
Obstinate Worm:Win32/rimecud!inf on removable drive



Hello,

One of my kids borrowed my Iomega 250 Gig external drive & brought it back with several guests on it, especially Worm:Win32/rimecud!inf

I have scanned the drive with MBAM but the virus keeps popping up every few minutes as autorun.inf on the Iomega's root directory and then trying to infect the computer.

How can I get rid of it permanently?

Many thanks,

Marius


Hi,

1. Download Flash_Disinfector and save it to desktop.

2. After downloading, double-click on Flash_Disinfector to run it.

3. Just follow the prompts and continue until it begins scanning.

4. If asked to insert your flash drive or any removable device including USB Pen Drive and Memory Stick, please do so.

5. It will scan removable drives, wait for the scan to finish. Done.

---

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.


Hi Blade81,

Many thanks for your assistance.

I am attaching attach.txt as a zipped file.

Below is DDS.txt.

Best wishes,

Marius

--------------------------------

DDS (Ver_10-03-17.01) - NTFSx86

Run by Marius at 18:03:54.29 on 2010/05/28

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16

Microsoft Windows XP Home Edition 5.1.2600.3.1253.30.1033.18.1022.211 [GMT 2:00]

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\cahizoofes.exe

C:\WINDOWS\system32\cahizoofes.exe

C:\WINDOWS\sm56hlpr.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe

c:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\apps\Powercinema\PCMService.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\BtUsrBdg.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\BTSetBootKey.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Bonjour\mDNSResponder.exe

svchost.exe

C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE

C:\Program Files\Norton SystemWorks\NswUiTray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe

C:\WINDOWS\system32\quuwytty.exe

C:\WINDOWS\system32\quuwytty.exe

C:\Program Files\Lexmark 1200 Series\lxczbmon.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\WINDOWS\system32\quuwytty.exe

C:\WINDOWS\system32\quuwytty.exe

C:\Program Files\iBurst\iBurst_UTL.EXE

c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe

C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE

C:\APPS\SAXO\HIDSERV.EXE

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Orbitdownloader\orbitdm.exe

C:\Program Files\WordWeb\wweb32.exe

C:\WINDOWS\system32\lxczcoms.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Orbitdownloader\orbitnet.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe

C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe

c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files\Sandboxie\SbieSvc.exe

C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe

c:\apps\Powercinema\Kernel\TV\CLSched.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\system32\WgaTray.exe

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Mozilla Firefox\firefox.exe

c:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\MsiExec.exe

D:\Documents and Settings\Marius\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com

uStart Page = hxxp://www.altavista.com/

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll

BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll

BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.2.28.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.1.0.32\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.1.0.32\IPSBHO.DLL

BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll

TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.1.0.32\coIEPlg.dll

TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [sMSERIAL] sm56hlpr.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [skyTel] SkyTel.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"

mRun: [DetectorApp] c:\program files\sonic\digitalmedia le v7\mydvd le\DetectorApp.exe

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [PCMService] "c:\apps\powercinema\PCMService.exe"

mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe

mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon

mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

mRun: [bTUSRBDG] BtUsrBdg.exe

mRun: [bTSETBOOTKEY] BTSetBootKey.exe

mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE

mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe" -lang 1033

mRun: [(Default)] c:\windows\$ntservicepackuninstall$\svchost.exe

mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [NSLauncher] c:\program files\nokia\nokia software launcher\NSLauncher.exe /startup

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [QuickFinder Scheduler] "c:\program files\corel\wordperfect office x4\programs\QFSCHD140.EXE"

mRun: [NSWosCheck] "c:\program files\norton systemworks\osCheck.exe"

mRun: [NswUiTray] c:\program files\norton systemworks\NswUiTray.exe

mRun: [Fax Machine]

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [lxczbmgr.exe] "c:\program files\lexmark 1200 series\lxczbmgr.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [fissa] c:\windows\system32\quuwytty.exe

mRun: [ryvu] c:\windows\system32\quuwytty.exe

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [pytukek] c:\windows\system32\quuwytty.exe

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [fissa] d:\documents and settings\localservice\application data\microsoft\dynycosec.exe

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRunOnce: [<NO NAME>]

StartupFolder: d:\docume~1\marius\startm~1\programs\startup\wordweb.lnk - c:\program files\wordweb\wweb32.exe

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\freewe~1.lnk - c:\program files\coffeecup software\coffeecup free ftp\ThirtyDayTimer.exe

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\iburst~2.lnk - c:\program files\iburst\iBurst_UTL.EXE

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\iburst~1.lnk - c:\program files\iburst terminal\iBurst_Terminal_UTL.EXE

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe

uPolicies-explorer: NoViewOnDrive = 0 (0x0)

IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm

IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202

IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html

IE: Open with WordPerfect - c:\program files\corel\wordperfect office x4\programs\WPLauncher.hta

IE: {5E638779-1818-4754-A595-EF1C63B87A56} - c:\program files\norton systemworks\norton cleanup\WCQuick.lnk

IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.2.28.dll/206

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab

DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab

DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/pm/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195018987453

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: {A79E8D8F-61AE-4413-80D0-287E6CBD7CAD} = 41.208.247.5 196.46.70.10

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\progra~1\qualcomm\eudora\EuShlExt.dll

Hosts: 82.98.86.161 fixerisa.com

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\marius\applic~1\mozilla\firefox\profiles\vnslebjw.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.altavista.com/

FF - component: d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\coffplgn\components\coFFPlgn.dll

FF - component: d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\ipsffplgn\components\IPSFFPl.dll

FF - component: d:\documents and settings\marius\application data\mozilla\firefox\profiles\vnslebjw.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll

FF - component: d:\documents and settings\marius\application data\mozilla\firefox\profiles\vnslebjw.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2007-12-31 155136]

R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2007-12-31 5248]

R0 IABFilt;Iomega Snapshot Volume Filter;c:\windows\system32\drivers\IABFilt.sys [2007-5-26 25344]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0401000.020\SymDS.sys [2010-5-28 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0401000.020\SymEFA.sys [2010-5-28 172592]

R1 BHDrvx86;BHDrvx86;d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\bashdefs\20100211.001\BHDrvx86.sys [2010-5-28 536112]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0401000.020\cchpx86.sys [2010-5-28 501888]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0401000.020\Ironx86.sys [2010-5-28 116784]

R2 adsuhl0j8;AOL Connectivity Service;c:\windows\system32\cahizoofes.exe --> c:\windows\system32\cahizoofes.exe [?]

R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2007-5-26 3744]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-11-1 10640]

R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2007-5-26 3904]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-5-26 304464]

R2 N360;Norton 360;c:\program files\norton 360\engine\4.1.0.32\ccSvcHst.exe [2010-5-28 126392]

R2 NProtectService;Norton UnErase Protection;c:\progra~1\norton~2\norton~1\NPROTECT.EXE [2008-9-25 95600]

R3 BTCOMM;BTCOMM;c:\windows\system32\drivers\Btcomm.sys [2007-6-21 57640]

R3 BTKRNBDG;Bluetooth COM Bridge;c:\windows\system32\drivers\BtKrnBdg.sys [2007-6-21 15876]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-28 102448]

R3 iBurstu;iBurst Terminal;c:\windows\system32\drivers\iBurstu.sys [2010-5-25 37362]

R3 IDSxpx86;IDSxpx86;d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\ipsdefs\20091105.001\IDSxpx86.sys [2010-5-28 329592]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-5-26 20952]

R3 NAVENG;NAVENG;d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20100527.039\NAVENG.SYS [2010-5-28 85552]

R3 NAVEX15;NAVEX15;d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20100527.039\NAVEX15.SYS [2010-5-28 1347504]

R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-4-17 115944]

R3 vad_multi;Windigo Virtual Audio Device (WDM);c:\windows\system32\drivers\vadmulti.sys [2007-6-21 17792]

S2 aecr;aecr;\??\c:\windows\system32\drivers\aecr.sys --> c:\windows\system32\drivers\aecr.sys [?]

S2 AsyncMacj;AsyncMacj;\??\c:\windows\system32\drivers\asyncmacj.sys --> c:\windows\system32\drivers\AsyncMacj.sys [?]

S2 Bridgea;Bridgea;\??\c:\windows\system32\drivers\bridgea.sys --> c:\windows\system32\drivers\Bridgea.sys [?]

S2 BthEnumq;BthEnumq;\??\c:\windows\system32\drivers\bthenumq.sys --> c:\windows\system32\drivers\BthEnumq.sys [?]

S2 BTHMODEMq;BTHMODEMq;\??\c:\windows\system32\drivers\bthmodemq.sys --> c:\windows\system32\drivers\BTHMODEMq.sys [?]

S2 BthPanq;BthPanq;\??\c:\windows\system32\drivers\bthpanq.sys --> c:\windows\system32\drivers\BthPanq.sys [?]

S2 C-Dillaq;C-Dillaq;\??\c:\windows\system32\drivers\c-dillaq.sys --> c:\windows\system32\drivers\C-Dillaq.sys [?]

S2 C-Dillar;C-Dillar;\??\c:\windows\system32\drivers\c-dillar.sys --> c:\windows\system32\drivers\C-Dillar.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-5 135664]

S2 ooelmyonoa;Websense CPM Report Scheduler;c:\windows\system32\woofo.exe [2010-5-17 328704]

S2 opjvineyolmeo2;RUMBA AS/400 Shared Folders;c:\windows\system32\jabywoujoo.exe [2010-5-17 328704]

S3 CSRBC01;%CSRBC01.SvcDesc%;c:\windows\system32\drivers\CSRBC01.sys [2007-6-21 24859]

S3 iBcT0201;iBurst Modem Type02-01;c:\windows\system32\drivers\iBcT0201.sys [2010-4-8 37907]

S3 iBurst;iBurst Modem;c:\windows\system32\drivers\iBurst.sys [2010-4-8 36957]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-5-26 38224]

S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-12-18 138112]

S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-12-18 8320]

=============== Created Last 30 ================

2010-05-28 16:03:14 0 dcsha-r- C:\autorun.inf

2010-05-28 13:54:05 569856 ----a-w- d:\documents and settings\marius\ntuser.exe

2010-05-28 13:14:40 55296 ----a-w- d:\documents and settings\marius\Desktop.exe

2010-05-28 13:13:38 55808 ----a-w- d:\documents and settings\marius\default.exe

2010-05-28 13:13:34 569856 ----a-w- d:\documents and settings\all users\NTUSER.exe

2010-05-28 11:54:38 107368 ----a-r- c:\windows\system32\GEARAspi.dll

2010-05-28 11:52:59 0 d-----w- c:\windows\system32\drivers\N360

2010-05-28 11:52:56 0 d-----w- c:\program files\Norton 360

2010-05-26 19:02:02 0 d-----w- d:\docume~1\marius\applic~1\Malwarebytes

2010-05-26 19:01:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-26 19:01:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-26 19:01:43 0 d-----w- d:\docume~1\alluse~1\applic~1\Malwarebytes

2010-05-26 19:01:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-26 16:23:00 328704 ----a-w- c:\windows\system32\zemovouz.exe

2010-05-26 15:26:00 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-26 14:21:21 0 d-----w- c:\program files\iBurst Terminal

2010-05-26 13:33:56 0 d-----w- c:\program files\Microsoft Security Essentials

2010-05-25 11:40:55 37362 ----a-w- c:\windows\system32\drivers\iBurstu.sys

2010-05-25 08:01:10 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-05-18 11:37:32 1572 ----a-w- c:\windows\Sandboxie.ini

2010-05-18 11:37:18 0 d-----w- c:\program files\Sandboxie

2010-05-17 13:45:12 328704 ----a-w- c:\windows\system32\woofo.exe

2010-05-17 09:14:01 36480 ----a-w- c:\windows\system32\drivers\bthprint.sys

2010-05-17 09:14:01 36480 ----a-w- c:\windows\system32\dllcache\bthprint.sys

2010-05-17 09:14:01 18944 ----a-w- c:\windows\system32\drivers\bthusb.sys

2010-05-17 09:14:01 18944 ----a-w- c:\windows\system32\dllcache\bthusb.sys

2010-05-17 09:13:09 0 d-----w- c:\windows\system32\drivers\Bth Files

2010-05-17 08:40:19 328704 ----a-w- c:\windows\system32\vuvune.exe

2010-05-17 07:35:46 328704 ----a-w- c:\windows\system32\jabywoujoo.exe

2010-05-16 14:26:07 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

2010-05-16 14:21:41 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2010-05-16 11:07:17 328704 ----a-w- c:\windows\system32\quuwytty.exe

2010-05-16 11:06:48 328704 ----a-w- c:\windows\system32\dynycosec.exe

2010-05-15 12:24:54 0 d-----w- c:\windows\system32\wbem\Repository

2010-05-12 05:21:28 0 ---ha-w- d:\documents and settings\marius\Desktop.ini

==================== Find3M ====================

2010-05-28 11:54:18 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-05-28 11:54:18 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-05-28 11:54:18 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-05-28 11:54:18 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-05-27 10:31:17 2672 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-05-26 15:44:38 1033728 ----a-w- c:\windows\system32\dllcache\explorer.exe

2010-05-26 15:44:38 1033728 ----a-w- c:\windows\explorer.exe

2010-05-17 09:14:26 14528 ----a-w- c:\windows\system32\drivers\cdant.sys

2010-05-07 06:13:02 4182 --sha-w- d:\docume~1\alluse~1\applic~1\KGyGaAvL.sys

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll

2004-06-18 09:05:00 45056 ----a-w- c:\windows\inf\Slntinst.exe

2003-08-22 09:09:00 45056 ----a-w- c:\windows\inf\slntinst_staticW2k.exe

2008-09-17 07:52:27 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091720080918\index.dat

============= FINISH: 18:05:20.03 ===============

Attach.rar

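Added example (not code from this thread, from Blade81, or from the DDS/ComboFix tools): a small Python triage script that parses the two DDS sections quoted in the post above, the Run-key entries and the "Created Last 30" file list, and flags the patterns a helper looks for in a log like this one: an autorun.inf at a drive root with its attribute column decoded, several same-size .exe files created directly in system32, one binary registered under several Run-key value names, and executables dropped straight into a drive or profile root. The sample lines are copied from the log above; the line formats and the meaning of the attribute column (first character "d" for directory, "s"/"h"/"r" for system/hidden/read-only) are assumptions read off this log, not a documented DDS specification.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS.txt posted earlier in this thread.
SAMPLE_DDS = r"""
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [fissa] c:\windows\system32\quuwytty.exe
mRun: [ryvu] c:\windows\system32\quuwytty.exe
mRun: [pytukek] c:\windows\system32\quuwytty.exe
dRun: [fissa] d:\documents and settings\localservice\application data\microsoft\dynycosec.exe
=============== Created Last 30 ================
2010-05-28 16:03:14 0 dcsha-r- C:\autorun.inf
2010-05-28 13:54:05 569856 ----a-w- d:\documents and settings\marius\ntuser.exe
2010-05-26 19:01:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-26 16:23:00 328704 ----a-w- c:\windows\system32\zemovouz.exe
2010-05-17 13:45:12 328704 ----a-w- c:\windows\system32\woofo.exe
2010-05-17 08:40:19 328704 ----a-w- c:\windows\system32\vuvune.exe
2010-05-17 07:35:46 328704 ----a-w- c:\windows\system32\jabywoujoo.exe
2010-05-16 11:07:17 328704 ----a-w- c:\windows\system32\quuwytty.exe
2010-05-16 11:06:48 328704 ----a-w- c:\windows\system32\dynycosec.exe
"""

# "mRun: [value name] command"; the u/m/d prefix is the user/machine/default hive.
RUN_RE = re.compile(r"^([umd]Run(?:Once)?): \[(.*?)\] (.*)$")
# "YYYY-MM-DD HH:MM:SS size attrs path" as printed in the Created Last 30 section.
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([a-z-]{8})\s+(.+)$")
# First token of a Run command, quoted or not, ending in .exe.
EXE_RE = re.compile(r'^"?(.*?\.exe)"?(?:\s|$)', re.I)


def parse_dds(text):
    """Split a DDS log into Run-key entries and Created Last 30 file records."""
    runs, created = [], []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            hive, name, command = m.groups()
            e = EXE_RE.match(command)
            runs.append({"hive": hive, "name": name,
                         "exe": e.group(1).lower() if e else None})
            continue
        m = CREATED_RE.match(line)
        if m:
            when, size, attrs, path = m.groups()
            created.append({"when": when, "size": int(size), "attrs": attrs, "path": path})
    return runs, created


def decode_attrs(attrs):
    """Assumed reading of the attribute column seen in this log ('dcsha-r-', '----a-w-'):
    first character 'd' = directory; 's', 'h', 'r' = system, hidden, read-only."""
    return {"directory": attrs[0] == "d", "system": "s" in attrs,
            "hidden": "h" in attrs, "read_only": "r" in attrs}


def triage(text):
    """Return the indicators worth a second look in a DDS log."""
    runs, created = parse_dds(text)
    report = {"autorun": [], "same_size_clusters": {}, "shared_run_targets": {},
              "odd_location_exes": []}

    # 1. autorun.inf at a drive root. The worm drops a file there; a *directory* of that
    #    name is the usual defensive placeholder, so report which of the two it is.
    for f in created:
        if re.match(r"^[a-z]:\\autorun\.inf$", f["path"], re.I):
            report["autorun"].append({"path": f["path"], "size": f["size"],
                                      **decode_attrs(f["attrs"])})

    # 2. Three or more .exe files created directly in system32 with identical sizes:
    #    the footprint of one dropper writing randomly named copies of itself.
    by_size = defaultdict(list)
    for f in created:
        if re.search(r"\\system32\\[^\\]+\.exe$", f["path"], re.I):
            by_size[f["size"]].append(f["path"].lower())
    report["same_size_clusters"] = {s: p for s, p in by_size.items() if len(p) >= 3}

    # 3. One binary registered under several Run-key value names.
    by_exe = defaultdict(list)
    for r in runs:
        if r["exe"]:
            by_exe[r["exe"]].append(r["name"])
    report["shared_run_targets"] = {x: n for x, n in by_exe.items() if len(n) >= 2}

    # 4. Executables created directly in a drive root or a user-profile root.
    for f in created:
        if re.search(r"^(?:[a-z]:|.*\\documents and settings\\[^\\]+)\\[^\\]+\.exe$",
                     f["path"], re.I):
            report["odd_location_exes"].append(f["path"].lower())
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_DDS), indent=2))
```

Pass the full text of a saved DDS.txt to triage() to run it on a real log. On the sample above it reports the autorun.inf at C:\ as a hidden, system, read-only directory, a six-file cluster of 328704-byte executables in system32 (one of which, dynycosec.exe, is among the files ComboFix later removed in this thread), quuwytty.exe registered under the three Run values fissa, ryvu and pytukek, and ntuser.exe sitting directly in the user's profile root.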

uTorrent

BitComet

Vuze

Above listed ones are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My recommendation is to uninstall these (and others, if present) P2P file sharing programs.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.
  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt

New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.


Hi Blade81,

Many thanks for your further advice and assistance.

At first glance, the worm is still active on the removable drive (drive O:)

Logs follow, in 3 separate answers to avoid length.

Best wishes,

Marius

Here is the ComboFix log:

ComboFix 10-05-28.02 - Marius 2010/05/28 21:58:54.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1253.30.1033.18.1022.287 [GMT 2:00]

Running from: d:\documents and settings\Marius\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Thumbs.db

c:\windows\2.exe

c:\windows\system32\dynycosec.exe

D:\9rfpp.exe

d:\docume~1\Marius\LOCALS~1\Temp\502.exe

d:\documents and settings\Marius\Recent\Thumbs.db

D:\fk.exe

D:\i8ikdjwt.exe

D:\rpw.exe

O:\autorun.inf

c:\windows\system32\grpconv.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ASYNCMACQ

((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-28 )))))))))))))))))))))))))))))))

.

2010-05-28 20:26 . 2010-05-28 20:26 -------- d-----w- d:\documents and settings\Marius\Application Data\Tific

2010-05-28 20:19 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe

2010-05-28 11:54 . 2008-04-17 20:12 107368 ----a-r- c:\windows\system32\GEARAspi.dll

2010-05-28 11:52 . 2010-05-28 11:52 -------- d-----w- c:\windows\system32\drivers\N360

2010-05-28 11:52 . 2010-05-28 11:52 -------- d-----w- c:\program files\Norton 360

2010-05-28 11:52 . 2010-05-28 11:52 -------- d-----w- c:\program files\Windows Sidebar

2010-05-27 08:45 . 2010-05-27 08:45 -------- d-----w- d:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Vuze_Remote

2010-05-27 08:45 . 2010-05-27 08:45 -------- d-----w- d:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Apple

2010-05-26 19:02 . 2010-05-26 19:02 -------- d-----w- d:\documents and settings\Marius\Application Data\Malwarebytes

2010-05-26 19:01 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-26 19:01 . 2010-05-26 19:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-26 19:01 . 2010-05-26 19:01 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-26 19:01 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-26 16:23 . 2010-05-27 07:58 328704 ----a-w- c:\windows\system32\zemovouz.exe

2010-05-26 15:26 . 2010-05-21 12:14 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-26 14:27 . 2010-05-26 14:27 -------- d-----w- d:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\PCHealth

2010-05-26 14:21 . 2010-05-26 14:21 -------- d-----w- c:\program files\iBurst Terminal

2010-05-26 13:34 . 2010-05-26 13:34 -------- d-----w- d:\documents and settings\LocalService\Local Settings\Application Data\PCHealth

2010-05-26 13:33 . 2010-05-26 13:34 -------- d-----w- c:\program files\Microsoft Security Essentials

2010-05-25 11:40 . 2006-03-29 01:25 37362 ----a-w- c:\windows\system32\drivers\iBurstu.sys

2010-05-25 08:01 . 2010-05-25 08:01 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-05-18 11:37 . 2010-05-18 11:37 -------- d-----w- c:\program files\Sandboxie

2010-05-17 13:45 . 2010-05-16 11:06 328704 ----a-w- c:\windows\system32\woofo.exe

2010-05-17 09:14 . 2008-04-13 18:46 36480 ----a-w- c:\windows\system32\drivers\bthprint.sys

2010-05-17 09:14 . 2008-04-13 18:46 36480 ----a-w- c:\windows\system32\dllcache\bthprint.sys

2010-05-17 09:14 . 2008-04-13 18:46 18944 ----a-w- c:\windows\system32\drivers\bthusb.sys

2010-05-17 09:14 . 2008-04-13 18:46 18944 ----a-w- c:\windows\system32\dllcache\bthusb.sys

2010-05-17 09:13 . 2010-05-17 09:13 -------- d-----w- c:\windows\system32\drivers\Bth Files

2010-05-17 08:40 . 2010-05-16 11:06 328704 ----a-w- c:\windows\system32\vuvune.exe

2010-05-17 07:35 . 2010-05-16 11:06 328704 ----a-w- c:\windows\system32\jabywoujoo.exe

2010-05-16 14:26 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

2010-05-16 14:21 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2010-05-16 11:07 . 2010-05-16 11:06 328704 ----a-w- c:\windows\system32\quuwytty.exe

2010-05-15 12:29 . 2010-05-15 12:29 -------- d-----w- d:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Google

2010-05-15 12:28 . 2010-05-17 08:30 -------- d-----w- d:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft

2010-05-15 12:28 . 2010-05-17 08:31 -------- d-sh--w- d:\documents and settings\NetworkService.NT AUTHORITY

2010-05-15 12:24 . 2010-05-15 12:24 -------- d-----w- c:\windows\system32\wbem\Repository

2010-05-15 12:13 . 2010-05-15 12:13 -------- d-sh--w- d:\documents and settings\Administrator\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-28 20:23 . 2008-12-06 21:28 -------- d-----w- d:\documents and settings\Marius\Application Data\Orbit

2010-05-28 20:20 . 2007-06-21 09:55 12 ----a-w- c:\windows\bthservsdp.dat

2010-05-28 19:29 . 2007-05-26 12:49 -------- d-----w- d:\documents and settings\Marius\Application Data\Skype

2010-05-28 18:51 . 2007-05-28 12:23 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-05-28 17:00 . 2008-06-22 19:52 -------- d-----w- c:\program files\Monkey's Audio

2010-05-28 16:47 . 2007-12-18 10:00 -------- d-----w- c:\program files\Ricochet Infinity

2010-05-28 15:49 . 2010-04-24 13:36 -------- d-----w- d:\documents and settings\Marius\Application Data\uTorrent

2010-05-28 12:40 . 2010-04-16 07:26 -------- d-----w- d:\documents and settings\Marius\Application Data\Azureus

2010-05-28 11:57 . 2007-05-26 10:10 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-05-28 11:54 . 2009-04-24 16:26 -------- d-----w- c:\program files\Symantec

2010-05-28 11:54 . 2009-04-24 16:26 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-05-28 11:54 . 2009-04-24 16:26 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-05-28 11:54 . 2009-04-24 16:26 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-05-28 11:54 . 2009-04-24 16:26 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-05-28 11:52 . 2009-04-23 20:00 -------- d-----w- d:\documents and settings\All Users\Application Data\Norton

2010-05-28 11:03 . 2009-04-23 20:00 -------- d-----w- d:\documents and settings\All Users\Application Data\NortonInstaller

2010-05-27 10:31 . 2007-05-26 11:49 2672 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-05-26 15:44 . 2004-08-10 15:37 1033728 ----a-w- c:\windows\explorer.exe

2010-05-26 15:28 . 2009-05-22 19:35 -------- d-----w- c:\program files\DOSBox-0.72

2010-05-26 13:33 . 2007-05-26 10:10 -------- d-----w- d:\documents and settings\All Users\Application Data\Symantec

2010-05-26 11:41 . 2008-10-31 11:27 -------- d-----w- c:\program files\Security Task Manager

2010-05-24 20:39 . 2010-05-25 08:06 172102 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat

2010-05-23 10:19 . 2007-05-26 10:25 156304 ----a-w- d:\documents and settings\Marius\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-23 01:01 . 2010-02-04 04:21 -------- d-----w- d:\documents and settings\All Users\Application Data\Microsoft Help

2010-05-21 01:04 . 2007-05-27 11:34 -------- d-----w- c:\program files\Microsoft Works

2010-05-20 16:09 . 2010-04-16 08:33 -------- d-----w- c:\program files\Vuze_Remote

2010-05-18 11:59 . 2010-04-24 13:37 -------- d-----w- c:\program files\uTorrent

2010-05-18 09:28 . 2009-10-11 05:41 -------- d-----w- c:\program files\Lexmark 1200 Series

2010-05-17 10:00 . 2009-05-05 09:19 -------- d-----w- c:\program files\Norton SystemWorks

2010-05-17 09:14 . 2010-03-18 14:43 14528 ----a-w- c:\windows\system32\drivers\cdant.sys

2010-05-17 06:14 . 2008-10-21 13:10 -------- d-----w- c:\program files\Microsoft Silverlight

2010-05-16 07:12 . 2010-04-16 07:25 -------- d-----w- c:\program files\Vuze

2010-05-07 06:13 . 2009-04-29 10:29 4182 --sha-w- d:\documents and settings\All Users\Application Data\KGyGaAvL.sys

2010-04-26 16:13 . 2010-04-26 12:22 -------- d-----w- d:\documents and settings\Marius\Application Data\DVD Flick

2010-04-26 12:21 . 2010-04-26 12:21 -------- d-----w- c:\program files\DVD Flick

2010-04-20 08:58 . 2010-04-20 08:54 -------- d-----w- d:\documents and settings\Marius\Application Data\Jarte

2010-04-20 08:54 . 2010-04-20 08:54 -------- d-----w- c:\program files\Jarte

2010-04-16 08:33 . 2010-04-16 08:33 -------- d-----w- c:\program files\Conduit

2010-04-16 07:26 . 2010-04-16 07:26 -------- d-----w- d:\documents and settings\All Users\Application Data\Azureus

2010-04-11 08:49 . 2007-05-26 15:40 -------- d-----w- c:\program files\BitComet

2010-04-08 05:57 . 2010-04-08 05:57 -------- d-----w- c:\program files\iBurst

2010-04-08 05:57 . 2007-05-26 09:56 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-04-01 06:07 . 2008-03-26 17:04 -------- d-----w- d:\documents and settings\Marius\Application Data\Ahead

2010-03-10 06:15 . 2004-08-10 15:38 420352 ----a-w- c:\windows\system32\vbscript.dll

2007-08-25 03:52 . 2008-01-08 17:17 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuze.dll" [2010-03-17 2355224]

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

2010-03-17 13:45 2355224 ----a-w- c:\program files\Vuze_Remote\tbVuze.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuze.dll" [2010-03-17 2355224]

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\tbVuze.dll" [2010-03-17 2355224]

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"SMSERIAL"="sm56hlpr.exe" [2005-10-18 557056]

"RTHDCPL"="RTHDCPL.EXE" [2006-05-18 16207872]

"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]

"DetectorApp"="c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe" [2005-10-20 102400]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-05-16 86960]

"PCMService"="c:\apps\Powercinema\PCMService.exe" [2005-11-16 143360]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]

"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"BTUSRBDG"="BtUsrBdg.exe" [2003-11-05 53248]

"BTSETBOOTKEY"="BTSetBootKey.exe" [2003-04-15 36864]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]

"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-18 149280]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-01-13 37888]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]

"NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-27 2658304]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE" [2008-11-15 83232]

"NSWosCheck"="c:\program files\Norton SystemWorks\osCheck.exe" [2008-09-25 160112]

"NswUiTray"="c:\program files\Norton SystemWorks\NswUiTray.exe" [2008-09-25 85360]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-08 1657376]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-14 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]

"lxczbmgr.exe"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2007-04-19 74672]

"ryvu"="c:\windows\system32\quuwytty.exe" [2010-05-16 328704]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"pytukek"="c:\windows\system32\quuwytty.exe" [2010-05-16 328704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-03 435096]

d:\documents and settings\Marius\Start Menu\Programs\Startup\

WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2007-7-16 42168]

d:\documents and settings\All Users\Start Menu\Programs\Startup\

Free WebSite Tools.lnk - c:\program files\CoffeeCup Software\CoffeeCup Free FTP\ThirtyDayTimer.exe [2007-10-10 372224]

iBurst_Modem UTL.lnk - c:\program files\iBurst\iBurst_UTL.EXE [2010-4-8 311296]

iBurst_Terminal UTL.lnk - c:\program files\iBurst Terminal\iBurst_Terminal_UTL.EXE [2010-5-26 311296]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-1 805392]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2008-12-6 1690824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\progra~1\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 00:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"c:\\Program Files\\BitComet\\BitComet.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver2.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"12320:TCP"= 12320:TCP:BitComet 12320 TCP

"12320:UDP"= 12320:UDP:BitComet 12320 UDP

R0 IABFilt;Iomega Snapshot Volume Filter;c:\windows\system32\drivers\IABFilt.sys [2007/05/26 12:36 PM 25344]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0401000.020\SymDS.sys [2010/05/28 01:53 PM 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0401000.020\SymEFA.sys [2010/05/28 01:53 PM 172592]

R1 BHDrvx86;BHDrvx86;d:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100211.001\BHDrvx86.sys [2010/05/28 01:53 PM 536112]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0401000.020\cchpx86.sys [2010/05/28 01:53 PM 501888]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0401000.020\Ironx86.sys [2010/05/28 01:53 PM 116784]

R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2007/05/26 08:21 PM 3744]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008/11/01 07:00 AM 10640]

R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2007/05/26 08:21 PM 3904]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010/05/26 09:01 PM 304464]

R2 N360;Norton 360;c:\program files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe [2010/05/28 01:53 PM 126392]

R2 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~2\NORTON~1\NPROTECT.EXE [2008/09/25 02:53 PM 95600]

R2 ooelmyonoa;Websense CPM Report Scheduler;c:\windows\system32\woofo.exe [2010/05/17 03:45 PM 328704]

R3 BTCOMM;BTCOMM;c:\windows\system32\drivers\Btcomm.sys [2007/06/21 11:51 AM 57640]

R3 BTKRNBDG;Bluetooth COM Bridge;c:\windows\system32\drivers\BtKrnBdg.sys [2007/06/21 11:51 AM 15876]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010/05/28 02:11 PM 102448]

R3 iBurstu;iBurst Terminal;c:\windows\system32\drivers\iBurstu.sys [2010/05/25 01:40 PM 37362]

R3 IDSxpx86;IDSxpx86;d:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20091105.001\IDSxpx86.sys [2010/05/28 01:53 PM 329592]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010/05/26 09:01 PM 20952]

R3 vad_multi;Windigo Virtual Audio Device (WDM);c:\windows\system32\drivers\vadmulti.sys [2007/06/21 11:51 AM 17792]

S2 adsuhl0j8;AOL Connectivity Service;c:\windows\system32\cahizoofes.exe --> c:\windows\system32\cahizoofes.exe [?]

S2 aecr;aecr;\??\c:\windows\System32\DRIVERS\aecr.sys --> c:\windows\System32\DRIVERS\aecr.sys [?]

S2 AsyncMacj;AsyncMacj;\??\c:\windows\System32\DRIVERS\AsyncMacj.sys --> c:\windows\System32\DRIVERS\AsyncMacj.sys [?]

S2 Bridgea;Bridgea;\??\c:\windows\System32\DRIVERS\Bridgea.sys --> c:\windows\System32\DRIVERS\Bridgea.sys [?]

S2 BthEnumq;BthEnumq;\??\c:\windows\System32\DRIVERS\BthEnumq.sys --> c:\windows\System32\DRIVERS\BthEnumq.sys [?]

S2 BTHMODEMq;BTHMODEMq;\??\c:\windows\System32\DRIVERS\BTHMODEMq.sys --> c:\windows\System32\DRIVERS\BTHMODEMq.sys [?]

S2 BthPanq;BthPanq;\??\c:\windows\System32\DRIVERS\BthPanq.sys --> c:\windows\System32\DRIVERS\BthPanq.sys [?]

S2 C-Dillaq;C-Dillaq;\??\c:\windows\System32\DRIVERS\C-Dillaq.sys --> c:\windows\System32\DRIVERS\C-Dillaq.sys [?]

S2 C-Dillar;C-Dillar;\??\c:\windows\System32\DRIVERS\C-Dillar.sys --> c:\windows\System32\DRIVERS\C-Dillar.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010/03/05 04:27 PM 135664]

S2 opjvineyolmeo2;RUMBA AS/400 Shared Folders;c:\windows\system32\jabywoujoo.exe [2010/05/17 09:35 AM 328704]

S3 CSRBC01;%CSRBC01.SvcDesc%;c:\windows\system32\drivers\CSRBC01.sys [2007/06/21 11:51 AM 24859]

S3 iBcT0201;iBurst Modem Type02-01;c:\windows\system32\drivers\iBcT0201.sys [2010/04/08 07:57 AM 37907]

S3 iBurst;iBurst Modem;c:\windows\system32\drivers\iBurst.sys [2010/04/08 07:57 AM 36957]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010/05/26 09:01 PM 38224]

S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008/12/18 09:52 AM 138112]

S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008/12/18 09:52 AM 8320]

S4 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2007/12/31 11:45 AM 155136]

S4 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2007/12/31 11:45 AM 5248]

.

Contents of the 'Scheduled Tasks' folder

2010-05-27 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2010-05-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-05 14:26]

2010-05-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-05 14:26]

2010-05-28 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 16:02]

2010-05-28 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Marius.job

- c:\program files\Norton 360\Engine\4.1.0.32\Navw32.exe [2010-05-28 23:51]

2010-05-24 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job

- c:\program files\Norton SystemWorks\OBC.exe [2008-09-25 12:52]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.altavista.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm

IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta

FF - ProfilePath - d:\documents and settings\Marius\Application Data\Mozilla\Firefox\Profiles\vnslebjw.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.altavista.com/

FF - component: d:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\coFFPlgn\components\coFFPlgn.dll

FF - component: d:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\IPSFFPlgn\components\IPSFFPl.dll

FF - component: d:\documents and settings\Marius\Application Data\Mozilla\Firefox\Profiles\vnslebjw.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll

FF - component: d:\documents and settings\Marius\Application Data\Mozilla\Firefox\Profiles\vnslebjw.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-(Default) - c:\windows\$NtServicePackUninstall$\svchost.exe

HKLM-Run-Fax Machine - (no file)

HKLM-Run-fissa - c:\windows\system32\dynycosec.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,

Rootkit scan 2010-05-28 22:23

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]

"ImagePath"="\"c:\program files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.1.0.32\diMaster.dll\" /prefetch:1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(5656)

c:\windows\system32\WININET.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Microsoft Security Essentials\MsMpEng.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\DRIVERS\CDANTSRV.EXE

c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe

c:\apps\SAXO\HIDSERV.EXE

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\lxczcoms.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\sm56hlpr.exe

c:\windows\RTHDCPL.EXE

c:\program files\Common Files\Protexis\License Service\PsiService_2.exe

c:\program files\ATI Technologies\ATI.ACE\CLI.EXE

c:\program files\Sandboxie\SbieSvc.exe

c:\progra~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE

c:\windows\system32\rundll32.exe

c:\windows\system32\BtUsrBdg.exe

c:\windows\system32\BTSetBootKey.exe

c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe

c:\apps\Powercinema\Kernel\TV\CLSched.exe

c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\Lexmark 1200 Series\lxczbmon.exe

c:\windows\system32\vuvune.exe

c:\windows\system32\vuvune.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

c:\program files\Orbitdownloader\orbitnet.exe

c:\windows\system32\WgaTray.exe

c:\windows\system32\msiexec.exe

c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe

c:\windows\system32\wbem\wmiapsrv.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\MsiExec.exe

.

**************************************************************************

.

Completion time: 2010-05-28 22:35:12 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-28 20:35

Pre-Run: 10,137,481,216 bytes free

Post-Run: 9,923,932,160 bytes free

- - End Of File - - 8B83D17497661F993B3013D759511759


Here is the DDS log:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Marius at 22:37:25.53 on 2010/05/28

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16

Microsoft Windows XP Home Edition 5.1.2600.3.1253.30.1033.18.1022.298 [GMT 2:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

svchost.exe

C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE

c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe

C:\APPS\SAXO\HIDSERV.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\lxczcoms.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe

C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE

C:\WINDOWS\system32\woofo.exe

C:\WINDOWS\system32\woofo.exe

C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe

C:\WINDOWS\sm56hlpr.exe

C:\WINDOWS\RTHDCPL.EXE

c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

c:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Program Files\Sandboxie\SbieSvc.exe

C:\apps\Powercinema\PCMService.exe

C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\BtUsrBdg.exe

C:\WINDOWS\system32\BTSetBootKey.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe

C:\Program Files\Java\jre6\bin\jusched.exe

c:\apps\Powercinema\Kernel\TV\CLSched.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe

c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Norton SystemWorks\NswUiTray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe

C:\WINDOWS\system32\quuwytty.exe

C:\Program Files\Lexmark 1200 Series\lxczbmon.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\WINDOWS\system32\vuvune.exe

C:\WINDOWS\system32\quuwytty.exe

C:\WINDOWS\system32\vuvune.exe

C:\Program Files\iBurst\iBurst_UTL.EXE

C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Orbitdownloader\orbitdm.exe

C:\Program Files\WordWeb\wweb32.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\Orbitdownloader\orbitnet.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE

D:\Documents and Settings\Marius\Desktop\dds.com

C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

C:\WINDOWS\system32\MsiExec.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.altavista.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll

BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll

BHO: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - No File

BHO: {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - No File

BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File

BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No File

BHO: {ba14329e-9550-4989-b3f2-9732e92d17cc} - No File

BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File

BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [sMSERIAL] sm56hlpr.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [skyTel] SkyTel.EXE

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"

mRun: [DetectorApp] c:\program files\sonic\digitalmedia le v7\mydvd le\DetectorApp.exe

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [PCMService] "c:\apps\powercinema\PCMService.exe"

mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe

mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon

mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

mRun: [bTUSRBDG] BtUsrBdg.exe

mRun: [bTSETBOOTKEY] BTSetBootKey.exe

mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE

mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe" -lang 1033

mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [NSLauncher] c:\program files\nokia\nokia software launcher\NSLauncher.exe /startup

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [QuickFinder Scheduler] "c:\program files\corel\wordperfect office x4\programs\QFSCHD140.EXE"

mRun: [NSWosCheck] "c:\program files\norton systemworks\osCheck.exe"

mRun: [NswUiTray] c:\program files\norton systemworks\NswUiTray.exe

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [lxczbmgr.exe] "c:\program files\lexmark 1200 series\lxczbmgr.exe"

mRun: [ryvu] c:\windows\system32\quuwytty.exe

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [pytukek] c:\windows\system32\quuwytty.exe

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: d:\docume~1\marius\startm~1\programs\startup\wordweb.lnk - c:\program files\wordweb\wweb32.exe

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\freewe~1.lnk - c:\program files\coffeecup software\coffeecup free ftp\ThirtyDayTimer.exe

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\iburst~2.lnk - c:\program files\iburst\iBurst_UTL.EXE

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\iburst~1.lnk - c:\program files\iburst terminal\iBurst_Terminal_UTL.EXE

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe

IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm

IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202

IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html

IE: Open with WordPerfect - c:\program files\corel\wordperfect office x4\programs\WPLauncher.hta

IE: {5E638779-1818-4754-A595-EF1C63B87A56} - c:\program files\norton systemworks\norton cleanup\WCQuick.lnk

IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.2.28.dll/206

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab

DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab

DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/pm/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195018987453

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: {A79E8D8F-61AE-4413-80D0-287E6CBD7CAD} = 41.208.247.5 196.46.70.10

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\progra~1\qualcomm\eudora\EuShlExt.dll

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\marius\applic~1\mozilla\firefox\profiles\vnslebjw.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.altavista.com/

FF - component: d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\coffplgn\components\coFFPlgn.dll

FF - component: d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\ipsffplgn\components\IPSFFPl.dll

FF - component: d:\documents and settings\marius\application data\mozilla\firefox\profiles\vnslebjw.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll

FF - component: d:\documents and settings\marius\application data\mozilla\firefox\profiles\vnslebjw.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 IABFilt;Iomega Snapshot Volume Filter;c:\windows\system32\drivers\IABFilt.sys [2007-5-26 25344]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0401000.020\SymDS.sys [2010-5-28 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0401000.020\SymEFA.sys [2010-5-28 172592]

R1 BHDrvx86;BHDrvx86;d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\bashdefs\20100211.001\BHDrvx86.sys [2010-5-28 536112]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0401000.020\cchpx86.sys [2010-5-28 501888]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0401000.020\Ironx86.sys [2010-5-28 116784]

R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2007-5-26 3744]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-11-1 10640]

R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2007-5-26 3904]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-5-26 304464]

R2 N360;Norton 360;c:\program files\norton 360\engine\4.1.0.32\ccSvcHst.exe [2010-5-28 126392]

R2 NProtectService;Norton UnErase Protection;c:\progra~1\norton~2\norton~1\NPROTECT.EXE [2008-9-25 95600]

R2 ooelmyonoa;Websense CPM Report Scheduler;c:\windows\system32\woofo.exe [2010-5-17 328704]

R3 BTCOMM;BTCOMM;c:\windows\system32\drivers\Btcomm.sys [2007-6-21 57640]

R3 BTKRNBDG;Bluetooth COM Bridge;c:\windows\system32\drivers\BtKrnBdg.sys [2007-6-21 15876]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-28 102448]

R3 iBurstu;iBurst Terminal;c:\windows\system32\drivers\iBurstu.sys [2010-5-25 37362]

R3 IDSxpx86;IDSxpx86;d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\ipsdefs\20091105.001\IDSxpx86.sys [2010-5-28 329592]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-5-26 20952]

R3 NAVENG;NAVENG;d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20100527.039\NAVENG.SYS [2010-5-28 85552]

R3 NAVEX15;NAVEX15;d:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20100527.039\NAVEX15.SYS [2010-5-28 1347504]

R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-4-17 115944]

R3 vad_multi;Windigo Virtual Audio Device (WDM);c:\windows\system32\drivers\vadmulti.sys [2007-6-21 17792]

S2 adsuhl0j8;AOL Connectivity Service;c:\windows\system32\cahizoofes.exe --> c:\windows\system32\cahizoofes.exe [?]

S2 aecr;aecr;\??\c:\windows\system32\drivers\aecr.sys --> c:\windows\system32\drivers\aecr.sys [?]

S2 AsyncMacj;AsyncMacj;\??\c:\windows\system32\drivers\asyncmacj.sys --> c:\windows\system32\drivers\AsyncMacj.sys [?]

S2 Bridgea;Bridgea;\??\c:\windows\system32\drivers\bridgea.sys --> c:\windows\system32\drivers\Bridgea.sys [?]

S2 BthEnumq;BthEnumq;\??\c:\windows\system32\drivers\bthenumq.sys --> c:\windows\system32\drivers\BthEnumq.sys [?]

S2 BTHMODEMq;BTHMODEMq;\??\c:\windows\system32\drivers\bthmodemq.sys --> c:\windows\system32\drivers\BTHMODEMq.sys [?]

S2 BthPanq;BthPanq;\??\c:\windows\system32\drivers\bthpanq.sys --> c:\windows\system32\drivers\BthPanq.sys [?]

S2 C-Dillaq;C-Dillaq;\??\c:\windows\system32\drivers\c-dillaq.sys --> c:\windows\system32\drivers\C-Dillaq.sys [?]

S2 C-Dillar;C-Dillar;\??\c:\windows\system32\drivers\c-dillar.sys --> c:\windows\system32\drivers\C-Dillar.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-5 135664]

S2 opjvineyolmeo2;RUMBA AS/400 Shared Folders;c:\windows\system32\jabywoujoo.exe [2010-5-17 328704]

S3 CSRBC01;%CSRBC01.SvcDesc%;c:\windows\system32\drivers\CSRBC01.sys [2007-6-21 24859]

S3 iBcT0201;iBurst Modem Type02-01;c:\windows\system32\drivers\iBcT0201.sys [2010-4-8 37907]

S3 iBurst;iBurst Modem;c:\windows\system32\drivers\iBurst.sys [2010-4-8 36957]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-5-26 38224]

S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-12-18 138112]

S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-12-18 8320]

S4 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2007-12-31 155136]

S4 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2007-12-31 5248]

=============== Created Last 30 ================

2010-05-28 20:26:06 0 d-----w- d:\docume~1\marius\applic~1\Tific

2010-05-28 20:19:23 39424 ----a-w- c:\windows\system32\grpconv.exe

2010-05-28 20:19:23 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe

2010-05-28 19:54:46 98816 ----a-w- c:\windows\sed.exe

2010-05-28 19:54:46 77312 ----a-w- c:\windows\MBR.exe

2010-05-28 19:54:46 256512 ----a-w- c:\windows\PEV.exe

2010-05-28 19:54:46 161792 ----a-w- c:\windows\SWREG.exe

2010-05-28 19:47:32 52 ----a-w- d:\documents and settings\marius\defogger_reenable

2010-05-28 16:03:14 0 dc--a-r- C:\autorun.inf

2010-05-28 11:54:38 107368 ----a-r- c:\windows\system32\GEARAspi.dll

2010-05-28 11:52:59 0 d-----w- c:\windows\system32\drivers\N360

2010-05-28 11:52:56 0 d-----w- c:\program files\Norton 360

2010-05-26 19:02:02 0 d-----w- d:\docume~1\marius\applic~1\Malwarebytes

2010-05-26 19:01:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-26 19:01:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-26 19:01:43 0 d-----w- d:\docume~1\alluse~1\applic~1\Malwarebytes

2010-05-26 19:01:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-26 16:23:00 328704 ----a-w- c:\windows\system32\zemovouz.exe

2010-05-26 15:26:00 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-26 14:21:21 0 d-----w- c:\program files\iBurst Terminal

2010-05-26 13:33:56 0 d-----w- c:\program files\Microsoft Security Essentials

2010-05-25 11:40:55 37362 ----a-w- c:\windows\system32\drivers\iBurstu.sys

2010-05-25 08:01:10 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-05-18 11:37:32 1572 ----a-w- c:\windows\Sandboxie.ini

2010-05-18 11:37:18 0 d-----w- c:\program files\Sandboxie

2010-05-17 13:45:12 328704 ----a-w- c:\windows\system32\woofo.exe

2010-05-17 09:14:01 36480 ----a-w- c:\windows\system32\drivers\bthprint.sys

2010-05-17 09:14:01 36480 ----a-w- c:\windows\system32\dllcache\bthprint.sys

2010-05-17 09:14:01 18944 ----a-w- c:\windows\system32\drivers\bthusb.sys

2010-05-17 09:14:01 18944 ----a-w- c:\windows\system32\dllcache\bthusb.sys

2010-05-17 09:13:09 0 d-----w- c:\windows\system32\drivers\Bth Files

2010-05-17 08:40:19 328704 ----a-w- c:\windows\system32\vuvune.exe

2010-05-17 07:35:46 328704 ----a-w- c:\windows\system32\jabywoujoo.exe

2010-05-16 14:26:07 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

2010-05-16 14:21:41 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2010-05-16 11:07:17 328704 ----a-w- c:\windows\system32\quuwytty.exe

2010-05-15 12:24:54 0 d-----w- c:\windows\system32\wbem\Repository

2010-05-12 05:21:28 0 ---ha-w- d:\documents and settings\marius\Desktop.ini

==================== Find3M ====================

2010-05-28 11:54:18 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-05-28 11:54:18 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-05-28 11:54:18 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-05-28 11:54:18 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-05-27 10:31:17 2672 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-05-26 15:44:38 1033728 ----a-w- c:\windows\system32\dllcache\explorer.exe

2010-05-26 15:44:38 1033728 ----a-w- c:\windows\explorer.exe

2010-05-17 09:14:26 14528 ----a-w- c:\windows\system32\drivers\cdant.sys

2010-05-07 06:13:02 4182 --sha-w- d:\docume~1\alluse~1\applic~1\KGyGaAvL.sys

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll

2004-06-18 09:05:00 45056 ----a-w- c:\windows\inf\Slntinst.exe

2003-08-22 09:09:00 45056 ----a-w- c:\windows\inf\slntinst_staticW2k.exe

2008-09-17 07:52:27 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091720080918\index.dat

============= FINISH: 22:40:20.48 ===============


Here is the Attach log:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 2007/05/26 12:25:09 PM

System Uptime: 2010/05/28 10:21:17 PM (0 hours ago)

Motherboard: Packard Bell BV | | Cuba MS-7301

Processor: Intel® Pentium® D CPU 3.40GHz | Socket 775 | 3391/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 30 GiB total, 9.252 GiB free.

D: is FIXED (NTFS) - 203 GiB total, 19.544 GiB free.

E: is CDROM ()

F: is CDROM (CDFS)

G: is CDROM ()

H: is Removable

J: is Removable

K: is Removable

L: is Removable

O: is FIXED (FAT32) - 373 GiB total, 191.614 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: MAC Bridge Miniport

Device ID: ROOT\MS_BRIDGEMP\0000

Manufacturer: Microsoft

Name: MAC Bridge Miniport

PNP Device ID: ROOT\MS_BRIDGEMP\0000

Service: BridgeMP

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}

Description: PnP BIOS Extension

Device ID: ROOT\SYSTEM\0003

Manufacturer: (Standard system devices)

Name: PnP BIOS Extension

PNP Device ID: ROOT\SYSTEM\0003

Service: d347bus

==== System Restore Points ===================

RP1074: 2010/05/28 07:09:48 PM - System Checkpoint

RP1075: 2010/05/28 07:12:18 PM - Software Distribution Service 3.0

RP1076: 2010/05/28 08:29:22 PM - Software Distribution Service 3.0

==== Installed Programs ======================

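The DDS log above already carries enough structure to pick out the foreign entries without any signature: several auto-start (S2) services point at an image DDS marks with [?] (registered in the registry, not found on disk), and the "Created Last 30" section lists five executables dropped into system32 under random names with the identical size 328704, which is what the Run values "ryvu" and "pytukek" and the services "ooelmyonoa" and "opjvineyolmeo2" launch. The following triage script is an added example written for this page, not code from the thread, from DDS or from ComboFix. Its input is an excerpt of the log posted above; the three rules (image missing, same-size cluster, anything that launches a cluster member) and the orphan-BHO check are this example's own assumptions. Blade81's CFScript further down removes the same set of entries; because the sample is only an excerpt, the script reproduces part of that list.

```python
"""Added example for this thread: mechanical triage of a DDS log.
Written for illustration; not code from the forum, from DDS or from ComboFix.
The input is an excerpt of the log posted above; the rules are this example's own."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE_DDS = r"""
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [ryvu] c:\windows\system32\quuwytty.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [pytukek] c:\windows\system32\quuwytty.exe
BHO: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - No File
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-5-26 304464]
R2 ooelmyonoa;Websense CPM Report Scheduler;c:\windows\system32\woofo.exe [2010-5-17 328704]
S2 adsuhl0j8;AOL Connectivity Service;c:\windows\system32\cahizoofes.exe --> c:\windows\system32\cahizoofes.exe [?]
S2 aecr;aecr;\??\c:\windows\system32\drivers\aecr.sys --> c:\windows\system32\drivers\aecr.sys [?]
S2 AsyncMacj;AsyncMacj;\??\c:\windows\system32\drivers\asyncmacj.sys --> c:\windows\system32\drivers\AsyncMacj.sys [?]
S2 BthEnumq;BthEnumq;\??\c:\windows\system32\drivers\bthenumq.sys --> c:\windows\system32\drivers\BthEnumq.sys [?]
S2 C-Dillar;C-Dillar;\??\c:\windows\system32\drivers\c-dillar.sys --> c:\windows\system32\drivers\C-Dillar.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-5 135664]
S2 opjvineyolmeo2;RUMBA AS/400 Shared Folders;c:\windows\system32\jabywoujoo.exe [2010-5-17 328704]
2010-05-26 16:23:00 328704 ----a-w- c:\windows\system32\zemovouz.exe
2010-05-26 15:26:00 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-17 13:45:12 328704 ----a-w- c:\windows\system32\woofo.exe
2010-05-17 08:40:19 328704 ----a-w- c:\windows\system32\vuvune.exe
2010-05-17 07:35:46 328704 ----a-w- c:\windows\system32\jabywoujoo.exe
2010-05-16 11:07:17 328704 ----a-w- c:\windows\system32\quuwytty.exe
"""

# One DDS line shape per regex. 'target' is the path DDS prints after '-->' (with [?])
# when the registered image file cannot be found on disk.
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)"
                        r"(?: --> (?P<target>.*?))? \[(?P<info>[^\]]*)\]$")
RUN_RE = re.compile(r"^[mud]Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<size>\d+) \S+ (?P<path>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<clsid>\{[^}]+\}) - No File$")
PATTERNS = (("service", SERVICE_RE), ("run", RUN_RE), ("created", CREATED_RE), ("bho", BHO_RE))


def run_target(cmd: str) -> str:
    """Executable a Run value really starts: the quoted path, or the DLL behind rundll32."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    parts = cmd.split()
    if len(parts) > 1 and parts[0].lower() == "rundll32.exe":
        return parts[1].split(",")[0]
    return parts[0] if parts else ""


def same_size_cluster(created) -> set:
    """Recently created system32 executables sharing an exact byte size: the trace a
    dropper leaves when it writes one payload under several random names."""
    by_size = defaultdict(set)
    for size, path in created:
        p = PureWindowsPath(path)
        if p.suffix.lower() == ".exe" and p.parent.name.lower() == "system32":
            by_size[size].add(p.name.lower())
    return {name for names in by_size.values() if len(names) > 1 for name in names}


def triage(log: str) -> dict:
    """Return the same-size cluster and a list of (kind, name, reason) findings."""
    buckets = {kind: [] for kind, _ in PATTERNS}
    for raw in log.splitlines():
        for kind, rx in PATTERNS:
            m = rx.match(raw.strip())
            if m:
                buckets[kind].append(m.groupdict())
                break
    cluster = same_size_cluster((d["size"], d["path"]) for d in buckets["created"])
    findings = []
    for s in buckets["service"]:
        binary = PureWindowsPath(s["target"] or s["path"]).name.lower()
        if s["info"] == "?":   # auto-start entry whose image is gone, or hidden from the file API
            findings.append(("service", s["name"], f"image {binary} not on disk ([?])"))
        elif binary in cluster:
            findings.append(("service", s["name"], f"image {binary} is in the same-size cluster"))
    for r in buckets["run"]:
        binary = PureWindowsPath(run_target(r["cmd"])).name.lower()
        if binary in cluster:
            findings.append(("run", r["value"], f"launches cluster member {binary}"))
    for b in buckets["bho"]:
        findings.append(("bho", b["clsid"], "registered but DLL missing; orphan, cleanup only"))
    return {"cluster": cluster, "findings": findings}


def flagged(result: dict, kind: str) -> set:
    """Names of findings of one kind, for checking against a removal script."""
    return {name for k, name, _ in result["findings"] if k == kind}


if __name__ == "__main__":
    for kind, name, why in triage(SAMPLE_DDS)["findings"]:
        print(f"{kind:8}{name:36}{why}")
```

A [?] entry is worth a second look before deletion: an automatic-start driver with no file is usually a leftover, but a rootkit that hides its own image produces the same line, which is why ComboFix deals with the Legacy_ and Service_ keys rather than just the file. The cluster rule is the one that generalises best to other logs; a legitimate installer writes files of different sizes, a dropper writes one payload many times.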

Hi again,

Download & extract this file to its own folder - Registry Search

Launch Registry Search

In the search box, enter (on separate lines)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\aec

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\aecr

Click Ok.

Notepad will open with some text in it (the file will also be saved in the program's folder as well).

Post this text in your next reply.


Thanks for the report. Have the infected drive still plugged in during the process.

Open notepad and copy/paste the text in the quotebox below into it:

http://forums.malwarebytes.org/index.php?showtopic=51881
Driver::
ooelmyonoa
adsuhl0j8
aecr
AsyncMacj
Bridgea
BTHMODEMq
BthEnumq
BthPanq
C-Dillaq
C-Dillar
opjvineyolmeo2
Collect::
c:\windows\system32\zemovouz.exe
c:\windows\system32\woofo.exe
File::
c:\windows\system32\vuvune.exe
c:\windows\system32\jabywoujoo.exe
c:\windows\system32\quuwytty.exe
c:\windows\system32\cahizoofes.exe
c:\windows\System32\DRIVERS\aecr.sys
c:\windows\System32\DRIVERS\AsyncMacj.sys
c:\windows\System32\DRIVERS\Bridgea.sys
c:\windows\System32\DRIVERS\BthEnumq.sys
c:\windows\System32\DRIVERS\BTHMODEMq.sys
c:\windows\System32\DRIVERS\BthPanq.sys
c:\windows\System32\DRIVERS\C-Dillaq.sys
c:\windows\System32\DRIVERS\C-Dillar.sys
DDS::
BHO: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - No File
BHO: {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - No File
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No File
BHO: {ba14329e-9550-4989-b3f2-9732e92d17cc} - No File
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ryvu"=-
"pytukek"=-

Save this as

CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

[image: CFScriptB-4.gif]

Close all browser windows and, referring to the picture above, drag CFScript onto ComboFix.exe

Then post the resultant log.

Uninstall old Adobe Reader versions and get the latest one (both 9.3 and update 9.3.2) here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check free readers introduced here.

Uninstall your current Adobe shockwave player and get the fresh one here if needed.

Uninstall vulnerable Flash versions by following instructions here. Fresh version can be obtained here.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update to the latest version...

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 20.
  • Click the Download button to the right.
  • Select Windows on the platform combobox and check the box that says: Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.

Download ATF (Atribune Temp File) Cleaner

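The worm's foothold on the Iomega drive is the autorun.inf at its root, which is why the drive has to stay plugged in while ComboFix runs (the log in the next post shows O:\Autorun.inf among the deletions). The zero-byte, read-only directory named C:\autorun.inf in the DDS log is consistent with the immunisation that tools such as Flash_Disinfector apply: occupy the file name with a directory so the worm's next attempt to recreate the file fails. The script below is an added example written for this page, not code from the thread, from ComboFix or from Flash_Disinfector. It reads an autorun.inf the way a responder would, to see what AutoPlay and Explorer's context-menu verbs would execute, scores the USB-worm pattern (an executable launched behind an "Open folder to view files" label, or hijacked open/explore verbs), and immunises a drive root. The sample autorun.inf, the path data\photo.exe and the quarantine file name are constructed for the example; the FILE_ATTRIBUTE_* values are the documented Windows constants.

```python
"""Added example for this thread: read an autorun.inf as a responder would, then deny
the worm the file name. Constructed for illustration, not code from the forum,
ComboFix or Flash_Disinfector; the sample autorun.inf and all paths are made up."""
import ctypes
import os
import re
import tempfile
from pathlib import Path

# Constructed sample in the style of USB-spreading worms: 'action' mimics the stock
# Explorer AutoPlay entry so the user launches the payload unknowingly, and the
# open/explore verbs are hijacked so right-click > Explore runs it as well.
SAMPLE_AUTORUN = b"""
;; junk comments, blank lines and mixed case are common in worm-written files
[AutoRun]
OPEN=data\\photo.exe
shell\\open\\command=data\\photo.exe
shell\\explore\\Command=data\\photo.exe
shell=open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
label=Removable Disk
"""

EXEC_SUFFIXES = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs")
READONLY, HIDDEN, SYSTEM, NORMAL = 0x01, 0x02, 0x04, 0x80   # FILE_ATTRIBUTE_* values


def parse_autorun(data: bytes) -> dict:
    """Return the [autorun] section as a dict with lower-cased keys. Hand-rolled rather
    than configparser: worm-written files carry junk configparser rejects, and the
    rejected file is exactly the one you need to read."""
    keys, in_section = {}, False
    for raw in data.decode("latin-1").splitlines():      # latin-1 never raises
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            in_section = header.group(1).strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys


def launch_targets(keys: dict) -> list:
    """Every path AutoPlay or an Explorer context-menu verb could execute."""
    found = [keys[k] for k in ("open", "shellexecute") if k in keys]
    found += [v for k, v in keys.items() if k.startswith("shell\\") and k.endswith("\\command")]
    unique = []
    for target in found:                                  # de-duplicate, keep order
        if target.lower() not in [u.lower() for u in unique]:
            unique.append(target)
    return unique


def is_suspicious(keys: dict) -> bool:
    """Executable launched while the file poses as the normal 'open folder' entry or
    hijacks the open/explore verbs: the USB-worm pattern, not a driver CD's setup.exe."""
    runs_exe = any(t.lower().endswith(EXEC_SUFFIXES) for t in launch_targets(keys))
    spoofs_action = "open folder" in keys.get("action", "").lower()
    hijacks_verbs = any(k in keys for k in ("shell\\open\\command", "shell\\explore\\command"))
    return runs_exe and (spoofs_action or hijacks_verbs)


def immunize(drive_root) -> Path:
    """Occupy the name autorun.inf with a directory. A file cannot be created over a
    directory, so the worm's re-drop fails; on Windows the read-only/hidden/system
    attributes also stop casual deletion. An existing file is kept for analysis."""
    target = Path(drive_root) / "autorun.inf"
    if target.is_file():
        target.replace(target.with_name("autorun.inf.quarantined"))
    target.mkdir(exist_ok=True)
    if os.name == "nt":
        ctypes.windll.kernel32.SetFileAttributesW(str(target), READONLY | HIDDEN | SYSTEM)
    return target


def worm_can_plant(drive_root) -> bool:
    """What the worm does on every poll: try to (re)create autorun.inf as a file."""
    try:
        with open(Path(drive_root) / "autorun.inf", "w") as fh:
            fh.write("[autorun]\nopen=x.exe\n")
        return True
    except OSError:    # IsADirectoryError on POSIX, PermissionError on Windows
        return False


def demo_immunize() -> tuple:
    """Run the immunisation against a throwaway directory standing in for a drive root."""
    with tempfile.TemporaryDirectory() as root:
        before = worm_can_plant(root)                      # fresh root: the drop succeeds
        target = immunize(root)
        quarantined = target.with_name("autorun.inf.quarantined").is_file()
        after = worm_can_plant(root)                       # name taken by a directory: it fails
        if os.name == "nt":                                # let TemporaryDirectory clean up
            ctypes.windll.kernel32.SetFileAttributesW(str(target), NORMAL)
    return before, quarantined, after


if __name__ == "__main__":
    info = parse_autorun(SAMPLE_AUTORUN)
    print("would launch:", launch_targets(info), "| suspicious:", is_suspicious(info))
    print("planted before / quarantined / planted after:", demo_immunize())
```

Two caveats. The directory trick only blocks the re-drop; a dropper still running on the host keeps its other persistence (the Run values and services in the DDS log), so clean the host first and immunise the drives afterwards, as the thread does. And on XP the execution path can be removed entirely rather than just obstructed: setting NoDriveTypeAutoRun to 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer disables AutoRun for every drive type, after which an autorun.inf is just a text file until someone opens what it points to.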

Hi Blade81,

Many thanks for your latest post, it is much appreciated. I ran ComboFix again and this time at least one of the viruses has gone. I am attaching the log. I'm very happy, as this drive contains all my work backups.

I am still downloading Kaspersky (my connection is quite slow) and I will run the scan as soon as it is done.

Meantime, here is the ComboFix log.

Many thanks

Marius

ComboFix 10-05-28.06 - Marius 2010/05/29 14:25:28.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1253.30.1033.18.1022.485 [GMT 2:00]

Running from: d:\documents and settings\Marius\Desktop\Malware Removal\ComboFix.exe

Command switches used :: d:\documents and settings\Marius\Desktop\Malware Removal\CFScript.txt

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FILE ::

"c:\windows\system32\cahizoofes.exe"

"c:\windows\System32\DRIVERS\aecr.sys"

"c:\windows\System32\DRIVERS\AsyncMacj.sys"

"c:\windows\System32\DRIVERS\Bridgea.sys"

"c:\windows\System32\DRIVERS\BthEnumq.sys"

"c:\windows\System32\DRIVERS\BTHMODEMq.sys"

"c:\windows\System32\DRIVERS\BthPanq.sys"

"c:\windows\System32\DRIVERS\C-Dillaq.sys"

"c:\windows\System32\DRIVERS\C-Dillar.sys"

"c:\windows\system32\jabywoujoo.exe"

"c:\windows\system32\quuwytty.exe"

"c:\windows\system32\vuvune.exe"

file zipped: c:\windows\system32\zemovouz.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Thumbs.db

c:\windows\system32\jabywoujoo.exe

c:\windows\system32\quuwytty.exe

c:\windows\system32\vuvune.exe

c:\windows\system32\zemovouz.exe

O:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ADSUHL0J8

-------\Legacy_AECR

-------\Legacy_ASYNCMACJ

-------\Legacy_BRIDGEA

-------\Legacy_BTHENUMQ

-------\Legacy_BTHMODEMQ

-------\Legacy_BTHPANQ

-------\Legacy_C-DILLAQ

-------\Legacy_C-DILLAR

-------\Legacy_OOELMYONOA

-------\Legacy_OPJVINEYOLMEO2

-------\Service_adsuhl0j8

-------\Service_aecr

-------\Service_AsyncMacj

-------\Service_Bridgea

-------\Service_BthEnumq

-------\Service_BTHMODEMq

-------\Service_BthPanq

-------\Service_C-Dillaq

-------\Service_C-Dillar

-------\Service_ooelmyonoa

-------\Service_opjvineyolmeo2

((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-29 )))))))))))))))))))))))))))))))

.

2010-05-29 08:35 . 2010-05-29 08:35 -------- d-sh--w- d:\documents and settings\Marius\UserData

2010-05-28 20:26 . 2010-05-28 20:26 -------- d-----w- d:\documents and settings\Marius\Application Data\Tific

2010-05-28 20:19 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe

2010-05-28 20:19 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe

2010-05-28 11:54 . 2008-04-17 20:12 107368 ----a-r- c:\windows\system32\GEARAspi.dll

2010-05-28 11:52 . 2010-05-29 11:36 -------- d-----w- c:\windows\system32\drivers\N360

2010-05-28 11:52 . 2010-05-28 11:52 -------- d-----w- c:\program files\Norton 360

2010-05-28 11:52 . 2010-05-28 11:52 -------- d-----w- c:\program files\Windows Sidebar

2010-05-27 08:45 . 2010-05-27 08:45 -------- d-----w- d:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Vuze_Remote

2010-05-27 08:45 . 2010-05-27 08:45 -------- d-----w- d:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Apple

2010-05-26 19:02 . 2010-05-26 19:02 -------- d-----w- d:\documents and settings\Marius\Application Data\Malwarebytes

2010-05-26 19:01 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-26 19:01 . 2010-05-26 19:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-26 19:01 . 2010-05-26 19:01 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-26 19:01 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-26 15:26 . 2010-05-21 12:14 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-26 14:27 . 2010-05-26 14:27 -------- d-----w- d:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\PCHealth

2010-05-26 14:21 . 2010-05-26 14:21 -------- d-----w- c:\program files\iBurst Terminal

2010-05-26 13:34 . 2010-05-26 13:34 -------- d-----w- d:\documents and settings\LocalService\Local Settings\Application Data\PCHealth

2010-05-26 13:33 . 2010-05-26 13:34 -------- d-----w- c:\program files\Microsoft Security Essentials

2010-05-25 11:40 . 2006-03-29 01:25 37362 ----a-w- c:\windows\system32\drivers\iBurstu.sys

2010-05-25 08:01 . 2010-05-25 08:01 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-05-18 11:37 . 2010-05-18 11:37 -------- d-----w- c:\program files\Sandboxie

2010-05-17 09:14 . 2008-04-13 18:46 36480 ----a-w- c:\windows\system32\drivers\bthprint.sys

2010-05-17 09:14 . 2008-04-13 18:46 36480 ----a-w- c:\windows\system32\dllcache\bthprint.sys

2010-05-17 09:14 . 2008-04-13 18:46 18944 ----a-w- c:\windows\system32\drivers\bthusb.sys

2010-05-17 09:14 . 2008-04-13 18:46 18944 ----a-w- c:\windows\system32\dllcache\bthusb.sys

2010-05-17 09:13 . 2010-05-17 09:13 -------- d-----w- c:\windows\system32\drivers\Bth Files

2010-05-16 14:26 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

2010-05-16 14:21 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2010-05-15 12:29 . 2010-05-15 12:29 -------- d-----w- d:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Google

2010-05-15 12:28 . 2010-05-17 08:30 -------- d-----w- d:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft

2010-05-15 12:28 . 2010-05-17 08:31 -------- d-sh--w- d:\documents and settings\NetworkService.NT AUTHORITY

2010-05-15 12:24 . 2010-05-15 12:24 -------- d-----w- c:\windows\system32\wbem\Repository

2010-05-15 12:13 . 2010-05-15 12:13 -------- d-sh--w- d:\documents and settings\Administrator\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-29 12:42 . 2008-12-06 21:28 -------- d-----w- d:\documents and settings\Marius\Application Data\Orbit

2010-05-29 12:38 . 2007-06-21 09:55 12 ----a-w- c:\windows\bthservsdp.dat

2010-05-29 11:29 . 2007-05-26 12:49 -------- d-----w- d:\documents and settings\Marius\Application Data\Skype

2010-05-29 10:08 . 2007-05-28 12:23 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-05-29 10:07 . 2008-06-22 19:52 -------- d-----w- c:\program files\Monkey's Audio

2010-05-28 16:47 . 2007-12-18 10:00 -------- d-----w- c:\program files\Ricochet Infinity

2010-05-28 15:49 . 2010-04-24 13:36 -------- d-----w- d:\documents and settings\Marius\Application Data\uTorrent

2010-05-28 12:40 . 2010-04-16 07:26 -------- d-----w- d:\documents and settings\Marius\Application Data\Azureus

2010-05-28 11:57 . 2007-05-26 10:10 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-05-28 11:54 . 2009-04-24 16:26 -------- d-----w- c:\program files\Symantec

2010-05-28 11:54 . 2009-04-24 16:26 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-05-28 11:54 . 2009-04-24 16:26 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-05-28 11:54 . 2009-04-24 16:26 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-05-28 11:54 . 2009-04-24 16:26 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-05-28 11:52 . 2009-04-23 20:00 -------- d-----w- d:\documents and settings\All Users\Application Data\Norton

2010-05-28 11:03 . 2009-04-23 20:00 -------- d-----w- d:\documents and settings\All Users\Application Data\NortonInstaller

2010-05-28 08:32 . 2010-05-28 08:32 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{3B91107E-7F2D-48B1-99C2-CAEAFC7F8DBC}-movoro.exe

2010-05-28 08:32 . 2010-05-28 08:32 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{38B90DD6-E6BA-40A8-9819-2C433C733802}-movoro.exe

2010-05-28 08:31 . 2010-05-28 08:31 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{B223B9E0-562C-4960-A014-2E3E58D757F4}-movoro.exe

2010-05-28 08:31 . 2010-05-28 08:31 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{97914566-A05F-4B50-AEE8-5BF74E975371}-golijov.exe

2010-05-28 08:31 . 2010-05-28 08:31 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{C7BBB347-9103-4491-95F8-04533EFC4568}-movoro.exe

2010-05-28 08:31 . 2010-05-28 08:31 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{3511AD92-07CC-43E3-9B46-BBE0FB353EFA}-movoro.exe

2010-05-28 08:31 . 2010-05-28 08:31 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{F66B6197-D6CF-4581-A162-6D1E58B844C1}-golijov.exe

2010-05-28 08:30 . 2010-05-28 08:30 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{BBADC9B3-AD33-41C4-9397-6B4F59068232}-golijov.exe

2010-05-28 08:30 . 2010-05-28 08:30 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{D12AEAD5-8693-4F37-8EF1-1E1688DEE14E}-movoro.exe

2010-05-28 08:30 . 2010-05-28 08:30 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{75BAA601-56F9-4967-B4EA-185195626AFC}-movoro.exe

2010-05-28 08:29 . 2010-05-28 08:29 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{3E4E32A2-BE39-4D48-83C7-F5845C6153EF}-movoro.exe

2010-05-28 08:29 . 2010-05-28 08:29 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{20ADDF2E-92BB-4CE2-B020-AA960B04845E}-movoro.exe

2010-05-28 08:28 . 2010-05-28 08:28 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{8A62B891-5AED-4F15-A28E-B14A6281E442}-golijov.exe

2010-05-28 08:28 . 2010-05-28 08:28 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{6D9A83D8-26E9-4381-B788-2EDFD4C6365B}-golijov.exe

2010-05-28 08:27 . 2010-05-28 08:27 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{EE2B5AA9-199E-4257-8E71-B00C7CCF09E3}-movoro.exe

2010-05-28 08:27 . 2010-05-28 08:27 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{D9D52D26-8F4B-4F93-9A40-3975804C21F7}-golijov.exe

2010-05-28 08:27 . 2010-05-28 08:27 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{0DA1CFF2-6527-427D-BB99-6A54D0CDAA68}-movoro.exe

2010-05-28 08:25 . 2010-05-28 08:25 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{F34F12FC-B6D5-4822-B881-59D3F0CB751E}-golijov.exe

2010-05-28 08:25 . 2010-05-28 08:25 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{E70A829F-D98D-44D2-8B92-D95F047855D2}-golijov.exe

2010-05-28 08:25 . 2010-05-28 08:25 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{F80358B0-9F3B-4DB9-957A-04485A41757F}-movoro.exe

2010-05-28 08:25 . 2010-05-28 08:25 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{F4930DCC-C3D8-43DA-BCEF-33E4E1974917}-golijov.exe

2010-05-28 08:25 . 2010-05-28 08:25 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{BFB02048-BB5B-402B-A7A6-218C2A275E40}-golijov.exe

2010-05-28 08:25 . 2010-05-28 08:25 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{118BAF06-B9ED-4F3D-A5C5-94C073F48C9E}-golijov.exe

2010-05-28 08:24 . 2010-05-28 08:24 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{26085CB5-A5F5-44A3-9C16-1CD0A0FF7CDF}-golijov.exe

2010-05-28 08:24 . 2010-05-28 08:24 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{F85ACCD6-5484-45D5-BC4C-9BCF6A975344}-golijov.exe

2010-05-28 08:24 . 2010-05-28 08:24 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{8C0668B0-6E45-425A-AFE9-5EB3CCE06CAF}-golijov.exe

2010-05-28 08:24 . 2010-05-28 08:24 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{E5F5DC2D-42A4-4FA0-9F44-3DADD1B2090F}-golijov.exe

2010-05-28 08:24 . 2010-05-28 08:24 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{F5B0C99B-FFF6-4B36-A7A5-4BC87F519ABE}-golijov.exe

2010-05-28 08:24 . 2010-05-28 08:24 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{8CB35AE8-A49E-409B-A728-59BA5BE1612D}-golijov.exe

2010-05-28 08:24 . 2010-05-28 08:24 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{67AF620F-62CC-4340-99AF-53C6499D8A72}-golijov.exe

2010-05-28 08:23 . 2010-05-28 08:23 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{8798D216-A891-46EB-A2D2-3B1F24FBB5F6}-golijov.exe

2010-05-28 08:23 . 2010-05-28 08:23 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{B80B6A2D-3576-4C84-93ED-5DBF9754B347}-golijov.exe

2010-05-28 08:23 . 2010-05-28 08:23 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{A6A2FACF-6E25-4124-9D7B-B4A2DAEF17E0}-golijov.exe

2010-05-28 08:23 . 2010-05-28 08:23 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{9230E4CB-A9AD-4A1B-A540-BC3741B96250}-golijov.exe

2010-05-28 08:23 . 2010-05-28 08:23 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{37CF4903-8BD3-49BC-9938-B57E7B2F51E5}-golijov.exe

2010-05-28 08:23 . 2010-05-28 08:23 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{270D67D7-3167-47A3-B016-9ADD5FDDABB9}-golijov.exe

2010-05-28 08:23 . 2010-05-28 08:23 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{FFE58444-1E55-49EC-98DF-AD89D826370C}-golijov.exe

2010-05-28 08:23 . 2010-05-28 08:23 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{C440B3C2-DE26-4BBD-97E9-E169F53F92B6}-golijov.exe

2010-05-28 08:23 . 2010-05-28 08:23 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{A8C72DB0-35EE-4B48-8983-2139E232E2F8}-golijov.exe

2010-05-28 08:23 . 2010-05-28 08:23 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{DF28F90C-2091-4FE4-BF66-8DF942D3DCA4}-golijov.exe

2010-05-28 08:23 . 2010-05-28 08:23 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{97ED096A-FA63-4A72-85B1-63EE8EE32711}-golijov.exe

2010-05-28 08:22 . 2010-05-28 08:22 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{F18B3EEC-109F-4D3E-BE12-35DFCD2C33B1}-golijov.exe

2010-05-28 08:22 . 2010-05-28 08:22 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{55360075-AC03-49AF-8F28-AD8A46A5B644}-golijov.exe

2010-05-28 08:22 . 2010-05-28 08:22 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{09770A2C-0DA5-44F0-A85A-AB526FC676EB}-golijov.exe

2010-05-28 08:22 . 2010-05-28 08:22 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{78E4C804-E7FB-43A7-981D-89CE988E01F0}-golijov.exe

2010-05-28 08:22 . 2010-05-28 08:22 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{A543934D-8DF8-4CC5-B28D-FC58098A9414}-golijov.exe

2010-05-28 08:22 . 2010-05-28 08:22 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{09ED709D-85E4-4A04-AC81-8DF0CDEAF42A}-golijov.exe

2010-05-28 08:22 . 2010-05-28 08:22 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{CB446C60-1840-4108-B264-6D8B9A8552F7}-golijov.exe

2010-05-28 08:22 . 2010-05-28 08:22 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{5567AA55-AD81-4E9B-930A-498BCD32CB76}-golijov.exe

2010-05-28 08:22 . 2010-05-28 08:22 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{301AFFB8-F43F-49DA-9C4F-D7DA641CD4D6}-golijov.exe

2010-05-28 08:22 . 2010-05-28 08:22 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{067608DC-B09C-4E3C-9535-D0715B2B338D}-golijov.exe

2010-05-28 08:22 . 2010-05-28 08:22 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{A8EFAB3E-4363-45C8-BC21-EC12DBFF9F7C}-golijov.exe

2010-05-28 08:22 . 2010-05-28 08:22 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{438188E2-CA2F-4C0F-8FB7-6352CA0695F1}-golijov.exe

2010-05-28 08:21 . 2010-05-28 08:21 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{4E7B0675-1E73-40AB-81C0-7B4A0F78E38B}-golijov.exe

2010-05-28 08:21 . 2010-05-28 08:21 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{82BDCB0E-E479-4DED-A739-11F761BD9864}-golijov.exe

2010-05-28 08:21 . 2010-05-28 08:21 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{4AE5805B-9990-4DCA-83EA-AF5286413896}-golijov.exe

2010-05-28 08:21 . 2010-05-28 08:21 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{6B422C63-3F45-47CB-9B21-4C7DDCDA8C74}-golijov.exe

2010-05-28 08:21 . 2010-05-28 08:21 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{2786A357-9587-4551-BE29-4493868B3F16}-golijov.exe

2010-05-28 08:21 . 2010-05-28 08:21 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{E9B2219E-234F-4DB8-A62F-0ACB8588B4FA}-golijov.exe

2010-05-28 08:21 . 2010-05-28 08:21 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{2244C265-89BB-4B0A-AD80-CDB05AEDFC62}-golijov.exe

2010-05-28 08:20 . 2010-05-28 08:20 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{60B0FEF5-DB0A-41D6-8065-880F5599B55E}-golijov.exe

2010-05-28 08:20 . 2010-05-28 08:20 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{A4C1E3E7-CDCE-4F6B-867A-1319D90DBDAF}-golijov.exe

2010-05-28 08:20 . 2010-05-28 08:20 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{AA3B357D-62CA-47AD-9AC7-4CD8FAF7AE06}-golijov.exe

2010-05-28 08:20 . 2010-05-28 08:20 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{FDA9C29B-7662-4910-B71D-6520B0E8A70D}-golijov.exe

2010-05-28 08:20 . 2010-05-28 08:20 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{43BC7E13-15F9-4660-B873-983BE3EA2960}-golijov.exe

2010-05-28 08:20 . 2010-05-28 08:20 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{609E6452-7D7D-4318-B24F-5E708496EB2B}-golijov.exe

2010-05-28 08:20 . 2010-05-28 08:20 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{3E389E07-0D81-4DAA-B37A-75414525FAC9}-golijov.exe

2010-05-28 08:19 . 2010-05-28 08:19 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{366062D4-6DBC-4B7D-804C-89DAC60430A2}-golijov.exe

2010-05-28 08:19 . 2010-05-28 08:19 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{9FF4208D-E045-487A-B175-3547966E8B9E}-golijov.exe

2010-05-28 08:19 . 2010-05-28 08:19 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{616FA222-CB2F-4D00-B679-07D834CBDAA4}-golijov.exe

2010-05-28 08:19 . 2010-05-28 08:19 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{4A3BEEFC-5010-4D2E-91BD-4A769336BEED}-golijov.exe

2010-05-28 08:19 . 2010-05-28 08:19 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{3C6E67A0-B145-4F1F-8E30-06B722DD1557}-golijov.exe

2010-05-28 08:18 . 2010-05-28 08:18 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{D367A540-9D20-4EA1-BD29-82909EE1CB55}-golijov.exe

2010-05-28 08:18 . 2010-05-28 08:18 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{F937585A-77B5-4024-A95B-BA09B6A9A592}-golijov.exe

2010-05-28 08:18 . 2010-05-28 08:18 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{B24B645D-3969-4C5F-B69F-7C6CD94A1E79}-golijov.exe

2010-05-28 08:18 . 2010-05-28 08:18 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{5D63BF96-DF27-4E3B-B8AB-A518BB54C259}-golijov.exe

2010-05-28 08:17 . 2010-05-28 08:17 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{7B722B4E-B4A7-4A68-AA2A-5A73FFC5C467}-golijov.exe

2010-05-28 08:17 . 2010-05-28 08:17 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{6E4C98CD-C859-4C95-8A09-F18D6E6141E9}-golijov.exe

2010-05-28 08:17 . 2010-05-28 08:17 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{DCE4DB97-0A03-46A6-9296-A4CEBAF65941}-golijov.exe

2010-05-28 08:15 . 2010-05-28 08:15 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{2F77C59F-28AD-4C27-BE2D-7A4C24FC9CD3}-golijov.exe

2010-05-28 08:15 . 2010-05-28 08:15 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{B2B79102-5608-4D4C-8379-13172993B036}-golijov.exe

2010-05-28 06:41 . 2010-05-28 06:41 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{40B355B0-DDFD-4C7F-B9C9-22A6D0199130}-07 Under My Skin.exe

2010-05-28 06:41 . 2010-05-28 06:41 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{A9441636-1BF0-43B2-A2E2-B38C8A9360BE}-06 Sunshine.exe

2010-05-28 06:41 . 2010-05-28 06:41 0 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{C41C6FC0-D1D8-48F9-A8D6-820E1CBAFBC2}-05 Trip Hoppin'.exe

2007-08-25 03:52 . 2008-01-08 17:17 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"SMSERIAL"="sm56hlpr.exe" [2005-10-18 557056]

"RTHDCPL"="RTHDCPL.EXE" [2006-05-18 16207872]

"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]

"DetectorApp"="c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe" [2005-10-20 102400]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-05-16 86960]

"PCMService"="c:\apps\Powercinema\PCMService.exe" [2005-11-16 143360]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]

"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"BTUSRBDG"="BtUsrBdg.exe" [2003-11-05 53248]

"BTSETBOOTKEY"="BTSetBootKey.exe" [2003-04-15 36864]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]

"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-18 149280]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-01-13 37888]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]

"NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-27 2658304]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE" [2008-11-15 83232]

"NSWosCheck"="c:\program files\Norton SystemWorks\osCheck.exe" [2008-09-25 160112]

"NswUiTray"="c:\program files\Norton SystemWorks\NswUiTray.exe" [2008-09-25 85360]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-08 1657376]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-14 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]

"lxczbmgr.exe"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2007-04-19 74672]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-03 435096]

d:\documents and settings\Marius\Start Menu\Programs\Startup\

WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2007-7-16 42168]

d:\documents and settings\All Users\Start Menu\Programs\Startup\

Free WebSite Tools.lnk - c:\program files\CoffeeCup Software\CoffeeCup Free FTP\ThirtyDayTimer.exe [2007-10-10 372224]

iBurst_Modem UTL.lnk - c:\program files\iBurst\iBurst_UTL.EXE [2010-4-8 311296]

iBurst_Terminal UTL.lnk - c:\program files\iBurst Terminal\iBurst_Terminal_UTL.EXE [2010-5-26 311296]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-1 805392]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2008-12-6 1690824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\progra~1\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 00:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"c:\\Program Files\\BitComet\\BitComet.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver2.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"12320:TCP"= 12320:TCP:BitComet 12320 TCP

"12320:UDP"= 12320:UDP:BitComet 12320 UDP

R0 IABFilt;Iomega Snapshot Volume Filter;c:\windows\system32\drivers\IABFilt.sys [2007/05/26 12:36 PM 25344]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0402000.00C\symds.sys [2010/05/29 06:22 AM 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0402000.00C\symefa.sys [2010/05/29 06:22 AM 173104]

R1 BHDrvx86;BHDrvx86;d:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [2010/05/28 11:13 PM 537136]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0402000.00C\cchpx86.sys [2010/05/29 06:22 AM 501888]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0402000.00C\ironx86.sys [2010/05/29 06:22 AM 116784]

R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2007/05/26 08:21 PM 3744]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008/11/01 07:00 AM 10640]

R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2007/05/26 08:21 PM 3904]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010/05/26 09:01 PM 304464]

R2 N360;Norton 360;c:\program files\Norton 360\Engine\4.2.0.12\ccsvchst.exe [2010/05/29 06:22 AM 126392]

R2 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~2\NORTON~1\NPROTECT.EXE [2008/09/25 02:53 PM 95600]

R3 BTCOMM;BTCOMM;c:\windows\system32\drivers\Btcomm.sys [2007/06/21 11:51 AM 57640]

R3 BTKRNBDG;Bluetooth COM Bridge;c:\windows\system32\drivers\BtKrnBdg.sys [2007/06/21 11:51 AM 15876]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010/05/28 02:11 PM 102448]

R3 iBurstu;iBurst Terminal;c:\windows\system32\drivers\iBurstu.sys [2010/05/25 01:40 PM 37362]

R3 IDSxpx86;IDSxpx86;d:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20100520.001\IDSXpx86.sys [2009/10/29 12:37 AM 329592]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010/05/26 09:01 PM 20952]

R3 vad_multi;Windigo Virtual Audio Device (WDM);c:\windows\system32\drivers\vadmulti.sys [2007/06/21 11:51 AM 17792]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010/03/05 04:27 PM 135664]

S3 CSRBC01;%CSRBC01.SvcDesc%;c:\windows\system32\drivers\CSRBC01.sys [2007/06/21 11:51 AM 24859]

S3 iBcT0201;iBurst Modem Type02-01;c:\windows\system32\drivers\iBcT0201.sys [2010/04/08 07:57 AM 37907]

S3 iBurst;iBurst Modem;c:\windows\system32\drivers\iBurst.sys [2010/04/08 07:57 AM 36957]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010/05/26 09:01 PM 38224]

S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008/12/18 09:52 AM 138112]

S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008/12/18 09:52 AM 8320]

S4 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2007/12/31 11:45 AM 155136]

S4 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2007/12/31 11:45 AM 5248]

.

Contents of the 'Scheduled Tasks' folder

2010-05-27 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-05 14:26]

2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-05 14:26]

2010-05-29 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 16:02]

2010-05-29 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Marius.job

- c:\program files\Norton 360\Engine\4.2.0.12\navw32.exe [2010-05-29 05:34]

2010-05-24 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job

- c:\program files\Norton SystemWorks\OBC.exe [2008-09-25 12:52]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.altavista.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm

IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta

FF - ProfilePath - d:\documents and settings\Marius\Application Data\Mozilla\Firefox\Profiles\vnslebjw.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.altavista.com/

FF - component: d:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\coFFPlgn\components\coFFPlgn.dll

FF - component: d:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\IPSFFPlgn\components\IPSFFPl.dll

FF - component: d:\documents and settings\Marius\Application Data\Mozilla\Firefox\Profiles\vnslebjw.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll

FF - component: d:\documents and settings\Marius\Application Data\Mozilla\Firefox\Profiles\vnslebjw.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-29 14:40

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]

"ImagePath"="\"c:\program files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.2.0.12\diMaster.dll\" /prefetch:1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(5924)

c:\windows\system32\WININET.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Microsoft Security Essentials\MsMpEng.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\DRIVERS\CDANTSRV.EXE

c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe

c:\apps\SAXO\HIDSERV.EXE

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\lxczcoms.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Common Files\Protexis\License Service\PsiService_2.exe

c:\program files\Sandboxie\SbieSvc.exe

c:\progra~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE

c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe

c:\apps\Powercinema\Kernel\TV\CLSched.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\WgaTray.exe

c:\windows\sm56hlpr.exe

c:\windows\RTHDCPL.EXE

c:\program files\ATI Technologies\ATI.ACE\CLI.EXE

c:\windows\system32\rundll32.exe

c:\windows\system32\BtUsrBdg.exe

c:\windows\system32\BTSetBootKey.exe

c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

c:\windows\system32\msiexec.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe

c:\program files\Lexmark 1200 Series\lxczbmon.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\wbem\wmiapsrv.exe

c:\program files\Orbitdownloader\orbitnet.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

c:\program files\ATI Technologies\ATI.ACE\cli.exe

c:\program files\ATI Technologies\ATI.ACE\cli.exe

c:\windows\system32\MsiExec.exe

.

**************************************************************************

.

Completion time: 2010-05-29 14:51:58 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-29 12:51

ComboFix2.txt 2010-05-28 20:35

Pre-Run: 9,442,689,024 bytes free

Post-Run: 9,733,398,528 bytes free

- - End Of File - - 14EB97FFC299809A53B1C4CE2AC3BCF4


Dear Blade81,

Sorry to be so slow. I was unable to run Kaspersky in the end; I am not sure why -- it wouldn't complete the download.

However the good news is that the rimecud worm has now been killed as well as the other Trojans. The drive appears to be malware-free.

I think the last ComboFix scan with the parameters you gave did the trick.

I want to thank you very much for your dedication and help. It is much appreciated. Kiitoksia oikein paljon!

Marius


  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

