
First time posting on this forum, so please be gentle with me if I've not done something in the right order. I've used your excellent software for a few weeks and it works fine, but it keeps reporting a Trojan.Agent, and although it removes it OK, it comes back on every scan. I use AVG and other tools but it doesn't show on these. Malwarebytes log and HijackThis log below. This one is really frustrating me and I could do with your help. Cheers, Steve

Malwarebytes' Anti-Malware 1.36

Database version: 1952

Windows 5.1.2600 Service Pack 2

09/04/2009 19:37:22

mbam-log-2009-04-09 (19-37-07).txt

Scan type: Quick Scan

Objects scanned: 111954

Time elapsed: 1 hour(s), 1 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HJACK LOG

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:05:08, on 09/04/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\SVCHOST.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\Maxtor\Sync\SyncServices.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe

C:\Program Files\CyberLink\PCM4Everio\EverioService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\Program Files\Camera Assistant Software for ViewSonic\traybar.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Camera Assistant Software for ViewSonic\CEC_MAIN.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Logitech\SetPoint\KEM.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files\AVG\AVG8\avgui.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Yuuguu\jre\bin\javaw.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\AVG\AVG8\avgscanx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\AVG\AVG8\avgscanx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\SiteAdvisor\6172\SiteAdv.exe

C:\PROGRA~1\OFFICE11\OUTLOOK.EXE

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\NoAdware\NoAdware5.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>;*.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll

O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll

O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"

O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [uSIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe

O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for ViewSonic\traybar.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.20\RivaTuner.exe" /S

O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.20\RivaTuner.exe" /T

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O4 - HKUS\S-1-5-18\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'Default user')

O4 - Startup: Yuuguu.lnk = C:\Program Files\Yuuguu\jre\bin\javaw.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\PDF Professional 3.0\IEShellExt.dll /100

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk

O15 - Trusted Zone: *.musicmatch.com

O15 - Trusted Zone: *.musicmatch.com (HKLM)

O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://sell-vehicle.ebay.co.uk/images/eps/...l_v1-0-3-50.cab

O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab

O16 - DPF: {63E0388E-4CD2-4728-99CC-E3652A1AE7AD} (EzAutoLogin Control) - http://203.233.205.66:8080/help/EzAutoLoginProj1.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab

O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab

O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe

O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Br...018/flashax.cab

O18 - Protocol: bw+0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw+0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw-0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw-0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw00 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw00s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw10 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw10s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw20 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw20s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw30 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw30s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw40 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw40s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw50 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw50s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw60 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw60s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw70 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw70s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw80 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw80s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw90 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw90s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwa0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwa0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwb0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwb0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwc0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwc0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwd0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwd0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwe0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwe0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwf0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwf0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: bwg0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwg0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwh0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwh0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwi0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwi0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwj0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwj0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwk0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwk0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwl0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwl0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwm0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwm0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwn0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwn0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwo0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwo0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwp0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwp0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwq0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwq0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwr0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwr0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bws0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bws0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwt0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwt0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwu0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwu0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwv0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwv0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bww0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bww0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwx0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwx0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwy0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwy0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwz0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwz0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: offline-8876480 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: RDM+ - C:\Program Files\RDM+\notify.dll

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--

End of file - 21784 bytes


  • Staff

Hi,

It appears that your userinit got infected. We'll deal with that as well, but first we need to fix some entries in HijackThis.

I see you are running Teatimer.

I suggest you disable it because it can interfere with the changes you'll make to your system.

When everything is done and your log is clean again, you can re-enable it.

If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer <== click me for instructions.

I see you have the ZoneAlarm Spy Blocker Toolbar installed. This toolbar is powered by Ask.com and is not recommended. I suggest you uninstall the toolbar.

Then,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O4 - Startup: Yuuguu.lnk = C:\Program Files\Yuuguu\jre\bin\javaw.exe

O18 - Protocol: bw+0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw+0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw-0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw-0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw00 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw00s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw10 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw10s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw20 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw20s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw30 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw30s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw40 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw40s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw50 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw50s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw60 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw60s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw70 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw70s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw80 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw80s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw90 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bw90s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwa0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwa0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwb0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwb0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwc0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwc0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwd0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwd0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwe0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwe0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwf0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwf0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: bwg0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwg0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwh0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwh0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwi0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwi0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwj0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwj0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwk0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwk0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwl0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwl0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwm0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwm0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwn0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwn0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwo0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwo0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwp0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwp0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwq0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwq0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwr0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwr0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bws0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bws0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwt0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwt0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwu0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwu0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwv0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwv0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bww0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bww0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwx0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwx0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwy0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwy0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwz0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: bwz0s - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

O18 - Protocol: offline-8876480 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

Then,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

Please allow it to install the Recovery Console, because that's a really important step in order to fix this.

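The checks behind that reply, as an added example that is not part of the original thread and not code from Malwarebytes, HijackThis or ComboFix: a small parser for the HijackThis line shapes seen above that pulls out the "(no file)" entries and groups them by CLSID (which is why fifty-odd bw* protocol entries collapse into one leftover), lists O20 Winlogon Notify DLLs living outside %SystemRoot% for review, checks whether a Winlogon\Userinit value is the stock Windows XP one, and compares the live userinit.exe against a known-good copy by hash. The sample log lines are a constructed subset of the posted log; the stock Userinit value (with its trailing comma) and the use of the i386 copy as the reference are assumptions; RDM+ is surfaced only for review, not as a verdict.

```python
"""Triage helpers for a HijackThis 2.0 log plus the userinit.exe check the
thread's fix relies on. Added example for this thread, not code from
Malwarebytes, HijackThis or ComboFix. The log lines below are a constructed
sample taken from the posted log; the stock Userinit value is assumed to be
the Windows XP one with %SystemRoot% = C:\\WINDOWS.
"""
import hashlib
import re
from pathlib import Path

# Constructed sample: eight lines in the shapes seen in the posted log.
SAMPLE_HJT_LOG = """\
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [AVG8_TRAY] C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe
O18 - Protocol: bw+0 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\GAPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {8C5CEB04-7AE0-43CC-8C38-DA026E4F950D} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\\WINDOWS\\SYSTEM32\\avgrsstx.dll
O20 - Winlogon Notify: RDM+ - C:\\Program Files\\RDM+\\notify.dll
"""

_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<rest>.*)$")
# "<kind>: <name> - {CLSID} - <path>"    (R3, O2, O3, O9, O18, ...)
_WITH_CLSID = re.compile(r"^(?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# "<hive\..\Run>: [<name>] <command>"    (O4 autostarts)
_AUTOSTART = re.compile(r"^(?P<kind>[^:]+): \[(?P<name>[^\]]*)\] (?P<path>.*)$")
# "<kind>: <name> - <path>"              (O20 Winlogon Notify, ...)
_NAME_PATH = re.compile(r"^(?P<kind>[^:]+): (?P<name>.*?) - (?P<path>.*)$")


def parse_hjt(text):
    """One dict per recognised HijackThis line: section, kind, name, clsid, path.
    R0/R1 'key = value' lines and the 'Running processes' paths are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        for pattern in (_WITH_CLSID, _AUTOSTART, _NAME_PATH):
            sub = pattern.match(m.group("rest"))
            if sub:
                d = sub.groupdict()
                entries.append({"section": m.group("section"), "kind": d["kind"],
                                "name": d["name"], "clsid": d.get("clsid"),
                                "path": d["path"].strip()})
                break
    return entries


def orphaned_entries(entries):
    """Entries whose target HijackThis could not find on disk ('(no file)')."""
    return [e for e in entries if e["path"].lower() == "(no file)"]


def orphans_by_clsid(orphans):
    """Group dead entries by CLSID: dozens sharing one CLSID are usually the
    leftovers of a single uninstalled product, not separate threats."""
    groups = {}
    for e in orphans:
        groups.setdefault(e["clsid"], []).append(e["name"])
    return groups


def notify_dlls_outside_system_root(entries, system_root="C:\\WINDOWS"):
    """O20 Winlogon Notify DLLs are loaded into winlogon.exe at logon; list
    the ones outside %SystemRoot% so a human can decide whether they belong."""
    root = system_root.lower().rstrip("\\") + "\\"
    return [e for e in entries
            if e["section"] == "O20" and not e["path"].lower().startswith(root)]


def userinit_path_is_default(data, system_root="C:\\WINDOWS"):
    """True when a Winlogon\\Userinit value is exactly the stock XP entry.
    Assumption: stock value is '<SystemRoot>\\system32\\userinit.exe,' (the
    trailing comma is normal); anything appended after the comma is a hijack."""
    expected = f"{system_root}\\system32\\userinit.exe".lower()
    return data.strip().rstrip(",").lower() == expected


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def file_sha256(path):
    return sha256_hex(Path(path).read_bytes())


def same_file_hash(candidate, reference):
    """The check behind 'Restored copy from c:\\i386\\USERINIT.EXE': a path that
    looks right says nothing about the bytes, so compare the live binary with a
    known-good copy. A mismatch is only a lead (the i386 copy may predate a
    service pack); a match on a file AV keeps flagging points at a false positive."""
    return file_sha256(candidate) == file_sha256(reference)


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_HJT_LOG)
    for clsid, names in orphans_by_clsid(orphaned_entries(entries)).items():
        print(f"{clsid}: {len(names)} dead entries, e.g. {names[0]}")
    for e in notify_dlls_outside_system_root(entries):
        print(f"review O20 {e['name']} -> {e['path']}")
    print("Userinit default:", userinit_path_is_default("c:\\windows\\system32\\userinit.exe"))
```

Note that the Malwarebytes line above shows the Userinit data itself was the default path; the problem ComboFix later reported was the file at that path being patched, which is exactly the case `userinit_path_is_default` cannot catch and `same_file_hash` is for.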

Firstly,

Many thanks for such a great and fast response. Truly excellent support. Did everything you advised and the log is below. The only thing of note is that when installing the Windows Recovery Console it got to 100% and sat there for 25 minutes doing nothing. I closed it, restarted ComboFix and everything went fine this time round, although it didn't ask me if I wanted to create a Recovery Console, so I assumed it must have made one the first time around.

The userinit would add up to being an issue, as AVG kept saying there was an issue with this, and I see from the log it looks like this has been addressed.

Do I need to do anything else?

ComboFix 09-04-04.01 - FAAC 2009-04-10 13:32:18.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.433 [GMT 1:00]

Running from: c:\documents and settings\FAAC\My Documents\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

FW: ZoneAlarm Firewall *disabled*

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\FAAC\Application Data\inst.exe

c:\documents and settings\FAAC\x.exe

c:\windows\system32\404Fix.exe

c:\windows\system32\au3305adc.dll

c:\windows\system32\dumphive.exe

c:\windows\system32\IEDFix.C.exe

c:\windows\system32\IEDFix.exe

c:\windows\system32\o4Patch.exe

c:\windows\system32\Process.exe

c:\windows\system32\SrchSTS.exe

c:\windows\system32\tmp.reg

c:\windows\system32\VACFix.exe

c:\windows\system32\VCCLSID.exe

c:\windows\system32\WS2Fix.exe

c:\windows\WINDOWS

----- BITS: Possible infected sites -----

hxxp://str2int.uz.ua

Infected copy of c:\windows\system32\userinit.exe was found and disinfected

Restored copy from - c:\i386\USERINIT.EXE

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))

.

2009-04-09 08:54 . 2009-04-09 08:54 325,640 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys

2009-04-09 08:54 . 2009-04-09 08:54 108,552 --a------ c:\windows\SYSTEM32\DRIVERS\avgtdix.sys

2009-04-09 08:54 . 2009-04-09 08:54 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll

2009-04-09 08:53 . 2009-04-10 11:05 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\Avg

2009-04-09 00:07 . 2009-04-09 17:30 <DIR> d-------- c:\program files\RegCure

2009-04-08 22:16 . 2009-04-09 00:05 <DIR> d-------- c:\program files\XoftSpySE

2009-04-08 21:02 . 2009-04-08 21:02 <DIR> d-------- c:\program files\AskBarDis

2009-04-01 17:42 . 2009-04-01 17:42 <DIR> d-------- c:\program files\DigiDNA

2009-04-01 17:42 . 2009-04-01 17:51 <DIR> d-------- c:\documents and settings\FAAC\Application Data\DiskAid

2009-04-01 11:14 . 2009-04-08 21:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-04-01 11:14 . 2009-04-01 11:14 <DIR> d-------- c:\documents and settings\FAAC\Application Data\Malwarebytes

2009-04-01 11:14 . 2009-04-01 11:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-04-01 11:14 . 2009-04-06 15:32 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys

2009-04-01 11:14 . 2009-04-06 15:32 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys

2009-04-01 10:48 . 2009-04-01 10:48 <DIR> d-------- c:\program files\Trend Micro

2009-03-31 18:36 . 2009-03-31 18:36 <DIR> d-------- c:\program files\LibUSB-Win32

2009-03-31 18:36 . 2007-03-20 11:33 43,520 --a------ c:\windows\SYSTEM32\libusb0.dll

2009-03-31 18:36 . 2007-03-20 11:33 28,672 --a------ c:\windows\SYSTEM32\DRIVERS\libusb0.sys

2009-03-31 18:32 . 2009-02-15 21:54 933,888 --a------ c:\windows\SYSTEM32\SENXPCTL.OCX

2009-03-31 18:32 . 2009-02-25 23:43 65,536 --a------ c:\windows\SYSTEM32\device.OCX

2009-03-31 18:32 . 2009-02-17 04:23 32,768 --a------ c:\windows\SYSTEM32\Bar.OCX

2009-03-31 18:31 . 2009-03-31 18:34 <DIR> d-------- c:\program files\QuickFreedom

2009-03-27 09:40 . 2009-04-01 10:33 1,896,749 --a------ c:\windows\SYSTEM32\uactmp.db

2009-03-25 09:23 . 2009-03-25 09:23 414,144 --a------ c:\windows\SYSTEM32\UACbvpyfvkt.db

2009-03-24 20:21 . 2004-08-04 05:00 24,576 --a------ c:\windows\SYSTEM32\stus.exe

2009-03-21 22:42 . 2009-03-22 01:00 <DIR> d-------- c:\documents and settings\FAAC\IGC

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-10 12:14 --------- d-----w c:\program files\McAfee

2009-04-10 12:14 --------- d-----w c:\program files\Common Files\McAfee

2009-04-10 12:14 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee

2009-04-10 12:09 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor

2009-04-10 12:07 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com

2009-04-10 10:03 --------- d-----w c:\documents and settings\FAAC\Application Data\skypePM

2009-04-09 20:26 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-04-09 14:39 --------- d-----w c:\documents and settings\FAAC\Application Data\dvdcss

2009-04-09 14:36 --------- d-----w c:\documents and settings\FAAC\Application Data\UseNeXT

2009-04-09 12:28 --------- d-----w c:\program files\NoAdware

2009-04-09 07:53 --------- d-----w c:\documents and settings\All Users\Application Data\avg8

2009-03-26 21:44 --------- d-----w c:\program files\William Hill Poker

2009-03-11 15:26 --------- d-----w c:\documents and settings\FAAC\Application Data\Skype

2009-02-25 17:49 --------- d-----w c:\program files\AviSynth 2.5

2009-02-10 19:28 --------- d-----w c:\program files\Boilsoft Video Joiner

2008-11-24 22:37 47,360 ----a-w c:\documents and settings\FAAC\Application Data\pcouffin.sys

2008-11-24 22:22 81,920 ----a-w c:\documents and settings\FAAC\Application Data\ezpinst.exe

2007-01-30 11:26 56,912 ----a-w c:\documents and settings\FAAC\g2mdlhlpx.exe

2008-04-22 13:13 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2008-04-22 13:13 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2008-04-22 13:13 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2008-04-22 13:13 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2008-04-22 13:13 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 401491]

"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-11-11 4583424]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-02-16 1169776]

"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-02-16 1945960]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-02-16 149024]

"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]

"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-12-10 110592]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-11-11 86016]

"USIUDF_Eject_Monitor"="c:\program files\Common Files\Ulead Systems\DVD\USISrv.exe" [2004-12-23 81920]

"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-22 151552]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-23 185896]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]

"Camera Assistant Software"="c:\program files\Camera Assistant Software for ViewSonic\traybar.exe" [2007-08-20 774144]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-09 1932568]

"nwiz"="nwiz.exe" [2007-12-05 c:\windows\SYSTEM32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2008-10-23 136768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-01-17 66864]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2005-05-25 581632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\RDM+]

2008-04-13 12:43 61440 c:\program files\RDM+\notify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-04-09 08:54 10520 c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\RegCompact]

2005-11-21 20:22 135168 c:\windows\SYSTEM32\RegCompact.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"MSACM.CEGSM"= mobilev.acm

"vidc.dvsd"= dvc.dll

"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm

"msacm.mpegacm"= mpegacm.acm

"msacm.ulmp3acm"= ulmp3acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]

backup=c:\windows\pss\Device Detector 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet g series) - 1.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet g series) - 1.lnk

backup=c:\windows\pss\HPAiODevice(hp officejet g series) - 1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^mosadl.exe.lnk]

backup=c:\windows\pss\mosadl.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^FAAC^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\FAAC\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^FAAC^Start Menu^Programs^Startup^MagicDisc.lnk]

backup=c:\windows\pss\MagicDisc.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\errorkiller

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mosadl

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

--a------ 2007-04-03 23:29 165784 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]

--a------ 2004-12-06 01:05 127035 c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]

--------- 2004-10-12 16:54 57344 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]

--a------ 2003-09-03 20:12 221184 c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

--a------ 2004-12-10 20:44 11776 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

--a------ 2004-12-10 20:44 110592 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2004-10-13 17:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmapp]

--a------ 2006-11-01 01:04 321088 c:\program files\Pure Networks\Network Magic\nmapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2004-11-11 17:10 4583424 c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2004-11-11 17:10 86016 c:\windows\SYSTEM32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF3 Registry Controller]

--a------ 2005-04-29 02:58 106496 c:\program files\ScanSoft\PDF Professional 3.0\registrycontroller.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

--a------ 2004-10-14 14:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]

--a------ 2004-01-26 11:38 866816 c:\program files\Thomson\SpeedTouch USB\dragdiag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter]

--a------ 2002-10-21 17:32 421888 c:\progra~1\FREESE~1\bin\win2k\tidslmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]

-ra------ 2003-09-30 00:14 155648 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STManager]

--------- 2003-10-16 13:25 118784 c:\program files\SpeedTouch\Dr SpeedTouch\drst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2003-11-19 17:48 32881 c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

--a------ 2007-04-20 08:29 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TIxDSL]

--a------ 2002-10-21 17:32 421888 c:\progra~1\FREESE~1\bin\win2k\tidslmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a------ 2008-10-23 10:22 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

--a------ 2004-01-07 01:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USIUDF_Eject_Monitor]

--a------ 2004-12-23 18:27 81920 c:\program files\Common Files\Ulead Systems\DVD\USISrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]

--a------ 2004-06-08 12:31 29696 c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2007-12-05 02:41 1626112 c:\windows\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"UleadBurningHelper"=2 (0x2)

"StarWindService"=2 (0x2)

"SiteAdvisor Service"=2 (0x2)

"ServiceLayer"=3 (0x3)

"ose"=3 (0x3)

"nmservice"=2 (0x2)

"nmraapache"=3 (0x3)

"DSBrokerService"=3 (0x3)

"Adobe LM Service"=3 (0x3)

"MSK80Service"=2 (0x2)

"MPS9"=2 (0x2)

"MpfService"=2 (0x2)

"McSysmon"=2 (0x2)

"McShield"=2 (0x2)

"McRedirector"=2 (0x2)

"McProxy"=2 (0x2)

"mcpromgr"=2 (0x2)

"McODS"=2 (0x2)

"McNASvc"=2 (0x2)

"mcmscsvc"=2 (0x2)

"mcmispupdmgr"=3 (0x3)

"McAfee HackerWatch Service"=2 (0x2)

"Emproxy"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\SpeedTouch\\Dr SpeedTouch\\drst.exe"=

"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=

"c:\\Documents and Settings\\FAAC\\My Documents\\Program Downloads\\SopCast\\SopCast.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=

"c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=

"c:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=

"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\devolo\\informer\\devinf.exe"=

"c:\\Program Files\\devolo\\easyshare\\easyshare.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"6100:TCP"= 6100:TCP:ppLive

"8008:UDP"= 8008:UDP:ppLive

"4464:TCP"= 4464:TCP:ppLive

"7007:UDP"= 7007:UDP:ppLive

"67:UDP"= 67:UDP:DHCP Discovery Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2009-04-09 325640]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [2009-04-09 108552]

R1 LUMDriver;LUMDriver;c:\windows\SYSTEM32\DRIVERS\LUMDriver.sys [2006-10-13 14912]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-09 298264]

R2 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\SYSTEM32\plcndis5.sys [2004-05-17 17280]

R3 AtmElan;ATM Emulated LAN;c:\windows\SYSTEM32\DRIVERS\ATMLANE.SYS [2004-08-04 55936]

R3 dfmirage;dfmirage;c:\windows\SYSTEM32\DRIVERS\dfmirage.sys [2008-04-15 31896]

R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\SYSTEM32\DRIVERS\libusb0.sys [2009-03-31 28672]

S2 0045241239365339mcinstcleanup;McAfee Application Installer Cleanup (0045241239365339);c:\docume~1\FAAC\LOCALS~1\Temp\004524~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\FAAC\LOCALS~1\Temp\004524~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

S2 EZWRIT3;EZWRIT3;c:\windows\SYSTEM32\DRIVERS\ezwrit3.sys [2006-03-04 12672]

S3 APLOADER;APLOADER;c:\windows\SYSTEM32\DRIVERS\ApLoader.SYS [2006-03-04 21376]

S3 AtmLane;ATM LAN Emulation;c:\windows\SYSTEM32\DRIVERS\ATMLANE.SYS [2004-08-04 55936]

S3 Freeserve;TIDSLInstaller Device Driver;c:\windows\SYSTEM32\DRIVERS\instl.sys [2005-05-25 11878]

S3 k600bus;Sony Ericsson 600i driver (WDM);c:\windows\SYSTEM32\DRIVERS\k600bus.sys [2005-11-30 52384]

S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;c:\windows\SYSTEM32\DRIVERS\k600mgmt.sys [2005-05-11 79248]

S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;c:\windows\SYSTEM32\DRIVERS\k600obex.sys [2005-05-11 77072]

S3 PLCMPR5;PLCMPR5 NDIS Protocol Driver;\??\c:\windows\system32\PLCMPR5.SYS --> c:\windows\system32\PLCMPR5.SYS [?]

S3 RemoteControl-USBLAN;RemoteControl-USBLAN;c:\windows\SYSTEM32\DRIVERS\rcblan.sys [2008-04-30 39704]

S3 SampleScanner;Ultima2000 Scanner;c:\windows\SYSTEM32\DRIVERS\GT680X.SYS [2006-01-07 18120]

S3 TIAu5Bt;Copperjet ADSL modem Boot Device;c:\windows\SYSTEM32\DRIVERS\tiau5bt.sys [2005-05-25 11775]

S3 TIAU5CO;Copperjet ADSL modem connecting with Freeserve Broadband;c:\windows\SYSTEM32\DRIVERS\tiau5co.sys [2005-05-25 57093]

.

Contents of the 'Scheduled Tasks' folder

2009-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2009-04-03 c:\windows\Tasks\FAAC scan and fix.job

- c:\program files\AMUST\Registry Cleaner\RegCleaner.exe [2005-11-21 20:22]

2009-04-10 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2008-11-27 19:55]

2009-04-08 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2008-11-27 19:55]

2009-04-10 c:\windows\Tasks\XoftSpySE 2.job

- c:\program files\XoftSpySE\XoftSpy.exe [2009-04-01 14:54]

2009-04-08 c:\windows\Tasks\XoftSpySE.job

- c:\program files\XoftSpySE\XoftSpy.exe [2009-04-01 14:54]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-BitTorrent DNA - c:\program files\DNA\btdna.exe

HKLM-Run-RivaTunerStartupDaemon - c:\program files\RivaTuner v2.20\RivaTuner.exe

HKLM-Run-RivaTuner - c:\program files\RivaTuner v2.20\RivaTuner.exe

HKLM-Run-Cleanup - c:\program files\mcafee.com\shared\mcappins.exe

MSConfigStartUp-McAfee QuickClean Imonitor - c:\program files\McAfee\McAfee QuickClean\Plguni.exe

MSConfigStartUp-MSKAGENTEXE - c:\program files\McAfee\MSK\MskAgent.exe

MSConfigStartUp-SiteAdvisor - c:\program files\SiteAdvisor\6172\SiteAdv.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uLocal Page = \blank.htm

mStart Page = hxxp://www.google.co.uk

mSearch Bar = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"

uInternet Settings,ProxyOverride = localhost;<local>;*.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\OFFICE11\EXCEL.EXE/3000

IE: Open with Scansoft PDF Converter 3.0 - c:\program files\ScanSoft\PDF Professional 3.0\IEShellExt.dll /100

Trusted Zone: musicmatch.com

Trusted Zone: musicmatch.com

DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} - hxxp://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab

DPF: {63E0388E-4CD2-4728-99CC-E3652A1AE7AD} - hxxp://203.233.205.66:8080/help/EzAutoLoginProj1.cab

DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC}

FF - ProfilePath -

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-10 13:41:36

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\wbem\Performance\WmiApRpl_new.ini 1698 bytes

scan completed successfully

hidden files: 1

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ

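The ComboFix log above records the root cause of the recurring detection: the Winlogon Userinit value was not the problem, the userinit.exe binary it points to was infected and had to be restored from the i386 cache. The following PowerShell check is an added example, not code from the thread, from Malwarebytes or from ComboFix; it assumes a standard Windows XP layout (userinit.exe in system32, an install cache under \i386, and the XP default Userinit value of "%SystemRoot%\system32\userinit.exe,").

```powershell
# Added example (not from the thread): verify the Winlogon Userinit persistence
# point on a Windows XP machine after a userinit.exe infection.
# Assumptions: default XP paths and default Userinit value; no third-party tools.

function Get-Sha256Hex([string]$path) {
    # PowerShell 2.0 has no Get-FileHash, so use the .NET hash class directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Test-Userinit {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = "$env:SystemRoot\system32\userinit.exe"   # XP default (trailing comma stripped)
    $live     = "$env:SystemRoot\system32\userinit.exe"
    $cache    = "$env:SystemDrive\i386\USERINIT.EXE"       # install cache ComboFix restored from

    # 1. The registry value. Anything appended after the default path is an extra
    #    program launched at every logon, a common persistence technique.
    $userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
    if ($userinit.TrimEnd(',') -ieq $expected) {
        Write-Host "Userinit value is the XP default: $userinit"
    } else {
        Write-Warning "Userinit value is NOT the default: '$userinit' (expected '$expected,')"
    }

    # 2. The binary itself. A file infector modifies userinit.exe in place, so the
    #    registry value looks normal while the file keeps being re-detected; only
    #    replacing the file (as ComboFix did from \i386) clears it.
    if (-not (Test-Path $cache)) {
        Write-Warning "No i386 cache copy at $cache; compare against install media instead"
        return
    }
    $liveHash  = Get-Sha256Hex $live
    $cacheHash = Get-Sha256Hex $cache
    $liveVer   = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($live).FileVersion
    $cacheVer  = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($cache).FileVersion

    if ($liveHash -eq $cacheHash) {
        Write-Host "userinit.exe matches the i386 cache copy (SHA-256 $liveHash)"
    } elseif ($liveVer -ne $cacheVer) {
        # Caveat: a service pack or hotfix can legitimately leave the live copy
        # newer than the cache, so a version difference is not proof of infection.
        Write-Warning "userinit.exe differs from the i386 copy, but versions differ too (live $liveVer, cache $cacheVer); verify against a known-good copy of $liveVer"
    } else {
        Write-Warning "userinit.exe differs from the i386 copy with the SAME version ($liveVer): live $liveHash, cache $cacheHash. Treat as modified."
    }
}

Test-Userinit
```

Run it from an elevated PowerShell prompt; on XP the system files are catalog-signed, so an embedded-signature check would not add anything here and is deliberately left out.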

  • Staff

Hi,

This is much better... almost done!

Open Notepad and copy and paste the text present in the quotebox below into it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\errorkiller]

Save this as fix.reg. Choose to save as *all files* and place it on your desktop.

It should look like this: reg.gif

Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Navigate to and delete the following files:

c:\windows\SYSTEM32\uactmp.db

c:\windows\SYSTEM32\UACbvpyfvkt.db

Then go to Start > Run and copy and paste the next command into the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

Also, can you explain what this program is: c:\program files\RDM+\notify.dll?

Do you know it?


All done as instructed.

The RDM+ was some remote PC software I installed a while back, but I have removed it now as I no longer need to access my PC remotely.

Have to say that my PC is much, much faster; I just ran the Malware s/w and it took 6 mins to look at the system as opposed to 35 mins before, and this time it found nothing.

I am upgrading my software to the paid version as you deserve it. Simply the best support I have had from any vendor: prompt, efficient and above all effective. Keep up the good work and I'll recommend this s/w to all my friends.

Thanks again.

Steve


  • Staff

Glad I could help. :D

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
