
Multiple Malware



ComboFix 10-06-10.03 - Owner 06/10/2010 14:09:46.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.497 [GMT -7:00]

Running from: f:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\AVG.exe

c:\documents and settings\Owner\g2mdlhlpx.exe

c:\documents and settings\Owner\Local Settings\Application Data\syssvc.exe

c:\program files\Common Files\SLMSS

c:\winnt\box boat blue.ico

c:\winnt\Downloaded Program Files\popcaploader.inf

c:\winnt\patch.exe

c:\winnt\system32\404Fix.exe

c:\winnt\system32\ad020326.de

c:\winnt\system32\Agent.OMZ.Fix.exe

c:\winnt\system32\bilaowic.ini

c:\winnt\system32\Cache

c:\winnt\system32\Cache\buts.bin

c:\winnt\system32\Cache\msg.bin

c:\winnt\system32\Data

c:\winnt\system32\dumphive.exe

c:\winnt\system32\IEDFix.C.exe

c:\winnt\system32\IEDFix.exe

c:\winnt\system32\o4Patch.exe

c:\winnt\system32\office.exe

c:\winnt\system32\Process.exe

c:\winnt\system32\SrchSTS.exe

c:\winnt\system32\Thumbs.db

c:\winnt\system32\tmp.reg

c:\winnt\system32\trxcadqs.ini

c:\winnt\system32\update.txt

c:\winnt\system32\VACFix.exe

c:\winnt\system32\VCCLSID.exe

c:\winnt\system32\WS2Fix.exe

c:\winnt\Tasks\maspevog.job

F:\install.exe

Infected copy of c:\winnt\system32\drivers\imapi.sys was found and disinfected

Restored copy from - Kitty had a snack :)

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ZESOFT

((((((((((((((((((((((((( Files Created from 2010-05-10 to 2010-06-10 )))))))))))))))))))))))))))))))

.

2010-06-10 02:29 . 2010-03-01 17:05 124784 ----a-w- c:\winnt\system32\drivers\avipbb.sys

2010-06-10 02:29 . 2010-02-16 21:24 60936 ----a-w- c:\winnt\system32\drivers\avgntflt.sys

2010-06-10 02:29 . 2009-05-11 19:49 45416 ----a-w- c:\winnt\system32\drivers\avgntdd.sys

2010-06-10 02:29 . 2009-05-11 19:49 22360 ----a-w- c:\winnt\system32\drivers\avgntmgr.sys

2010-06-10 02:29 . 2010-06-10 02:29 -------- d-----w- c:\program files\Avira

2010-06-10 02:29 . 2010-06-10 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-06-10 01:07 . 2010-06-09 17:14 15880 ----a-w- c:\winnt\system32\lsdelete.exe

2010-06-09 17:15 . 2010-06-09 17:14 64288 ----a-w- c:\winnt\system32\drivers\Lbd.sys

2010-06-09 17:14 . 2010-06-09 17:14 95024 ----a-w- c:\winnt\system32\drivers\SBREDrv.sys

2010-06-09 17:03 . 2010-06-09 17:03 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-06-08 19:21 . 2010-06-10 21:05 951 ----a-w- c:\winnt\system32\nvshkllj.dat

2010-06-08 19:21 . 2010-06-10 21:05 2126 ----a-w- c:\winnt\system32\netcmgx.dat

2010-06-08 17:49 . 2010-06-10 20:56 0 ----a-w- c:\winnt\system32\mcione16.dat

2010-06-08 17:12 . 2010-06-08 17:12 -------- d-----w- C:\spoolerlogs

2010-06-08 16:57 . 2010-06-08 16:57 50981 ----a-w- c:\winnt\system32\oxszuablmrdwz.exe

2010-06-08 16:57 . 2010-06-08 16:57 -------- d-----w- c:\program files\$NtUninstallWTF1012$

2010-06-08 16:57 . 2010-06-08 19:28 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\WisePlay

2010-06-08 16:56 . 2010-06-10 21:31 951 ----a-w- c:\winnt\system32\loadpegf.dat

2010-06-08 16:56 . 2010-06-10 21:30 1407 ----a-w- c:\winnt\system32\eappgaui.dat

2010-06-08 16:56 . 2010-06-10 21:30 0 ----a-w- c:\winnt\system32\xvidcwre.dat

2010-06-08 16:56 . 2010-06-10 20:04 307 ----a-w- c:\winnt\system32\nvdisssr.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-10 17:56 . 2010-03-01 03:06 0 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\prvlcl.dat

2010-06-09 17:04 . 2003-08-23 01:43 -------- d-----w- c:\program files\Lavasoft

2010-06-09 04:50 . 2009-02-12 04:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-08 17:04 . 2010-02-21 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-06-05 08:18 . 2009-05-13 05:34 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-02 15:28 . 2009-03-31 14:53 242896 ----a-w- c:\winnt\system32\drivers\avgtdix.sys

2010-06-02 15:28 . 2007-02-20 04:39 29584 ----a-w- c:\winnt\system32\drivers\avgmfx86.sys

2010-06-02 03:45 . 2002-11-10 07:08 -------- d-----w- c:\program files\Microsoft Games

2010-05-30 04:40 . 2007-12-12 02:25 -------- d--h--w- c:\documents and settings\Owner\Application Data\BitTorrent

2010-05-24 00:09 . 2010-03-12 04:48 -------- d-----w- c:\program files\Farm Frenzy 3

2010-05-21 21:14 . 2009-10-03 01:08 221568 ------w- c:\winnt\system32\MpSigStub.exe

2010-05-02 21:11 . 2008-02-03 04:14 -------- d-----w- c:\program files\Yahoo! Games

2010-04-29 22:39 . 2009-02-12 04:50 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39 . 2009-02-12 04:50 20952 ----a-w- c:\winnt\system32\drivers\mbam.sys

2010-04-28 06:45 . 2005-09-01 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!

2010-04-28 06:45 . 2002-04-30 20:01 -------- d-----w- c:\program files\Yahoo!

2010-04-25 20:49 . 2009-12-21 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts

2010-04-13 02:37 . 2010-04-13 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\ShinyTales

2010-03-14 15:53 . 2010-03-14 15:53 12464 ----a-w- c:\winnt\system32\avgrsstx.dll

2010-03-14 15:52 . 2009-03-31 14:53 216200 ----a-w- c:\winnt\system32\drivers\avgldx86.sys

2008-05-25 02:40 . 2007-10-31 04:55 184 ----a-w- c:\program files\QAUDIO.INI

2007-10-31 04:54 . 2007-10-31 04:54 5384603 ----a-w- c:\program files\EasyMp3setup.exe

2007-09-03 16:34 . 2007-10-31 04:23 1593344 ----a-w- c:\program files\QAUDIO.EXE

2007-08-21 17:24 . 2007-10-31 04:23 47080 ----a-w- c:\program files\QuickAudio.chm

2007-08-14 18:58 . 2007-10-31 04:23 118878 ----a-w- c:\program files\soundstretch.exe

2004-12-21 02:44 . 2007-10-31 04:23 682085 ----a-w- c:\program files\sox.exe

2003-11-22 19:37 . 2007-10-31 04:23 74240 ----a-w- c:\program files\oggdec.exe

2003-11-22 19:36 . 2007-10-31 04:23 155136 ----a-w- c:\program files\oggenc.exe

2003-01-09 07:43 . 2007-10-31 04:23 569344 ----a-w- c:\program files\lame.exe

2000-01-28 02:19 . 2007-10-31 04:23 1048576 ----a-w- c:\program files\ROBOEX32.DLL

1999-01-28 23:44 . 2007-10-31 04:23 49152 ----a-w- c:\program files\INETWH32.DLL

1995-08-29 12:52 . 2007-10-31 04:23 49152 ----a-w- c:\program files\BIDS45F.DLL

1995-08-29 12:52 . 2007-10-31 04:23 176128 ----a-w- c:\program files\CW3215.DLL

1995-02-28 19:16 . 2007-10-31 04:23 211488 ----a-w- c:\program files\BWCC32.DLL

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35627A0E-5D1E-45cd-AE24-C1D59CCCC18F}]

2010-06-08 16:57 88064 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\WisePlay\wiseplie.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\nvdisssr]

@="{BD9833DF-3341-7132-A234-BDFF3C341733}"

[HKEY_CLASSES_ROOT\CLSID\{BD9833DF-3341-7132-A234-BDFF3C341733}]

2008-05-16 18:31 135168 ----a-w- c:\winnt\system32\nvdisssr.ocx

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-05-26 2346192]

"wben"="c:\program files\Starfield\Desktop Notifier\wben.exe" [2009-06-25 338456]

"RCUI"="c:\program files\RingCentral\RingCentral Call Controller\RCUI.exe" [2009-05-04 479232]

"RCHotKey"="c:\program files\RingCentral\RingCentral Call Controller\RCHotKey.exe" [2009-05-04 32768]

"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-03 136176]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Shockwave Updater"="c:\winnt\system32\Adobe\Shockwave 11\SwHelper_1150595.exe" [2009-03-19 460216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2008-05-16 13529088]

"nwiz"="nwiz.exe" [2008-05-16 1630208]

"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 19968]

"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 66048]

"GWMDMMSG"="GWMDMMSG.exe" [2001-11-27 101615]

"AudioHQ"="c:\program files\Creative\SBLive\AudioHQ\AHQTB.EXE" [2001-08-18 180224]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-04 185896]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

"NvMediaCenter"="c:\winnt\system32\NvMcTray.dll" [2008-05-16 86016]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-11-06 741376]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"SpecifyDefaultButtons"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-14 15:53 12464 ----a-w- c:\winnt\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=

"c:\\WINNT\\system32\\mmc.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=

"c:\\Program Files\\Microsoft Games\\Rise Of Legends\\legends.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=

"c:\\WINNT\\system32\\dpvsetup.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\europa universalis iii - demo\\eu3demo.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Eidos Interactive\\Pyro Studios\\Praetorians\\Praetorians.exe"=

"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=

"c:\\Program Files\\RingCentral\\RingCentral Call Controller\\RCUI.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\torchlight\\Torchlight.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=

"c:\\WINNT\\system32\\spoolsv.exe"=

R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [6/9/2010 10:15 AM 64288]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [3/31/2009 7:53 AM 216200]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [3/31/2009 7:53 AM 242896]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/9/2010 7:29 PM 135336]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/14/2010 8:53 AM 308064]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1352320]

R2 npf;NetGroup Packet Filter Driver;c:\winnt\system32\drivers\npf.sys [3/15/2009 1:13 PM 34064]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/5/2009 4:17 PM 24652]

S0 ntcdrdrv;ntcdrdrv;c:\winnt\system32\DRIVERS\ntcdrdrv.sys --> c:\winnt\system32\DRIVERS\ntcdrdrv.sys [?]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]

S3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [3/13/2010 2:25 PM 401920]

S3 bDMusicb;bDMusicb;\??\c:\docume~1\Owner\LOCALS~1\Temp\bDMusicb.sys --> c:\docume~1\Owner\LOCALS~1\Temp\bDMusicb.sys [?]

S3 FWL;FWL Packet Filter;\??\c:\program files\Software602\602LAN SUITE\fwl.sys --> c:\program files\Software602\602LAN SUITE\fwl.sys [?]

S3 IR500;IR500;c:\winnt\system32\drivers\IR500.sys [2/23/2002 4:31 PM 16768]

S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]

S3 PortlUSB;PortlUSB;c:\winnt\system32\drivers\SiriusUSB.sys [2/20/2007 12:27 AM 7552]

S3 PortRst;PortRst;c:\winnt\system32\drivers\PortRst.sys [1/29/2002 6:33 PM 18560]

S4 sptd;sptd;c:\winnt\system32\drivers\sptd.sys [8/29/2007 11:19 PM 685816]

.

Contents of the 'Scheduled Tasks' folder

2010-06-10 c:\winnt\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 17:14]

2010-05-29 c:\winnt\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-06-10 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-1723214923-1685927933-429115175-1003Core.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-03 00:54]

2010-06-10 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-1723214923-1685927933-429115175-1003UA.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-03 00:54]

2010-06-07 c:\winnt\Tasks\User_Feed_Synchronization-{1B8A7C64-BB3E-48FF-B6EC-DAC27A4FFA43}.job

- c:\winnt\system32\msfeedssync.exe [2006-10-17 18:58]

.

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://my.yahoo.com/

mLocal Page = c:\windows\system32\blank.htm

mWindow Title = Microsoft Internet Explorer

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = hxxp://www.gateway.net/

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: &Viewpoint Search - c:\program files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab

DPF: {6781FF2E-7452-11D4-84D4-0040F60CE591} - hxxp://www.etniesskateparkoflakeforest.com/rvctl.cab

DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} - hxxp://64.75.174.5/push.cab

DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://ak.g.gametap.com/static/cab_headless/GameTapWebUpdater.cab

DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} - hxxp://www.drivershq.com/members/DD_v4_Member.CAB

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6hbsau6a.default\

FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 1066

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6hbsau6a.default\extensions\{D9879E90-DDA0-4f59-AC80-626D3DB93C63}\components\WisePlayFF.dll

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000011.dll

FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\RobloxVersions\version-b5dc796702a14251\nproblox.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\np32dsw.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npdeploytk.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npnul32.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\NPOFFICE.DLL

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\nppdf32.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\nppl3260.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin2.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin3.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin4.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin5.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin6.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin7.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\nprjplug.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\nprpjplug.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\NPSFDMGR.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\NPUploader.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npyaxmpb.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winnt\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

- - - - ORPHANS REMOVED - - - -

BHO-{2B9D5AE4-2924-4F98-9823-F6C40FE1036B} - (no file)

WebBrowser-{00A5781C-9012-446D-AB21-EE5ECB6C55CA} - (no file)

WebBrowser-{BF3C4FAF-8B9A-4F1F-A2E7-D52B36979CD7} - (no file)

HKLM-Run-Keyboard Preload Check - c:\oemdrvrs\KEYB\Preload.exe

HKLM-Run-skb - idpyreob.dll

ShellExecuteHooks-{2E39BE38-5E63-4B86-A550-8396F58C2DF9} - (no file)

Notify-fccyvvwu - fccyvvwu.dll

Notify-xXPjkHAQ - xXPjkHAQ.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-10 14:33

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1723214923-1685927933-429115175-1003\Software\SecuROM\License information*]

"datasecu"=hex:51,b5,69,e7,68,f7,6c,1c,1b,c2,02,bd,4d,8f,b7,4d,7b,8b,26,ae,b4,

44,6a,1d,2f,80,e6,6e,6b,e4,ba,26,bf,d4,cf,c8,e5,f4,fa,77,20,67,70,2d,59,02,\

"rkeysecu"=hex:15,5d,12,b9,22,c0,86,bd,30,80,c3,d0,d8,26,3b,6c

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4000)

c:\winnt\system32\WININET.dll

c:\program files\RingCentral\RingCentral Call Controller\RCHotKeyHook.dll

c:\winnt\system32\IEFRAME.dll

c:\winnt\system32\WPDShServiceObj.dll

c:\winnt\system32\PortableDeviceTypes.dll

c:\winnt\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\winnt\system32\devldr32.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\winnt\system32\nvsvc32.exe

c:\winnt\System32\MsPMSPSv.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\winnt\Logi_MwX.Exe

c:\winnt\GWMDMMSG.exe

c:\winnt\system32\RUNDLL32.EXE

c:\winnt\System32\wbem\unsecapp.exe

c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

.

**************************************************************************

.

Completion time: 2010-06-10 14:48:27 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-10 21:48

Pre-Run: 14,891,307,008 bytes free

Post-Run: 15,006,191,616 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINNT

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - 8D16E35013CF0F8359FC527B3CF004BA

DDS (Ver_10-03-17.01) - NTFSx86

Run by Owner at 14:49:12.04 on Thu 06/10/2010

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.381 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch

svchost.exe

C:\WINNT\System32\svchost.exe -k netsvcs

C:\WINNT\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

svchost.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINNT\system32\devldr32.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINNT\System32\svchost.exe -k HTTPFilter

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\System32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINNT\System32\MsPMSPSv.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\WINNT\Logi_MwX.Exe

C:\WINNT\GWMDMMSG.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINNT\system32\RUNDLL32.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Starfield\Desktop Notifier\wben.exe

C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINNT\explorer.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://my.yahoo.com/

mLocal Page = c:\windows\system32\blank.htm

mWindow Title = Microsoft Internet Explorer

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = hxxp://www.gateway.net/

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

BHO: {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: wiseHelper Class: {35627a0e-5d1e-45cd-ae24-c1d59cccc18f} - c:\documents and settings\owner\local settings\application data\wiseplay\wiseplie.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - Viewpoint Toolbar BHO

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll

TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} -

TB: {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll

uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp

uRun: [MoneyAgent] "c:\program files\microsoft money\system\Money Express.exe"

uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet

uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup

uRun: [wben] "c:\program files\starfield\desktop notifier\wben.exe"

uRun: [RCUI] "c:\program files\ringcentral\ringcentral call controller\RCUI.exe"

uRun: [RCHotKey] "c:\program files\ringcentral\ringcentral call controller\RCHotKey.exe"

uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c

uRunOnce: [shockwave Updater] c:\winnt\system32\adobe\shockwave 11\SwHelper_1150595.exe -Update -1150595 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://games.king.com/first_play.jsp?game=candyrail"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\winnt\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [Logitech Utility] Logi_MwX.Exe

mRun: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

mRun: [GWMDMMSG] GWMDMMSG.exe

mRun: [AudioHQ] c:\program files\creative\sblive\audiohq\AHQTB.EXE

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [NvMediaCenter] RUNDLL32.EXE c:\winnt\system32\NvMcTray.dll,NvTaskbarInit

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"

mRun: [indexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"

mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"

mRun: [brMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN

mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

uPolicies-explorer: SpecifyDefaultButtons = 0 (0x0)

IE: &Viewpoint Search - c:\program files\viewpoint\viewpoint toolbar\ViewBar.dll/CXTSEARCH.HTML

IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll

IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll

DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab

DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} - hxxp://www.drivershq.com/DD_v4.CAB

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15030/CTSUEng.cab

DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/download/ipixx.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab

DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://protect.microsoft.com/security/protect/WSA/shared/cab/x86/MSSecAdv.cab?1064931314358

DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxps://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab

DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} - hxxp://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab

DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {6781FF2E-7452-11D4-84D4-0040F60CE591} - hxxp://www.etniesskateparkoflakeforest.com/rvctl.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144129482859

DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} - hcp://system/RunExeActiveX.CAB

DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab

DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab

DPF: {785EA525-5066-495F-ADF6-3B8316515DEF} - hxxp://mirror.worldwinner.com/games/v44/collapse/collapse.cab

DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} - hxxp://secure2.comned.com/signuptemplates/securelogin-devel.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab

DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} - hcp://system/StartFirstControl.CAB

DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} - hxxp://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB

DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} - hxxp://mirror.worldwinner.com/games/v50/swapit/swapit.cab

DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/mail/autocomplete.cab

DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} - hxxp://64.75.174.5/push.cab

DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - hxxp://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab

DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - hxxp://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe

DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://ak.g.gametap.com/static/cab_headless/GameTapWebUpdater.cab

DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/asa/SymAData.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - hxxp://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab

DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} - hxxp://dgl.microsoft.com/downloads/outc.cab

DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} - hxxp://www.drivershq.com/members/DD_v4_Member.CAB

DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} - hxxp://www.gamespot.com/KDX/zd/kdx.cab

DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15030/CTPID.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winnt\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\6hbsau6a.default\

FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 1066

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\6hbsau6a.default\extensions\{d9879e90-dda0-4f59-ac80-626d3db93c63}\components\WisePlayFF.dll

FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winnt\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [2010-6-9 64288]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-6-9 11608]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [2009-3-31 216200]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\winnt\system32\drivers\avgmfx86.sys [2007-2-19 29584]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [2009-3-31 242896]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-6-9 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-6-9 267432]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-14 308064]

R2 avgntflt;avgntflt;c:\winnt\system32\drivers\avgntflt.sys [2010-6-9 60936]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352320]

R2 npf;NetGroup Packet Filter Driver;c:\winnt\system32\drivers\npf.sys [2009-3-15 34064]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-10-5 24652]

S0 ntcdrdrv;ntcdrdrv;c:\winnt\system32\drivers\ntcdrdrv.sys --> c:\winnt\system32\drivers\ntcdrdrv.sys [?]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S3 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2010-3-13 401920]

S3 bDMusicb;bDMusicb;\??\c:\docume~1\owner\locals~1\temp\bdmusicb.sys --> c:\docume~1\owner\locals~1\temp\bDMusicb.sys [?]

S3 FWL;FWL Packet Filter;\??\c:\program files\software602\602lan suite\fwl.sys --> c:\program files\software602\602lan suite\fwl.sys [?]

S3 IR500;IR500;c:\winnt\system32\drivers\IR500.sys [2002-2-23 16768]

S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\qctest\pcdoc\pcdrdrv.sys --> c:\atf\qctest\pcdoc\PCDRDRV.sys [?]

S3 PortlUSB;PortlUSB;c:\winnt\system32\drivers\SiriusUSB.sys [2007-2-20 7552]

S3 PortRst;PortRst;c:\winnt\system32\drivers\PortRst.sys [2002-1-29 18560]

=============== Created Last 30 ================

2010-06-10 20:56:48 0 d-sha-r- C:\cmdcons

2010-06-10 20:52:01 98816 ----a-w- c:\winnt\sed.exe

2010-06-10 20:52:01 77312 ----a-w- c:\winnt\MBR.exe

2010-06-10 20:52:01 256512 ----a-w- c:\winnt\PEV.exe

2010-06-10 20:52:01 161792 ----a-w- c:\winnt\SWREG.exe

2010-06-10 15:49:18 20 ----a-w- c:\documents and settings\owner\defogger_reenable

2010-06-10 02:29:42 60936 ----a-w- c:\winnt\system32\drivers\avgntflt.sys

2010-06-10 02:29:41 0 d-----w- c:\program files\Avira

2010-06-10 02:29:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira

2010-06-10 01:07:33 15880 ----a-w- c:\winnt\system32\lsdelete.exe

2010-06-09 17:15:52 64288 ----a-w- c:\winnt\system32\drivers\Lbd.sys

2010-06-09 17:14:54 95024 ----a-w- c:\winnt\system32\drivers\SBREDrv.sys

2010-06-09 17:03:31 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-06-08 19:21:27 951 ----a-w- c:\winnt\system32\nvshkllj.dat

2010-06-08 19:21:27 2126 ----a-w- c:\winnt\system32\netcmgx.dat

2010-06-08 17:49:12 0 ----a-w- c:\winnt\system32\mcione16.dat

2010-06-08 17:12:10 0 d-----w- C:\spoolerlogs

2010-06-08 16:57:51 50981 ----a-w- c:\winnt\system32\oxszuablmrdwz.exe

2010-06-08 16:56:15 1464 ----a-w- c:\winnt\system32\eappgaui.dat

2010-06-08 16:56:15 1008 ----a-w- c:\winnt\system32\loadpegf.dat

2010-06-08 16:56:14 307 ----a-w- c:\winnt\system32\nvdisssr.dat

2010-06-08 16:56:14 0 ----a-w- c:\winnt\system32\xvidcwre.dat

==================== Find3M ====================

2010-06-02 15:28:47 242896 ----a-w- c:\winnt\system32\drivers\avgtdix.sys

2010-05-21 21:14:28 221568 ------w- c:\winnt\system32\MpSigStub.exe

2010-04-29 22:39:38 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39:26 20952 ----a-w- c:\winnt\system32\drivers\mbam.sys

2010-03-14 15:53:23 12464 ----a-w- c:\winnt\system32\avgrsstx.dll

2008-05-25 02:40:31 184 ----a-w- c:\program files\QAUDIO.INI

2007-10-31 04:54:50 5384603 ----a-w- c:\program files\EasyMp3setup.exe

2007-09-03 16:34:08 1593344 ----a-w- c:\program files\QAUDIO.EXE

2007-08-21 17:24:22 47080 ----a-w- c:\program files\QuickAudio.chm

2007-08-14 18:58:54 118878 ----a-w- c:\program files\soundstretch.exe

2004-12-21 02:44:48 682085 ----a-w- c:\program files\sox.exe

2003-11-22 19:37:02 74240 ----a-w- c:\program files\oggdec.exe

2003-11-22 19:36:52 155136 ----a-w- c:\program files\oggenc.exe

2003-01-09 07:43:18 569344 ----a-w- c:\program files\lame.exe

2000-01-28 02:19:04 1048576 ----a-w- c:\program files\ROBOEX32.DLL

1999-01-28 23:44:20 49152 ----a-w- c:\program files\INETWH32.DLL

1995-08-29 12:52:00 49152 ----a-w- c:\program files\BIDS45F.DLL

1995-08-29 12:52:00 176128 ----a-w- c:\program files\CW3215.DLL

1995-02-28 19:16:20 211488 ----a-w- c:\program files\BWCC32.DLL

2008-08-26 06:05:14 32768 --sha-w- c:\winnt\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082520080826\index.dat

============= FINISH: 14:50:22.68 ===============

What's next? Avira keeps finding this worm:

Virus or unwanted program 'WORM/Pinit.FG.6 [worm]'

detected in file 'C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1453\A0453627.dll'.

Action performed: Deny access

Also, I continue to get this rundll error on startup:

Error loading idpyreob.dll

The specified module could not be found

  • Staff

Hi,

Again my apologies for the delay.

First, please update MBAM, run a Quick Scan, and post its log.

Next, please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://forums.malwarebytes.org/index.php?showtopic=53521
Collect::
c:\winnt\system32\oxszuablmrdwz.exe
c:\winnt\system32\eappgaui.dat
c:\winnt\system32\loadpegf.dat
c:\winnt\system32\nvdisssr.dat
c:\winnt\system32\xvidcwre.dat
c:\winnt\system32\nvshkllj.dat
c:\winnt\system32\netcmgx.dat
c:\winnt\system32\mcione16.dat
Suspect::
c:\winnt\system32\drivers\IR500.sys
c:\program files\sox.exe
c:\program files\oggdec.exe
c:\program files\oggenc.exe
c:\program files\lame.exe
c:\documents and settings\Owner\Local Settings\Application Data\WisePlay\wiseplie.dll
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\nvdisssr]

Save this as CFScript.txt

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt onto ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

Next, please go to VirusTotal, and upload the following file for analysis:

c:\winnt\system32\drivers\IR500.sys

c:\program files\sox.exe

c:\program files\oggdec.exe

c:\program files\oggenc.exe

c:\program files\lame.exe

c:\documents and settings\Owner\Local Settings\Application Data\WisePlay\wiseplie.dll

Post the results in your reply.

Hi Chris.

No worries on the delayed response. For future reference, how long should I wait before sending you a PM?

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4198

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

6/14/2010 6:44:44 PM

mbam-log-2010-06-14 (18-44-44).txt

Scan type: Quick scan

Objects scanned: 131794

Time elapsed: 20 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\oxszuablmrdwz (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINNT\system32\oxszuablmrdwz.exe (Adware.Adrotator) -> Quarantined and deleted successfully.

ComboFix 10-06-14.02 - Owner 06/14/2010 19:15:52.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.299 [GMT -7:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\winnt\system32\eappgaui.dat

file zipped: c:\winnt\system32\loadpegf.dat

file zipped: c:\winnt\system32\mcione16.dat

file zipped: c:\winnt\system32\netcmgx.dat

file zipped: c:\winnt\system32\nvdisssr.dat

file zipped: c:\winnt\system32\nvshkllj.dat

file zipped: c:\winnt\system32\xvidcwre.dat

file zipped: c:\documents and settings\Owner\Local Settings\Application Data\WisePlay\wiseplie.dll

file zipped: c:\program files\lame.exe

file zipped: c:\program files\oggdec.exe

file zipped: c:\program files\oggenc.exe

file zipped: c:\program files\sox.exe

file zipped: c:\winnt\system32\drivers\IR500.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\winnt\system32\eappgaui.dat

c:\winnt\system32\loadpegf.dat

c:\winnt\system32\mcione16.dat

c:\winnt\system32\netcmgx.dat

c:\winnt\system32\nvdisssr.dat

c:\winnt\system32\nvshkllj.dat

c:\winnt\system32\xvidcwre.dat

.

((((((((((((((((((((((((( Files Created from 2010-05-15 to 2010-06-15 )))))))))))))))))))))))))))))))

.

2010-06-13 00:09 . 2010-06-13 00:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Facebook

2010-06-11 05:36 . 2010-06-11 05:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira

2010-06-10 02:29 . 2010-03-01 17:05 124784 ----a-w- c:\winnt\system32\drivers\avipbb.sys

2010-06-10 02:29 . 2010-02-16 21:24 60936 ----a-w- c:\winnt\system32\drivers\avgntflt.sys

2010-06-10 02:29 . 2009-05-11 19:49 45416 ----a-w- c:\winnt\system32\drivers\avgntdd.sys

2010-06-10 02:29 . 2009-05-11 19:49 22360 ----a-w- c:\winnt\system32\drivers\avgntmgr.sys

2010-06-10 02:29 . 2010-06-10 02:29 -------- d-----w- c:\program files\Avira

2010-06-10 02:29 . 2010-06-10 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-06-10 01:07 . 2010-06-09 17:14 15880 ----a-w- c:\winnt\system32\lsdelete.exe

2010-06-09 17:15 . 2010-06-09 17:14 64288 ----a-w- c:\winnt\system32\drivers\Lbd.sys

2010-06-09 17:14 . 2010-06-09 17:14 95024 ----a-w- c:\winnt\system32\drivers\SBREDrv.sys

2010-06-09 17:03 . 2010-06-09 17:03 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-06-08 17:12 . 2010-06-08 17:12 -------- d-----w- C:\spoolerlogs

2010-06-08 16:57 . 2010-06-08 16:57 -------- d-----w- c:\program files\$NtUninstallWTF1012$

2010-06-08 16:57 . 2010-06-15 02:25 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\WisePlay

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-14 23:56 . 2010-03-01 03:06 0 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\prvlcl.dat

2010-06-13 00:09 . 2010-06-13 00:09 50354 ----a-w- c:\documents and settings\Owner\Application Data\Facebook\uninstall.exe

2010-06-10 12:06 . 2010-06-10 12:06 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3948c5e3-n\msvcp71.dll

2010-06-10 12:06 . 2010-06-10 12:06 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3948c5e3-n\jmc.dll

2010-06-10 12:06 . 2010-06-10 12:06 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3948c5e3-n\msvcr71.dll

2010-06-09 17:04 . 2003-08-23 01:43 -------- d-----w- c:\program files\Lavasoft

2010-06-09 10:45 . 2010-06-09 10:45 5591040 ----a-w- c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_3.dll

2010-06-09 04:50 . 2009-02-12 04:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-08 17:04 . 2010-02-21 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-06-08 16:57 . 2010-06-08 16:57 32768 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6hbsau6a.default\extensions\{D9879E90-DDA0-4f59-AC80-626D3DB93C63}\components\WisePlayFF.dll

2010-06-05 08:28 . 2010-04-05 12:58 439816 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\setup.exe

2010-06-05 08:18 . 2009-05-13 05:34 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-02 15:29 . 2010-06-02 15:29 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys

2010-06-02 15:29 . 2010-06-02 15:29 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-06-02 15:28 . 2009-03-31 14:53 242896 ----a-w- c:\winnt\system32\drivers\avgtdix.sys

2010-06-02 15:28 . 2007-02-20 04:39 29584 ----a-w- c:\winnt\system32\drivers\avgmfx86.sys

2010-06-02 03:45 . 2002-11-10 07:08 -------- d-----w- c:\program files\Microsoft Games

2010-05-30 04:40 . 2007-12-12 02:25 -------- d--h--w- c:\documents and settings\Owner\Application Data\BitTorrent

2010-05-24 00:09 . 2010-03-12 04:48 -------- d-----w- c:\program files\Farm Frenzy 3

2010-05-21 21:14 . 2009-10-03 01:08 221568 ------w- c:\winnt\system32\MpSigStub.exe

2008-05-25 02:40 . 2007-10-31 04:55 184 ----a-w- c:\program files\QAUDIO.INI

2007-10-31 04:54 . 2007-10-31 04:54 5384603 ----a-w- c:\program files\EasyMp3setup.exe

2007-09-03 16:34 . 2007-10-31 04:23 1593344 ----a-w- c:\program files\QAUDIO.EXE

2007-08-21 17:24 . 2007-10-31 04:23 47080 ----a-w- c:\program files\QuickAudio.chm

2007-08-14 18:58 . 2007-10-31 04:23 118878 ----a-w- c:\program files\soundstretch.exe

2004-12-21 02:44 . 2007-10-31 04:23 682085 ----a-w- c:\program files\sox.exe

2003-11-22 19:37 . 2007-10-31 04:23 74240 ----a-w- c:\program files\oggdec.exe

2003-11-22 19:36 . 2007-10-31 04:23 155136 ----a-w- c:\program files\oggenc.exe

2003-01-09 07:43 . 2007-10-31 04:23 569344 ----a-w- c:\program files\lame.exe

2000-01-28 02:19 . 2007-10-31 04:23 1048576 ----a-w- c:\program files\ROBOEX32.DLL

1999-01-28 23:44 . 2007-10-31 04:23 49152 ----a-w- c:\program files\INETWH32.DLL

1995-08-29 12:52 . 2007-10-31 04:23 49152 ----a-w- c:\program files\BIDS45F.DLL

1995-08-29 12:52 . 2007-10-31 04:23 176128 ----a-w- c:\program files\CW3215.DLL

1995-02-28 19:16 . 2007-10-31 04:23 211488 ----a-w- c:\program files\BWCC32.DLL

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35627A0E-5D1E-45cd-AE24-C1D59CCCC18F}]

2010-06-08 16:57 88064 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\WisePlay\wiseplie.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-05-26 2346192]

"wben"="c:\program files\Starfield\Desktop Notifier\wben.exe" [2009-06-25 338456]

"RCUI"="c:\program files\RingCentral\RingCentral Call Controller\RCUI.exe" [2009-05-04 479232]

"RCHotKey"="c:\program files\RingCentral\RingCentral Call Controller\RCHotKey.exe" [2009-05-04 32768]

"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-03 136176]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Shockwave Updater"="c:\winnt\system32\Adobe\Shockwave 11\SwHelper_1150595.exe" [2009-03-19 460216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2008-05-16 13529088]

"nwiz"="nwiz.exe" [2008-05-16 1630208]

"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 19968]

"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 66048]

"GWMDMMSG"="GWMDMMSG.exe" [2001-11-27 101615]

"AudioHQ"="c:\program files\Creative\SBLive\AudioHQ\AHQTB.EXE" [2001-08-18 180224]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-04 185896]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

"NvMediaCenter"="c:\winnt\system32\NvMcTray.dll" [2008-05-16 86016]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-11-06 741376]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"SpecifyDefaultButtons"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-14 15:53 12464 ----a-w- c:\winnt\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=

"c:\\WINNT\\system32\\mmc.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=

"c:\\Program Files\\Microsoft Games\\Rise Of Legends\\legends.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=

"c:\\WINNT\\system32\\dpvsetup.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\europa universalis iii - demo\\eu3demo.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Eidos Interactive\\Pyro Studios\\Praetorians\\Praetorians.exe"=

"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=

"c:\\Program Files\\RingCentral\\RingCentral Call Controller\\RCUI.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\torchlight\\Torchlight.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=

"c:\\WINNT\\system32\\spoolsv.exe"=

R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [6/9/2010 10:15 AM 64288]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [3/31/2009 7:53 AM 216200]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [3/31/2009 7:53 AM 242896]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/9/2010 7:29 PM 135336]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/14/2010 8:53 AM 308064]

R2 npf;NetGroup Packet Filter Driver;c:\winnt\system32\drivers\npf.sys [3/15/2009 1:13 PM 34064]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/5/2009 4:17 PM 24652]

S0 ntcdrdrv;ntcdrdrv;c:\winnt\system32\DRIVERS\ntcdrdrv.sys --> c:\winnt\system32\DRIVERS\ntcdrdrv.sys [?]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1352320]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]

S3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [3/13/2010 2:25 PM 401920]

S3 bDMusicb;bDMusicb;\??\c:\docume~1\Owner\LOCALS~1\Temp\bDMusicb.sys --> c:\docume~1\Owner\LOCALS~1\Temp\bDMusicb.sys [?]

S3 FWL;FWL Packet Filter;\??\c:\program files\Software602\602LAN SUITE\fwl.sys --> c:\program files\Software602\602LAN SUITE\fwl.sys [?]

S3 IR500;IR500;c:\winnt\system32\drivers\IR500.sys [2/23/2002 4:31 PM 16768]

S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]

S3 PortlUSB;PortlUSB;c:\winnt\system32\drivers\SiriusUSB.sys [2/20/2007 12:27 AM 7552]

S3 PortRst;PortRst;c:\winnt\system32\drivers\PortRst.sys [1/29/2002 6:33 PM 18560]

S4 sptd;sptd;c:\winnt\system32\drivers\sptd.sys [8/29/2007 11:19 PM 685816]

.

Contents of the 'Scheduled Tasks' folder

2010-06-15 c:\winnt\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 17:14]

2010-06-12 c:\winnt\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-06-15 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-1723214923-1685927933-429115175-1003Core.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-03 00:54]

2010-06-15 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-1723214923-1685927933-429115175-1003UA.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-03 00:54]

2010-06-11 c:\winnt\Tasks\User_Feed_Synchronization-{1B8A7C64-BB3E-48FF-B6EC-DAC27A4FFA43}.job

- c:\winnt\system32\msfeedssync.exe [2006-10-17 18:58]

.

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://my.yahoo.com/

mLocal Page = c:\windows\system32\blank.htm

mWindow Title = Microsoft Internet Explorer

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = hxxp://www.gateway.net/

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: &Viewpoint Search - c:\program files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab

DPF: {6781FF2E-7452-11D4-84D4-0040F60CE591} - hxxp://www.etniesskateparkoflakeforest.com/rvctl.cab

DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} - hxxp://64.75.174.5/push.cab

DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://ak.g.gametap.com/static/cab_headless/GameTapWebUpdater.cab

DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} - hxxp://www.drivershq.com/members/DD_v4_Member.CAB

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6hbsau6a.default\

FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 1066

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6hbsau6a.default\extensions\{D9879E90-DDA0-4f59-AC80-626D3DB93C63}\components\WisePlayFF.dll

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000011.dll

FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\RobloxVersions\version-b5dc796702a14251\nproblox.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\np32dsw.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npdeploytk.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npnul32.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\NPOFFICE.DLL

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\nppdf32.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\nppl3260.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin2.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin3.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin4.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin5.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin6.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin7.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\nprjplug.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\nprpjplug.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\NPSFDMGR.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\NPUploader.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npyaxmpb.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winnt\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-14 19:28

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1723214923-1685927933-429115175-1003\Software\SecuROM\License information*]

"datasecu"=hex:51,b5,69,e7,68,f7,6c,1c,1b,c2,02,bd,4d,8f,b7,4d,7b,8b,26,ae,b4,

44,6a,1d,2f,80,e6,6e,6b,e4,ba,26,bf,d4,cf,c8,e5,f4,fa,77,20,67,70,2d,59,02,\

"rkeysecu"=hex:15,5d,12,b9,22,c0,86,bd,30,80,c3,d0,d8,26,3b,6c

.

Completion time: 2010-06-14 19:38:57

ComboFix-quarantined-files.txt 2010-06-15 02:38

ComboFix2.txt 2010-06-10 21:48

Pre-Run: 14,770,991,104 bytes free

Post-Run: 14,791,790,592 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - 0076F5C9D1643BB2D44CDADA49BC7058

Upload was successful

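The entries a responder reads first in a log like the one above are the driver/service lines and the Firefox prefs: a kernel driver registered from a Temp folder (bDMusicb), services whose file is gone ("[?]"), and an HTTP proxy pointing at 127.0.0.1. The following is an added example for this thread, not ComboFix, Malwarebytes or VirusTotal code, that applies those same checks mechanically to ComboFix's Rn/Sn service lines and "FF - prefs.js" lines. The sample lines are copied from the log above; the USER_WRITABLE directory list, the flag wording and the reading of network.proxy.type (1 = manual proxy in use; 0 direct, 2 PAC, 4 auto-detect, 5 system) are the example's own.

```python
"""Triage helpers for the ComboFix lines quoted above.

Added example for this thread; it is not ComboFix, Malwarebytes or
VirusTotal code. The sample lines are copied from the log above; the
USER_WRITABLE list and the flag wording are this example's own choices.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# ComboFix service line: state (R running / S stopped) + Windows start
# type (0 boot, 1 system, 2 auto, 3 manual, 4 disabled), then
# name;display;path and either "[date time size]" or "--> path [?]".
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
PREF_RE = re.compile(r"^FF - prefs\.js: (?P<key>\S+) - (?P<value>.*)$")

# Directories a kernel driver has no business being loaded from (assumed list).
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\docume~1\\")


@dataclass
class Service:
    state: str
    start: int
    name: str
    display: str
    path: str
    missing: bool                      # ComboFix prints "--> path [?]" when the file is gone
    findings: List[str] = field(default_factory=list)


def parse_service(line: str) -> Optional[Service]:
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    missing = rest.endswith("[?]")
    path = rest.split(" --> ")[0] if missing else rest.rsplit(" [", 1)[0]
    path = path.replace("\\??\\", "", 1)   # NT object-manager prefix -> plain DOS path
    svc = Service(m["state"], int(m["start"]), m["name"], m["display"], path, missing)
    low = path.lower()
    if low.endswith(".sys") and any(d in low for d in USER_WRITABLE):
        svc.findings.append("kernel driver registered from a user-writable path")
    if missing:
        svc.findings.append("service entry points at a file that no longer exists")
    return svc


def triage_prefs(lines) -> List[str]:
    prefs: Dict[str, str] = {}
    for line in lines:
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m["key"]] = m["value"].strip()
    findings = []
    host = prefs.get("network.proxy.http")
    if host in ("127.0.0.1", "localhost"):
        note = f"Firefox HTTP proxy set to {host}:{prefs.get('network.proxy.http_port')}"
        # network.proxy.type 1 = manual; 0 direct, 2 PAC, 4 auto-detect, 5 system.
        # The manual host/port only take effect when type is 1.
        if prefs.get("network.proxy.type") == "1":
            note += ", active: a local process sees every browser request"
        else:
            note += (f", dormant (network.proxy.type={prefs.get('network.proxy.type')});"
                     " still ask what listens on that port")
        findings.append(note)
    return findings


def triage(lines) -> Dict[str, List[str]]:
    """Map service name (or 'firefox') to the findings for it."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        svc = parse_service(line)
        if svc and svc.findings:
            report[svc.name] = svc.findings
    proxy = triage_prefs(lines)
    if proxy:
        report["firefox"] = proxy
    return report


# Constructed input: lines copied verbatim from the ComboFix log above.
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [6/9/2010 10:15 AM 64288]
S0 ntcdrdrv;ntcdrdrv;c:\winnt\system32\DRIVERS\ntcdrdrv.sys --> c:\winnt\system32\DRIVERS\ntcdrdrv.sys [?]
S3 bDMusicb;bDMusicb;\??\c:\docume~1\Owner\LOCALS~1\Temp\bDMusicb.sys --> c:\docume~1\Owner\LOCALS~1\Temp\bDMusicb.sys [?]
S3 IR500;IR500;c:\winnt\system32\drivers\IR500.sys [2/23/2002 4:31 PM 16768]
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 1066
FF - prefs.js: network.proxy.type - 4
""".strip().splitlines()

if __name__ == "__main__":
    for name, notes in triage(SAMPLE_LOG).items():
        for note in notes:
            print(f"{name}: {note}")
```

Two caveats the checks encode: a stopped service whose file is missing (S0/S3 with "[?]") is an orphaned registration, not running code, so it is cleanup rather than an active threat; and the 127.0.0.1:1066 proxy in this log sits next to network.proxy.type 4 (auto-detect), so it is not in use unless something flips the type to 1, which is why the example reports it as dormant rather than silently ignoring it.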

File IR500.sys received on 2010.06.15 02:44:43 (UTC)

Result: 0/40 (0%)

Antivirus Version Last Update Result

a-squared 5.0.0.26 2010.06.15 -

AhnLab-V3 2010.06.15.00 2010.06.15 -

AntiVir 8.2.2.6 2010.06.14 -

Antiy-AVL 2.0.3.7 2010.06.11 -

Authentium 5.2.0.5 2010.06.15 -

Avast 4.8.1351.0 2010.06.14 -

Avast5 5.0.332.0 2010.06.14 -

AVG 9.0.0.787 2010.06.15 -

BitDefender 7.2 2010.06.15 -

CAT-QuickHeal 10.00 2010.06.14 -

ClamAV 0.96.0.3-git 2010.06.15 -

Comodo 5104 2010.06.15 -

DrWeb 5.0.2.03300 2010.06.15 -

eSafe 7.0.17.0 2010.06.14 -

eTrust-Vet 36.1.7634 2010.06.15 -

F-Prot 4.6.0.103 2010.06.14 -

F-Secure 9.0.15370.0 2010.06.15 -

Fortinet 4.1.133.0 2010.06.14 -

GData 21 2010.06.15 -

Ikarus T3.1.1.84.0 2010.06.15 -

Jiangmin 13.0.900 2010.06.14 -

Kaspersky 7.0.0.125 2010.06.15 -

McAfee 5.400.0.1158 2010.06.15 -

McAfee-GW-Edition 2010.1 2010.06.14 -

Microsoft 1.5802 2010.06.14 -

NOD32 5196 2010.06.14 -

Norman 6.04.12 2010.06.14 -

nProtect 2010-06-14.02 2010.06.14 -

Panda 10.0.2.7 2010.06.14 -

PCTools 7.0.3.5 2010.06.15 -

Rising 22.51.06.01 2010.06.13 -

Sophos 4.54.0 2010.06.15 -

Sunbelt 6448 2010.06.15 -

Symantec 20101.1.0.89 2010.06.14 -

TheHacker 6.5.2.0.298 2010.06.14 -

TrendMicro 9.120.0.1004 2010.06.14 -

TrendMicro-HouseCall 9.120.0.1004 2010.06.15 -

VBA32 3.12.12.5 2010.06.14 -

ViRobot 2010.6.14.3884 2010.06.14 -

VirusBuster 5.0.27.0 2010.06.14 -

Additional information

File size: 16768 bytes

MD5...: e9a9bb599522ca2a4d595cc585622da1

SHA1..: 397964bffa0e05f10f13fae4861fe3d37d8a81eb

SHA256: 7455c2b7b770f45ba9da51611bcf50918186bbae09276f19f37464470fa603a0

ssdeep: 384:UUjqORpwhg/zMtGmX48BeSEEakN68IV1qtlyXFPb4aW:UEqORpwhg/zMtBfEVks8Gp9bO

PEiD..: -

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x5d6

timedatestamp.....: 0x3c77372a (Sat Feb 23 06:31:06 2002)

machinetype.......: 0x14c (I386)

( 6 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x300 0x2af4 0x2b00 6.34 cdbadcaf3005be377a1868a437116484

.rdata 0x2e00 0x14e 0x180 4.10 98819d3a52b1a6cbb1e03d5dcdef3c93

.data 0x2f80 0x18 0x80 0.29 26ab1baf41779dbf2fe025c0e9865693

INIT 0x3000 0x540 0x580 5.02 3d9bbe25307d2f07951add546f1e6fc9

.rsrc 0x3580 0x7b8 0x800 5.29 ffb8fab27843e600577455bd5ffbb416

.reloc 0x3d80 0x39a 0x400 4.95 68889e47b944dd8c40aadb067d3c90e4

( 4 imports )

> ntoskrnl.exe: KeInitializeEvent, KeInitializeSpinLock, IoCreateDevice, memmove, ExAllocatePoolWithTag, RtlQueryRegistryValues, wcslen, KeSetEvent, KeClearEvent, InterlockedIncrement, InterlockedDecrement, KeWaitForSingleObject, IofCallDriver, IoBuildDeviceIoControlRequest, IoFreeWorkItem, IofCompleteRequest, InterlockedExchange, IoDetachDevice, IoSetDeviceInterfaceState, PoSetPowerState, IoAllocateWorkItem, KeSetTimerEx, PoStartNextPowerIrp, PoCallDriver, PoRequestPowerIrp, IoCancelIrp, IoFreeIrp, IoAllocateIrp, IoWMIRegistrationControl, RtlInitUnicodeString, IoFreeMdl, IoBuildPartialMdl, IoAllocateMdl, IoDeleteDevice, IoIsWdmVersionAvailable, KeInitializeDpc, IoAttachDeviceToDeviceStack, IoQueueWorkItem, IoRegisterDeviceInterface, KeInitializeTimerEx, KeCancelTimer, ExFreePool

> HAL.dll: KfAcquireSpinLock, KfReleaseSpinLock

> WMILIB.SYS: WmiSystemControl, WmiCompleteRequest

> USBD.SYS: USBD_CreateConfigurationRequestEx, USBD_ParseConfigurationDescriptorEx

( 0 exports )

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: Generic Win/DOS Executable (49.9%)

DOS Executable Generic (49.8%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)

sigcheck:

publisher....: First International Digital, Inc.

copyright....: Copyright © 2002, First International Digital, Inc.

product......: irock_ 500 Series

description..: irock_ 500 Series Driver

original name: ir500.sys

internal name: ir500.sys

file version.: 1.01.00.1

comments.....: irock_ 500 Series USB Driver for Windows XP

signers......: -

signing date.: -

verified.....: Unsigned

File sox.exe received on 2010.06.15 02:48:38 (UTC)

Result: 0/41 (0%)

Antivirus Version Last Update Result

a-squared 5.0.0.26 2010.06.15 -

AhnLab-V3 2010.06.15.00 2010.06.15 -

AntiVir 8.2.2.6 2010.06.14 -

Antiy-AVL 2.0.3.7 2010.06.11 -

Authentium 5.2.0.5 2010.06.15 -

Avast 4.8.1351.0 2010.06.14 -

Avast5 5.0.332.0 2010.06.14 -

AVG 9.0.0.787 2010.06.15 -

BitDefender 7.2 2010.06.15 -

CAT-QuickHeal 10.00 2010.06.14 -

ClamAV 0.96.0.3-git 2010.06.15 -

Comodo 5104 2010.06.15 -

DrWeb 5.0.2.03300 2010.06.15 -

eSafe 7.0.17.0 2010.06.14 -

eTrust-Vet 36.1.7634 2010.06.15 -

F-Prot 4.6.0.103 2010.06.14 -

F-Secure 9.0.15370.0 2010.06.15 -

Fortinet 4.1.133.0 2010.06.14 -

GData 21 2010.06.15 -

Ikarus T3.1.1.84.0 2010.06.15 -

Jiangmin 13.0.900 2010.06.14 -

Kaspersky 7.0.0.125 2010.06.15 -

McAfee 5.400.0.1158 2010.06.15 -

McAfee-GW-Edition 2010.1 2010.06.14 -

Microsoft 1.5802 2010.06.14 -

NOD32 5196 2010.06.14 -

Norman 6.04.12 2010.06.14 -

nProtect 2010-06-14.02 2010.06.14 -

Panda 10.0.2.7 2010.06.14 -

PCTools 7.0.3.5 2010.06.15 -

Prevx 3.0 2010.06.15 -

Rising 22.51.06.01 2010.06.13 -

Sophos 4.54.0 2010.06.15 -

Sunbelt 6448 2010.06.15 -

Symantec 20101.1.0.89 2010.06.14 -

TheHacker 6.5.2.0.298 2010.06.14 -

TrendMicro 9.120.0.1004 2010.06.14 -

TrendMicro-HouseCall 9.120.0.1004 2010.06.15 -

VBA32 3.12.12.5 2010.06.14 -

ViRobot 2010.6.14.3884 2010.06.14 -

VirusBuster 5.0.27.0 2010.06.14 -

Additional information

File size: 682085 bytes

MD5...: 3595e17f0defcbac73ee133d9bc73ec9

SHA1..: cc30bdebee026cd153d16b581190ef96733ffd90

SHA256: 4f1acef2eaea5df59ca1a645d5165c584077a8c1057111e6986d1450c2a548e5

ssdeep: 12288:+JZgVUq2rFCSD0fcDOnrfRpJZqHYecLkOj4amrqJKJXcq:+JZgVUq2YSycDOnLRvEcLkOj4a3sXcq

PEiD..: -

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x1220

timedatestamp.....: 0x41c77164 (Tue Dec 21 00:42:12 2004)

machinetype.......: 0x14c (I386)

( 7 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x2b674 0x2b800 6.48 5eb7774f1d013b07e506ae4a87b10828

.data 0x2d000 0x7750 0x7800 7.24 0b36de128202075aae152bb7627709b0

.rdata 0x35000 0xaf2c 0xb000 4.89 0763db9d944aaf52c175062e85b0ab79

.bss 0x40000 0x1ddc0 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

.idata 0x5e000 0x8c0 0xa00 4.35 c5b7f87dc9da6e96fe92304f4e5ef05b

.stab 0x5f000 0x45288 0x45400 3.25 0d7207b00a9a7fcd7b0dbbeaa1f7ba66

.stabstr 0xa5000 0x11bfd 0x11c00 5.08 71ab6b5931d4ad30b9d429add37c3754

( 3 imports )

> msvcrt.dll: _finite, _fstat, _strdup, _unlink

> msvcrt.dll: _HUGE, __getmainargs, __mb_cur_max, __p___argv, __p__environ, __p__fmode, __set_app_type, _assert, _cexit, _errno, _filbuf, _flsbuf, _iob, _isctype, _onexit, _pctype, _setmode, _stricmp, abort, atexit, atof, atoi, calloc, ceil, clearerr, cos, ctime, exit, exp, fclose, fflush, floor, fmod, fopen, fprintf, fputc, fread, free, frexp, fscanf, fseek, ftell, fwrite, getenv, ldexp, log, log10, malloc, memcpy, memmove, perror, pow, printf, raise, rand, realloc, rewind, setvbuf, signal, sin, sprintf, sqrt, srand, sscanf, strcat, strchr, strcpy, strerror, strlen, strncmp, strrchr, strtod, strtok, strtol, tan, time, tmpfile, tolower, vfprintf, vsprintf

> KERNEL32.dll: AddAtomA, ExitProcess, FindAtomA, GetAtomNameA, SetUnhandledExceptionFilter

( 0 exports )

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: MinGW32 C/C++ Executable (76.2%)

InstallShield setup (13.3%)

Windows Screen Saver (4.0%)

Win32 Executable Generic (2.6%)

Win32 Dynamic Link Library (generic) (2.3%)

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

File oggdec.exe received on 2010.06.15 02:51:33 (UTC)

Result: 0/41 (0%)

Antivirus Version Last Update Result

a-squared 5.0.0.26 2010.06.15 -

AhnLab-V3 2010.06.15.00 2010.06.15 -

AntiVir 8.2.2.6 2010.06.14 -

Antiy-AVL 2.0.3.7 2010.06.11 -

Authentium 5.2.0.5 2010.06.15 -

Avast 4.8.1351.0 2010.06.14 -

Avast5 5.0.332.0 2010.06.14 -

AVG 9.0.0.787 2010.06.15 -

BitDefender 7.2 2010.06.15 -

CAT-QuickHeal 10.00 2010.06.14 -

ClamAV 0.96.0.3-git 2010.06.15 -

Comodo 5104 2010.06.15 -

DrWeb 5.0.2.03300 2010.06.15 -

eSafe 7.0.17.0 2010.06.14 -

eTrust-Vet 36.1.7634 2010.06.15 -

F-Prot 4.6.0.103 2010.06.14 -

F-Secure 9.0.15370.0 2010.06.15 -

Fortinet 4.1.133.0 2010.06.14 -

GData 21 2010.06.15 -

Ikarus T3.1.1.84.0 2010.06.15 -

Jiangmin 13.0.900 2010.06.14 -

Kaspersky 7.0.0.125 2010.06.15 -

McAfee 5.400.0.1158 2010.06.15 -

McAfee-GW-Edition 2010.1 2010.06.14 -

Microsoft 1.5802 2010.06.14 -

NOD32 5196 2010.06.14 -

Norman 6.04.12 2010.06.14 -

nProtect 2010-06-14.02 2010.06.14 -

Panda 10.0.2.7 2010.06.14 -

PCTools 7.0.3.5 2010.06.15 -

Prevx 3.0 2010.06.15 -

Rising 22.51.06.01 2010.06.13 -

Sophos 4.54.0 2010.06.15 -

Sunbelt 6448 2010.06.15 -

Symantec 20101.1.0.89 2010.06.14 -

TheHacker 6.5.2.0.298 2010.06.14 -

TrendMicro 9.120.0.1004 2010.06.14 -

TrendMicro-HouseCall 9.120.0.1004 2010.06.15 -

VBA32 3.12.12.5 2010.06.14 -

ViRobot 2010.6.14.3884 2010.06.14 -

VirusBuster 5.0.27.0 2010.06.14 -

Additional information

File size: 74240 bytes

MD5...: e8c42dc6cae749ffc63f281652033a22

SHA1..: 3cd34d8ffe4a5278a4e406bd20ac4f7aa752bdce

SHA256: a6754eff8e5793bcddcb252195748ba30a4a88e3386f409db016bb5456d30311

ssdeep: 1536:/uoPwG5nSmXi41HxL7XKraN/lUNK1fpZ0CNeeToaQbgQ4:GoI2SmXH1HxL76itUw1TzNjo34

PEiD..: -

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x22980

timedatestamp.....: 0x3fbf2e3d (Sat Nov 22 09:37:01 2003)

machinetype.......: 0x14c (I386)

( 3 sections )

name viradd virsiz rawdsiz ntrpy md5

UPX0 0x1000 0x10000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

UPX1 0x11000 0x12000 0x11c00 7.90 cde7a20fda702186fd7b22b73d4e6148

UPX2 0x23000 0x1000 0x200 1.47 c17a8c244852a9f83f86dde3106bbb4a

( 2 imports )

> KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess

> MSVCRT.dll: exp

( 0 exports )

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: UPX compressed Win32 Executable (39.5%)

Win32 EXE Yoda's Crypter (34.3%)

Win32 Executable Generic (11.0%)

Win32 Dynamic Link Library (generic) (9.8%)

Generic Win/DOS Executable (2.5%)

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

packers (Kaspersky): UPX

packers (F-Prot): UPX


File oggenc.exe received on 2010.06.15 02:53:34 (UTC)

Result: 0/41 (0%)

Antivirus Version Last Update Result

a-squared 5.0.0.26 2010.06.15 -

AhnLab-V3 2010.06.15.00 2010.06.15 -

AntiVir 8.2.2.6 2010.06.14 -

Antiy-AVL 2.0.3.7 2010.06.11 -

Authentium 5.2.0.5 2010.06.15 -

Avast 4.8.1351.0 2010.06.14 -

Avast5 5.0.332.0 2010.06.14 -

AVG 9.0.0.787 2010.06.15 -

BitDefender 7.2 2010.06.15 -

CAT-QuickHeal 10.00 2010.06.14 -

ClamAV 0.96.0.3-git 2010.06.15 -

Comodo 5104 2010.06.15 -

DrWeb 5.0.2.03300 2010.06.15 -

eSafe 7.0.17.0 2010.06.14 -

eTrust-Vet 36.1.7634 2010.06.15 -

F-Prot 4.6.0.103 2010.06.14 -

F-Secure 9.0.15370.0 2010.06.15 -

Fortinet 4.1.133.0 2010.06.14 -

GData 21 2010.06.15 -

Ikarus T3.1.1.84.0 2010.06.15 -

Jiangmin 13.0.900 2010.06.14 -

Kaspersky 7.0.0.125 2010.06.15 -

McAfee 5.400.0.1158 2010.06.15 -

McAfee-GW-Edition 2010.1 2010.06.14 -

Microsoft 1.5802 2010.06.14 -

NOD32 5196 2010.06.14 -

Norman 6.04.12 2010.06.14 -

nProtect 2010-06-14.02 2010.06.14 -

Panda 10.0.2.7 2010.06.14 -

PCTools 7.0.3.5 2010.06.15 -

Prevx 3.0 2010.06.15 -

Rising 22.51.06.01 2010.06.13 -

Sophos 4.54.0 2010.06.15 -

Sunbelt 6448 2010.06.15 -

Symantec 20101.1.0.89 2010.06.14 -

TheHacker 6.5.2.0.298 2010.06.14 -

TrendMicro 9.120.0.1004 2010.06.14 -

TrendMicro-HouseCall 9.120.0.1004 2010.06.15 -

VBA32 3.12.12.5 2010.06.14 -

ViRobot 2010.6.14.3884 2010.06.14 -

VirusBuster 5.0.27.0 2010.06.14 -

Additional information

File size: 155136 bytes

MD5...: 2b25475c24b096e1b7db765bcdb4569e

SHA1..: ba950d5c26e88b4b77c61501f2c9277792fb4a76

SHA256: 0203323f76ec20391765e33c582ddc901798697b0a3d49df5708fc6f4a2fbcae

ssdeep: 3072:+UGg7hLbqMHboPNiu96qF3jjXOfR5uXcoBZLXqgKp6Md84a/UMyLIC:FR0NJtZSLuX5as/4qYd

PEiD..: -

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x102600

timedatestamp.....: 0x3fbf2e34 (Sat Nov 22 09:36:52 2003)

machinetype.......: 0x14c (I386)

( 3 sections )

name viradd virsiz rawdsiz ntrpy md5

UPX0 0x1000 0xdc000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

UPX1 0xdd000 0x26000 0x25800 7.89 5076f00f07863a6d51b537849174772f

UPX2 0x103000 0x1000 0x200 1.46 c908fc4aad089dbb3b274a5d426d4d2a

( 2 imports )

> KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess

> MSVCRT.dll: sin

( 0 exports )

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: UPX compressed Win32 Executable (39.5%)

Win32 EXE Yoda's Crypter (34.3%)

Win32 Executable Generic (11.0%)

Win32 Dynamic Link Library (generic) (9.8%)

Generic Win/DOS Executable (2.5%)

packers (Kaspersky): UPX

packers (F-Prot): UPX

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

File lame.exe received on 2010.06.15 02:56:37 (UTC)

Result: 0/41 (0%)

Antivirus Version Last Update Result

a-squared 5.0.0.26 2010.06.15 -

AhnLab-V3 2010.06.15.00 2010.06.15 -

AntiVir 8.2.2.6 2010.06.14 -

Antiy-AVL 2.0.3.7 2010.06.11 -

Authentium 5.2.0.5 2010.06.15 -

Avast 4.8.1351.0 2010.06.14 -

Avast5 5.0.332.0 2010.06.14 -

AVG 9.0.0.787 2010.06.15 -

BitDefender 7.2 2010.06.15 -

CAT-QuickHeal 10.00 2010.06.14 -

ClamAV 0.96.0.3-git 2010.06.15 -

Comodo 5104 2010.06.15 -

DrWeb 5.0.2.03300 2010.06.15 -

eSafe 7.0.17.0 2010.06.14 -

eTrust-Vet 36.1.7634 2010.06.15 -

F-Prot 4.6.0.103 2010.06.14 -

F-Secure 9.0.15370.0 2010.06.15 -

Fortinet 4.1.133.0 2010.06.14 -

GData 21 2010.06.15 -

Ikarus T3.1.1.84.0 2010.06.15 -

Jiangmin 13.0.900 2010.06.14 -

Kaspersky 7.0.0.125 2010.06.15 -

McAfee 5.400.0.1158 2010.06.15 -

McAfee-GW-Edition 2010.1 2010.06.14 -

Microsoft 1.5802 2010.06.14 -

NOD32 5196 2010.06.14 -

Norman 6.04.12 2010.06.14 -

nProtect 2010-06-14.02 2010.06.14 -

Panda 10.0.2.7 2010.06.14 -

PCTools 7.0.3.5 2010.06.15 -

Prevx 3.0 2010.06.15 -

Rising 22.51.06.01 2010.06.13 -

Sophos 4.54.0 2010.06.15 -

Sunbelt 6448 2010.06.15 -

Symantec 20101.1.0.89 2010.06.14 -

TheHacker 6.5.2.0.298 2010.06.14 -

TrendMicro 9.120.0.1004 2010.06.14 -

TrendMicro-HouseCall 9.120.0.1004 2010.06.15 -

VBA32 3.12.12.5 2010.06.14 -

ViRobot 2010.6.14.3884 2010.06.14 -

VirusBuster 5.0.27.0 2010.06.14 -

Additional information

File size: 569344 bytes

MD5...: f34f695c977f5ba41272456deff349d4

SHA1..: 3fd64bb06a6f13a22cf6776f762eccb6ce785221

SHA256: 335cd98072123d7124f1ed6337e50e51ea8b5e491622eb5c789cbe9fb1634020

ssdeep: 12288:vihpnIpv6ZcDziLv+o8S1S+mQFEBnI7MZZ:6nIpv8cDziLv+eM+mQOBn2MZZ

PEiD..: -

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x61c5f

timedatestamp.....: 0x3e1ca985 (Wed Jan 08 22:43:17 2003)

machinetype.......: 0x14c (I386)

( 7 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x2000 0x68d1a 0x69000 6.41 dfca4f39296ef6dceb0aa49b6a8431a7

CODE32 0x6b000 0x1171 0x2000 3.96 7a13746cda02046fa71bc2f0140e18c2

.rdata 0x6d000 0xd34 0x1000 4.92 c44e1ded61b66ed7f4806a149e50e89b

.data 0x6e000 0x6da28 0xd000 4.04 8a2ef42dc180a28e73ae6bcfdabc52fe

.data1 0xdc000 0xd840 0xe000 4.89 f28b5c32a044c514c7708576924709f2

DATA32 0xea000 0x348 0x1000 1.36 c8e706b03efe7f9ea0ed375765a1a35c

_DATA 0xeb000 0xc20 0x1000 6.12 00d8e3d7d3fbec3b1a41386af8a7f78a

( 1 imports )

> KERNEL32.dll: CloseHandle, FindClose, SetConsoleCursorPosition, GetConsoleScreenBufferInfo, GetFileType, GetStdHandle, GetModuleHandleA, GetSystemInfo, GetCurrentProcess, GetProcAddress, HeapAlloc, HeapFree, ExitProcess, TerminateProcess, GetSystemTimeAsFileTime, GetTimeZoneInformation, GetSystemTime, GetLocalTime, GetCommandLineA, GetVersion, GetModuleFileNameA, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, WideCharToMultiByte, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetLastError, FindFirstFileA, SetFilePointer, WriteFile, SetHandleCount, GetStartupInfoA, FlushFileBuffers, ReadFile, RaiseException, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, RtlUnwind, GetStringTypeA, GetStringTypeW, SetStdHandle, LoadLibraryA, CreateFileA, GetCPInfo, CompareStringA, CompareStringW, GetACP, GetOEMCP, SetEnvironmentVariableA, SetEndOfFile, FileTimeToSystemTime, FileTimeToLocalFileTime, GetDriveTypeA, GetFullPathNameA, GetCurrentDirectoryA

( 0 exports )

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: Win32 Executable Generic (42.3%)

Win32 Dynamic Link Library (generic) (37.6%)

Generic Win/DOS Executable (9.9%)

DOS Executable Generic (9.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

I get the following error message every time I try to upload that last file:

0 bytes size received / Se ha recibido un archivo vacio

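All five reports above come back 0/40 or 0/41, yet oggdec.exe and oggenc.exe are UPX-packed, none of the files is signed, and none is in the NSRL set, so the detection count says less than the PE layout does. The following is an added example for this thread, not VirusTotal's or any poster's code, that parses the section table and import lines in the text form shown in those reports and lists packing indicators: default UPX section names, a section with zero raw size but a large virtual size (the unpack target), a section with entropy near the 8.0 maximum, and an import table cut down to LoadLibraryA/GetProcAddress plus a few others. The two sample blocks are copied from the oggdec.exe and lame.exe reports above; the entropy threshold and the import-count cut-off are the example's own choices.

```python
"""Packing indicators from the text form of a VirusTotal 'PEInfo' block.

Added example for this thread; not VirusTotal code. Sample blocks are
copied from the oggdec.exe and lame.exe reports above; the entropy
threshold and the import-count cut-off are this example's own choices.
"""
import re
from typing import Dict, List, Tuple

SECTION_RE = re.compile(
    r"^(?P<name>\S+)\s+0x(?P<viradd>[0-9a-f]+)\s+0x(?P<virsiz>[0-9a-f]+)"
    r"\s+0x(?P<rawdsiz>[0-9a-f]+)\s+(?P<ntrpy>\d+\.\d+)\s+(?P<md5>[0-9a-f]{32})$"
)
IMPORT_RE = re.compile(r"^> (?P<dll>[^:]+): (?P<funcs>.+)$")

# With these two a stub can resolve every other API at run time, so a
# tiny import table that still has both is the shape of a packer loader.
STUB_IMPORTS = {"loadlibrarya", "getprocaddress"}
HIGH_ENTROPY = 7.5      # assumed threshold; 8.0 is the maximum for byte data
STUB_MAX_IMPORTS = 6    # assumed cut-off


def parse_peinfo(text: str) -> Tuple[List[dict], Dict[str, List[str]]]:
    sections, imports = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            sec = m.groupdict()
            for k in ("viradd", "virsiz", "rawdsiz"):
                sec[k] = int(sec[k], 16)
            sec["ntrpy"] = float(sec["ntrpy"])
            sections.append(sec)
            continue
        m = IMPORT_RE.match(line)
        if m:
            imports[m["dll"].lower()] = [f.strip().lower() for f in m["funcs"].split(",")]
    return sections, imports


def packing_indicators(text: str) -> List[str]:
    sections, imports = parse_peinfo(text)
    hits = []
    for s in sections:
        name = s["name"]
        if name.upper().startswith("UPX"):
            hits.append(f"{name}: default UPX section name")
        # A .bss section legitimately has no bytes on disk; anything else
        # that is empty on disk but large in memory is room for unpacked code.
        if s["rawdsiz"] == 0 and s["virsiz"] > 0 and name.lower() != ".bss":
            hits.append(f"{name}: 0 bytes on disk, 0x{s['virsiz']:x} bytes in memory (unpack target)")
        if s["ntrpy"] >= HIGH_ENTROPY:
            hits.append(f"{name}: entropy {s['ntrpy']} (compressed or encrypted data)")
    funcs = {f for fl in imports.values() for f in fl}
    if STUB_IMPORTS <= funcs and len(funcs) <= STUB_MAX_IMPORTS:
        hits.append(f"{len(funcs)} imports incl. LoadLibraryA/GetProcAddress: "
                    "loader stub, real import table built at run time")
    return hits


# Constructed input: section rows and import lines copied from the reports above.
OGGDEC = """
UPX0 0x1000 0x10000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x11000 0x12000 0x11c00 7.90 cde7a20fda702186fd7b22b73d4e6148
UPX2 0x23000 0x1000 0x200 1.47 c17a8c244852a9f83f86dde3106bbb4a
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
> MSVCRT.dll: exp
"""
LAME = """
.text 0x2000 0x68d1a 0x69000 6.41 dfca4f39296ef6dceb0aa49b6a8431a7
.rdata 0x6d000 0xd34 0x1000 4.92 c44e1ded61b66ed7f4806a149e50e89b
.data 0x6e000 0x6da28 0xd000 4.04 8a2ef42dc180a28e73ae6bcfdabc52fe
> KERNEL32.dll: CloseHandle, FindClose, GetProcAddress, LoadLibraryA, CreateFileA, ReadFile, WriteFile, ExitProcess, HeapAlloc, VirtualAlloc
"""

if __name__ == "__main__":
    for label, block in (("oggdec.exe", OGGDEC), ("lame.exe", LAME)):
        print(label, packing_indicators(block) or ["no packing indicators"])
```

These are indicators, not verdicts: UPX is used on plenty of legitimate builds, and a file named like a well-known audio tool is neither proven genuine by that name nor proven hostile by being packed. What settles it is comparing the SHA-256 in the report with a known-good build of the tool, or unpacking and inspecting the real import table; the staff reply that follows takes the other route and simply asks the user whether the files are recognised.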

  • Staff

Hi,

Are you familiar with any of these files:

c:\winnt\system32\drivers\IR500.sys

c:\program files\sox.exe

c:\program files\oggdec.exe

c:\program files\oggenc.exe

c:\program files\lame.exe

c:\documents and settings\Owner\Local Settings\Application Data\WisePlay\wiseplie.dll

c:\program files\EasyMp3setup.exe

c:\program files\QAUDIO.EXE

c:\program files\QuickAudio.chm

c:\program files\soundstretch.exe

c:\program files\ROBOEX32.DLL

c:\program files\INETWH32.DLL

c:\program files\BIDS45F.DLL

c:\program files\CW3215.DLL

c:\program files\BWCC32.DLL


  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://forums.malwarebytes.org/index.php?showtopic=43234
Collect::
c:\program files\sox.exe
c:\program files\oggdec.exe
c:\program files\oggenc.exe
c:\program files\lame.exe
c:\documents and settings\Owner\Local Settings\Application Data\WisePlay\wiseplie.dll
c:\program files\EasyMp3setup.exe
c:\program files\QAUDIO.EXE
c:\program files\QuickAudio.chm
c:\program files\soundstretch.exe
c:\program files\ROBOEX32.DLL
c:\program files\INETWH32.DLL
c:\program files\BIDS45F.DLL
c:\program files\CW3215.DLL
c:\program files\BWCC32.DLL
Folder::
c:\documents and settings\Owner\Local Settings\Application Data\WisePlay
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35627A0E-5D1E-45cd-AE24-C1D59CCCC18F}]
Filelook::
c:\winnt\system32\drivers\IR500.sys

Save this as CFScript.txt

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.


Hi Chris. Thanks for all of your help on this. I use the PC as my work computer, and I've got a lot of sensitive files on it. Are they compromised in any way?

ComboFix 10-06-15.03 - Owner 06/16/2010 8:18.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.239 [GMT -7:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

* Created a new restore point

file zipped: c:\program files\BIDS45F.DLL

file zipped: c:\program files\BWCC32.DLL

file zipped: c:\program files\CW3215.DLL

file zipped: c:\program files\EasyMp3setup.exe

file zipped: c:\program files\INETWH32.DLL

file zipped: c:\program files\lame.exe

file zipped: c:\program files\oggdec.exe

file zipped: c:\program files\oggenc.exe

file zipped: c:\program files\QAUDIO.EXE

file zipped: c:\program files\QuickAudio.chm

file zipped: c:\program files\ROBOEX32.DLL

file zipped: c:\program files\soundstretch.exe

file zipped: c:\program files\sox.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Owner\Local Settings\Application Data\WisePlay

c:\documents and settings\Owner\Local Settings\Application Data\WisePlay\settings.xml

c:\documents and settings\Owner\Local Settings\Application Data\WisePlay\Uninstall.exe

c:\program files\$NtUninstallWTF1012$

c:\program files\$NtUninstallWTF1012$\elUninstall.exe

c:\program files\BIDS45F.DLL

c:\program files\BWCC32.DLL

c:\program files\CW3215.DLL

c:\program files\EasyMp3setup.exe

c:\program files\INETWH32.DLL

c:\program files\lame.exe

c:\program files\oggdec.exe

c:\program files\oggenc.exe

c:\program files\QAUDIO.EXE

c:\program files\QuickAudio.chm

c:\program files\ROBOEX32.DLL

c:\program files\soundstretch.exe

c:\program files\sox.exe

c:\winnt\$NtUninstallMTF1011$

c:\winnt\$NtUninstallMTF1011$\apUninstall.exe

.

((((((((((((((((((((((((( Files Created from 2010-05-16 to 2010-06-16 )))))))))))))))))))))))))))))))

.

2010-06-13 00:09 . 2010-06-13 00:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Facebook

2010-06-11 05:36 . 2010-06-11 05:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira

2010-06-10 02:29 . 2010-03-01 17:05 124784 ----a-w- c:\winnt\system32\drivers\avipbb.sys

2010-06-10 02:29 . 2010-02-16 21:24 60936 ----a-w- c:\winnt\system32\drivers\avgntflt.sys

2010-06-10 02:29 . 2009-05-11 19:49 45416 ----a-w- c:\winnt\system32\drivers\avgntdd.sys

2010-06-10 02:29 . 2009-05-11 19:49 22360 ----a-w- c:\winnt\system32\drivers\avgntmgr.sys

2010-06-10 02:29 . 2010-06-10 02:29 -------- d-----w- c:\program files\Avira

2010-06-10 02:29 . 2010-06-10 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-06-10 01:07 . 2010-06-09 17:14 15880 ----a-w- c:\winnt\system32\lsdelete.exe

2010-06-09 17:15 . 2010-06-09 17:14 64288 ----a-w- c:\winnt\system32\drivers\Lbd.sys

2010-06-09 17:14 . 2010-06-09 17:14 95024 ----a-w- c:\winnt\system32\drivers\SBREDrv.sys

2010-06-09 17:03 . 2010-06-09 17:03 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-06-08 17:12 . 2010-06-08 17:12 -------- d-----w- C:\spoolerlogs

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-16 11:56 . 2010-03-01 03:06 0 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\prvlcl.dat

2010-06-16 08:32 . 2010-04-05 12:58 439816 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\setup.exe

2010-06-13 00:09 . 2010-06-13 00:09 50354 ----a-w- c:\documents and settings\Owner\Application Data\Facebook\uninstall.exe

2010-06-10 12:06 . 2010-06-10 12:06 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3948c5e3-n\msvcp71.dll

2010-06-10 12:06 . 2010-06-10 12:06 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3948c5e3-n\jmc.dll

2010-06-10 12:06 . 2010-06-10 12:06 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3948c5e3-n\msvcr71.dll

2010-06-09 17:04 . 2003-08-23 01:43 -------- d-----w- c:\program files\Lavasoft

2010-06-09 10:45 . 2010-06-09 10:45 5591040 ----a-w- c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_3.dll

2010-06-09 04:50 . 2009-02-12 04:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-08 17:04 . 2010-02-21 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-06-08 16:57 . 2010-06-08 16:57 32768 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6hbsau6a.default\extensions\{D9879E90-DDA0-4f59-AC80-626D3DB93C63}\components\WisePlayFF.dll

2010-06-05 08:18 . 2009-05-13 05:34 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-02 15:29 . 2010-06-02 15:29 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys

2010-06-02 15:29 . 2010-06-02 15:29 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-06-02 15:28 . 2009-03-31 14:53 242896 ----a-w- c:\winnt\system32\drivers\avgtdix.sys

2010-06-02 15:28 . 2007-02-20 04:39 29584 ----a-w- c:\winnt\system32\drivers\avgmfx86.sys

2010-06-02 03:45 . 2002-11-10 07:08 -------- d-----w- c:\program files\Microsoft Games

2010-05-30 04:40 . 2007-12-12 02:25 -------- d--h--w- c:\documents and settings\Owner\Application Data\BitTorrent

2010-05-24 00:09 . 2010-03-12 04:48 -------- d-----w- c:\program files\Farm Frenzy 3

2010-05-21 21:14 . 2009-10-03 01:08 221568 ------w- c:\winnt\system32\MpSigStub.exe

2008-05-25 02:40 . 2007-10-31 04:55 184 ----a-w- c:\program files\QAUDIO.INI

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

--- c:\winnt\system32\drivers\IR500.sys ---

Company: First International Digital, Inc.

File Description: irock! 500 Series Driver

File Version: 1.01.00.1

Product Name: irock! 500 Series

Copyright: Copyright © 2002, First International Digital, Inc.

Original Filename: ir500.sys

File size: 16768

Created time: 2002-02-23 23:31

Modified time: 2002-02-23 23:31

MD5: E9A9BB599522CA2A4D595CC585622DA1

SHA1: 397964BFFA0E05F10F13FAE4861FE3D37D8A81EB

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-05-26 2346192]

"wben"="c:\program files\Starfield\Desktop Notifier\wben.exe" [2009-06-25 338456]

"RCUI"="c:\program files\RingCentral\RingCentral Call Controller\RCUI.exe" [2009-05-04 479232]

"RCHotKey"="c:\program files\RingCentral\RingCentral Call Controller\RCHotKey.exe" [2009-05-04 32768]

"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-03 136176]

"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [bU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Shockwave Updater"="c:\winnt\system32\Adobe\Shockwave 11\SwHelper_1150595.exe" [2009-03-19 460216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2008-05-16 13529088]

"nwiz"="nwiz.exe" [2008-05-16 1630208]

"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 19968]

"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 66048]

"GWMDMMSG"="GWMDMMSG.exe" [2001-11-27 101615]

"AudioHQ"="c:\program files\Creative\SBLive\AudioHQ\AHQTB.EXE" [2001-08-18 180224]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-04 185896]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

"NvMediaCenter"="c:\winnt\system32\NvMcTray.dll" [2008-05-16 86016]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-11-06 741376]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"SpecifyDefaultButtons"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-14 15:53 12464 ----a-w- c:\winnt\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=

"c:\\WINNT\\system32\\mmc.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=

"c:\\Program Files\\Microsoft Games\\Rise Of Legends\\legends.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=

"c:\\WINNT\\system32\\dpvsetup.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\europa universalis iii - demo\\eu3demo.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Eidos Interactive\\Pyro Studios\\Praetorians\\Praetorians.exe"=

"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=

"c:\\Program Files\\RingCentral\\RingCentral Call Controller\\RCUI.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\torchlight\\Torchlight.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=

"c:\\WINNT\\system32\\spoolsv.exe"=

R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [6/9/2010 10:15 AM 64288]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [3/31/2009 7:53 AM 216200]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [3/31/2009 7:53 AM 242896]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/9/2010 7:29 PM 135336]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/14/2010 8:53 AM 308064]

R2 npf;NetGroup Packet Filter Driver;c:\winnt\system32\drivers\npf.sys [3/15/2009 1:13 PM 34064]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/5/2009 4:17 PM 24652]

S0 ntcdrdrv;ntcdrdrv;c:\winnt\system32\DRIVERS\ntcdrdrv.sys --> c:\winnt\system32\DRIVERS\ntcdrdrv.sys [?]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1352320]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]

S3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [3/13/2010 2:25 PM 401920]

S3 bDMusicb;bDMusicb;\??\c:\docume~1\Owner\LOCALS~1\Temp\bDMusicb.sys --> c:\docume~1\Owner\LOCALS~1\Temp\bDMusicb.sys [?]

S3 FWL;FWL Packet Filter;\??\c:\program files\Software602\602LAN SUITE\fwl.sys --> c:\program files\Software602\602LAN SUITE\fwl.sys [?]

S3 IR500;IR500;c:\winnt\system32\drivers\IR500.sys [2/23/2002 4:31 PM 16768]

S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]

S3 PortlUSB;PortlUSB;c:\winnt\system32\drivers\SiriusUSB.sys [2/20/2007 12:27 AM 7552]

S3 PortRst;PortRst;c:\winnt\system32\drivers\PortRst.sys [1/29/2002 6:33 PM 18560]

S4 sptd;sptd;c:\winnt\system32\drivers\sptd.sys [8/29/2007 11:19 PM 685816]

.

Contents of the 'Scheduled Tasks' folder

2010-06-15 c:\winnt\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 17:14]

2010-06-12 c:\winnt\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-06-16 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-1723214923-1685927933-429115175-1003Core.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-03 00:54]

2010-06-16 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-1723214923-1685927933-429115175-1003UA.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-03 00:54]

2010-06-11 c:\winnt\Tasks\User_Feed_Synchronization-{1B8A7C64-BB3E-48FF-B6EC-DAC27A4FFA43}.job

- c:\winnt\system32\msfeedssync.exe [2006-10-17 18:58]

.

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://my.yahoo.com/

mLocal Page = c:\windows\system32\blank.htm

mWindow Title = Microsoft Internet Explorer

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = hxxp://www.gateway.net/

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: &Viewpoint Search - c:\program files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab

DPF: {6781FF2E-7452-11D4-84D4-0040F60CE591} - hxxp://www.etniesskateparkoflakeforest.com/rvctl.cab

DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} - hxxp://64.75.174.5/push.cab

DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://ak.g.gametap.com/static/cab_headless/GameTapWebUpdater.cab

DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} - hxxp://www.drivershq.com/members/DD_v4_Member.CAB

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6hbsau6a.default\

FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 1066

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6hbsau6a.default\extensions\{D9879E90-DDA0-4f59-AC80-626D3DB93C63}\components\WisePlayFF.dll

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000011.dll

FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\RobloxVersions\version-b5dc796702a14251\nproblox.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\np32dsw.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npdeploytk.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npnul32.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\NPOFFICE.DLL

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\nppdf32.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\nppl3260.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin2.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin3.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin4.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin5.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin6.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin7.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\nprjplug.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\nprpjplug.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\NPSFDMGR.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\NPUploader.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npyaxmpb.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winnt\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

- - - - ORPHANS REMOVED - - - -

AddRemove-$NtUninstallMTF1011$ - c:\winnt\$NtUninstallMTF1011$\apUninstall.exe

AddRemove-$NtUninstallWTF1012$ - c:\program files\$NtUninstallWTF1012$\elUninstall.exe

AddRemove-WisePlay - c:\documents and settings\Owner\Local Settings\Application Data\WisePlay\Uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-16 08:29

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1723214923-1685927933-429115175-1003\Software\SecuROM\License information*]

"datasecu"=hex:51,b5,69,e7,68,f7,6c,1c,1b,c2,02,bd,4d,8f,b7,4d,7b,8b,26,ae,b4,

44,6a,1d,2f,80,e6,6e,6b,e4,ba,26,bf,d4,cf,c8,e5,f4,fa,77,20,67,70,2d,59,02,\

"rkeysecu"=hex:15,5d,12,b9,22,c0,86,bd,30,80,c3,d0,d8,26,3b,6c

.

Completion time: 2010-06-16 08:39:32

ComboFix-quarantined-files.txt 2010-06-16 15:39

ComboFix2.txt 2010-06-15 02:39

ComboFix3.txt 2010-06-10 21:48

Pre-Run: 14,638,469,120 bytes free

Post-Run: 14,600,626,176 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - B867481524DF79EBAFFB9D0E56D8D7F0


  • Staff

Hi,

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Scanning Report

Thursday, June 17, 2010 07:48:36 - 11:04:40

Computer name: DESKTOP

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\ F:\

8 malware found

Gen:Adware.Heur.gu8@N0btXuai (spyware)

* System (Disinfected)

Trojan.Generic.1559021 (spyware)

* System (Disinfected)

Trojan.Downloader.AGO (spyware)

* System (Disinfected)

Trojan.Downloader.AGO (virus)

* C:\WINNT\DOWNLOADED PROGRAM FILES\TURBO.INF (Not cleaned)

Trojan:INI/Vundo.gen!F (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1454\A0453842.INI (Renamed & Submitted)

Trojan:INI/Vundo.gen!F (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1454\A0453851.INI (Renamed & Submitted)

Trojan.Generic.1559021 (virus)

* C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\SMITFRAUDFIX.EXE (Not cleaned)

Trojan.Generic.3997346 (virus)

* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AOL DOWNLOADS\TRITON_SUITE_INSTALL\6.1.41.2\MIGRATOR.EXE (Renamed & Submitted)

Statistics

Scanned:

* Files: 85533

* System: 5273

* Not scanned: 11

Actions:

* Disinfected: 3

* Renamed: 3

* Deleted: 0

* Not cleaned: 2

* Submitted: 3

Files not scanned:

* C:\PAGEFILE.SYS

* C:\WINNT\SYSTEM32\CONFIG\DEFAULT

* C:\WINNT\SYSTEM32\CONFIG\SOFTWARE

* C:\WINNT\SYSTEM32\CONFIG\SAM

* C:\WINNT\SYSTEM32\CONFIG\SECURITY

* C:\WINNT\SYSTEM32\CONFIG\SYSTEM

* C:\WINNT\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB

* C:\WINNT\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1458\A0454283.OCX

* C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\ETILQS_3PGIDW7YYZHDBUM5BKJB

* C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\ETILQS_V3GWJGGV9ND8UBFY9ZIC

Options

Scanning engines:

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

* Use advanced heuristics


Things seem to be running smoothly. I don't know that any issues remain. I'll run Avira and Malwarebytes to see if they detect anything. How concerned should I be about the viruses and malware I had? Should I change all my passwords? I have sensitive client files on my HDD (txt and pdf files); is it possible the contents of those were read? If so, I need to notify my clients.

Results of screen317's Security Check version 0.99.4

Windows XP Service Pack 3

Internet Explorer 7 Out of date!

``````````````````````````````

Antivirus/Firewall Check:

Avira AntiVir Personal - Free Antivirus

Avira successfully updated!

```````````````````````````````

Anti-malware/Other Utilities Check:

Ad-Aware

Malwarebytes' Anti-Malware

````````````````````````````````

Process Check:

objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!

Ad-Aware AAWTray.exe is disabled!

AVG avgwdsvc.exe

AVG avgrsx.exe

AVG avgnsx.exe

AVG avgemc.exe

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

````````````````````````````````

DNS Vulnerability Check:

nslookup.exe missing!

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


Avira found 18 viruses, and Malwarebytes found a couple of items as well.

Avira AntiVir Personal

Report file date: Thursday, June 17, 2010 11:39

Scanning for 2223370 virus strains and unwanted programs.

The program is running as an unrestricted full version.

Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : DESKTOP

Version information:

BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00

AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 20:37:38

AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 20:57:04

LUKE.DLL : 10.0.2.3 104296 Bytes 3/8/2010 02:33:04

LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 07:40:49

VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 17:05:36

VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 03:27:49

VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 01:37:42

VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 00:37:42

VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 19:29:03

VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 02:33:28

VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 02:33:36

VBASE007.VDF : 7.10.7.219 2048 Bytes 6/2/2010 02:33:36

VBASE008.VDF : 7.10.7.220 2048 Bytes 6/2/2010 02:33:36

VBASE009.VDF : 7.10.7.221 2048 Bytes 6/2/2010 02:33:36

VBASE010.VDF : 7.10.7.222 2048 Bytes 6/2/2010 02:33:36

VBASE011.VDF : 7.10.7.223 2048 Bytes 6/2/2010 02:33:37

VBASE012.VDF : 7.10.7.224 2048 Bytes 6/2/2010 02:33:37

VBASE013.VDF : 7.10.8.37 270336 Bytes 6/10/2010 21:31:35

VBASE014.VDF : 7.10.8.69 138752 Bytes 6/14/2010 21:31:12

VBASE015.VDF : 7.10.8.102 130560 Bytes 6/16/2010 18:35:10

VBASE016.VDF : 7.10.8.103 2048 Bytes 6/16/2010 18:35:10

VBASE017.VDF : 7.10.8.104 2048 Bytes 6/16/2010 18:35:10

VBASE018.VDF : 7.10.8.105 2048 Bytes 6/16/2010 18:35:10

VBASE019.VDF : 7.10.8.106 2048 Bytes 6/16/2010 18:35:10

VBASE020.VDF : 7.10.8.107 2048 Bytes 6/16/2010 18:35:11

VBASE021.VDF : 7.10.8.108 2048 Bytes 6/16/2010 18:35:11

VBASE022.VDF : 7.10.8.109 2048 Bytes 6/16/2010 18:35:11

VBASE023.VDF : 7.10.8.110 2048 Bytes 6/16/2010 18:35:11

VBASE024.VDF : 7.10.8.111 2048 Bytes 6/16/2010 18:35:11

VBASE025.VDF : 7.10.8.112 2048 Bytes 6/16/2010 18:35:12

VBASE026.VDF : 7.10.8.113 2048 Bytes 6/16/2010 18:35:12

VBASE027.VDF : 7.10.8.114 2048 Bytes 6/16/2010 18:35:12

VBASE028.VDF : 7.10.8.115 2048 Bytes 6/16/2010 18:35:12

VBASE029.VDF : 7.10.8.116 2048 Bytes 6/16/2010 18:35:12

VBASE030.VDF : 7.10.8.117 2048 Bytes 6/16/2010 18:35:13

VBASE031.VDF : 7.10.8.122 43008 Bytes 6/17/2010 18:35:13

Engineversion : 8.2.2.6

AEVDF.DLL : 8.1.2.0 106868 Bytes 6/10/2010 02:33:54

AESCRIPT.DLL : 8.1.3.31 1352058 Bytes 6/10/2010 02:33:53

AESCN.DLL : 8.1.6.1 127347 Bytes 6/10/2010 02:33:51

AESBX.DLL : 8.1.3.1 254324 Bytes 6/10/2010 02:33:54

AERDL.DLL : 8.1.4.6 541043 Bytes 6/10/2010 02:33:51

AEPACK.DLL : 8.2.1.1 426358 Bytes 3/19/2010 20:34:51

AEOFFICE.DLL : 8.1.1.0 201081 Bytes 6/10/2010 02:33:50

AEHEUR.DLL : 8.1.1.33 2724214 Bytes 6/10/2010 02:33:49

AEHELP.DLL : 8.1.11.5 242038 Bytes 6/10/2010 02:33:45

AEGEN.DLL : 8.1.3.10 377205 Bytes 6/10/2010 02:33:45

AEEMU.DLL : 8.1.2.0 393588 Bytes 6/10/2010 02:33:44

AECORE.DLL : 8.1.15.3 192886 Bytes 6/10/2010 02:33:43

AEBB.DLL : 8.1.1.0 53618 Bytes 6/10/2010 02:33:43

AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 20:03:38

AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 20:03:35

AVREP.DLL : 10.0.0.8 62209 Bytes 2/19/2010 00:47:40

AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 20:35:46

AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 20:39:51

AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 20:22:13

AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 17:53:30

SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 20:57:58

AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 23:38:56

NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 22:41:00

RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 21:10:20

RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 22:14:29

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, F:,

Process scan........................: on

Extended process scan...............: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Deviating risk categories...........: +APPL,

Start of the scan: Thursday, June 17, 2010 11:39

Starting search for hidden objects.

HKEY_USERS\S-1-5-20\Software\Microsoft\MediaPlayer\Preferences\backgroundscancompletedate

[NOTE] The registry entry is invisible.

HKEY_USERS\S-1-5-21-1723214923-1685927933-429115175-1003\Software\SecuROM\License information\datasecu

[NOTE] The registry entry is invisible.

HKEY_USERS\S-1-5-21-1723214923-1685927933-429115175-1003\Software\SecuROM\License information\rkeysecu

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\RNG\seed

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NtmsSvc\Config\Standalone\drivelist

[NOTE] The registry entry is invisible.

The scan of running processes will be started

Scan process 'msdtc.exe' - '42' Module(s) have been scanned

Scan process 'dllhost.exe' - '61' Module(s) have been scanned

Scan process 'dllhost.exe' - '47' Module(s) have been scanned

Scan process 'vssvc.exe' - '50' Module(s) have been scanned

Scan process 'avscan.exe' - '69' Module(s) have been scanned

Scan process 'chrome.exe' - '104' Module(s) have been scanned

Scan process 'chrome.exe' - '42' Module(s) have been scanned

Scan process 'chrome.exe' - '42' Module(s) have been scanned

Scan process 'chrome.exe' - '66' Module(s) have been scanned

Scan process 'aim6.exe' - '128' Module(s) have been scanned

Scan process 'chrome.exe' - '42' Module(s) have been scanned

Scan process 'chrome.exe' - '42' Module(s) have been scanned

Scan process 'chrome.exe' - '42' Module(s) have been scanned

Scan process 'chrome.exe' - '42' Module(s) have been scanned

Scan process 'chrome.exe' - '69' Module(s) have been scanned

Scan process 'realsched.exe' - '28' Module(s) have been scanned

Scan process 'firefox.exe' - '188' Module(s) have been scanned

Scan process 'aolsoftware.exe' - '69' Module(s) have been scanned

Scan process 'explorer.exe' - '121' Module(s) have been scanned

Scan process 'WMPNetwk.exe' - '102' Module(s) have been scanned

Scan process 'iPodService.exe' - '30' Module(s) have been scanned

Scan process 'ctfmon.exe' - '28' Module(s) have been scanned

Scan process 'RCHotKey.exe' - '19' Module(s) have been scanned

Scan process 'wben.exe' - '64' Module(s) have been scanned

Scan process 'avgnt.exe' - '53' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '69' Module(s) have been scanned

Scan process 'pptd40nt.exe' - '27' Module(s) have been scanned

Scan process 'jusched.exe' - '21' Module(s) have been scanned

Scan process 'GWMDMMSG.exe' - '22' Module(s) have been scanned

Scan process 'Logi_MwX.Exe' - '19' Module(s) have been scanned

Scan process 'wmiprvse.exe' - '44' Module(s) have been scanned

Scan process 'unsecapp.exe' - '38' Module(s) have been scanned

Scan process 'alg.exe' - '33' Module(s) have been scanned

Scan process 'YahooAUService.exe' - '41' Module(s) have been scanned

Scan process 'avgnsx.exe' - '26' Module(s) have been scanned

Scan process 'MsPMSPSv.exe' - '14' Module(s) have been scanned

Scan process 'ViewpointService.exe' - '19' Module(s) have been scanned

Scan process 'svchost.exe' - '41' Module(s) have been scanned

Scan process 'nvsvc32.exe' - '42' Module(s) have been scanned

Scan process 'jqs.exe' - '33' Module(s) have been scanned

Scan process 'avshadow.exe' - '26' Module(s) have been scanned

Scan process 'svchost.exe' - '36' Module(s) have been scanned

Scan process 'avgwdsvc.exe' - '45' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '29' Module(s) have been scanned

Scan process 'avguard.exe' - '53' Module(s) have been scanned

Scan process 'svchost.exe' - '35' Module(s) have been scanned

Scan process 'sched.exe' - '48' Module(s) have been scanned

Scan process 'spoolsv.exe' - '59' Module(s) have been scanned

Scan process 'devldr32.exe' - '43' Module(s) have been scanned

Scan process 'avgcsrvx.exe' - '12' Module(s) have been scanned

Scan process 'svchost.exe' - '51' Module(s) have been scanned

Scan process 'svchost.exe' - '34' Module(s) have been scanned

Scan process 'avgrsx.exe' - '11' Module(s) have been scanned

Scan process 'avgchsvx.exe' - '16' Module(s) have been scanned

Scan process 'svchost.exe' - '32' Module(s) have been scanned

Scan process 'svchost.exe' - '162' Module(s) have been scanned

Scan process 'svchost.exe' - '41' Module(s) have been scanned

Scan process 'svchost.exe' - '57' Module(s) have been scanned

Scan process 'lsass.exe' - '60' Module(s) have been scanned

Scan process 'services.exe' - '27' Module(s) have been scanned

Scan process 'winlogon.exe' - '70' Module(s) have been scanned

Scan process 'csrss.exe' - '14' Module(s) have been scanned

Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'F:\'

[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '0' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Local Settings\Application Data\syssvc.exe.vir

[DETECTION] Is the TR/Killav.KS Trojan

C:\Qoobox\Quarantine\C\Program Files\BIDS45F.DLL.vir

[DETECTION] Contains recognition pattern of the RKIT/Agent.pri root kit

C:\Qoobox\Quarantine\C\Program Files\EasyMp3setup.exe.vir

[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm

C:\Qoobox\Quarantine\C\Program Files\INETWH32.DLL.vir

[DETECTION] Contains recognition pattern of the RKIT/Agent.pri root kit

C:\Qoobox\Quarantine\C\Program Files\lame.exe.vir

[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm

C:\Qoobox\Quarantine\C\Program Files\QAUDIO.EXE.vir

[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm

C:\Qoobox\Quarantine\C\Program Files\QuickAudio.chm.vir

[DETECTION] Contains recognition pattern of the RKIT/Agent.pri root kit

C:\Qoobox\Quarantine\C\Program Files\ROBOEX32.DLL.vir

[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm

C:\Qoobox\Quarantine\C\Program Files\sox.exe.vir

[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm

C:\Qoobox\Quarantine\C\WINNT\system32\Drivers\imapi.sys.vir

[DETECTION] Is the TR/Patched.Gen Trojan

C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1458\A0454072.ini

[DETECTION] Contains recognition pattern of the ADSPY/IPInsight.A adware or spyware

C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1459\A0454308.DLL

[DETECTION] Contains recognition pattern of the RKIT/Agent.pri root kit

C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1459\A0454311.exe

[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm

C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1459\A0454312.DLL

[DETECTION] Contains recognition pattern of the RKIT/Agent.pri root kit

C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1459\A0454313.exe

[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm

C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1459\A0454316.EXE

[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm

C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1459\A0454317.DLL

[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm

C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1459\A0454319.exe

[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm

Begin scan in 'F:\' <New Volume>

Beginning disinfection:

C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1459\A0454319.exe

[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm

[NOTE] The file was moved to the quarantine directory under the name '4ece0c9d.qua'.

C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1459\A0454317.DLL

[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm

[NOTE] The file was moved to the quarantine directory under the name '5659233b.qua'.

C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1459\A0454316.EXE

[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm

[NOTE] The file was moved to the quarantine directory under the name '040679d3.qua'.

C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1459\A0454313.exe

[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm

[NOTE] The file was moved to the quarantine directory under the name '62313616.qua'.

C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1459\A0454312.DLL

[DETECTION] Contains recognition pattern of the RKIT/Agent.pri root kit

[NOTE] The file was moved to the quarantine directory under the name '27b51b28.qua'.

C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1459\A0454311.exe

[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm

[NOTE] The file was moved to the quarantine directory under the name '58ae2949.qua'.

C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1459\A0454308.DLL

[DETECTION] Contains recognition pattern of the RKIT/Agent.pri root kit

[NOTE] The file was moved to the quarantine directory under the name '14160501.qua'.

C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1458\A0454072.ini

[DETECTION] Contains recognition pattern of the ADSPY/IPInsight.A adware or spyware

[NOTE] The file was moved to the quarantine directory under the name '680e4550.qua'.

C:\Qoobox\Quarantine\C\WINNT\system32\Drivers\imapi.sys.vir

[DETECTION] Is the TR/Patched.Gen Trojan

[NOTE] The file was moved to the quarantine directory under the name '45616a5e.qua'.

C:\Qoobox\Quarantine\C\Program Files\sox.exe.vir

[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm

[NOTE] The file was moved to the quarantine directory under the name '5ce051c7.qua'.

C:\Qoobox\Quarantine\C\Program Files\ROBOEX32.DLL.vir

[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm

[NOTE] The file was moved to the quarantine directory under the name '30727d97.qua'.

C:\Qoobox\Quarantine\C\Program Files\QuickAudio.chm.vir

[DETECTION] Contains recognition pattern of the RKIT/Agent.pri root kit

[NOTE] The file was moved to the quarantine directory under the name '41144478.qua'.

C:\Qoobox\Quarantine\C\Program Files\QAUDIO.EXE.vir

[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm

[NOTE] The file was moved to the quarantine directory under the name '4fe274c8.qua'.

C:\Qoobox\Quarantine\C\Program Files\lame.exe.vir

[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm

[NOTE] The file was moved to the quarantine directory under the name '0a230dea.qua'.

C:\Qoobox\Quarantine\C\Program Files\INETWH32.DLL.vir

[DETECTION] Contains recognition pattern of the RKIT/Agent.pri root kit

[NOTE] The file was moved to the quarantine directory under the name '03f0092c.qua'.

C:\Qoobox\Quarantine\C\Program Files\EasyMp3setup.exe.vir

[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm

[NOTE] The file was moved to the quarantine directory under the name '5b631029.qua'.

C:\Qoobox\Quarantine\C\Program Files\BIDS45F.DLL.vir

[DETECTION] Contains recognition pattern of the RKIT/Agent.pri root kit

[NOTE] The file was moved to the quarantine directory under the name '7744698d.qua'.

C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Local Settings\Application Data\syssvc.exe.vir

[DETECTION] Is the TR/Killav.KS Trojan

[NOTE] The file was moved to the quarantine directory under the name '49690927.qua'.

End of the scan: Thursday, June 17, 2010 15:55

Used time: 4:15:17 Hour(s)

The scan has been done completely.

23674 Scanned directories

659639 Files were scanned

18 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

18 Files were moved to quarantine

0 Files were renamed

0 Files cannot be scanned

659621 Files not concerned

4250 Archives were scanned

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4211

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

6/17/2010 4:29:05 PM

mbam-log-2010-06-17 (16-29-05).txt

Scan type: Quick scan

Objects scanned: 132961

Time elapsed: 28 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Staff

Hi,

No need to worry about your clients' information; the malware you had does not attempt to steal data.

Please go to VirusTotal, and upload the following file for analysis:

C:\WINNT\DOWNLOADED PROGRAM FILES\TURBO.INF

Post the results in your reply.

Next, navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterwards. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

Restart your computer.

Go to Microsoft Update, and download/install all available updates, including Internet Explorer 8.

After that, restart your computer and let me know what issues remain.

-screen317

