
Vundo virus and I can't install Malwarebytes



Hi, please help!

System is Windows XP SP2. I have the Vundo virus and it won't let me install Malwarebytes or update my antivirus and other spyware software. The antivirus has removed pieces of it, so that I don't get the pop-ups anymore about the fake antispyware stuff, but overall the virus is still very functional. HijackThis log below (note, I did get an error when HijackThis ran, but I did still get a report). Thanks!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:21:29 AM, on 2/5/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\1XConfig.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\SCardSvr.exe

C:\WINDOWS\System32\basfipm.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\DesktopAuthority\RaMaint.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\DesktopAuthority\DesktopAuthority.exe

C:\Program Files\DesktopAuthority\RAGui.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\RegSrvc.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe

C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\wbem\unsecapp.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Apoint\Apntex.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\GPS Pathfinder Office 3.10\conmgr.exe

C:\PROGRA~1\MICROS~4\rapimgr.exe

C:\Program Files\GPS Pathfinder Office 3.10\pfpjchgr.exe

C:\PROGRA~1\COMMON~1\Trimble\REMOTE~1\TRDMU.EXE

C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\AVG\AVG8\avgscanx.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Documents and Settings\SW Employee\Desktop\hijackthis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.adp.com

O15 - Trusted Zone: *.arcata

O15 - Trusted Zone: *.davis

O15 - Trusted Zone: *.intranet

O15 - Trusted Zone: *.menehune

O15 - Trusted Zone: *.ripple

O15 - Trusted Zone: *.arcata (HKLM)

O15 - Trusted Zone: *.davis (HKLM)

O15 - Trusted Zone: *.intranet (HKLM)

O15 - Trusted Zone: *.menehune (HKLM)

O15 - Trusted Zone: *.ripple (HKLM)

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab

O18 - Protocol: biblioscape - (no CLSID) - (no file)

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: DAinit.dll,avgrsstx.dll

O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll

O23 - Service: ArcGIS License Manager - Unknown owner - C:\Program Files\ESRI\License\arcgis9x\lmgrd.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Desktop Authority Maintenance Service (DAMaint) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\RaMaint.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Desktop Authority Service (DesktopAuthority) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\DesktopAuthority.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe

O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--

End of file - 11180 bytes


Hi. :D

Download ComboFix from one of the locations below, and save it to your Desktop.

Double click combofix.exe and follow the prompts. Please, never rename ComboFix unless instructed.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.


I just re-read your note and saw the part about never renaming ComboFix. Sorry about failing to follow instructions; I'm not thinking with all my wits, as frustration has really set in and I had forgotten your instructions that I read many hours earlier.

Nevertheless, it ran, and I am posting a ComboFix log and a HijackThis log. I'll stay on ask as I wait for further instructions.

ComboFix 09-02-05.01 - SW Employee 2009-02-05 22:57:04.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.227 [GMT -8:00]

Running from: c:\documents and settings\SW Employee\Desktop\Trouble.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\SWEMPL~1\LOCALS~1\Temp\fs.dll

c:\windows\IE4 Error Log.txt

c:\windows\system32\autochk.dll

c:\windows\system32\bar\

c:\windows\system32\crypts.dll

c:\windows\system32\drivers\fad.sys

c:\windows\system32\drivers\TDSSmhlt.sys

c:\windows\system32\iehelper.dll

c:\windows\system32\TDSSbrsr.dll

c:\windows\system32\TDSScfum.dll

c:\windows\system32\TDSSlxwp.dll

c:\windows\system32\TDSSnmxh.log

c:\windows\system32\TDSSoiqh.dll

c:\windows\system32\TDSSosvd.dat

c:\windows\system32\TDSSrhym.log

c:\windows\system32\TDSSriqp.dll

c:\windows\system32\TDSSsihc.dll

c:\windows\system32\TDSStkdv.log

c:\windows\system32\twex.exe

c:\windows\system32\windows.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_TDSSSERV.SYS

-------\Legacy_TDSSSERV.SYS

-------\Legacy_NETSVCS_0X0

-------\Service_netsvcs_0x0

((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))

.

2009-02-01 20:12 . 2009-02-01 20:12 22,016 --ahs---- c:\documents and settings\LocalService\protect.dll

2009-02-01 19:16 . 2009-02-01 19:16 22,016 --ahs---- c:\documents and settings\SW Employee\protect.dll

2009-02-01 12:25 . 2009-02-01 12:25 22,016 --ahs---- c:\windows\SYSTEM32\CONFIG\systemprofile\protect.dll

2009-01-27 22:03 . 2009-01-27 22:03 <DIR> d-------- C:\VundoFix Backups

2009-01-27 00:37 . 2009-02-05 20:18 <DIR> d----c--- c:\windows\SYSTEM32\DRVSTORE

2009-01-27 00:36 . 2009-02-05 20:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2009-01-26 23:39 . 2009-01-26 23:39 1,152 --a------ c:\windows\SYSTEM32\windrv.sys

2009-01-26 23:33 . 2009-01-26 23:33 <DIR> d-------- c:\program files\Common Files\Download Manager

2009-01-26 20:47 . 2009-01-26 20:47 <DIR> d-------- c:\program files\AVG

2009-01-26 20:47 . 2009-02-05 21:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

2009-01-26 20:45 . 2009-02-05 21:43 8,192 --a------ c:\documents and settings\tyc

2009-01-26 20:45 . 2009-02-05 21:43 8,192 --a------ c:\documents and settings\Chasco

2009-01-26 20:45 . 2009-02-05 21:43 8,192 --a------ c:\documents and settings\brandon

2009-01-26 16:40 . 2009-02-05 22:54 <DIR> d--hs---- c:\windows\SYSTEM32\twain32

2009-01-26 16:39 . 2009-01-26 16:39 54,156 --ah----- c:\windows\QTFont.qfn

2009-01-26 16:39 . 2009-01-26 16:39 1,409 --a------ c:\windows\QTFont.for

2009-01-22 21:03 . 2009-01-22 21:04 <DIR> d-------- c:\program files\Google

2009-01-22 21:03 . 2009-02-04 00:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-06 07:03 --------- d-----w c:\program files\Symantec AntiVirus

2009-02-06 05:45 --------- d-----w c:\documents and settings\SW Employee\Application Data\Lavasoft

2009-02-06 04:00 --------- d-----w c:\program files\DesktopAuthority

2009-01-27 08:40 4,224 ----a-w c:\windows\system32\drivers\BEEP.SYS

2009-01-26 09:18 --------- d-----w c:\program files\PokerStars

2006-12-13 20:27 557,056 -c--a-w c:\documents and settings\SW Employee\GoToAssist_phone__319_en.exe

2006-04-13 22:20 62,176 -c--a-w c:\documents and settings\SW Employee\Application Data\GDIPFONTCACHEV1.DAT

2001-09-24 22:13 1,064,960 ----a-w c:\program files\Global Logger.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 1200128]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-22 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-02 155648]

"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-03 32881]

"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-19 86016]

"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-07-17 28672]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]

"Desktop Authority GUI"="c:\program files\DesktopAuthority\ragui.exe" [2004-06-09 409600]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-12-20 98304]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"CANON DR2080C SVC"="DR2KSVC.dll" [2002-12-11 c:\windows\SYSTEM32\DR2KSVC.DLL]

"PFO Check Settings"="pfochk.exe" [2005-04-18 c:\windows\pfochk.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"autochk"="c:\docume~1\LOCALS~1\protect.dll" [2009-02-01 22016]

c:\windows\SYSTEM32\CONFIG\systemprofile\Start Menu\Programs\Startup\

ChkDisk.dll [2009-02-05 22016]

c:\documents and settings\SW Employee\Start Menu\Programs\Startup\

ChkDisk.dll [2009-02-01 22016]

ChkDisk.lnk - c:\windows\SYSTEM32\rundll32.exe [2004-03-19 33280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-02-27 49254]

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-09 110592]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-08-03 24576]

GPS Pathfinder Office Connection Manager.lnk - c:\program files\GPS Pathfinder Office 3.10\conmgr.exe [2007-02-14 65536]

GPS Pathfinder Office Project Changer.lnk - c:\program files\GPS Pathfinder Office 3.10\pfpjchgr.exe [2007-02-14 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

2004-01-13 12:17 110592 c:\windows\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=DAinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.DVSD"= pdvcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=

"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=

"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 DAInfo;Desktop Authority Kernel Information Provider;c:\program files\DesktopAuthority\rainfo.sys [2004-08-17 6528]

R2 DAMaint;Desktop Authority Maintenance Service;c:\program files\DesktopAuthority\ramaint.exe [2004-08-17 49152]

R2 DesktopAuthority;Desktop Authority Service;c:\program files\DesktopAuthority\DesktopAuthority.exe [2004-08-17 1081344]

R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192]

R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [2006-08-22 316992]

R3 DAmirr;DAmirr;c:\windows\SYSTEM32\DRIVERS\DAmirr.sys [2004-08-17 3072]

R3 GTICARD;GTICARD;c:\windows\SYSTEM32\DRIVERS\gticard.sys [2003-02-14 59328]

S1 oxpar;%OXPAR.SVCDESC%;c:\windows\SYSTEM32\DRIVERS\oxpar.sys [2005-11-15 80128]

S2 ArcGIS License Manager;ArcGIS License Manager;c:\program files\ESRI\License\arcgis9x\lmgrd.exe [2006-09-17 467968]

S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;c:\windows\SYSTEM32\DRIVERS\wa301b.sys [1979-12-31 33847]

S3 Acpild3arap;Acpild3arap; [x]

S3 LxrSG20d;LxrSG20d;c:\windows\SYSTEM32\DRIVERS\LxrSG20d.sys [2004-09-17 68672]

S3 LxrSG20s;Lexar SG20;LxrSG20s.exe --> LxrSG20s.exe [?]

S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys --> c:\windows\system32\DRIVERS\rcvpn.sys [?]

S3 TrmbTS;TrimbleTS Driver (TrmbTS.sys);c:\windows\SYSTEM32\DRIVERS\TrmbTS.sys [2008-01-28 23040]

S3 TRMUSB5K;Trimble USB GPS Driver;c:\windows\SYSTEM32\DRIVERS\TRMUSB5K.SYS [2008-01-28 9881]

S3 USA19H;USA19H;c:\windows\SYSTEM32\DRIVERS\USA19H2k.sys [2007-03-13 727908]

S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\SYSTEM32\DRIVERS\USA19H2kp.sys [2007-03-13 44928]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03c97f10-99a6-11dd-a2f6-000e354e1ff8}]

\Shell\AutoRun\command - E:\Autorun.exe /run

\Shell\Shell00\Command - E:\Autorun.exe /run

\Shell\Shell01\Command - E:\Autorun.exe /action

\Shell\Shell02\Command - E:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{411d5470-af04-11dd-a311-000e354e1ff8}]

\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5efa840-cb26-11da-bb8a-006073eb272a}]

\Shell\AutoRun\command - SETUP.exe

.

Contents of the 'Scheduled Tasks' folder

2009-02-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-02-06 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-22 21:03]

.

- - - - ORPHANS REMOVED - - - -

BHO-{C9C42510-9B21-41c1-9DCD-8382A2D07C61} - c:\windows\system32\iehelper.dll

HKLM-Run-bascstray - BascsTray.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mStart Page = hxxp://www.dell.com

uInternet Settings,ProxyOverride = 127.0.0.1;<local>

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: adp.com

Trusted Zone: arcata

Trusted Zone: davis

Trusted Zone: intranet

Trusted Zone: menehune

Trusted Zone: ripple

Trusted Zone: arcata

Trusted Zone: davis

Trusted Zone: intranet

Trusted Zone: menehune

Trusted Zone: ripple

FF - ProfilePath - c:\documents and settings\SW Employee\Application Data\Mozilla\Firefox\Profiles\9vldvxf5.default\

FF - plugin: c:\program files\Google\Google Updater\2.4.1441.4352\npCIDetect13.dll

FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava11.dll

FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava12.dll

FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava13.dll

FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava14.dll

FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava32.dll

FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJPI142_05.dll

FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPOJI610.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://*.adp.com

O15 - Trusted Zone: *.arcata

O15 - Trusted Zone: *.davis

O15 - Trusted Zone: *.intranet

O15 - Trusted Zone: *.menehune

O15 - Trusted Zone: *.ripple

O15 - Trusted Zone: *.arcata (HKLM)

O15 - Trusted Zone: *.davis (HKLM)

O15 - Trusted Zone: *.intranet (HKLM)

O15 - Trusted Zone: *.menehune (HKLM)

O15 - Trusted Zone: *.ripple (HKLM)

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab

O18 - Protocol: biblioscape - (no CLSID) - (no file)

O20 - AppInit_DLLs: DAinit.dll

O23 - Service: ArcGIS License Manager - Unknown owner - C:\Program Files\ESRI\License\arcgis9x\lmgrd.exe

O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Desktop Authority Maintenance Service (DAMaint) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\RaMaint.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Desktop Authority Service (DesktopAuthority) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\DesktopAuthority.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe

O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--

End of file - 9780 bytes


1. Please open Notepad

  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

c:\windows\SYSTEM32\windrv.sys

Folder::

C:\VundoFix Backups

Driver::

Acpild3arap

Collect::

c:\program files\Global Logger.exe

c:\documents and settings\LocalService\protect.dll

c:\documents and settings\SW Employee\protect.dll

c:\windows\SYSTEM32\CONFIG\systemprofile\protect.dll

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:

  • Combofix.txt
  • A new HijackThis log.
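The entries the helper picks out above (a Winlogon Notify DLL, a Run value and Startup-folder items pointing at .dll files, an orphaned driver service, Security Center and firewall overrides, TDSS-named files) are the classic persistence and self-defence spots this family uses. The script below is an added triage example, not code from this thread or from HijackThis/ComboFix: it runs a small rule set over log lines in the shape of the ones posted here and produces a review list. SAMPLE_LOG is constructed for the example, and the rules and severities are the author's own choices, so a hit means "look at this line", not "this is malware".

```python
import re
from dataclasses import dataclass

# Constructed sample (not a real capture): lines in the shape of the HijackThis
# and ComboFix output posted in this thread, clean and suspicious entries mixed.
SAMPLE_LOG = r"""
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: DAinit.dll,avgrsstx.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O23 - Service: ArcGIS License Manager - Unknown owner - C:\Program Files\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"autochk"="c:\docume~1\LOCALS~1\protect.dll" [2009-02-01 22016]
ChkDisk.dll [2009-02-01 22016]
ChkDisk.lnk - c:\windows\SYSTEM32\rundll32.exe [2004-03-19 33280]
"AntiVirusOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
S3 Acpild3arap;Acpild3arap; [x]
c:\windows\system32\drivers\TDSSmhlt.sys
"""


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    reason: str
    line: str


# Triage rules: (pattern, severity, why a reviewer should look at the line).
# Matching only puts the line on the review list; it is not a verdict.
RULES = [
    (re.compile(r"^O20 - Winlogon Notify:", re.I), "high",
     "Winlogon Notify DLL is loaded into winlogon.exe at every logon"),
    (re.compile(r"^O20 - AppInit_DLLs:", re.I), "medium",
     "AppInit_DLLs are injected into every process that loads user32.dll; verify each"),
    (re.compile(r"^O23 - Service: .* - Unknown owner - ", re.I), "medium",
     "service binary has no company/version information"),
    (re.compile(r'^"[^"]+"="[^"]+\.dll"', re.I), "high",
     "Run key value points at a .dll rather than an .exe"),
    (re.compile(r"^\S+\.dll \[\d{4}-\d{2}-\d{2} \d+\]$", re.I), "high",
     "bare .dll placed in a Startup folder"),
    (re.compile(r'^"AntiVirusOverride"=dword:0*1$', re.I), "medium",
     "Security Center antivirus monitoring is overridden"),
    (re.compile(r'^"EnableFirewall"=\s*0\b', re.I), "medium",
     "Windows Firewall disabled for the standard profile"),
    (re.compile(r"^S\d \S+;[^;]*;\s*\[x\]$", re.I), "medium",
     "driver service entry whose binary is missing (orphaned loader)"),
    (re.compile(r"\\TDSS[a-z]{4}\.(dll|sys|log|dat)$", re.I), "high",
     "TDSS-style randomly named component under system32"),
]


def triage(log_text: str) -> list:
    """Run every rule over every non-empty line; a line may trigger several rules."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for pattern, severity, reason in RULES:
            if pattern.search(line):
                findings.append(Finding(severity, reason, line))
    return findings


def flagged_lines(findings, severity=None) -> list:
    """Distinct flagged lines in log order, optionally filtered by severity."""
    out = []
    for f in findings:
        if (severity is None or f.severity == severity) and f.line not in out:
            out.append(f.line)
    return out


def report(findings) -> str:
    """Human-readable review list, highest severity first."""
    order = {"high": 0, "medium": 1}
    rows = sorted(findings, key=lambda f: order[f.severity])
    return "\n".join(f"[{f.severity:6}] {f.reason}\n         {f.line}" for f in rows)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

On the sample, the legitimate AVG, Symantec and ctfmon lines pass through untouched while the crypts.dll, protect.dll, ChkDisk.dll and TDSS entries land on the high list; pointing triage() at a full pasted log works the same way.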

Hi Tigger, new logs attached.

Thanks!

ComboFix 09-02-05.01 - SW Employee 2009-02-06 19:25:28.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.170 [GMT -8:00]

Running from: c:\documents and settings\SW Employee\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\SW Employee\Desktop\CFScript.txt

* Created a new restore point

FILE ::

c:\windows\SYSTEM32\windrv.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\LocalService\protect.dll

c:\documents and settings\SW Employee\protect.dll

c:\program files\Global Logger.exe

C:\VundoFix Backups

c:\windows\system32\bar\

c:\windows\SYSTEM32\CONFIG\systemprofile\protect.dll

c:\windows\SYSTEM32\windrv.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_Acpild3arap

((((((((((((((((((((((((( Files Created from 2009-01-07 to 2009-02-07 )))))))))))))))))))))))))))))))

.

2009-02-05 22:36 . 2009-02-05 23:06 <DIR> d-------- C:\Trouble

2009-01-27 00:37 . 2009-02-05 20:18 <DIR> d----c--- c:\windows\SYSTEM32\DRVSTORE

2009-01-27 00:36 . 2009-02-05 20:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2009-01-26 23:33 . 2009-01-26 23:33 <DIR> d-------- c:\program files\Common Files\Download Manager

2009-01-26 20:47 . 2009-01-26 20:47 <DIR> d-------- c:\program files\AVG

2009-01-26 20:47 . 2009-02-05 21:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

2009-01-26 20:45 . 2009-02-05 21:43 8,192 --a------ c:\documents and settings\tyc

2009-01-26 20:45 . 2009-02-05 21:43 8,192 --a------ c:\documents and settings\Chasco

2009-01-26 20:45 . 2009-02-05 21:43 8,192 --a------ c:\documents and settings\brandon

2009-01-26 16:40 . 2009-02-05 22:54 <DIR> d--hs---- c:\windows\SYSTEM32\twain32

2009-01-26 16:39 . 2009-01-26 16:39 54,156 --ah----- c:\windows\QTFont.qfn

2009-01-26 16:39 . 2009-01-26 16:39 1,409 --a------ c:\windows\QTFont.for

2009-01-22 21:03 . 2009-01-22 21:04 <DIR> d-------- c:\program files\Google

2009-01-22 21:03 . 2009-02-06 19:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-07 03:31 --------- d-----w c:\program files\Symantec AntiVirus

2009-02-07 03:10 --------- d-----w c:\program files\DesktopAuthority

2009-02-06 05:45 --------- d-----w c:\documents and settings\SW Employee\Application Data\Lavasoft

2009-01-27 08:40 4,224 ----a-w c:\windows\system32\drivers\BEEP.SYS

2009-01-26 09:18 --------- d-----w c:\program files\PokerStars

2006-12-13 20:27 557,056 -c--a-w c:\documents and settings\SW Employee\GoToAssist_phone__319_en.exe

2006-04-13 22:20 62,176 -c--a-w c:\documents and settings\SW Employee\Application Data\GDIPFONTCACHEV1.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 1200128]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-22 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-02 155648]

"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-03 32881]

"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-19 86016]

"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-07-17 28672]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]

"Desktop Authority GUI"="c:\program files\DesktopAuthority\ragui.exe" [2004-06-09 409600]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-12-20 98304]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"CANON DR2080C SVC"="DR2KSVC.dll" [2002-12-11 c:\windows\SYSTEM32\DR2KSVC.DLL]

"PFO Check Settings"="pfochk.exe" [2005-04-18 c:\windows\pfochk.exe]

c:\windows\SYSTEM32\CONFIG\systemprofile\Start Menu\Programs\Startup\

ChkDisk.dll [2009-02-05 22016]

c:\documents and settings\SW Employee\Start Menu\Programs\Startup\

ChkDisk.dll [2009-02-01 22016]

ChkDisk.lnk - c:\windows\SYSTEM32\rundll32.exe [2004-03-19 33280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-02-27 49254]

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-09 110592]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-08-03 24576]

GPS Pathfinder Office Connection Manager.lnk - c:\program files\GPS Pathfinder Office 3.10\conmgr.exe [2007-02-14 65536]

GPS Pathfinder Office Project Changer.lnk - c:\program files\GPS Pathfinder Office 3.10\pfpjchgr.exe [2007-02-14 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

2004-01-13 12:17 110592 c:\windows\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=DAinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.DVSD"= pdvcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=

"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=

"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 DAInfo;Desktop Authority Kernel Information Provider;c:\program files\DesktopAuthority\rainfo.sys [2004-08-17 6528]

R2 DAMaint;Desktop Authority Maintenance Service;c:\program files\DesktopAuthority\ramaint.exe [2004-08-17 49152]

R2 DesktopAuthority;Desktop Authority Service;c:\program files\DesktopAuthority\DesktopAuthority.exe [2004-08-17 1081344]

R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192]

R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [2006-08-22 316992]

R3 DAmirr;DAmirr;c:\windows\SYSTEM32\DRIVERS\DAmirr.sys [2004-08-17 3072]

R3 GTICARD;GTICARD;c:\windows\SYSTEM32\DRIVERS\gticard.sys [2003-02-14 59328]

S1 oxpar;%OXPAR.SVCDESC%;c:\windows\SYSTEM32\DRIVERS\oxpar.sys [2005-11-15 80128]

S2 ArcGIS License Manager;ArcGIS License Manager;c:\program files\ESRI\License\arcgis9x\lmgrd.exe [2006-09-17 467968]

S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;c:\windows\SYSTEM32\DRIVERS\wa301b.sys [1979-12-31 33847]

S3 LxrSG20d;LxrSG20d;c:\windows\SYSTEM32\DRIVERS\LxrSG20d.sys [2004-09-17 68672]

S3 LxrSG20s;Lexar SG20;LxrSG20s.exe --> LxrSG20s.exe [?]

S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys --> c:\windows\system32\DRIVERS\rcvpn.sys [?]

S3 TrmbTS;TrimbleTS Driver (TrmbTS.sys);c:\windows\SYSTEM32\DRIVERS\TrmbTS.sys [2008-01-28 23040]

S3 TRMUSB5K;Trimble USB GPS Driver;c:\windows\SYSTEM32\DRIVERS\TRMUSB5K.SYS [2008-01-28 9881]

S3 USA19H;USA19H;c:\windows\SYSTEM32\DRIVERS\USA19H2k.sys [2007-03-13 727908]

S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\SYSTEM32\DRIVERS\USA19H2kp.sys [2007-03-13 44928]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03c97f10-99a6-11dd-a2f6-000e354e1ff8}]

\Shell\AutoRun\command - E:\Autorun.exe /run

\Shell\Shell00\Command - E:\Autorun.exe /run

\Shell\Shell01\Command - E:\Autorun.exe /action

\Shell\Shell02\Command - E:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{411d5470-af04-11dd-a311-000e354e1ff8}]

\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5efa840-cb26-11da-bb8a-006073eb272a}]

\Shell\AutoRun\command - SETUP.exe

.

Contents of the 'Scheduled Tasks' folder

2009-02-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-02-07 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-22 21:03]

.

- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-autochk - c:\docume~1\LOCALS~1\protect.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mStart Page = hxxp://www.dell.com

uInternet Settings,ProxyOverride = 127.0.0.1;<local>

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: adp.com

Trusted Zone: arcata

Trusted Zone: davis

Trusted Zone: intranet

Trusted Zone: menehune

Trusted Zone: ripple

Trusted Zone: arcata

Trusted Zone: davis

Trusted Zone: intranet

Trusted Zone: menehune

Trusted Zone: ripple

FF - ProfilePath - c:\documents and settings\SW Employee\Application Data\Mozilla\Firefox\Profiles\9vldvxf5.default\

FF - plugin: c:\program files\Google\Google Updater\2.4.1441.4352\npCIDetect13.dll

FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava11.dll

FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava12.dll

FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava13.dll

FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava14.dll

FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava32.dll

FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJPI142_05.dll

FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPOJI610.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://*.adp.com

O15 - Trusted Zone: *.arcata

O15 - Trusted Zone: *.davis

O15 - Trusted Zone: *.intranet

O15 - Trusted Zone: *.menehune

O15 - Trusted Zone: *.ripple

O15 - Trusted Zone: *.arcata (HKLM)

O15 - Trusted Zone: *.davis (HKLM)

O15 - Trusted Zone: *.intranet (HKLM)

O15 - Trusted Zone: *.menehune (HKLM)

O15 - Trusted Zone: *.ripple (HKLM)

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab

O18 - Protocol: biblioscape - (no CLSID) - (no file)

O20 - AppInit_DLLs: DAinit.dll

O23 - Service: ArcGIS License Manager - Unknown owner - C:\Program Files\ESRI\License\arcgis9x\lmgrd.exe

O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Desktop Authority Maintenance Service (DAMaint) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\RaMaint.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Desktop Authority Service (DesktopAuthority) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\DesktopAuthority.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe

O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--

End of file - 9400 bytes


MBAM log and Hijackthis log below. Note, this is the first time Hijackthis has run without giving me an error.

Thanks!

Malwarebytes' Anti-Malware 1.33

Database version: 1736

Windows 5.1.2600 Service Pack 2

2/7/2009 9:43:55 AM

mbam-log-2009-02-07 (9-43-55).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 104881

Time elapsed: 41 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\SW Employee\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Opachki) -> Quarantined and deleted successfully.

C:\Documents and Settings\SW Employee\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:57:48 AM, on 2/7/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\1XConfig.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\DesktopAuthority\ragui.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\GPS Pathfinder Office 3.10\conmgr.exe

C:\Program Files\GPS Pathfinder Office 3.10\pfpjchgr.exe

C:\WINDOWS\System32\basfipm.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\DesktopAuthority\RaMaint.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\DesktopAuthority\DesktopAuthority.exe

C:\PROGRA~1\MICROS~4\rapimgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\RegSrvc.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\PROGRA~1\COMMON~1\Trimble\REMOTE~1\TRDMU.EXE

C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe

C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\SW Employee\Desktop\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.adp.com

O15 - Trusted Zone: *.arcata

O15 - Trusted Zone: *.davis

O15 - Trusted Zone: *.intranet

O15 - Trusted Zone: *.menehune

O15 - Trusted Zone: *.ripple

O15 - Trusted Zone: *.arcata (HKLM)

O15 - Trusted Zone: *.davis (HKLM)

O15 - Trusted Zone: *.intranet (HKLM)

O15 - Trusted Zone: *.menehune (HKLM)

O15 - Trusted Zone: *.ripple (HKLM)

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab

O18 - Protocol: biblioscape - (no CLSID) - (no file)

O20 - AppInit_DLLs: DAinit.dll

O23 - Service: ArcGIS License Manager - Unknown owner - C:\Program Files\ESRI\License\arcgis9x\lmgrd.exe

O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Desktop Authority Maintenance Service (DAMaint) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\RaMaint.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Desktop Authority Service (DesktopAuthority) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\DesktopAuthority.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe

O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--

End of file - 9478 bytes


Open HijackThis and put a check next to these:

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O18 - Protocol: biblioscape - (no CLSID) - (no file)

Click Fix Checked and close HijackThis.

You need to uninstall your version of Adobe Reader and go here and download and install the latest version.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

Update Java Runtime
The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 12.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 12 about half way down the page and click on the Download button.
  • In the Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u12-windows-i586-p.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the Java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar).
  • Reboot your computer.

Please post back with a new HijackThis log and the JavaRA log.

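The helper's "put a check next to these" list above is the manual version of a triage pass over a HijackThis log: dead entries whose file is missing, protocol handlers with no CLSID, services with no identifiable vendor, and global injection points such as AppInit_DLLs. The script below is an added example, not part of this thread and not HijackThis code; it parses the `Onn - ...` line format visible in the logs posted here and applies a small set of flagging rules of its own (the rules and the `triage_entry` scoring are this example's assumptions, not a published HijackThis convention). The sample lines are copied from the logs in this thread.

```python
"""Triage helper for HijackThis v2 log entries.

Added example (not from the forum thread or from HijackThis itself).
It parses the O-numbered entries HijackThis emits and flags the patterns a
helper looks for before deciding what to 'Fix checked'. The flagging rules
are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample input: entries copied from the logs posted in this thread.
SAMPLE_LOG = """\
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\\Program Files\\AVG\\AVG8\\avgssie.dll (file missing)
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Control Panel present
O15 - Trusted Zone: *.intranet (HKLM)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O18 - Protocol: biblioscape - (no CLSID) - (no file)
O20 - AppInit_DLLs: DAinit.dll
O23 - Service: ArcGIS License Manager - Unknown owner - C:\\Program Files\\ESRI\\License\\arcgis9x\\lmgrd.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe
"""

# HijackThis entry lines start with a section tag (O2, O23, R1, F2, ...) then " - ".
ENTRY_RE = re.compile(r"^(O\d+|R\d+|F\d+) - (.*)$")


@dataclass
class Finding:
    section: str
    text: str
    reasons: list


def parse_entries(log_text):
    """Return (section, body) tuples for every HijackThis entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage_entry(section, body):
    """Reasons an entry deserves a closer look; an empty list means unremarkable.

    The rules are this example's assumptions, modelled on what helpers in
    threads like this one check by hand.
    """
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("references a file that no longer exists (dead entry)")
    if "(no CLSID)" in body:
        reasons.append("protocol handler without a registered CLSID")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service binary has no identifiable vendor")
    if section == "O20":
        reasons.append("AppInit_DLLs loads into every process; verify the DLL")
    if section == "O6":
        reasons.append("IE policy restrictions set; a common malware lockdown")
    if section == "O16":
        reasons.append("ActiveX download (DPF); confirm the source is trusted")
    return reasons


def triage_log(log_text):
    """Return a Finding for every entry with at least one reason to inspect it."""
    findings = []
    for section, body in parse_entries(log_text):
        reasons = triage_entry(section, body)
        if reasons:
            findings.append(Finding(section, body, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section}: {f.text[:70]}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample, the script flags the O2 BHO (file missing), the O6 policy lock, the O16 download, the O18 protocol handler (twice: no CLSID and no file), the O20 AppInit_DLLs entry and the unowned O23 service, while leaving the Symantec service and the intranet trusted zone alone. A flag is a prompt to look, not a verdict: DAinit.dll, for instance, belongs to the Desktop Authority product that is clearly installed on this machine.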

The three requested files have been deleted with HijackThis. Adobe reader uninstalled and version 9 reinstalled. JavaRa was run and new JRE 6 Update 12 installed. JavaRa log and HijackThis log after all of above completed are posted below.

PS. I have a feeling your next post might be all is good and well (fingers crossed), what would you recommend for antivirus / spyware protection? I have been using AVG for antivirus, and been trying out several different spyware blockers.

Thanks!!!!

JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sat Feb 07 23:29:58 2009

Found and removed: C:\Program Files\Java\j2re1.4.2_03

Found and removed: C:\Windows\System32\jpicpl32.cpl

Found and removed: C:\Windows\Installer\{7148F0A8-6813-11D6-A77B-00B0D0142030}

Found and removed: C:\Windows\Installer\{7148F0A8-6813-11D6-A77B-00B0D0142050}

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.4

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7148F0A8-6813-11D6-A77B-00B0D0142030}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7148F0A8-6813-11D6-A77B-00B0D0142050}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Classes\Installer\Products\8A0F841731866D117AB7000B0D410203

Found and removed: SOFTWARE\Classes\Installer\Products\8A0F841731866D117AB7000B0D410205

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F841731866D117AB7000B0D410203

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F841731866D117AB7000B0D410205

Found and removed: SOFTWARE\Classes\JavaPlugin.142_03

Found and removed: SOFTWARE\Classes\JavaPlugin.142_05

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.4.2_03

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.4.2_05

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.4.2_03

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.4.2_05

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.4.2_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.4.2_05

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

------------------------------------

Finished reporting.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:40:46 PM, on 2/7/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\1XConfig.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\DesktopAuthority\ragui.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\GPS Pathfinder Office 3.10\conmgr.exe

C:\Program Files\GPS Pathfinder Office 3.10\pfpjchgr.exe

C:\Program Files\Apoint\Apntex.exe

C:\PROGRA~1\MICROS~4\rapimgr.exe

C:\WINDOWS\System32\basfipm.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\DesktopAuthority\RaMaint.exe

C:\PROGRA~1\COMMON~1\Trimble\REMOTE~1\TRDMU.EXE

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\DesktopAuthority\DesktopAuthority.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\RegSrvc.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe

C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\SW Employee\Desktop\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.adp.com

O15 - Trusted Zone: *.arcata

O15 - Trusted Zone: *.davis

O15 - Trusted Zone: *.intranet

O15 - Trusted Zone: *.menehune

O15 - Trusted Zone: *.ripple

O15 - Trusted Zone: *.arcata (HKLM)

O15 - Trusted Zone: *.davis (HKLM)

O15 - Trusted Zone: *.intranet (HKLM)

O15 - Trusted Zone: *.menehune (HKLM)

O15 - Trusted Zone: *.ripple (HKLM)

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab

O18 - Protocol: biblioscape - (no CLSID) - (no file)

O20 - AppInit_DLLs: DAinit.dll

O23 - Service: ArcGIS License Manager - Unknown owner - C:\Program Files\ESRI\License\arcgis9x\lmgrd.exe

O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Desktop Authority Maintenance Service (DAMaint) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\RaMaint.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Desktop Authority Service (DesktopAuthority) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\DesktopAuthority.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe

O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--

End of file - 9460 bytes

