tcpip6.sys

2009-01-13 08:37 . 2008-06-20 12:46 147,968 -----c--- c:\windows\system32\dllcache\dnsapi.dll

2009-01-08 02:53 . 2009-01-20 17:31 1,733 --a------ c:\windows\TSearch.INI

2009-01-06 16:56 . 2009-01-06 16:56 <DIR> d-------- c:\program files\Mozilla ActiveX Control v1.7.12

2009-01-06 16:56 . 2009-01-06 16:56 <DIR> d-------- c:\documents and settings\Owner\Application Data\MozillaControl

2009-01-06 16:51 . 2009-01-06 16:51 54,784 --a------ c:\windows\system32\ieframe.oca

2009-01-06 16:49 . 2009-01-06 16:49 29,184 --a------ c:\windows\system32\msinet.oca

2009-01-06 16:47 . 2009-01-06 16:47 115,920 --a------ c:\windows\system32\msinet.ocx

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-05 23:56 --------- d-----w c:\program files\Steam

2009-02-05 23:01 33,824 ----a-w c:\windows\system32\drivers\oreans32.sys

2009-02-05 16:38 --------- d-----w c:\documents and settings\Owner\Application Data\Orbit

2009-02-05 16:07 --------- d-----w c:\program files\Common Files\Adobe

2009-02-01 20:23 --------- d-----w c:\program files\Cheat Engine

2009-01-31 17:25 --------- d-----w c:\program files\CCleaner

2009-01-31 17:13 --------- d-----w c:\documents and settings\Owner\Application Data\Xfire

2009-01-31 16:02 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-31 16:02 --------- d-----w c:\program files\Novalogic

2009-01-29 20:46 --------- d-----w c:\documents and settings\Owner\Application Data\FileZilla

2009-01-22 16:22 --------- d-----w c:\program files\IDA

2009-01-18 18:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-01-17 19:01 --------- d-----w c:\documents and settings\Owner\Application Data\VisualAssist

2009-01-16 00:14 --------- d-----w c:\documents and settings\Owner\Application Data\OpenOffice.org2

2009-01-16 00:11 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-01-14 21:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-14 21:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-01-05 03:19 --------- d-----w c:\program files\Hewlett-Packard

2009-01-05 03:19 --------- d-----w c:\program files\Common Files\Hewlett-Packard

2009-01-05 03:18 --------- d-----w c:\program files\HP

2009-01-05 03:18 --------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard

2009-01-05 02:56 --------- d-----w c:\program files\Common Files\InstallShield

2009-01-05 02:56 --------- d-----w c:\documents and settings\Owner\Application Data\InstallShield

2009-01-05 02:56 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield

2009-01-05 02:55 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks

2009-01-05 02:50 --------- d-----w c:\program files\Xfire

2009-01-02 23:55 182,200 ----a-w c:\windows\system32\drivers\UsbSnoop.sys

2008-12-30 03:35 --------- d-----w c:\program files\iPhoneBrowser

2008-12-30 01:53 --------- d-----w c:\program files\Sol Edit

2008-12-30 01:33 --------- d-----w c:\program files\SourceTec

2008-12-30 01:33 --------- d-----w c:\program files\Common Files\SourceTec

2008-12-30 01:32 --------- d-----w c:\program files\GamesBar

2008-12-30 01:18 --------- d-----w c:\documents and settings\All Users\Application Data\GamesBar

2008-12-26 20:40 --------- d-----w c:\program files\Oberon Media

2008-12-26 07:26 --------- d-----w c:\documents and settings\All Users\Application Data\Souptoys

2008-12-26 06:06 --------- d-----w c:\program files\010 Editor v3

2008-12-26 05:02 --------- d-----w c:\documents and settings\Owner\Application Data\Logitech

2008-12-26 04:55 --------- d-----w c:\documents and settings\All Users\Application Data\LogiShrd

2008-12-26 04:54 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2008-12-26 04:54 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf

2008-12-26 04:54 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf

2008-12-26 04:54 --------- d-----w c:\program files\Common Files\Logishrd

2008-12-26 04:53 --------- d-----w c:\program files\Logitech

2008-12-26 04:53 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech

2008-12-26 04:12 --------- d-----w c:\documents and settings\Owner\Application Data\TeamViewer

2008-12-26 04:11 --------- d-----w c:\program files\TeamViewer

2008-12-26 04:08 --------- d-----w c:\program files\RSP OGG Vorbis Player .Net 1.0.0

2008-12-26 00:55 --------- d-----w c:\documents and settings\All Users\Application Data\Adobe Systems

2008-12-26 00:49 --------- d-----w c:\program files\Common Files\Adobe Systems Shared

2008-12-25 23:30 182 ----a-w c:\documents and settings\Owner\Application Data\SnapiiHistory.dat

2008-12-25 23:12 --------- d-----w c:\program files\Common Files\Oberon Media

2008-12-25 21:04 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE

2008-12-25 20:59 --------- d-----w c:\documents and settings\Owner\Application Data\Activision

2008-12-25 20:59 --------- d-----w c:\documents and settings\All Users\Application Data\Activision

2008-12-25 20:54 --------- d-----w c:\program files\D-Tools

2008-12-25 18:23 --------- d-----w c:\program files\Mars

2008-12-25 18:23 --------- d-----w c:\program files\DIFX

2008-12-25 17:30 --------- d-----w c:\program files\Activision

2008-12-25 07:07 --------- d-----w c:\documents and settings\Owner\Application Data\Apple Computer

2008-12-25 07:06 --------- d-----w c:\program files\QuickTime

2008-12-25 06:59 --------- d-----w c:\program files\iTunes

2008-12-25 06:59 --------- d-----w c:\program files\iPod

2008-12-25 06:59 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2008-12-25 00:28 --------- d-----w c:\program files\Game Extractor

2008-12-24 23:31 --------- d-----w c:\program files\IrfanView

2008-12-24 21:54 --------- d-----w c:\program files\Souptoys

2008-12-24 21:30 --------- d-----w c:\program files\BreakPoint Software

2008-12-24 20:33 --------- d-----w c:\documents and settings\Owner\Application Data\Souptoys

2008-12-24 19:17 --------- d-----w c:\program files\Teamspeak2_RC2

2008-12-24 17:32 --------- d-----w c:\documents and settings\Owner\Application Data\teamspeak2

2008-12-22 18:46 --------- d-----w c:\program files\Common Files\Apple

2008-12-21 06:28 --------- d-----w c:\program files\Screenie

2008-12-21 06:27 --------- d-----w c:\documents and settings\Owner\Application Data\Screenie

2008-12-21 04:31 --------- d-----w c:\program files\Wide Angle Software

2008-12-20 19:29 --------- d-----w c:\program files\Oni

2008-12-20 15:06 --------- d-----w c:\program files\FileZilla FTP Client

2008-12-20 06:06 --------- d-----w c:\program files\Swiigle

2008-12-20 06:02 --------- d-----w c:\program files\Eltima Software

2008-12-20 04:11 --------- d-----w c:\program files\Bonjour

2008-12-20 04:11 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer

2008-12-20 04:10 --------- d-----w c:\program files\Apple Software Update

2008-12-20 04:09 --------- d-----w c:\documents and settings\All Users\Application Data\Apple

2008-12-19 19:04 --------- d-----w c:\documents and settings\Owner\Application Data\Datarescue

2008-12-19 01:04 --------- d-----w c:\documents and settings\Owner\Application Data\DivX

2008-12-19 00:32 --------- d-----w c:\program files\DivX

2008-12-18 20:22 --------- d-----w c:\program files\RocketDock

2008-12-18 17:35 --------- d-----w c:\program files\Orbitdownloader

2008-12-18 16:20 --------- d-----w c:\documents and settings\Owner\Application Data\Media Player Classic

2008-12-18 16:19 --------- d-----w c:\program files\K-Lite Codec Pack

2008-12-17 21:51 --------- d-----w c:\program files\FileZilla Server

2008-12-17 21:45 --------- d-----w c:\documents and settings\All Users\Application Data\NexonUS

2008-12-17 19:27 --------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes

2008-12-17 19:27 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-17 16:56 --------- d-----w c:\program files\PE Explorer

2008-12-17 16:56 --------- d-----w c:\documents and settings\Owner\Application Data\PE Explorer

2008-12-16 19:03 --------- d-----w c:\program files\Yahoo!

2008-12-16 18:08 --------- d-----w c:\program files\Icon Remover

2008-12-16 18:08 --------- d-----w c:\documents and settings\Owner\Application Data\Icon Remover

2008-12-16 17:58 --------- d-----w c:\program files\Everstrike Software

2008-12-16 07:31 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

.

((((((((((((((((((((((((((((( SnapShot@2009-02-05_10.43.38.09 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-02-05 20:04:49 297,086 ----a-r c:\windows\Installer\{CEF980E6-BC32-49FA-85D8-6742173D8E5D}\ARPPRODUCTICON.exe

+ 2009-02-05 20:04:49 335,872 ----a-r c:\windows\Installer\{CEF980E6-BC32-49FA-85D8-6742173D8E5D}\NewShortcut2_339C927BB4B547F9804FDF51F01D2D57.exe

+ 2009-02-05 20:04:49 335,872 ----a-r c:\windows\Installer\{CEF980E6-BC32-49FA-85D8-6742173D8E5D}\NewShortcut21_339C927BB4B547F9804FDF51F01D2D57.exe

+ 2008-11-26 17:21:30 1,236,208 ----a-w c:\windows\system32\aswBoot.exe

+ 2008-11-26 17:15:10 97,480 ----a-w c:\windows\system32\AvastSS.scr

- 2009-02-04 12:33:23 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-02-05 16:18:16 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-02-04 12:33:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-02-05 16:18:16 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-02-04 12:33:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-02-05 16:18:16 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2008-11-26 17:15:35 26,944 ----a-w c:\windows\system32\drivers\aavmker4.sys

+ 2008-11-26 17:17:25 20,560 ----a-w c:\windows\system32\drivers\aswFsBlk.sys

+ 2008-11-26 17:18:25 93,296 ----a-w c:\windows\system32\drivers\aswmon.sys

+ 2008-11-26 17:18:18 94,032 ----a-w c:\windows\system32\drivers\aswmon2.sys

+ 2008-11-26 17:16:29 23,152 ----a-w c:\windows\system32\drivers\aswRdr.sys

+ 2008-11-26 17:17:36 111,184 ----a-w c:\windows\system32\drivers\aswSP.sys

+ 2008-11-26 17:16:38 50,864 ----a-w c:\windows\system32\drivers\aswTdi.sys

+ 2009-02-05 19:26:31 27,656 ----a-w c:\windows\system32\drivers\avgmfx86.sys

+ 2008-10-23 09:09:24 92,464 ----a-w c:\windows\system32\drivers\SBREDrv.sys

+ 2008-10-28 21:28:12 65,320 ----a-w c:\windows\system32\sbbd.exe

+ 2006-01-09 14:36:06 40,960 ----a-w c:\windows\system32\swsc.exe

+ 2007-01-10 22:03:04 493,400 ----a-w c:\windows\system32\XceedZip.dll

+ 2009-02-06 00:29:26 16,384 ----atw c:\windows\temp\Perflib_Perfdata_600.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-05 1601304]

"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2008-10-28 955688]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 c:\windows\KHALMNPR.Exe]

"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 c:\windows\RTHDCPL.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-11-07 16:41 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-02-05 14:26 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Orbit.lnk

backup=c:\windows\pss\Orbit.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Xfire.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Xfire.lnk

backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

--a------ 2004-08-22 17:05 81920 c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Icon Remover]

--a------ 2008-03-25 20:45 742400 c:\program files\Icon Remover\IconRemover.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2008-04-14 05:42 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]

--a------ 2007-09-02 13:58 495616 c:\program files\RocketDock\RocketDock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

--a------ 2008-12-15 20:40 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"c:\\Program Files\\Steam\\steamapps\\macdragon1\\half-life\\hl.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe

"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Nexon\\Combat Arms\\NMService.exe"=

"c:\\Program Files\\Steam\\steamapps\\macdragon1\\counter-strike source\\hl2.exe"=

"c:\\Documents and Settings\\Owner\\My Documents\\Visual Studio 2008\\Projects\\ChatServer\\ChatServer\\bin\\Debug\\ChatServer.exe"=

"c:\\Program Files\\IDA\\idag.exe"=

"c:\\Program Files\\IDA\\idag64.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Steam\\steamapps\\macdragon1\\day of defeat source\\hl2.exe"=

"c:\\Documents and Settings\\Owner\\Desktop\\BHD\\DFBHD.EXE"=

"c:\\Program Files\\Steam\\steamapps\\macdragon1\\age of chivalry\\hl2.exe"=

"c:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Activision\\Quantum of Solace\\JB_LiveEngine_s.exe"=

"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\fear2spdemo\\FEAR2SPDemo.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"<NO NAME>"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-02 64160]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-02-05 111184]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-05 325128]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-05 107272]

R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-02-05 202928]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-02-05 20560]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-05 903960]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-05 298264]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-12-25 10384]

R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-07-20 84992]

S2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [2008-10-28 886056]

S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464]

S3 usbsnoop;USB Snoopy Filter Driver;c:\windows\system32\drivers\UsbSnoop.sys [2009-01-02 182200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08

.

Contents of the 'Scheduled Tasks' folder

2009-02-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-01-30 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

- - - - ORPHANS REMOVED - - - -

BHO-{6E992806-9974-4EBC-A6F9-8235A5022CC0} - (no file)

.

------- Supplementary Scan -------

.

IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} - hxxp://ares.netgame.com/download/mglaunch_USAv1002.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPHoldemFireLauncher.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMFireLauncher.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-05 19:31:20

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\FileZilla Server\FileZilla server.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\Common Files\Protexis\License Service\PsiService_2.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

.

**************************************************************************

.

Completion time: 2009-02-05 19:34:01 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-06 00:33:58

ComboFix2.txt 2009-02-05 15:44:08

Pre-Run: 140,858,634,240 bytes free

Post-Run: 140,960,313,344 bytes free

604 --- E O F --- 2009-01-15 18:06:55

Here is the scan of userinit.exe, by jotti

A-Squared

Found nothing

AntiVir

Found nothing

ArcaVir

Found nothing

Avast

Found nothing

AVG Antivirus

Found nothing

BitDefender

Found nothing

ClamAV

Found nothing

CPsecure

Found nothing

Dr.Web

Found nothing

F-Prot Antivirus

Found nothing

F-Secure Anti-Virus

Found nothing

G DATA

Found nothing

Ikarus

Found nothing

Kaspersky Anti-Virus

Found nothing

NOD32

Found nothing

Norman Virus Control

Found nothing

Panda Antivirus

Found nothing

Sophos Antivirus

Found nothing

VirusBuster

Found nothing

VBA32

Found nothing

And, userinit.exe by virustotal

a-squared 4.0.0.93 2009.02.05 -

AhnLab-V3 5.0.0.2 2009.02.05 -

AntiVir 7.9.0.74 2009.02.05 -

Authentium 5.1.0.4 2009.02.05 -

Avast 4.8.1281.0 2009.02.05 -

AVG 8.0.0.229 2009.02.05 -

BitDefender 7.2 2009.02.06 -

CAT-QuickHeal 10.00 2009.02.05 -

ClamAV 0.94.1 2009.02.05 -

Comodo 965 2009.02.05 -

DrWeb 4.44.0.09170 2009.02.06 -

eSafe 7.0.17.0 2009.02.05 -

eTrust-Vet 31.6.6344 2009.02.06 -

F-Prot 4.4.4.56 2009.02.05 -

F-Secure 8.0.14470.0 2009.02.06 -

Fortinet 3.117.0.0 2009.02.06 -

GData 19 2009.02.06 -

Ikarus T3.1.1.45.0 2009.02.05 -

K7AntiVirus 7.10.620 2009.02.05 -

Kaspersky 7.0.0.125 2009.02.06 -

McAfee 5516 2009.02.04 -

McAfee+Artemis 5516 2009.02.04 -

Microsoft 1.4306 2009.02.05 -

NOD32 3831 2009.02.05 -

Norman 6.00.02 2009.02.05 -

nProtect 2009.1.8.0 2009.02.05 -

Panda 9.5.1.2 2009.02.05 -

PCTools 4.4.2.0 2009.02.05 -

Prevx1 V2 2009.02.06 -

Rising 21.15.30.00 2009.02.05 -

SecureWeb-Gateway 6.7.6 2009.02.05 -

Sophos 4.38.0 2009.02.06 -

Sunbelt 3.2.1835.2 2009.01.16 -

Symantec 10 2009.02.06 -

TheHacker 6.3.1.5.247 2009.02.05 -

TrendMicro 8.700.0.1004 2009.02.05 -

VBA32 3.12.8.12 2009.02.05 -

ViRobot 2009.2.5.1591 2009.02.05 -

VirusBuster 4.5.11.0 2009.02.06 -

This has me a little worried.

sbacknt.bin by virustotal

a-squared 4.0.0.93 2009.02.05 -

AhnLab-V3 5.0.0.2 2009.02.05 -

AntiVir 7.9.0.74 2009.02.05 -

Authentium 5.1.0.4 2009.02.05 -

Avast 4.8.1281.0 2009.02.05 -

AVG 8.0.0.229 2009.02.05 -

BitDefender 7.2 2009.02.06 -

CAT-QuickHeal 10.00 2009.02.05 -

ClamAV 0.94.1 2009.02.05 -

Comodo 965 2009.02.05 -

DrWeb 4.44.0.09170 2009.02.06 -

eSafe 7.0.17.0 2009.02.05 -

eTrust-Vet 31.6.6344 2009.02.06 -

F-Prot 4.4.4.56 2009.02.05 -

F-Secure 8.0.14470.0 2009.02.06 -

Fortinet 3.117.0.0 2009.02.06 -

GData 19 2009.02.06 -

Ikarus T3.1.1.45.0 2009.02.05 -

K7AntiVirus 7.10.620 2009.02.05 -

Kaspersky 7.0.0.125 2009.02.06 -

McAfee 5516 2009.02.04 -

McAfee+Artemis 5516 2009.02.04 -

Microsoft 1.4306 2009.02.05 -

NOD32 3831 2009.02.05 -

Norman 6.00.02 2009.02.05 -

nProtect 2009.1.8.0 2009.02.05 -

Panda 9.5.1.2 2009.02.05 -

PCTools 4.4.2.0 2009.02.05 -

Prevx1 V2 2009.02.06 -

Rising 21.15.30.00 2009.02.05 -

SecureWeb-Gateway 6.7.6 2009.02.05 -

Sophos 4.38.0 2009.02.06 -

Sunbelt 3.2.1835.2 2009.01.16 -

Symantec 10 2009.02.06 -

TheHacker 6.3.1.5.247 2009.02.05 -

TrendMicro 8.700.0.1004 2009.02.05 -

VBA32 3.12.8.12 2009.02.05 -

ViRobot 2009.2.5.1591 2009.02.05 -

VirusBuster 4.5.11.0 2009.02.06 -

sbacknt.bin by jotti

A-Squared

Found nothing

AntiVir

Found nothing

ArcaVir

Found nothing

Avast

Found nothing

AVG Antivirus

Found nothing

BitDefender

Found nothing

ClamAV

Found nothing

CPsecure

Found nothing

Dr.Web

Found nothing

F-Prot Antivirus

Found nothing

F-Secure Anti-Virus

Found nothing

G DATA

Found nothing

Ikarus

Found nothing

Kaspersky Anti-Virus

Found nothing

NOD32

Found nothing

Norman Virus Control

Found nothing

Panda Antivirus

Found nothing

Sophos Antivirus

Found nothing

VirusBuster

Found nothing

2009-02-05 11:23 . 2009-02-05 11:38 2,204 --a------ c:\windows\evpovqfm

I don't know if this is of any help, but whenever I click Next page on Google, or Google something, Firefox loads stuff from

v1.adwarefeed.com

Thanks for your continued support! I will keep checking in on the hour :D.

-MBFan

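Editor's note, not part of the original thread: when a scanner names a core Windows binary but forty engines say the file itself is clean, the useful next step is to separate "the file is patched" from "the load point that launches the file is hijacked". The following added example (my code, not Malwarebytes', ComboFix's or the poster's) runs both checks: it parses the Winlogon `Userinit` value and flags any entry other than the real userinit.exe, and it compares the on-disk binary's SHA-256 against a reference copy. The clean value is the Windows XP default; the hijacked value and the `example.exe` path in it are constructed for the demonstration, and the hash check runs on small constructed files in a temp directory so the logic can be exercised off the infected machine.

```python
"""Verifying a 'Trojan.Agent in userinit.exe' report without trusting the
scanner's label. Added example, not code from the original thread.

When a scanner names a core Windows binary but the file itself scans clean
on every engine, two checks separate a corrupted file from a hijacked load
point:

  1. The Winlogon 'Userinit' value must launch only the real userinit.exe.
     Malware commonly appends a second program after the comma, so the
     file is untouched but the detection still fires on the load point.
  2. The on-disk userinit.exe must match a trusted reference copy (the
     dllcache copy, or a hash taken from a known-clean machine).

The registry values below are constructed for the example; the 'clean'
string is the Windows XP default. The hijack path is hypothetical.
"""
import hashlib
import os
import tempfile

# Default XP value (assumption: standard install path), compared case-insensitively.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample values; the appended entry is a made-up path.
SAMPLE_VALUES = {
    "clean": r"C:\WINDOWS\system32\userinit.exe,",
    "hijacked": r"C:\WINDOWS\system32\userinit.exe,"
                r"C:\Documents and Settings\All Users\Application Data\example.exe,",
    "bare": r"userinit.exe,",  # no path: resolved by search order, so also suspect
}


def parse_userinit(value):
    """Split the comma-separated Userinit string into its launch entries."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def check_userinit_value(value, expected=EXPECTED_USERINIT):
    """Return (ok, extras).

    ok is True only when the first entry is the expected full path and no
    other entry is present. extras lists every entry that is not expected.
    """
    entries = parse_userinit(value)
    extras = [e for e in entries if e.lower() != expected.lower()]
    ok = bool(entries) and entries[0].lower() == expected.lower() and not extras
    return ok, extras


def read_live_userinit():
    """Read the live value on Windows; return None on other platforms."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    key = winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE,
        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matches_reference(path, reference_path):
    """True when the file and the reference copy hash identically."""
    return sha256_file(path) == sha256_file(reference_path)


def demo_hash_check():
    """Stand-in for system32\\userinit.exe vs dllcache\\userinit.exe.

    Writes three small constructed files to a temp dir and returns
    (same_as_good_copy, same_as_patched_copy) so the logic runs offline.
    """
    tmp = tempfile.mkdtemp()
    paths = {}
    for name, body in (("live", b"MZ\x90\x00clean"),
                       ("good", b"MZ\x90\x00clean"),
                       ("bad", b"MZ\x90\x00patched")):
        paths[name] = os.path.join(tmp, name + ".exe")
        with open(paths[name], "wb") as fh:
            fh.write(body)
    return (matches_reference(paths["live"], paths["good"]),
            matches_reference(paths["live"], paths["bad"]))


if __name__ == "__main__":
    live = read_live_userinit()
    values = {"live": live} if live else SAMPLE_VALUES
    for label, value in values.items():
        ok, extras = check_userinit_value(value)
        verdict = "OK" if ok else "SUSPECT, extra entries: %r" % extras
        print("%-9s %s" % (label, verdict))
    print("hash check (good, patched):", demo_hash_check())
```

On the affected machine, run it on Windows so `read_live_userinit()` reads the real value, and point `matches_reference()` at `c:\windows\system32\userinit.exe` and `c:\windows\system32\dllcache\userinit.exe`. Two caveats: a match with the dllcache copy only proves the two copies agree, so confirm against a hash from a known-clean XP SP3 install or check the Authenticode signature with a signature-verification tool; and a scanner that lists a clean core binary next to a detection name is often reporting the load point it was found in, which is exactly why the registry value is checked before the file is touched.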

Hi, it appears that you now have two antivirus programs. Please uninstall Avast or AVG, whichever you prefer, as doing that actually lowers your protection.

Plus they will conflict with each other.

==========================

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :files
    c:\documents and settings\All Users\Application Data\~0
    c:\windows\evpovqfm


  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

===================================

After that, update Malwarebytes, then run another quick scan and remove what it finds, then post that log, the OTMoveIt log and a new DDS log as well.


Moveit

========== FILES ==========

c:\documents and settings\All Users\Application Data\~0 moved successfully.

c:\windows\evpovqfm moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02062009_075019

DDS.txt

DDS (Ver_09-02-01.01) - NTFSx86

Run by Owner at 7:52:09.51 on Fri 02/06/2009

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2699 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\FileZilla Server\FileZilla Server.exe

c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

c:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll

BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL

TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [sBAMTray] c:\program files\sunbelt software\vipre\SBAMTray.exe

IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202

IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm

IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229187606882

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229187588901

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} - hxxp://ares.netgame.com/download/mglaunch_USAv1002.cab

DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3ldgoiop.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPHoldemFireLauncher.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPMFireLauncher.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-2 64160]

R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-2-5 202928]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-12-25 10384]

R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-7-20 84992]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-17 38496]

S2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2008-10-28 886056]

S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464]

S3 usbsnoop;USB Snoopy Filter Driver;c:\windows\system32\drivers\UsbSnoop.sys [2009-1-2 182200]

=============== Created Last 30 ================

2009-02-06 07:50 <DIR> --d----- C:\_OTMoveIt

2009-02-06 07:43 88 ---shr-- c:\docume~1\alluse~1\applic~1\A81B14F4A2.sys

2009-02-06 07:39 <DIR> --d----- c:\program files\G4box

2009-02-05 23:08 685,056 a------- c:\windows\isRS-000.tmp

2009-02-05 21:12 <DIR> --d----- C:\Binaries

2009-02-05 21:09 164 a------- C:\install.dat

2009-02-05 18:04 5,491 a------- C:\dfx.rtf

2009-02-05 15:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sunbelt

2009-02-05 15:06 <DIR> --d----- c:\docume~1\owner\applic~1\Sunbelt

2009-02-05 15:04 202,928 a------- c:\windows\system32\drivers\sbtis.sys

2009-02-05 15:04 <DIR> --d----- c:\program files\Sunbelt Software

2009-02-05 14:26 <DIR> --d----- c:\program files\AVG

2009-02-05 10:33 <DIR> --d----- C:\cmdcons

2009-02-05 10:32 161,792 a------- c:\windows\SWREG.exe

2009-02-05 10:32 98,816 a------- c:\windows\sed.exe

2009-02-04 11:54 250 a------- c:\windows\gmer.ini

2009-02-02 15:09 64,160 a------- c:\windows\system32\drivers\Lbd.sys

2009-02-02 15:08 <DIR> --d----- c:\program files\Lavasoft

2009-02-02 14:48 2,516 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys

2009-02-02 14:41 <DIR> --d----- c:\program files\common files\Protexis

2009-02-02 14:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Corel

2009-02-02 14:38 <DIR> --d----- c:\program files\common files\Corel

2009-02-02 14:36 <DIR> --d----- c:\program files\Corel

2009-02-02 14:26 <DIR> --d----- c:\program files\Trend Micro

2009-02-02 07:57 <DIR> --d----- c:\program files\Spybot - Search & Destroy

2009-02-02 07:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2009-02-01 12:36 <DIR> --d----- c:\program files\common files\Macrovision Shared

2009-02-01 12:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Rosetta Stone

2009-02-01 12:32 <DIR> --d----- c:\program files\VirusTotalUploader

2009-01-31 12:45 <DIR> --d----- c:\docume~1\owner\applic~1\Purple Ghost Software, Inc

2009-01-31 12:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Purple Ghost Software, Inc

2009-01-31 12:44 <DIR> --d----- c:\program files\Purple Ghost

2009-01-30 17:06 553 a------- c:\windows\USetup.iss

2009-01-30 17:05 34,816 a------- c:\windows\system32\RtkCoInstXP.dll

2009-01-30 17:05 1,389,056 a------- c:\windows\system32\drivers\Monfilt.sys

2009-01-30 17:05 1,684,736 a------- c:\windows\system32\drivers\Ambfilt.sys

2009-01-30 17:05 <DIR> --d----- c:\program files\Realtek

2009-01-30 17:05 528,384 a------- c:\windows\RtlExUpd.dll

2009-01-29 14:20 <DIR> --d----- c:\docume~1\owner\applic~1\Teeworlds

2009-01-28 07:54 <DIR> --d----- c:\docume~1\owner\applic~1\Rogue.140F0B534E676AD25491A378BD6D96164D40676E.1

2009-01-28 07:50 <DIR> --d----- c:\program files\Rogue

2009-01-23 15:47 4,379,984 a------- c:\windows\system32\D3DX9_40.dll

2009-01-23 15:47 514,384 a------- c:\windows\system32\XAudio2_3.dll

2009-01-23 15:47 70,992 a------- c:\windows\system32\XAPOFX1_2.dll

2009-01-23 15:47 509,448 a------- c:\windows\system32\XAudio2_2.dll

2009-01-23 15:47 68,616 a------- c:\windows\system32\XAPOFX1_1.dll

2009-01-23 15:47 23,376 a------- c:\windows\system32\X3DAudio1_5.dll

2009-01-23 15:47 3,851,784 a------- c:\windows\system32\D3DX9_39.dll

2009-01-18 13:50 <DIR> --d----- c:\program files\Visual Assist X

2009-01-18 13:41 <DIR> --d----- c:\program files\Greatis

2009-01-15 14:45 0 a------- c:\windows\system32\drivers\EagleNt.sys

2009-01-15 13:18 3 a------- c:\windows\sbacknt.bin

2009-01-13 08:37 361,600 -c------ c:\windows\system32\dllcache\tcpip.sys

2009-01-13 08:37 245,248 -c------ c:\windows\system32\dllcache\mswsock.dll

2009-01-13 08:37 225,856 -c------ c:\windows\system32\dllcache\tcpip6.sys

2009-01-13 08:37 147,968 -c------ c:\windows\system32\dllcache\dnsapi.dll

2009-01-08 02:53 1,733 a------- c:\windows\TSearch.INI

==================== Find3M ====================

2009-02-05 18:01 33,824 a------- c:\windows\system32\drivers\oreans32.sys

2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-01-04 22:19 122,771 a------- c:\windows\hpoins14.dat

2009-01-02 18:55 182,200 a------- c:\windows\system32\drivers\UsbSnoop.sys

2008-12-25 23:54 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf

2008-12-25 23:54 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf

2008-12-25 23:54 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2008-12-25 18:30 182 a------- c:\docume~1\owner\applic~1\SnapiiHistory.dat

2008-12-13 13:37 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

2008-12-13 10:40 21,640 a------- c:\windows\system32\emptyregdb.dat

2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys

2008-12-01 15:52 425,984 a------- c:\windows\system32\ATIDEMGX.dll

2008-12-01 15:51 318,464 a------- c:\windows\system32\ati2dvag.dll

2008-12-01 15:46 11,304,960 a------- c:\windows\system32\atioglxx.dll

2008-12-01 15:41 188,416 a------- c:\windows\system32\atipdlxx.dll

2008-12-01 15:40 147,456 a------- c:\windows\system32\Oemdspif.dll

2008-12-01 15:40 26,112 a------- c:\windows\system32\Ati2mdxx.exe

2008-12-01 15:40 43,520 a------- c:\windows\system32\ati2edxx.dll

2008-12-01 15:40 143,360 a------- c:\windows\system32\ati2evxx.dll

2008-12-01 15:38 598,016 a------- c:\windows\system32\ati2evxx.exe

2008-12-01 15:37 53,248 a------- c:\windows\system32\ATIDDC.DLL

2008-12-01 15:27 4,120,384 a------- c:\windows\system32\ati3duag.dll

2008-12-01 15:19 307,200 a------- c:\windows\system32\atiiiexx.dll

2008-12-01 15:11 2,495,360 a------- c:\windows\system32\ativvaxx.dll

2008-12-01 14:57 48,640 a------- c:\windows\system32\amdpcom32.dll

2008-12-01 14:53 401,408 a------- c:\windows\system32\atikvmag.dll

2008-12-01 14:53 45,056 a------- c:\windows\system32\amdcalrt.dll

2008-12-01 14:53 45,056 a------- c:\windows\system32\amdcalcl.dll

2008-12-01 14:52 86,016 a------- c:\windows\system32\atiadlxx.dll

2008-12-01 14:52 17,408 a------- c:\windows\system32\atitvo32.dll

2008-12-01 14:50 286,720 a------- c:\windows\system32\atiok3x2.dll

2008-12-01 14:50 3,252,224 a------- c:\windows\system32\Amdcaldd.dll

2008-12-01 14:45 577,536 a------- c:\windows\system32\ati2cqag.dll

2008-12-01 14:35 593,920 -------- c:\windows\system32\ati2sgag.exe

2008-11-21 16:47 524,288 a------- c:\windows\system32\DivXsm.exe

2008-11-21 16:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll

2008-11-21 16:47 129,784 -------- c:\windows\system32\pxafs.dll

2008-11-21 16:47 120,056 -------- c:\windows\system32\pxcpyi64.exe

2008-11-21 16:47 118,520 -------- c:\windows\system32\pxinsi64.exe

2008-11-21 16:46 1,044,480 a------- c:\windows\system32\libdivx.dll

2008-11-21 16:46 200,704 a------- c:\windows\system32\ssldivx.dll

2008-11-21 16:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe

2008-11-21 16:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll

2008-11-20 15:45 42,320 a------- c:\windows\system32\xfcodec.dll

============= FINISH: 7:52:52.59 ===============

Malwarebytes quick scan was clean.

I am still getting redirected; the Google links will sometimes take me to clickfraud, hotjobs, xp-police, etc.

This arouses my attention.

2009-02-06 07:43 88 ---shr-- c:\docume~1\alluse~1\applic~1\A81B14F4A2.sys

2009-02-05 23:08 685,056 a------- c:\windows\isRS-000.tmp

I don't know how this stuff comes back, the ONLY site I have been going to is here to check for replies.

Hopefully we can continue the fight!

Thanks a ton

You are welcome. I am very stubborn, more stubborn than any malware, so I will not be going anywhere :D

==========================================

Do the redirects happen only in Firefox, or in both IE and Firefox?

======================

  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :files
    c:\docume~1\alluse~1\applic~1\A81B14F4A2.sys
    c:\windows\isRS-000.tmp
    C:\install.dat
    c:\windows\system32\drivers\oreans32.sys

  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

===================================

Post a new DDS log please, and the OTMoveIt log.

Moveit log...

========== FILES ==========

c:\docume~1\alluse~1\applic~1\A81B14F4A2.sys moved successfully.

File/Folder c:\windows\isRS-000.tmp not found.

C:\install.dat moved successfully.

c:\windows\system32\drivers\oreans32.sys moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02062009_080620

DDS.txt

DDS (Ver_09-02-01.01) - NTFSx86

Run by Owner at 8:07:02.06 on Fri 02/06/2009

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2795 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\FileZilla Server\FileZilla Server.exe

c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll

BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL

TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [sBAMTray] c:\program files\sunbelt software\vipre\SBAMTray.exe

IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202

IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm

IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229187606882

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229187588901

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} - hxxp://ares.netgame.com/download/mglaunch_USAv1002.cab

DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3ldgoiop.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll

FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPHoldemFireLauncher.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPMFireLauncher.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-2 64160]

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2009-2-6 13360]

R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-2-5 202928]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-12-25 10384]

R2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2008-10-28 886056]

R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-2-6 69168]

R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-7-20 84992]

S3 Engine;Engine;c:\documents and settings\owner\desktop\stripper_v207ht\stripper_v207ht\engine.sys [2009-2-6 36352]

S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464]

S3 usbsnoop;USB Snoopy Filter Driver;c:\windows\system32\drivers\UsbSnoop.sys [2009-1-2 182200]

=============== Created Last 30 ================

2009-02-06 08:03 69,168 a------- c:\windows\system32\drivers\sbapifs.sys

2009-02-06 08:03 13,360 a------- c:\windows\system32\drivers\sbaphd.sys

2009-02-06 07:50 <DIR> --d----- C:\_OTMoveIt

2009-02-06 07:39 <DIR> --d----- c:\program files\G4box

2009-02-05 21:12 <DIR> --d----- C:\Binaries

2009-02-05 18:04 5,491 a------- C:\dfx.rtf

2009-02-05 15:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sunbelt

2009-02-05 15:06 <DIR> --d----- c:\docume~1\owner\applic~1\Sunbelt

2009-02-05 15:04 202,928 a------- c:\windows\system32\drivers\sbtis.sys

2009-02-05 15:04 <DIR> --d----- c:\program files\Sunbelt Software

2009-02-05 14:26 <DIR> --d----- c:\program files\AVG

2009-02-05 10:33 <DIR> --d----- C:\cmdcons

2009-02-05 10:32 161,792 a------- c:\windows\SWREG.exe

2009-02-05 10:32 98,816 a------- c:\windows\sed.exe

2009-02-04 11:54 250 a------- c:\windows\gmer.ini

2009-02-02 15:09 64,160 a------- c:\windows\system32\drivers\Lbd.sys

2009-02-02 15:08 <DIR> --d----- c:\program files\Lavasoft

2009-02-02 14:48 2,516 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys

2009-02-02 14:41 <DIR> --d----- c:\program files\common files\Protexis

2009-02-02 14:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Corel

2009-02-02 14:38 <DIR> --d----- c:\program files\common files\Corel

2009-02-02 14:36 <DIR> --d----- c:\program files\Corel

2009-02-02 14:26 <DIR> --d----- c:\program files\Trend Micro

2009-02-02 07:57 <DIR> --d----- c:\program files\Spybot - Search & Destroy

2009-02-02 07:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2009-02-01 12:36 <DIR> --d----- c:\program files\common files\Macrovision Shared

2009-02-01 12:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Rosetta Stone

2009-02-01 12:32 <DIR> --d----- c:\program files\VirusTotalUploader

2009-01-31 12:45 <DIR> --d----- c:\docume~1\owner\applic~1\Purple Ghost Software, Inc

2009-01-31 12:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Purple Ghost Software, Inc

2009-01-31 12:44 <DIR> --d----- c:\program files\Purple Ghost

2009-01-30 17:06 553 a------- c:\windows\USetup.iss

2009-01-30 17:05 34,816 a------- c:\windows\system32\RtkCoInstXP.dll

2009-01-30 17:05 1,389,056 a------- c:\windows\system32\drivers\Monfilt.sys

2009-01-30 17:05 1,684,736 a------- c:\windows\system32\drivers\Ambfilt.sys

2009-01-30 17:05 <DIR> --d----- c:\program files\Realtek

2009-01-30 17:05 528,384 a------- c:\windows\RtlExUpd.dll

2009-01-29 14:20 <DIR> --d----- c:\docume~1\owner\applic~1\Teeworlds

2009-01-28 07:54 <DIR> --d----- c:\docume~1\owner\applic~1\Rogue.140F0B534E676AD25491A378BD6D96164D40676E.1

2009-01-28 07:50 <DIR> --d----- c:\program files\Rogue

2009-01-23 15:47 4,379,984 a------- c:\windows\system32\D3DX9_40.dll

2009-01-23 15:47 514,384 a------- c:\windows\system32\XAudio2_3.dll

2009-01-23 15:47 70,992 a------- c:\windows\system32\XAPOFX1_2.dll

2009-01-23 15:47 509,448 a------- c:\windows\system32\XAudio2_2.dll

2009-01-23 15:47 68,616 a------- c:\windows\system32\XAPOFX1_1.dll

2009-01-23 15:47 23,376 a------- c:\windows\system32\X3DAudio1_5.dll

2009-01-23 15:47 3,851,784 a------- c:\windows\system32\D3DX9_39.dll

2009-01-18 13:50 <DIR> --d----- c:\program files\Visual Assist X

2009-01-18 13:41 <DIR> --d----- c:\program files\Greatis

2009-01-15 14:45 0 a------- c:\windows\system32\drivers\EagleNt.sys

2009-01-15 13:18 3 a------- c:\windows\sbacknt.bin

2009-01-13 08:37 361,600 -c------ c:\windows\system32\dllcache\tcpip.sys

2009-01-13 08:37 245,248 -c------ c:\windows\system32\dllcache\mswsock.dll

2009-01-13 08:37 225,856 -c------ c:\windows\system32\dllcache\tcpip6.sys

2009-01-13 08:37 147,968 -c------ c:\windows\system32\dllcache\dnsapi.dll

2009-01-08 02:53 1,733 a------- c:\windows\TSearch.INI

==================== Find3M ====================

2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-01-04 22:19 122,771 a------- c:\windows\hpoins14.dat

2009-01-02 18:55 182,200 a------- c:\windows\system32\drivers\UsbSnoop.sys

2008-12-25 23:54 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf

2008-12-25 23:54 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf

2008-12-25 23:54 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2008-12-25 18:30 182 a------- c:\docume~1\owner\applic~1\SnapiiHistory.dat

2008-12-13 13:37 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

2008-12-13 10:40 21,640 a------- c:\windows\system32\emptyregdb.dat

2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys

2008-12-01 15:52 425,984 a------- c:\windows\system32\ATIDEMGX.dll

2008-12-01 15:51 318,464 a------- c:\windows\system32\ati2dvag.dll

2008-12-01 15:46 11,304,960 a------- c:\windows\system32\atioglxx.dll

2008-12-01 15:41 188,416 a------- c:\windows\system32\atipdlxx.dll

2008-12-01 15:40 147,456 a------- c:\windows\system32\Oemdspif.dll

2008-12-01 15:40 26,112 a------- c:\windows\system32\Ati2mdxx.exe

2008-12-01 15:40 43,520 a------- c:\windows\system32\ati2edxx.dll

2008-12-01 15:40 143,360 a------- c:\windows\system32\ati2evxx.dll

2008-12-01 15:38 598,016 a------- c:\windows\system32\ati2evxx.exe

2008-12-01 15:37 53,248 a------- c:\windows\system32\ATIDDC.DLL

2008-12-01 15:27 4,120,384 a------- c:\windows\system32\ati3duag.dll

2008-12-01 15:19 307,200 a------- c:\windows\system32\atiiiexx.dll

2008-12-01 15:11 2,495,360 a------- c:\windows\system32\ativvaxx.dll

2008-12-01 14:57 48,640 a------- c:\windows\system32\amdpcom32.dll

2008-12-01 14:53 401,408 a------- c:\windows\system32\atikvmag.dll

2008-12-01 14:53 45,056 a------- c:\windows\system32\amdcalrt.dll

2008-12-01 14:53 45,056 a------- c:\windows\system32\amdcalcl.dll

2008-12-01 14:52 86,016 a------- c:\windows\system32\atiadlxx.dll

2008-12-01 14:52 17,408 a------- c:\windows\system32\atitvo32.dll

2008-12-01 14:50 286,720 a------- c:\windows\system32\atiok3x2.dll

2008-12-01 14:50 3,252,224 a------- c:\windows\system32\Amdcaldd.dll

2008-12-01 14:45 577,536 a------- c:\windows\system32\ati2cqag.dll

2008-12-01 14:35 593,920 -------- c:\windows\system32\ati2sgag.exe

2008-11-21 16:47 524,288 a------- c:\windows\system32\DivXsm.exe

2008-11-21 16:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll

2008-11-21 16:47 129,784 -------- c:\windows\system32\pxafs.dll

2008-11-21 16:47 120,056 -------- c:\windows\system32\pxcpyi64.exe

2008-11-21 16:47 118,520 -------- c:\windows\system32\pxinsi64.exe

2008-11-21 16:46 1,044,480 a------- c:\windows\system32\libdivx.dll

2008-11-21 16:46 200,704 a------- c:\windows\system32\ssldivx.dll

2008-11-21 16:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe

2008-11-21 16:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll

2008-11-20 15:45 42,320 a------- c:\windows\system32\xfcodec.dll

============= FINISH: 8:07:36.60 ===============

It seems to only redirect in FF.

Thanks

-MBF

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Double-click GooredFix.exe to run it.
  • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

Note: Do not run Option #2 yet.

Here is the log.

GooredFix v1.83 by jpshortstuff

Log created at 08:21 on 06/02/2009 running Option #1 (Owner)

Firefox version 3.0.5 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]

"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]

"Components"="C:\Program Files\Mozilla Firefox\components"

It is time for class; I will be back at about 10 EST to check. Thanks!

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

==============================================

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
I would like a second opinion please.

Please run a BitDefender Online Scan

  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
Hi, I could not find the online scanner. Did the link change?
