
Browser redirect, random browser opening, slow PC



Hi, Help.

I had a slow and bizarre system and knew something was up.

Ran malware and found a dozen or so items, from trojans to trackers.

Removed these but am still having some probs.

My PC had a Skype page open on it this morning; I did not go there or leave the browser open.

I think it redirected me this morning when surfing.

The PC runs awfully slow at points and takes up to 30 seconds to clear a program window, slowly erasing it from top to bottom.

I do not think the PC is clean yet.

Any help appreciated.

Thank you.

I also think Java is taking over my system; it was in my tray this morning, and it had never been there before that I noticed.


Please download ComboFix from this link, save it on your desktop, turn off your anti-virus software, and run the ComboFix download that you had saved on your desktop.

Combofix will ask you a few questions (such as whether or not you want to install the Windows Recovery Console), give you some general warnings about not using it without supervision, and it will give you some general information about the tool. Please note that the Windows Recovery Console is not required to run ComboFix, and that you do not need it if you have a Windows XP disk.

ComboFix usually takes about 10 minutes to run, unless your computer is heavily infected. It will run through about 50 different stages (listing them all on the blue window that popped up while it was running), and if it does not advance to the next stage after about 10 minutes then that is usually a sign that your anti-virus software is interfering with it.

Once ComboFix is done, it will remove anything that it knows is malicious, and restart your computer. If it didn't find anything malicious, then it will skip that step. The final step takes a few minutes, and when it is done it will open a log in Notepad. Please either copy and paste this log into a reply, or save it on your desktop as a Text Document and attach it to a reply. Please do not take screenshots of the log, or save it as a Word Document.


Thanks, it found a bit I think. I uninstalled some Java bit the other day.

Here's the log.

ComboFix 10-07-04.01 - Administrator 04/07/2010 22:55:04.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.510.189 [GMT 1:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users.\documents\settings

c:\documents and settings\All Users.\documents\settings\cbss.dll

c:\documents and settings\All Users\Application Data\QC44k87A.exe

c:\documents and settings\All Users\Documents\Settings\cbss.dll

c:\windows\system\WINSPOOL.DRV

c:\windows\system32\winlogon.bak

c:\windows\Tasks\At100.job

Infected copy of c:\windows\system32\drivers\disk.sys was found and disinfected

Restored copy from - Kitty had a snack :P

c:\windows\system32\msgsvc.dll . . . is infected!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

((((((((((((((((((((((((( Files Created from 2010-06-04 to 2010-07-04 )))))))))))))))))))))))))))))))

.

2010-07-01 23:28 . 2010-07-01 23:28 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE

2010-07-01 17:12 . 2010-07-01 17:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities

2010-07-01 14:21 . 2010-07-01 14:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG9

2010-07-01 11:01 . 2010-07-01 11:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-07-01 11:00 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-01 11:00 . 2010-07-01 11:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-01 11:00 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-01 11:00 . 2010-07-01 11:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-30 17:32 . 2010-07-02 03:30 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-06-30 17:32 . 2010-06-30 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-30 01:26 . 2010-06-30 01:26 -------- d-----w- c:\windows\Sun

2010-06-30 00:00 . 2010-06-30 00:00 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2010-06-29 09:49 . 2010-06-29 09:49 -------- d-----w- c:\program files\MSECache

2010-06-29 09:14 . 2010-06-29 09:14 -------- d-----w- c:\program files\Microsoft Synchronization Services

2010-06-29 09:12 . 2010-06-29 09:12 -------- d-----w- c:\documents and settings\All Users\Microsoft

2010-06-29 09:12 . 2010-06-29 09:12 -------- d-----w- c:\program files\Microsoft Sync Framework

2010-06-29 09:12 . 2010-06-29 09:12 -------- d-----w- c:\program files\Microsoft.NET

2010-06-29 09:12 . 2010-06-29 09:12 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

2010-06-29 09:07 . 2010-06-29 09:07 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2010-06-29 09:01 . 2010-06-29 09:01 -------- d-----w- c:\program files\Microsoft Analysis Services

2010-06-29 09:00 . 2010-06-29 09:17 -------- d-----w- c:\windows\SHELLNEW

2010-06-29 08:57 . 2010-06-29 08:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft Help

2010-06-29 08:56 . 2010-06-29 10:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-06-29 08:55 . 2010-06-29 08:55 -------- d-----r- C:\MSOCache

2010-06-29 08:52 . 2010-06-29 09:00 -------- d-----w- c:\windows\system32\NtmsData

2010-06-29 07:26 . 2010-06-29 07:26 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-06-29 05:09 . 2010-07-02 04:30 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-29 03:58 . 2010-06-29 04:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue

2010-06-29 03:58 . 2010-06-29 09:27 -------- d-----w- c:\program files\Uniblue

2010-06-28 20:08 . 2008-04-13 23:16 37888 -c--a-w- c:\windows\system32\dllcache\bthmodem.sys

2010-06-28 20:08 . 2008-04-13 23:16 37888 ----a-w- c:\windows\system32\drivers\bthmodem.sys

2010-06-26 20:27 . 2008-04-13 23:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2010-06-26 20:27 . 2008-04-13 23:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2010-06-26 20:16 . 2010-06-26 20:16 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ

2010-06-26 20:15 . 2007-04-16 04:00 69632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPP8Z.DLL

2010-06-26 20:15 . 2007-04-16 04:00 27136 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPD8Z.DLL

2010-06-26 20:15 . 2007-04-16 04:00 215040 ----a-w- c:\windows\system32\CNMLM8Z.DLL

2010-06-26 20:15 . 2010-06-26 20:15 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information

2010-06-26 20:15 . 2007-03-15 13:12 188416 ----a-w- c:\windows\system32\CNC310O.DLL

2010-06-26 20:15 . 2007-03-23 15:30 1400832 ----a-w- c:\windows\system32\CNC310C.DLL

2010-06-26 20:15 . 2007-03-23 15:29 98304 ----a-w- c:\windows\system32\CNC310I.DLL

2010-06-26 20:15 . 2007-03-19 09:39 200704 ----a-w- c:\windows\system32\CNC310L.DLL

2010-06-26 19:48 . 2008-04-13 23:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys

2010-06-26 19:48 . 2008-04-13 23:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

2010-06-25 17:04 . 2010-06-25 17:04 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4babafb7-n\msvcp71.dll

2010-06-25 17:04 . 2010-06-25 17:04 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4babafb7-n\jmc.dll

2010-06-25 17:04 . 2010-06-25 17:04 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5b4d23f2-n\decora-d3d.dll

2010-06-25 17:04 . 2010-06-25 17:04 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5b4d23f2-n\decora-sse.dll

2010-06-25 17:04 . 2010-06-25 17:04 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4babafb7-n\msvcr71.dll

2010-06-25 17:02 . 2010-06-25 17:00 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-25 00:04 . 2010-06-30 17:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lyaqy

2010-06-23 22:46 . 2010-06-25 16:59 -------- d-----w- c:\program files\Java

2010-06-23 22:45 . 2010-06-25 21:36 -------- d-----w- c:\program files\Common Files\Java

2010-06-23 21:58 . 2010-06-23 21:59 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2010-06-23 21:56 . 2010-06-23 21:57 -------- d-----w- c:\program files\Common Files\Adobe

2010-06-23 21:29 . 2010-06-23 21:29 -------- d-----w- c:\windows\system32\wbem\Repository

2010-06-23 14:31 . 2010-06-23 14:31 -------- d-----w- C:\$AVG

2010-06-23 14:28 . 2010-06-23 21:28 -------- d-----w- C:\Inetpub

2010-06-23 14:28 . 2010-06-23 14:28 -------- d-----w- c:\windows\system32\Logfiles

2010-06-23 04:08 . 2010-06-23 04:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss

2010-06-23 04:07 . 2010-07-01 14:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc

2010-06-23 04:04 . 2010-06-23 04:04 -------- d-----w- c:\program files\VideoLAN

2010-06-23 00:53 . 2010-06-30 10:01 -------- d-----w- C:\Torrentprivacy

2010-06-22 23:59 . 2010-06-29 03:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\BitTorrent

2010-06-22 23:59 . 2010-06-23 05:19 -------- d-----w- c:\program files\BitTorrent

2010-06-22 23:53 . 2010-06-22 23:53 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb6C.tmp.exe

2010-06-22 22:27 . 2008-04-13 23:21 101120 -c--a-w- c:\windows\system32\dllcache\bthpan.sys

2010-06-22 22:27 . 2008-04-13 23:21 101120 ----a-w- c:\windows\system32\drivers\bthpan.sys

2010-06-22 22:26 . 2008-04-13 23:16 59136 -c--a-w- c:\windows\system32\dllcache\rfcomm.sys

2010-06-22 22:26 . 2008-04-13 23:16 59136 ----a-w- c:\windows\system32\drivers\rfcomm.sys

2010-06-22 22:26 . 2008-04-14 04:42 151552 -c--a-w- c:\windows\system32\dllcache\irftp.exe

2010-06-22 22:26 . 2008-04-14 04:42 151552 ----a-w- c:\windows\system32\irftp.exe

2010-06-22 22:26 . 2008-04-14 04:42 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll

2010-06-22 22:26 . 2008-04-14 04:42 8192 ----a-w- c:\windows\system32\wshirda.dll

2010-06-22 22:26 . 2008-04-14 04:41 28160 -c--a-w- c:\windows\system32\dllcache\irmon.dll

2010-06-22 22:26 . 2008-04-14 04:41 28160 ----a-w- c:\windows\system32\irmon.dll

2010-06-22 22:26 . 2008-04-13 23:16 17024 -c--a-w- c:\windows\system32\dllcache\bthenum.sys

2010-06-22 22:26 . 2008-04-13 23:16 17024 ----a-w- c:\windows\system32\drivers\BthEnum.sys

2010-06-22 22:26 . 2008-04-13 23:16 18944 -c--a-w- c:\windows\system32\dllcache\bthusb.sys

2010-06-22 22:26 . 2008-04-13 23:16 18944 ----a-w- c:\windows\system32\drivers\BTHUSB.SYS

2010-06-22 19:24 . 2010-06-22 19:24 -------- d-----w- c:\program files\MSXML 4.0

2010-06-22 18:54 . 2002-12-31 12:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2010-06-22 03:04 . 2010-06-22 03:04 -------- d-----w- C:\pnp

2010-06-22 01:40 . 2010-06-22 01:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\WildPackets

2010-06-22 01:38 . 2009-12-16 16:34 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-06-22 01:38 . 2009-12-16 16:34 1060864 ----a-w- c:\windows\system32\mfc71.dll

2010-06-22 01:37 . 2010-06-22 01:37 -------- d-----w- c:\program files\WildPackets

2010-06-22 00:52 . 2010-06-22 00:52 1078 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{8160FD56-151C-440B-B2CD-21C3D3E97EB7}\_F0057AD7FA525342B85622.exe

2010-06-22 00:52 . 2010-06-22 00:52 -------- d-----w- c:\program files\Clarisoft

2010-06-21 21:52 . 2010-06-21 21:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\cache

2010-06-21 19:29 . 2010-06-21 19:29 -------- d-----w- c:\windows\system32\XPSViewer

2010-06-21 19:29 . 2010-06-29 09:16 -------- d-----w- c:\program files\MSBuild

2010-06-21 19:29 . 2010-06-21 19:29 -------- d-----w- c:\program files\Reference Assemblies

2010-06-21 19:28 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll

2010-06-21 19:28 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2010-06-21 19:28 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2010-06-21 19:28 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2010-06-21 19:28 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2010-06-21 19:28 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2010-06-21 19:28 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2010-06-21 19:28 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2010-06-21 19:28 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2010-06-21 19:28 . 2010-06-21 19:28 -------- d-----w- C:\94c12bb0934f9f354ff792d06b

2010-06-21 19:18 . 2010-06-21 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Deskshare

2010-06-21 19:18 . 2010-06-21 19:18 -------- d-----w- c:\windows\XSxS

2010-06-21 19:18 . 2010-06-21 19:18 -------- d-----w- c:\program files\Xenocode

2010-06-21 19:18 . 2010-06-21 19:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Xenocode

2010-06-21 19:18 . 2010-06-21 19:18 -------- d-----w- c:\program files\Common Files\Deskshare Shared

2010-06-21 19:18 . 2010-06-21 19:18 -------- d-----w- c:\program files\Deskshare

2010-06-21 09:02 . 2010-06-21 09:02 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys

2010-06-21 09:02 . 2010-06-21 09:02 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-06-21 02:20 . 2010-06-21 02:20 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-06-21 01:57 . 2010-06-21 01:57 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

2010-06-21 01:56 . 2010-06-21 01:56 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2010-06-21 01:49 . 2010-06-21 01:49 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-06-21 01:42 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-06-21 01:42 . 2010-05-06 10:41 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2010-06-21 01:42 . 2010-05-06 10:41 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-06-21 01:42 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-06-21 01:42 . 2010-05-06 10:41 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2010-06-21 01:42 . 2010-05-06 10:41 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll

2010-06-21 01:42 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-21 01:41 . 2010-06-21 01:41 -------- d-----w- c:\windows\ie8updates

2010-06-21 01:41 . 2010-04-16 11:43 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-06-21 01:40 . 2010-06-21 01:41 -------- dc-h--w- c:\windows\ie8

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-02 06:24 . 2010-06-29 23:21 112 ----a-w- c:\documents and settings\All Users\Application Data\hgTGm6Gd.dat

2010-06-29 09:32 . 2010-06-20 22:38 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-26 20:14 . 2010-06-26 20:14 -------- d--h--w- c:\program files\CanonBJ

2010-06-21 17:13 . 2010-06-20 17:02 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-06-20 23:36 . 2002-12-31 12:00 507904 ----a-w- c:\windows\system32\winlogon.exe

2010-06-20 22:38 . 2010-06-20 22:38 -------- d-----w- c:\program files\Analog Devices

2010-06-20 22:38 . 2010-06-20 22:38 -------- d-----w- c:\program files\Common Files\InstallShield

2010-06-20 17:03 . 2010-06-20 17:03 -------- d-----w- c:\program files\microsoft frontpage

2010-06-20 16:58 . 2010-06-20 16:58 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\8.2\ARM\22609\AdobeARM.exe

2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\8.2\ARM\22609\AdobeExtractFiles.dll

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\8.2\ARM\22609\ReaderUpdater.exe

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\8.2\ARM\22609\AcrobatUpdater.exe

2010-05-06 10:41 . 2002-12-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2002-12-31 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:30 . 2002-12-31 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll

.

c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Belkin\F5D7050v3\Belkinwcui .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\Microsoft Office\Office14\BCSSync .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe

------- Sigcheck -------

[-] 2010-06-20 . 679A7259741F6A09994F02CE261B5F2E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2010-04-19 09:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]

2010-02-28 01:20 561552 ----a-w- c:\progra~1\MICROS~2\Office14\URLREDIR.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [N/A]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [N/A]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Full Tilt Poker.lnk - c:\program files\Full Tilt Poker\FullTiltPoker.exe [2010-5-28 7626752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-06-21 01:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"{23FCA088-F67F-9278-AAFC-6E9F6CE0B7BA}"="c:\documents and settings\Administrator\Application Data\Xari\kohye.exe"

"CTFMON.EXE"=c:\windows\system32\ctfmon.exe

"QNB2EB90WX"=c:\docume~1\ADMINI~1\LOCALS~1\Temp\Phg.exe

"RZDVL2F27W"=c:\windows\Pziwea.exe

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"BCMSMMSG"=BCMSMMSG.exe

"BigDogPath"=c:\windows\VM_STI.EXE Philips SPC 200NC PC Camera

"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

"HotKeysCmds"=c:\windows\system32\hkcmd.exe

"IgfxTray"=c:\windows\system32\igfxtray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Torrentprivacy\\Torrent\\utorrent.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Torrentprivacy\\SSHTunel.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [21/06/2010 02:20 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [21/06/2010 02:22 242896]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [21/06/2010 02:19 916760]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [21/06/2010 02:19 308064]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/06/2010 00:47 136176]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [21/06/2010 02:21 430152]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [25/03/2010 10:25 30969208]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 21:37 4640000]

.

Contents of the 'Scheduled Tasks' folder

2010-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-20 23:47]

2010-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-20 23:47]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

DPF: {79A0299B-199F-48BA-9CBE-7E1E60860F5D} - hxxp://www.trackthisout.com/Export.CAB

DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} - file:///H:/system/IntraLaunch.CAB

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-04 23:05

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,52,de,87,bd,9a,a5,3b,4b,83,c8,02,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,52,de,87,bd,9a,a5,3b,4b,83,c8,02,\

[HKEY_USERS\S-1-5-21-2052111302-1229272821-299502267-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4d,4e,a9,d4,e6,99,4e,4f,84,3e,db,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4d,4e,a9,d4,e6,99,4e,4f,84,3e,db,\

[HKEY_USERS\S-1-5-21-2052111302-1229272821-299502267-500\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2944)

c:\windows\system32\WININET.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-07-04 23:10:11 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-04 22:10

Pre-Run: 3,205,976,064 bytes free

Post-Run: 3,165,782,016 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

g:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

multi(0)disk(0)rdisk(0)partition(5)\WINDOWS="Microsoft WinXP (on Volume 4)" /fastdetect

- - End Of File - - 56AF908D6D7CBF1794244695A61B8EFE

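Most of the triage in a log like the one above happens in the "Reg Loading Points" block: the autorun entries tell you what was set to start with Windows, and the ones worth a second look are those launched from Temp or a profile's Application Data folder, dropped straight into c:\windows, started by a bare file name, or registered under a machine-generated value name. The script below is an added example written for this page; it is not part of the thread and not ComboFix's own code. It parses that block and lists the entries a helper would check first. The `SAMPLE_LOG` is an excerpt copied from the posted log; the heuristics (which directories count as suspicious, what counts as a random-looking name) are the example's own assumptions, as is reading the trailing `-` on a key name as ComboFix's marker for entries it has moved aside.

```python
"""Triage helper for the "Reg Loading Points" block of a ComboFix log.

Added example, not ComboFix code: it reads the log text, keeps only the
values under CurrentVersion\\Run keys, and flags the entries that a
malware-removal helper would review first.
"""
import re
from dataclasses import dataclass, field

# Sample input: excerpt copied from the ComboFix log posted in the thread.
# A real run would read the whole saved log file instead.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [N/A]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [N/A]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"{23FCA088-F67F-9278-AAFC-6E9F6CE0B7BA}"="c:\documents and settings\Administrator\Application Data\Xari\kohye.exe"
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"QNB2EB90WX"=c:\docume~1\ADMINI~1\LOCALS~1\Temp\Phg.exe
"RZDVL2F27W"=c:\windows\Pziwea.exe
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BCMSMMSG"=BCMSMMSG.exe
"BigDogPath"=c:\windows\VM_STI.EXE Philips SPC 200NC PC Camera
"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"IgfxTray"=c:\windows\system32\igfxtray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"""

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# First token ending in an executable extension; any arguments after it are dropped.
EXE_RE = re.compile(r'^"?(?P<path>[^"\[]*?\.(?:exe|dll|cpl|scr|bat|cmd))', re.I)
GUID_RE = re.compile(r"^\{[0-9A-F-]{36}\}$", re.I)
# Crude heuristic (assumption): 8+ capitals/digits with at least one digit.
RANDOM_RE = re.compile(r"^(?=.*\d)[A-Z0-9]{8,}$")
# An executable sitting directly in c:\windows rather than a subdirectory.
WINDIR_ROOT_RE = re.compile(r"^c:\\windows\\[^\\]+$", re.I)


@dataclass
class Finding:
    key: str
    name: str
    path: str
    reasons: list = field(default_factory=list)


def parse_run_entries(log_text):
    """Yield (registry key, value name, executable path) for every value found
    under a CurrentVersion\\Run key (including ComboFix's 'run-' keys, assumed
    here to hold entries it moved aside)."""
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if not key or r"currentversion\run" not in key.lower():
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        e = EXE_RE.match(m.group("value"))
        if e:
            yield key, m.group("name"), e.group("path")


def assess(name, path):
    """Return the list of reasons an autorun entry deserves review (empty if none)."""
    reasons = []
    low = path.lower()
    if "\\" not in path:
        reasons.append("bare file name, resolved through the search path")
    if "\\temp\\" in low or "\\locals~1\\" in low:
        reasons.append("runs from a temporary directory")
    elif "\\application data\\" in low:
        reasons.append("runs from a user profile data directory")
    elif WINDIR_ROOT_RE.match(path):
        reasons.append("executable dropped directly into %windir%")
    if GUID_RE.match(name) or RANDOM_RE.match(name):
        reasons.append("machine-generated value name")
    return reasons


def triage(log_text):
    """Return a Finding for each run-key entry that has at least one reason."""
    findings = []
    for key, name, path in parse_run_entries(log_text):
        reasons = assess(name, path)
        if reasons:
            findings.append(Finding(key, name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name!r} -> {f.path}\n    " + "; ".join(f.reasons))
```

On the excerpt this flags the three entries that match the deletions ComboFix reports later in the thread (kohye.exe under Application Data, Phg.exe in Temp, Pziwea.exe in c:\windows) and leaves the system32 and Program Files entries alone; the bare-name hits (BCMSMMSG.exe, rundll32.exe) are legitimate-looking but are listed so the helper can confirm which copy actually runs.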

It started going crazy again, so I re-ran ComboFix. Here's the result again:

ComboFix 10-07-04.04 - Administrator 05/07/2010 17:12:43.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.510.185 [GMT 1:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator\Application Data\a2c49f25.exe

c:\windows\Pziwea.exe

c:\windows\system32\ernel32.dll

c:\windows\system32\spool\prtprocs\w32x86\AA9kUO.dll

c:\windows\system32\spool\prtprocs\w32x86\c5sK5.dll

c:\windows\system32\spool\prtprocs\w32x86\IQ317o3.dll

c:\windows\system32\spool\prtprocs\w32x86\q7wS1e.dll

c:\windows\system32\spool\prtprocs\w32x86\w1uOCE7a.dll

c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\msgsvc.dll

.

((((((((((((((((((((((((( Files Created from 2010-06-05 to 2010-07-05 )))))))))))))))))))))))))))))))

.

2010-07-05 11:39 . 2010-07-05 11:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Opera

2010-07-05 11:38 . 2010-07-05 11:38 -------- d-----w- c:\program files\Opera

2010-07-05 10:37 . 2010-07-05 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Bluetooth

2010-07-05 10:32 . 2008-04-14 04:42 53760 ----a-w- c:\windows\system32\drivers\vfwwdm32.dll

2010-07-05 10:12 . 2010-07-05 10:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Nokia

2010-07-05 10:08 . 2010-07-05 10:08 -------- d-----w- c:\program files\DIFX

2010-07-05 10:08 . 2008-08-26 09:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys

2010-07-05 10:08 . 2010-07-05 10:08 -------- d-----w- c:\program files\PC Connectivity Solution

2010-07-05 10:08 . 2010-02-26 13:32 92672 ----a-w- c:\windows\system32\nmwcdcls.dll

2010-07-05 10:06 . 2010-07-05 10:08 -------- d-----w- c:\program files\Nokia

2010-07-05 10:06 . 2010-07-05 10:06 -------- d-----w- c:\program files\Common Files\Nokia

2010-07-05 10:06 . 2010-07-05 10:03 35607992 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\NokiaSoftwareUpdaterSetup_en.exe

2010-07-05 10:05 . 2010-07-05 10:05 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\Installer\CommonCustomActions\Sleep.exe

2010-07-05 10:05 . 2010-07-05 10:05 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\Installer\CommonCustomActions\msxml6Exec.exe

2010-07-05 10:05 . 2010-07-05 10:05 3203453 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\Installer\CommonCustomActions\vcredistExec.exe

2010-07-05 10:03 . 2010-07-05 10:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations

2010-07-05 07:29 . 2009-08-06 18:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-07-05 07:29 . 2009-08-06 18:23 215920 ----a-w- c:\windows\system32\muweb.dll

2010-07-01 23:28 . 2010-07-01 23:28 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE

2010-07-01 17:12 . 2010-07-01 17:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities

2010-07-01 14:21 . 2010-07-01 14:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG9

2010-07-01 11:01 . 2010-07-01 11:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-07-01 11:00 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-01 11:00 . 2010-07-01 11:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-01 11:00 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-01 11:00 . 2010-07-01 11:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-30 17:32 . 2010-07-02 03:30 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-06-30 17:32 . 2010-06-30 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-30 01:26 . 2010-06-30 01:26 -------- d-----w- c:\windows\Sun

2010-06-30 00:00 . 2010-06-30 00:00 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2010-06-29 09:49 . 2010-06-29 09:49 -------- d-----w- c:\program files\MSECache

2010-06-29 09:14 . 2010-06-29 09:14 -------- d-----w- c:\program files\Microsoft Synchronization Services

2010-06-29 09:12 . 2010-06-29 09:12 -------- d-----w- c:\documents and settings\All Users\Microsoft

2010-06-29 09:12 . 2010-06-29 09:12 -------- d-----w- c:\program files\Microsoft Sync Framework

2010-06-29 09:12 . 2010-06-29 09:12 -------- d-----w- c:\program files\Microsoft.NET

2010-06-29 09:12 . 2010-06-29 09:12 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

2010-06-29 09:07 . 2010-06-29 09:07 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2010-06-29 09:01 . 2010-06-29 09:01 -------- d-----w- c:\program files\Microsoft Analysis Services

2010-06-29 09:00 . 2010-06-29 09:17 -------- d-----w- c:\windows\SHELLNEW

2010-06-29 08:57 . 2010-06-29 08:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft Help

2010-06-29 08:56 . 2010-06-29 10:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-06-29 08:55 . 2010-06-29 08:55 -------- d-----r- C:\MSOCache

2010-06-29 08:52 . 2010-06-29 09:00 -------- d-----w- c:\windows\system32\NtmsData

2010-06-29 07:26 . 2010-06-29 07:26 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-06-29 05:09 . 2010-07-02 04:30 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-29 03:58 . 2010-06-29 04:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue

2010-06-29 03:58 . 2010-06-29 09:27 -------- d-----w- c:\program files\Uniblue

2010-06-28 20:08 . 2008-04-13 23:16 37888 -c--a-w- c:\windows\system32\dllcache\bthmodem.sys

2010-06-28 20:08 . 2008-04-13 23:16 37888 ----a-w- c:\windows\system32\drivers\bthmodem.sys

2010-06-26 20:27 . 2008-04-13 23:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2010-06-26 20:27 . 2008-04-13 23:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2010-06-26 20:16 . 2010-06-26 20:16 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ

2010-06-26 20:15 . 2007-04-16 04:00 69632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPP8Z.DLL

2010-06-26 20:15 . 2007-04-16 04:00 27136 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPD8Z.DLL

2010-06-26 20:15 . 2007-04-16 04:00 215040 ----a-w- c:\windows\system32\CNMLM8Z.DLL

2010-06-26 20:15 . 2010-06-26 20:15 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information

2010-06-26 20:15 . 2007-03-15 13:12 188416 ----a-w- c:\windows\system32\CNC310O.DLL

2010-06-26 20:15 . 2007-03-23 15:30 1400832 ----a-w- c:\windows\system32\CNC310C.DLL

2010-06-26 20:15 . 2007-03-23 15:29 98304 ----a-w- c:\windows\system32\CNC310I.DLL

2010-06-26 20:15 . 2007-03-19 09:39 200704 ----a-w- c:\windows\system32\CNC310L.DLL

2010-06-26 19:48 . 2008-04-13 23:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys

2010-06-26 19:48 . 2008-04-13 23:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

2010-06-25 17:04 . 2010-06-25 17:04 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4babafb7-n\msvcp71.dll

2010-06-25 17:04 . 2010-06-25 17:04 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4babafb7-n\jmc.dll

2010-06-25 17:04 . 2010-06-25 17:04 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5b4d23f2-n\decora-d3d.dll

2010-06-25 17:04 . 2010-06-25 17:04 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5b4d23f2-n\decora-sse.dll

2010-06-25 17:04 . 2010-06-25 17:04 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4babafb7-n\msvcr71.dll

2010-06-25 17:02 . 2010-06-25 17:00 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-25 00:04 . 2010-06-30 17:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lyaqy

2010-06-23 22:46 . 2010-06-25 16:59 -------- d-----w- c:\program files\Java

2010-06-23 22:45 . 2010-06-25 21:36 -------- d-----w- c:\program files\Common Files\Java

2010-06-23 21:58 . 2010-06-23 21:59 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2010-06-23 21:56 . 2010-06-23 21:57 -------- d-----w- c:\program files\Common Files\Adobe

2010-06-23 21:29 . 2010-06-23 21:29 -------- d-----w- c:\windows\system32\wbem\Repository

2010-06-23 14:31 . 2010-06-23 14:31 -------- d-----w- C:\$AVG

2010-06-23 14:28 . 2010-06-23 21:28 -------- d-----w- C:\Inetpub

2010-06-23 14:28 . 2010-06-23 14:28 -------- d-----w- c:\windows\system32\Logfiles

2010-06-23 04:08 . 2010-06-23 04:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss

2010-06-23 04:07 . 2010-07-01 14:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc

2010-06-23 04:04 . 2010-06-23 04:04 -------- d-----w- c:\program files\VideoLAN

2010-06-23 00:53 . 2010-07-05 10:55 -------- d-----w- C:\Torrentprivacy

2010-06-22 23:59 . 2010-06-29 03:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\BitTorrent

2010-06-22 23:59 . 2010-06-23 05:19 -------- d-----w- c:\program files\BitTorrent

2010-06-22 23:53 . 2010-06-22 23:53 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb6C.tmp.exe

2010-06-22 22:27 . 2008-04-13 23:21 101120 -c--a-w- c:\windows\system32\dllcache\bthpan.sys

2010-06-22 22:27 . 2008-04-13 23:21 101120 ----a-w- c:\windows\system32\drivers\bthpan.sys

2010-06-22 22:26 . 2008-04-13 23:16 59136 -c--a-w- c:\windows\system32\dllcache\rfcomm.sys

2010-06-22 22:26 . 2008-04-13 23:16 59136 ----a-w- c:\windows\system32\drivers\rfcomm.sys

2010-06-22 22:26 . 2008-04-14 04:42 151552 -c--a-w- c:\windows\system32\dllcache\irftp.exe

2010-06-22 22:26 . 2008-04-14 04:42 151552 ----a-w- c:\windows\system32\irftp.exe

2010-06-22 22:26 . 2008-04-14 04:42 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll

2010-06-22 22:26 . 2008-04-14 04:42 8192 ----a-w- c:\windows\system32\wshirda.dll

2010-06-22 22:26 . 2008-04-14 04:41 28160 -c--a-w- c:\windows\system32\dllcache\irmon.dll

2010-06-22 22:26 . 2008-04-14 04:41 28160 ----a-w- c:\windows\system32\irmon.dll

2010-06-22 22:26 . 2008-04-13 23:16 17024 -c--a-w- c:\windows\system32\dllcache\bthenum.sys

2010-06-22 22:26 . 2008-04-13 23:16 17024 ----a-w- c:\windows\system32\drivers\BthEnum.sys

2010-06-22 22:26 . 2008-04-13 23:16 18944 -c--a-w- c:\windows\system32\dllcache\bthusb.sys

2010-06-22 22:26 . 2008-04-13 23:16 18944 ----a-w- c:\windows\system32\drivers\BTHUSB.SYS

2010-06-22 19:24 . 2010-06-22 19:24 -------- d-----w- c:\program files\MSXML 4.0

2010-06-22 18:54 . 2002-12-31 12:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2010-06-22 03:04 . 2010-06-22 03:04 -------- d-----w- C:\pnp

2010-06-22 01:40 . 2010-06-22 01:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\WildPackets

2010-06-22 01:38 . 2009-12-16 16:34 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-06-22 01:38 . 2009-12-16 16:34 1060864 ----a-w- c:\windows\system32\mfc71.dll

2010-06-22 01:37 . 2010-06-22 01:37 -------- d-----w- c:\program files\WildPackets

2010-06-21 21:52 . 2010-06-21 21:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\cache

2010-06-21 19:29 . 2010-06-21 19:29 -------- d-----w- c:\windows\system32\XPSViewer

2010-06-21 19:29 . 2010-06-29 09:16 -------- d-----w- c:\program files\MSBuild

2010-06-21 19:29 . 2010-06-21 19:29 -------- d-----w- c:\program files\Reference Assemblies

2010-06-21 19:28 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll

2010-06-21 19:28 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2010-06-21 19:28 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2010-06-21 19:28 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2010-06-21 19:28 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2010-06-21 19:28 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2010-06-21 19:28 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2010-06-21 19:28 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2010-06-21 19:28 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2010-06-21 19:28 . 2010-06-21 19:28 -------- d-----w- C:\94c12bb0934f9f354ff792d06b

2010-06-21 19:18 . 2010-06-21 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Deskshare

2010-06-21 19:18 . 2010-06-21 19:18 -------- d-----w- c:\windows\XSxS

2010-06-21 19:18 . 2010-06-21 19:18 -------- d-----w- c:\program files\Xenocode

2010-06-21 19:18 . 2010-06-21 19:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Xenocode

2010-06-21 19:18 . 2010-06-21 19:18 -------- d-----w- c:\program files\Common Files\Deskshare Shared

2010-06-21 19:18 . 2010-06-21 19:18 -------- d-----w- c:\program files\Deskshare

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-02 06:24 . 2010-06-29 23:21 112 ----a-w- c:\documents and settings\All Users\Application Data\hgTGm6Gd.dat

2010-06-29 09:32 . 2010-06-20 22:38 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-26 20:14 . 2010-06-26 20:14 -------- d--h--w- c:\program files\CanonBJ

2010-06-21 17:13 . 2010-06-20 17:02 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-06-20 23:36 . 2002-12-31 12:00 507904 ----a-w- c:\windows\system32\winlogon.exe

2010-06-20 22:38 . 2010-06-20 22:38 -------- d-----w- c:\program files\Analog Devices

2010-06-20 22:38 . 2010-06-20 22:38 -------- d-----w- c:\program files\Common Files\InstallShield

2010-06-20 17:03 . 2010-06-20 17:03 -------- d-----w- c:\program files\microsoft frontpage

2010-06-20 16:58 . 2010-06-20 16:58 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\8.2\ARM\22609\AdobeARM.exe

2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\8.2\ARM\22609\AdobeExtractFiles.dll

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\8.2\ARM\22609\ReaderUpdater.exe

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\8.2\ARM\22609\AcrobatUpdater.exe

2010-05-06 10:41 . 2002-12-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2002-12-31 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:30 . 2002-12-31 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll

.

<pre>
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Belkin\F5D7050v3\Belkinwcui .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\Microsoft Office\Office14\BCSSync .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
</pre>

------- Sigcheck -------

[-] 2010-06-20 . 679A7259741F6A09994F02CE261B5F2E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

.

((((((((((((((((((((((((((((( SnapShot@2010-07-04_22.05.35 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-07-05 16:21 . 2010-07-05 16:21 16384 c:\windows\Temp\Perflib_Perfdata_664.dat

+ 2002-12-31 12:00 . 2010-07-05 10:59 82018 c:\windows\system32\perfc009.dat

+ 2010-07-05 10:08 . 2008-08-26 09:26 18816 c:\windows\system32\DRVSTORE\pccsmcfd_A3B3916E5D8138F59EE218321B27B044D3B18294\pccsmcfd.sys

+ 2010-07-05 10:08 . 2010-02-26 13:32 22528 c:\windows\system32\DRVSTORE\ccdcmbo_86369E3C3E199189C5EAD7421471A08D93A69835\ccdcmbo.sys

+ 2010-07-05 10:08 . 2010-02-26 13:32 92672 c:\windows\system32\DRVSTORE\ccdcmb_86369E3C3E199189C5EAD7421471A08D93A69835\nmwcdcls.dll

+ 2010-07-05 10:08 . 2010-02-26 13:32 18176 c:\windows\system32\DRVSTORE\ccdcmb_86369E3C3E199189C5EAD7421471A08D93A69835\ccdcmb.sys

+ 2002-07-15 14:58 . 2002-07-15 14:58 50176 c:\windows\system32\CSH.DLL

+ 2005-09-12 11:00 . 2005-09-12 11:00 53248 c:\windows\system32\btfunc.dll

+ 2010-07-05 10:08 . 2010-07-05 10:08 10134 c:\windows\Installer\{DCD22647-6D31-479D-8F97-16D0AA934D9E}\ARPPRODUCTICON.exe

+ 2010-07-05 10:07 . 2010-07-05 10:07 10134 c:\windows\Installer\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\ARPPRODUCTICON.exe

+ 2010-07-05 10:08 . 2010-02-26 13:21 8320 c:\windows\system32\DRVSTORE\nmwcdnsuc_86369E3C3E199189C5EAD7421471A08D93A69835\nmwcdnsuc.sys

+ 2010-07-05 10:08 . 2010-02-26 13:32 8192 c:\windows\system32\DRVSTORE\ccdcmbm_86369E3C3E199189C5EAD7421471A08D93A69835\usbser_lowerflt.sys

+ 2010-07-05 10:08 . 2010-02-26 13:32 8192 c:\windows\system32\DRVSTORE\ccdcmbcj_86369E3C3E199189C5EAD7421471A08D93A69835\usbser_lowerfltj.sys

+ 2010-07-05 10:08 . 2010-07-05 10:08 3262 c:\windows\Installer\{1B9B5B3B-28E7-4E59-A80D-D670AA984514}\ARPPRODUCTICON.exe

+ 2010-07-05 10:07 . 2010-07-05 10:07 8854 c:\windows\Installer\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\Uninstall_QA_OTI_H_FE5D756F71E147C4972AD6775344B40B.exe

+ 2010-07-05 10:07 . 2010-07-05 10:07 8854 c:\windows\Installer\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\NewShortcut3_F30B5B541F7D4207BF3032ED8CAF6640.exe

+ 2010-07-05 10:07 . 2010-07-05 10:07 8854 c:\windows\Installer\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\NewShortcut2_1C7B7089989A424FB39D41A32581C775.exe

+ 2002-12-31 12:00 . 2010-07-05 10:59 468426 c:\windows\system32\perfh009.dat

+ 2003-03-18 19:14 . 2003-03-18 19:14 499712 c:\windows\system32\msvcp71.dll

+ 2010-07-05 11:56 . 2010-07-05 11:56 231888 c:\windows\system32\Macromed\Flash\FlashUtil10h_Plugin.exe

+ 2010-07-05 10:08 . 2009-11-23 14:24 571904 c:\windows\system32\DRVSTORE\pccswpddri_8B8EF7097B22C16956A8E8244CC211ADD3463614\PCCSWpdDriver.dll

+ 2010-07-05 10:08 . 2010-02-26 13:21 137344 c:\windows\system32\DRVSTORE\nmwcdnsu_86369E3C3E199189C5EAD7421471A08D93A69835\nmwcdnsu.sys

+ 2010-07-05 10:08 . 2010-02-26 13:32 662016 c:\windows\system32\DRVSTORE\ccdcmb_86369E3C3E199189C5EAD7421471A08D93A69835\nmwcdcocls.dll

+ 2010-07-05 10:08 . 2010-07-05 10:08 495616 c:\windows\Installer\13c457.msi

+ 2010-07-05 10:08 . 2010-07-05 10:08 331776 c:\windows\Installer\13c44e.msi

+ 2010-07-05 10:07 . 2010-07-05 10:07 458752 c:\windows\Installer\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\NewShortcut20_F7578A24A4B240E4BA057EF931EB25B5.exe

+ 2010-07-05 10:07 . 2010-07-05 10:07 458752 c:\windows\Installer\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\NewShortcut16_F7578A24A4B240E4BA057EF931EB25B5.exe

+ 2010-07-05 10:06 . 2010-07-05 10:06 1233920 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll

+ 2010-07-05 11:56 . 2010-07-05 11:56 5612496 c:\windows\system32\Macromed\Flash\NPSWF32.dll

+ 2010-07-05 10:08 . 2009-11-23 13:50 1302600 c:\windows\system32\DRVSTORE\pccswpddri_8B8EF7097B22C16956A8E8244CC211ADD3463614\WUDFUpdate_01007.dll

+ 2010-07-05 10:08 . 2010-02-26 13:19 1461992 c:\windows\system32\DRVSTORE\ccdcmb_86369E3C3E199189C5EAD7421471A08D93A69835\wdfcoinstaller01009.dll

+ 2010-07-05 11:38 . 2010-07-05 11:38 2648576 c:\windows\Installer\22fdd7.msi

+ 2010-07-05 10:07 . 2010-07-05 10:07 1589248 c:\windows\Installer\13c445.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2010-04-19 09:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]

2010-02-28 01:20 561552 ----a-w- c:\progra~1\MICROS~2\Office14\URLREDIR.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [N/A]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [N/A]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2002-12-31 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Full Tilt Poker.lnk - c:\program files\Full Tilt Poker\FullTiltPoker.exe [2010-5-28 7626752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-06-21 01:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"{23FCA088-F67F-9278-AAFC-6E9F6CE0B7BA}"="c:\documents and settings\Administrator\Application Data\Xari\kohye.exe"

"CTFMON.EXE"=c:\windows\system32\ctfmon.exe

"QNB2EB90WX"=c:\docume~1\ADMINI~1\LOCALS~1\Temp\Phg.exe

"RZDVL2F27W"=c:\windows\Pziwea.exe

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"BCMSMMSG"=BCMSMMSG.exe

"BigDogPath"=c:\windows\VM_STI.EXE Philips SPC 200NC PC Camera

"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

"HotKeysCmds"=c:\windows\system32\hkcmd.exe

"IgfxTray"=c:\windows\system32\igfxtray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Torrentprivacy\\SSHTunel.exe"=

"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=

"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [21/06/2010 02:20 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [21/06/2010 02:22 242896]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [21/06/2010 02:19 916760]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [21/06/2010 02:19 308064]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/06/2010 00:47 136176]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [21/06/2010 02:21 430152]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [25/03/2010 10:25 30969208]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 21:37 4640000]

.

Contents of the 'Scheduled Tasks' folder

2010-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-20 23:47]

2010-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-20 23:47]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

DPF: {79A0299B-199F-48BA-9CBE-7E1E60860F5D} - hxxp://www.trackthisout.com/Export.CAB

DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} - file:///H:/system/IntraLaunch.CAB

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-05 17:21

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,52,de,87,bd,9a,a5,3b,4b,83,c8,02,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,52,de,87,bd,9a,a5,3b,4b,83,c8,02,\

[HKEY_USERS\S-1-5-21-2052111302-1229272821-299502267-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4d,4e,a9,d4,e6,99,4e,4f,84,3e,db,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4d,4e,a9,d4,e6,99,4e,4f,84,3e,db,\

[HKEY_USERS\S-1-5-21-2052111302-1229272821-299502267-500\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2892)

c:\windows\system32\WININET.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\rundll32.exe

.

**************************************************************************

.

Completion time: 2010-07-05 17:27:14 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-05 16:27

ComboFix2.txt 2010-07-04 22:10

Pre-Run: 2,698,551,296 bytes free

Post-Run: 2,689,040,384 bytes free

- - End Of File - - A2C719331A715A1B48C694EEE368806E


Before I go into the fix I made for you, I need to mention that the ComboFix log shows that your copy of winlogon.exe is failing sigcheck (which means it may have been modified and/or infected). This will most likely need to be restored from a Windows disk (although sometimes there are alternate methods of restoring such a file).

And now on to the fix: I have written a script that will tell ComboFix how to delete some things that I saw in the log. Here are instructions on what to do with the script.

  1. Turn off your Anti-Virus software.
  2. Click your Start button, go to All Programs (or just Programs on Vista), go to Accessories, and then open Notepad.
  3. Please copy and paste the contents of the CODE box below into Notepad (here is a link to instructions if you do not know how to copy and paste):
    http://forums.malwarebytes.org/index.php?showtopic=56256

    KillAll::

    FileLook::
    c:\program files\AVG\AVG9\avgtray .exe
    c:\program files\Belkin\F5D7050v3\Belkinwcui .exe
    c:\program files\Common Files\Java\Java Update\jusched .exe
    c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    c:\program files\Microsoft Office\Office14\BCSSync .exe
    c:\program files\Spybot - Search & Destroy\TeaTimer .exe

    Collect::[8]
    c:\docume~1\ADMINI~1\LOCALS~1\Temp\Phg.exe
    c:\windows\Pziwea.exe

    Suspicious::[8]
    c:\documents and settings\Administrator\Application Data\Xari\kohye.exe
    c:\documents and settings\All Users\Application Data\hgTGm6Gd.dat
    c:\windows\system32\emptyregdb.dat

    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyOverride"=-
    "ProxyServer"=-
    "ProxyEnable"=0

    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    [HKEY_USERS\S-1-5-21-2052111302-1229272821-299502267-500\Software\Microsoft\Internet Explorer\User Preferences]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

    RegNull::
    [HKEY_USERS\S-1-5-21-2052111302-1229272821-299502267-500\Software\Microsoft\SystemCertificates\AddressBook*]


  4. Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).
  5. Close Notepad and verify that the CFScript file is saved on your desktop.
  6. Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then holding the mouse button down drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon:
    CFScriptB-4.gif

When finished, it will display a new log in Notepad. Please either copy and paste the contents of that log into a reply, or save the log on your desktop and attach it to a reply.

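The reply above reads the ComboFix log by eye: a `[-]` Sigcheck line means the file failed the signature/hash check, Run-key values pointing into a Temp directory are collected, and the file names with a space before `.exe` are sent to FileLook. The following Python is an added example (not code from this thread, from the helper, or from ComboFix) that turns those three readings into parsing rules and runs them over lines excerpted from the log posted above. The regular expressions for the line formats, the rule names `sigcheck-failed`, `exe-in-temp` and `space-before-ext`, and the decision to treat any Sigcheck status other than `[-]` as "not flagged" are my assumptions from the log as posted, not ComboFix's documented format.

```python
"""Triage of ComboFix-style log lines (added example, not part of the original thread).

Rules implemented (assumed from the log as posted, not ComboFix's documented format):
  * a Sigcheck line whose status is "[-]"  -> the file failed the signature/hash check,
  * a Run-key value whose target lives in a Temp directory,
  * a file name with a space before its extension ("TeaTimer .exe").
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# "<created> . <modified> <size or -------- for directories> <attrs> <path>"
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# "[-] <date> . <md5> . <size> . . [<version>] . . <path>"; only "-" is treated as a failure
SIGCHECK_LINE = re.compile(
    r"^\[(?P<status>[^\]])\] (?P<date>\d{4}-\d{2}-\d{2}) \. (?P<md5>[0-9A-Fa-f]{32})"
    r" \. (?P<size>\d+) \. \. \[(?P<version>[^\]]*)\] \. \. (?P<path>.+)$"
)
REG_KEY = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")               # [HKEY_...\Run]
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')  # "Name"=value
TEMP_DIR = re.compile(r"\\temp\\")
SPACE_BEFORE_EXT = re.compile(r" \.(exe|dll|sys)$")


@dataclass
class Finding:
    kind: str    # sigcheck-failed | exe-in-temp | space-before-ext (assumed labels)
    path: str
    detail: str


def extract_path(value: str) -> str:
    """Return the executable path from a REGEDIT4 value, dropping ComboFix's
    trailing "[date size]" annotation; the value may be quoted or bare."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return re.sub(r"\s+\[.*\]$", "", value)


def check_path(path: str, detail: str, findings: List[Finding]) -> None:
    """Apply the two path-based rules to one file path."""
    low = path.lower()
    if TEMP_DIR.search(low) and low.endswith((".exe", ".dll", ".sys")):
        findings.append(Finding("exe-in-temp", path, detail))
    if SPACE_BEFORE_EXT.search(low):
        findings.append(Finding("space-before-ext", path, detail))


def triage(lines: List[str]) -> List[Finding]:
    """Walk the log once, remembering the current registry key so that values
    can be attributed to a Run key; findings come back in log order."""
    findings: List[Finding] = []
    current_key: Optional[str] = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = SIGCHECK_LINE.match(line)
        if m:
            if m["status"] == "-":
                findings.append(Finding("sigcheck-failed", m["path"],
                                        f"md5={m['md5']} version={m['version']}"))
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m["key"]
            continue
        m = REG_VALUE.match(line)
        if m:
            if current_key and "\\run" in current_key.lower():
                check_path(extract_path(m["value"]),
                           f"autorun value {m['name']} under {current_key}", findings)
            continue
        m = FILE_LINE.match(line)
        if m:
            check_path(m["path"], f"created {m['created']}", findings)
            continue
        if line.lower().startswith("c:\\"):   # bare path, e.g. the <pre> file-name listing
            check_path(line, "listed file name", findings)
    return findings


# Constructed sample: lines excerpted from the ComboFix log posted above.
SAMPLE_LOG = r"""
------- Sigcheck -------
[-] 2010-06-20 . 679A7259741F6A09994F02CE261B5F2E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"QNB2EB90WX"=c:\docume~1\ADMINI~1\LOCALS~1\Temp\Phg.exe
2010-07-01 11:00 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
"""


def triage_sample() -> List[Finding]:
    """Run the rules over the excerpt; expected: winlogon.exe, TeaTimer .exe, Phg.exe."""
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.kind:17} {f.path}  ({f.detail})")
```

The rules are deliberately narrow: a legitimate updater in the Run key (the Adobe ARM line) and a properly signed driver (mbam.sys) pass through unflagged, while the three items the helper acted on are the three findings. A Sigcheck failure is reported with the MD5 and version from the log so it can be compared against a known-good copy before the file is replaced.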

done!

ComboFix 10-07-05.02 - Administrator 06/07/2010 8:47.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.510.331 [GMT 1:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\cfscript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\msgsvc.dll

.

((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))

.

2010-07-05 11:39 . 2010-07-05 11:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Opera

2010-07-05 11:38 . 2010-07-05 11:38 -------- d-----w- c:\program files\Opera

2010-07-05 10:37 . 2010-07-05 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Bluetooth

2010-07-05 10:32 . 2008-04-14 04:42 53760 ----a-w- c:\windows\system32\drivers\vfwwdm32.dll

2010-07-05 10:12 . 2010-07-05 10:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Nokia

2010-07-05 10:08 . 2010-07-05 10:08 -------- d-----w- c:\program files\DIFX

2010-07-05 10:08 . 2008-08-26 09:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys

2010-07-05 10:08 . 2010-07-05 10:08 -------- d-----w- c:\program files\PC Connectivity Solution

2010-07-05 10:08 . 2010-02-26 13:32 92672 ----a-w- c:\windows\system32\nmwcdcls.dll

2010-07-05 10:06 . 2010-07-05 10:08 -------- d-----w- c:\program files\Nokia

2010-07-05 10:06 . 2010-07-05 10:06 -------- d-----w- c:\program files\Common Files\Nokia

2010-07-05 10:06 . 2010-07-05 10:03 35607992 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\NokiaSoftwareUpdaterSetup_en.exe

2010-07-05 10:05 . 2010-07-05 10:05 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\Installer\CommonCustomActions\Sleep.exe

2010-07-05 10:05 . 2010-07-05 10:05 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\Installer\CommonCustomActions\msxml6Exec.exe

2010-07-05 10:05 . 2010-07-05 10:05 3203453 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\Installer\CommonCustomActions\vcredistExec.exe

2010-07-05 10:03 . 2010-07-05 10:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations

2010-07-05 07:29 . 2009-08-06 18:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-07-05 07:29 . 2009-08-06 18:23 215920 ----a-w- c:\windows\system32\muweb.dll

2010-07-01 23:28 . 2010-07-01 23:28 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE

2010-07-01 17:12 . 2010-07-01 17:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities

2010-07-01 14:21 . 2010-07-01 14:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG9

2010-07-01 11:01 . 2010-07-01 11:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-07-01 11:00 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-01 11:00 . 2010-07-01 11:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-01 11:00 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-01 11:00 . 2010-07-01 11:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-30 17:32 . 2010-07-02 03:30 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-06-30 17:32 . 2010-06-30 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-30 01:26 . 2010-06-30 01:26 -------- d-----w- c:\windows\Sun

2010-06-30 00:00 . 2010-06-30 00:00 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2010-06-29 09:49 . 2010-06-29 09:49 -------- d-----w- c:\program files\MSECache

2010-06-29 09:14 . 2010-06-29 09:14 -------- d-----w- c:\program files\Microsoft Synchronization Services

2010-06-29 09:12 . 2010-06-29 09:12 -------- d-----w- c:\documents and settings\All Users\Microsoft

2010-06-29 09:12 . 2010-06-29 09:12 -------- d-----w- c:\program files\Microsoft Sync Framework

2010-06-29 09:12 . 2010-06-29 09:12 -------- d-----w- c:\program files\Microsoft.NET

2010-06-29 09:12 . 2010-06-29 09:12 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

2010-06-29 09:07 . 2010-06-29 09:07 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2010-06-29 09:01 . 2010-06-29 09:01 -------- d-----w- c:\program files\Microsoft Analysis Services

2010-06-29 09:00 . 2010-06-29 09:17 -------- d-----w- c:\windows\SHELLNEW

2010-06-29 08:57 . 2010-06-29 08:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft Help

2010-06-29 08:56 . 2010-06-29 10:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-06-29 08:55 . 2010-06-29 08:55 -------- d-----r- C:\MSOCache

2010-06-29 08:52 . 2010-06-29 09:00 -------- d-----w- c:\windows\system32\NtmsData

2010-06-29 07:26 . 2010-06-29 07:26 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-06-29 05:09 . 2010-07-02 04:30 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-29 03:58 . 2010-06-29 04:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue

2010-06-29 03:58 . 2010-06-29 09:27 -------- d-----w- c:\program files\Uniblue

2010-06-28 20:08 . 2008-04-13 23:16 37888 -c--a-w- c:\windows\system32\dllcache\bthmodem.sys

2010-06-28 20:08 . 2008-04-13 23:16 37888 ----a-w- c:\windows\system32\drivers\bthmodem.sys

2010-06-26 20:27 . 2008-04-13 23:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2010-06-26 20:27 . 2008-04-13 23:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2010-06-26 20:16 . 2010-06-26 20:16 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ

2010-06-26 20:15 . 2007-04-16 04:00 69632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPP8Z.DLL

2010-06-26 20:15 . 2007-04-16 04:00 27136 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPD8Z.DLL

2010-06-26 20:15 . 2007-04-16 04:00 215040 ----a-w- c:\windows\system32\CNMLM8Z.DLL

2010-06-26 20:15 . 2010-06-26 20:15 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information

2010-06-26 20:15 . 2007-03-15 13:12 188416 ----a-w- c:\windows\system32\CNC310O.DLL

2010-06-26 20:15 . 2007-03-23 15:30 1400832 ----a-w- c:\windows\system32\CNC310C.DLL

2010-06-26 20:15 . 2007-03-23 15:29 98304 ----a-w- c:\windows\system32\CNC310I.DLL

2010-06-26 20:15 . 2007-03-19 09:39 200704 ----a-w- c:\windows\system32\CNC310L.DLL

2010-06-26 19:48 . 2008-04-13 23:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys

2010-06-26 19:48 . 2008-04-13 23:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

2010-06-25 17:04 . 2010-06-25 17:04 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4babafb7-n\msvcp71.dll

2010-06-25 17:04 . 2010-06-25 17:04 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4babafb7-n\jmc.dll

2010-06-25 17:04 . 2010-06-25 17:04 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5b4d23f2-n\decora-d3d.dll

2010-06-25 17:04 . 2010-06-25 17:04 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5b4d23f2-n\decora-sse.dll

2010-06-25 17:04 . 2010-06-25 17:04 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4babafb7-n\msvcr71.dll

2010-06-25 17:02 . 2010-06-25 17:00 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-25 00:04 . 2010-06-30 17:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lyaqy

2010-06-23 22:46 . 2010-06-25 16:59 -------- d-----w- c:\program files\Java

2010-06-23 22:45 . 2010-06-25 21:36 -------- d-----w- c:\program files\Common Files\Java

2010-06-23 21:58 . 2010-06-23 21:59 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2010-06-23 21:56 . 2010-06-23 21:57 -------- d-----w- c:\program files\Common Files\Adobe

2010-06-23 21:29 . 2010-06-23 21:29 -------- d-----w- c:\windows\system32\wbem\Repository

2010-06-23 14:31 . 2010-06-23 14:31 -------- d-----w- C:\$AVG

2010-06-23 14:28 . 2010-06-23 21:28 -------- d-----w- C:\Inetpub

2010-06-23 14:28 . 2010-06-23 14:28 -------- d-----w- c:\windows\system32\Logfiles

2010-06-23 04:08 . 2010-06-23 04:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss

2010-06-23 04:07 . 2010-07-01 14:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc

2010-06-23 04:04 . 2010-06-23 04:04 -------- d-----w- c:\program files\VideoLAN

2010-06-23 00:53 . 2010-07-05 10:55 -------- d-----w- C:\Torrentprivacy

2010-06-22 23:59 . 2010-06-29 03:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\BitTorrent

2010-06-22 23:59 . 2010-06-23 05:19 -------- d-----w- c:\program files\BitTorrent

2010-06-22 23:53 . 2010-06-22 23:53 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb6C.tmp.exe

2010-06-22 22:27 . 2008-04-13 23:21 101120 -c--a-w- c:\windows\system32\dllcache\bthpan.sys

2010-06-22 22:27 . 2008-04-13 23:21 101120 ----a-w- c:\windows\system32\drivers\bthpan.sys

2010-06-22 22:26 . 2008-04-13 23:16 59136 -c--a-w- c:\windows\system32\dllcache\rfcomm.sys

2010-06-22 22:26 . 2008-04-13 23:16 59136 ----a-w- c:\windows\system32\drivers\rfcomm.sys

2010-06-22 22:26 . 2008-04-14 04:42 151552 -c--a-w- c:\windows\system32\dllcache\irftp.exe

2010-06-22 22:26 . 2008-04-14 04:42 151552 ----a-w- c:\windows\system32\irftp.exe

2010-06-22 22:26 . 2008-04-14 04:42 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll

2010-06-22 22:26 . 2008-04-14 04:42 8192 ----a-w- c:\windows\system32\wshirda.dll

2010-06-22 22:26 . 2008-04-14 04:41 28160 -c--a-w- c:\windows\system32\dllcache\irmon.dll

2010-06-22 22:26 . 2008-04-14 04:41 28160 ----a-w- c:\windows\system32\irmon.dll

2010-06-22 22:26 . 2008-04-13 23:16 17024 -c--a-w- c:\windows\system32\dllcache\bthenum.sys

2010-06-22 22:26 . 2008-04-13 23:16 17024 ----a-w- c:\windows\system32\drivers\BthEnum.sys

2010-06-22 22:26 . 2008-04-13 23:16 18944 -c--a-w- c:\windows\system32\dllcache\bthusb.sys

2010-06-22 22:26 . 2008-04-13 23:16 18944 ----a-w- c:\windows\system32\drivers\BTHUSB.SYS

2010-06-22 19:24 . 2010-06-22 19:24 -------- d-----w- c:\program files\MSXML 4.0

2010-06-22 18:54 . 2002-12-31 12:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2010-06-22 03:04 . 2010-06-22 03:04 -------- d-----w- C:\pnp

2010-06-22 01:40 . 2010-06-22 01:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\WildPackets

2010-06-22 01:38 . 2009-12-16 16:34 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-06-22 01:38 . 2009-12-16 16:34 1060864 ----a-w- c:\windows\system32\mfc71.dll

2010-06-22 01:37 . 2010-06-22 01:37 -------- d-----w- c:\program files\WildPackets

2010-06-21 21:52 . 2010-06-21 21:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\cache

2010-06-21 19:29 . 2010-06-21 19:29 -------- d-----w- c:\windows\system32\XPSViewer

2010-06-21 19:29 . 2010-06-29 09:16 -------- d-----w- c:\program files\MSBuild

2010-06-21 19:29 . 2010-06-21 19:29 -------- d-----w- c:\program files\Reference Assemblies

2010-06-21 19:28 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll

2010-06-21 19:28 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2010-06-21 19:28 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2010-06-21 19:28 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2010-06-21 19:28 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2010-06-21 19:28 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2010-06-21 19:28 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2010-06-21 19:28 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2010-06-21 19:28 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2010-06-21 19:28 . 2010-06-21 19:28 -------- d-----w- C:\94c12bb0934f9f354ff792d06b

2010-06-21 19:18 . 2010-06-21 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Deskshare

2010-06-21 19:18 . 2010-06-21 19:18 -------- d-----w- c:\windows\XSxS

2010-06-21 19:18 . 2010-06-21 19:18 -------- d-----w- c:\program files\Xenocode

2010-06-21 19:18 . 2010-06-21 19:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Xenocode

2010-06-21 19:18 . 2010-06-21 19:18 -------- d-----w- c:\program files\Common Files\Deskshare Shared

2010-06-21 19:18 . 2010-06-21 19:18 -------- d-----w- c:\program files\Deskshare

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-02 06:24 . 2010-06-29 23:21 112 ----a-w- c:\documents and settings\All Users\Application Data\hgTGm6Gd.dat

2010-06-29 09:32 . 2010-06-20 22:38 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-26 20:14 . 2010-06-26 20:14 -------- d--h--w- c:\program files\CanonBJ

2010-06-21 17:13 . 2010-06-20 17:02 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-06-20 23:36 . 2002-12-31 12:00 507904 ----a-w- c:\windows\system32\winlogon.exe

2010-06-20 22:38 . 2010-06-20 22:38 -------- d-----w- c:\program files\Analog Devices

2010-06-20 22:38 . 2010-06-20 22:38 -------- d-----w- c:\program files\Common Files\InstallShield

2010-06-20 17:03 . 2010-06-20 17:03 -------- d-----w- c:\program files\microsoft frontpage

2010-06-20 16:58 . 2010-06-20 16:58 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2010-05-06 10:41 . 2002-12-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2002-12-31 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:30 . 2002-12-31 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll

.

<pre>
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Belkin\F5D7050v3\Belkinwcui .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\Microsoft Office\Office14\BCSSync .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
</pre>

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

--- c:\program files\AVG\AVG9\avgtray .exe ---

Company: AVG Technologies CZ, s.r.o.

File Description: AVG Tray Monitor

File Version: 9.0.0.825

Product Name: AVG Internet Security

Copyright: Copyright


OK, here's a quick rundown of how to have Windows automatically restore files from your Windows CD (note that you may need to reinstall Service Packs after doing this):

  1. Insert your Windows XP disk into the CD drive of the infected computer.
  2. Close anything you were working on, and close the Windows XP thing that pops up after putting the disk in the CD drive.
  3. Click the 'Start' button.
  4. Click on 'Run' to open the 'Run' dialog.
  5. Type the following into the little white field in the 'Run' dialog:

    sfc /scannow


  6. Follow any on-screen instructions while the System File Checker verifies all of your System Files.
  7. When it's done, it will probably ask you to restart your computer. Go ahead and do that as soon as you can.
  8. Download a fresh copy of ComboFix from this link, run it, and get me a new ComboFix log so that I can see if the infected file was properly replaced.

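The step above asks for a fresh log to confirm that the infected system file was replaced. As an added example (not part of this thread, and not ComboFix's own code), here is a small Python triage script that parses ComboFix-style file-listing lines (`<mtime> . <ctime> <size> <attrs> <path>`) and checks a core binary against a known-good baseline: wrong directory, or a size that differs from the expected build. The baseline entry for winlogon.exe (canonical directory `c:\windows\system32`, size 502272 for 5.1.2600.2180) is taken from the Sigcheck line in the second log in this thread; the nested-path sample line is constructed for the example, since ComboFix listed that copy under "Other Deletions" without a timestamp. A third heuristic (old creation time, recent modification time) is kept separate on purpose, because legitimate Windows Updates produce exactly the same pattern, as the win32k.sys line shows.

```python
"""Triage helper for ComboFix-style file listings (added example).

Parses lines of the form
    <mtime> . <ctime> <size|--------> <attrs> <path>
and checks core Windows binaries against a known-good baseline:
  1. the file sits outside its canonical directory, or
  2. its size differs from the baseline for the installed build.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "   # modification time
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "       # creation time
    r"(\d+|-{8}) "                            # size, or dashes for a directory
    r"(\S{8}) "                               # attribute flags, e.g. ----a-w-
    r"(.+)$"                                  # path (may contain spaces)
)

# Baseline taken from the Sigcheck line in the thread's second log:
# winlogon.exe 5.1.2600.2180 (XP SP2) is 502272 bytes. Sizes differ between
# service packs; in real use take the value from a trusted reference for the
# exact build installed.
BASELINE: Dict[str, Dict[str, object]] = {
    "winlogon.exe": {"dir": r"c:\windows\system32", "size": 502272},
}


@dataclass
class Entry:
    mtime: datetime
    ctime: datetime
    size: Optional[int]   # None for directory entries ("--------")
    attrs: str
    path: str


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a file-listing line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    mt, ct, size, attrs, path = m.groups()
    fmt = "%Y-%m-%d %H:%M"
    return Entry(datetime.strptime(mt, fmt), datetime.strptime(ct, fmt),
                 None if size.startswith("-") else int(size), attrs, path)


def split_path(path: str):
    """Split a Windows path into (parent, filename), both lower-cased."""
    parent, _, name = path.lower().rpartition("\\")
    return parent, name


def check_entry(entry: Entry) -> List[str]:
    """Baseline checks for core binaries; an empty list means nothing to report."""
    parent, name = split_path(entry.path)
    base = BASELINE.get(name)
    if base is None:
        return []
    findings = []
    if parent != base["dir"]:
        findings.append(f"{name} outside canonical directory: {entry.path}")
    if entry.size is not None and entry.size != base["size"]:
        findings.append(f"{name} size {entry.size} != baseline {base['size']}")
    return findings


def modified_in_place(entry: Entry) -> bool:
    """Triage hint only: a system32 file rewritten after it was created.
    Service packs and Windows Updates produce exactly the same pattern."""
    parent, _ = split_path(entry.path)
    return parent == r"c:\windows\system32" and entry.mtime > entry.ctime


def triage(log_text: str) -> List[str]:
    """Collect baseline findings for every parseable line in the log text."""
    findings: List[str] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            findings.extend(check_entry(entry))
    return findings


# Three lines copied from the logs in this thread (the infected winlogon.exe,
# the restored one, and a legitimately updated win32k.sys) plus one
# constructed line for the nested copy that ComboFix deleted; its time and
# size are made up for the example.
SAMPLE_LOG = r"""
2010-06-20 23:36 . 2002-12-31 12:00 507904 ----a-w- c:\windows\system32\winlogon.exe
2010-07-07 20:04 . 2004-08-04 07:56 502272 ----a-w- c:\windows\system32\winlogon.exe
2010-05-02 05:22 . 2002-12-31 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-07-07 18:50 . 2010-07-07 18:50 507904 ----a-w- c:\windows\system32\windows\system32\winlogon.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Running it reports three findings: the size mismatch on the June copy of winlogon.exe, and both a wrong-directory and a size finding for the nested copy; the restored 502272-byte file passes. Note that `modified_in_place` is true for the patched winlogon.exe but also for win32k.sys, which is why date heuristics alone are only a starting point and a size or hash comparison against a trusted baseline is what actually settles the question.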

hi gt500 :D

I had a thought and looked at my hard disk.

When I set up the PC I copied the operating system to a partition, that I then made bootable.

I looked at the copy of winlogon there and found that not only was it smaller but it was modified in 2004; the one on C: was modified June 2010.

I ran from the command prompt and copied the Z: file to C:. However, in moving it I copied it to X: and then the C: root.

As you can see from the log, CF didn't like those anyway and deleted them. :D

It also doesn't like the one in system32 now either :) - obviously.

I have of course got to activate my system now as the keys have appeared in the bottom right. (That's how early on I made the backup on Z:.)

Is it going to be a problem as is, or is there a fix? I had accessed the internet before the backup was made as I needed to download a number of drivers etc.

The only other option is to delete Windows and re-install with one of the disks of XP Home I have, or one of the other systems. This though will lose all data and all programs on the PC; I am loath to do this.

I have attached the log that I just ran.

One other question: this is affecting many people. :D What is it? And why is it getting onto so many PCs, and through anti-virus and anti-spyware? :)

I will of course use Malwarebytes for my protection in future. The most comprehensive so far, and excellent service and forum.

Thank you so much for your help.

-----------------------------------------------------

ComboFix 10-07-06.03 - Administrator 07/07/2010 21:26:25.5.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.510.181 [GMT 1:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix1.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\windows

c:\windows\system32\windows\system32\winlogon.exe

c:\windows\system32\winlogon.bak

C:\winlogon.exe

X:\winlogon.exe

Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\msgsvc.dll

.

((((((((((((((((((((((((( Files Created from 2010-06-07 to 2010-07-07 )))))))))))))))))))))))))))))))

.

2010-07-07 20:04 . 2004-08-04 07:56 502272 ----a-w- c:\windows\system32\winlogon.exe

2010-07-07 19:42 . 2010-07-07 19:42 -------- d--h--w- c:\windows\system32\GroupPolicy

2010-07-07 18:46 . 2010-07-07 18:46 -------- d-----w- c:\documents and settings\Administrator\WINDOWS

2010-07-07 15:02 . 2003-03-24 15:52 20540 -c--a-w- c:\windows\system32\dllcache\admin.dll

2010-07-07 09:36 . 2010-07-07 09:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\assembly

2010-07-06 21:12 . 2010-07-06 21:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\IsolatedStorage

2010-07-06 21:04 . 2010-07-06 21:11 -------- d-----w- c:\program files\Virtual Earth 3D

2010-07-05 11:39 . 2010-07-05 11:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Opera

2010-07-05 11:38 . 2010-07-05 11:38 -------- d-----w- c:\program files\Opera

2010-07-05 10:37 . 2010-07-05 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Bluetooth

2010-07-05 10:32 . 2008-04-14 04:42 53760 ----a-w- c:\windows\system32\drivers\vfwwdm32.dll

2010-07-05 10:12 . 2010-07-05 10:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Nokia

2010-07-05 10:08 . 2010-07-05 10:08 -------- d-----w- c:\program files\DIFX

2010-07-05 10:08 . 2008-08-26 09:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys

2010-07-05 10:08 . 2010-07-05 10:08 -------- d-----w- c:\program files\PC Connectivity Solution

2010-07-05 10:08 . 2010-02-26 13:32 92672 ----a-w- c:\windows\system32\nmwcdcls.dll

2010-07-05 10:06 . 2010-07-05 10:08 -------- d-----w- c:\program files\Nokia

2010-07-05 10:06 . 2010-07-05 10:06 -------- d-----w- c:\program files\Common Files\Nokia

2010-07-05 10:06 . 2010-07-05 10:03 35607992 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\NokiaSoftwareUpdaterSetup_en.exe

2010-07-05 10:05 . 2010-07-05 10:05 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\Installer\CommonCustomActions\Sleep.exe

2010-07-05 10:05 . 2010-07-05 10:05 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\Installer\CommonCustomActions\msxml6Exec.exe

2010-07-05 10:05 . 2010-07-05 10:05 3203453 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{09C468CA-2940-466A-AAE8-DCC0C6E9323C}\Installer\CommonCustomActions\vcredistExec.exe

2010-07-05 10:03 . 2010-07-05 10:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations

2010-07-05 07:29 . 2009-08-06 18:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-07-05 07:29 . 2009-08-06 18:23 215920 ----a-w- c:\windows\system32\muweb.dll

2010-07-01 23:28 . 2010-07-01 23:28 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE

2010-07-01 17:12 . 2010-07-01 17:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities

2010-07-01 14:21 . 2010-07-01 14:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG9

2010-07-01 11:01 . 2010-07-01 11:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-07-01 11:00 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-01 11:00 . 2010-07-01 11:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-01 11:00 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-01 11:00 . 2010-07-01 11:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-30 17:32 . 2010-07-02 03:30 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-06-30 17:32 . 2010-06-30 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-30 01:26 . 2010-06-30 01:26 -------- d-----w- c:\windows\Sun

2010-06-30 00:00 . 2010-06-30 00:00 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2010-06-29 09:49 . 2010-06-29 09:49 -------- d-----w- c:\program files\MSECache

2010-06-29 09:14 . 2010-06-29 09:14 -------- d-----w- c:\program files\Microsoft Synchronization Services

2010-06-29 09:12 . 2010-06-29 09:12 -------- d-----w- c:\documents and settings\All Users\Microsoft

2010-06-29 09:12 . 2010-06-29 09:12 -------- d-----w- c:\program files\Microsoft Sync Framework

2010-06-29 09:12 . 2010-06-29 09:12 -------- d-----w- c:\program files\Microsoft.NET

2010-06-29 09:12 . 2010-06-29 09:12 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

2010-06-29 09:07 . 2010-06-29 09:07 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2010-06-29 09:01 . 2010-06-29 09:01 -------- d-----w- c:\program files\Microsoft Analysis Services

2010-06-29 09:00 . 2010-06-29 09:17 -------- d-----w- c:\windows\SHELLNEW

2010-06-29 08:57 . 2010-06-29 08:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft Help

2010-06-29 08:56 . 2010-06-29 10:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-06-29 08:55 . 2010-06-29 08:55 -------- d-----r- C:\MSOCache

2010-06-29 08:52 . 2010-06-29 09:00 -------- d-----w- c:\windows\system32\NtmsData

2010-06-29 07:26 . 2010-06-29 07:26 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-06-29 05:09 . 2010-07-02 04:30 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-29 03:58 . 2010-06-29 04:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue

2010-06-29 03:58 . 2010-06-29 09:27 -------- d-----w- c:\program files\Uniblue

2010-06-28 20:08 . 2008-04-13 23:16 37888 ----a-w- c:\windows\system32\drivers\bthmodem.sys

2010-06-26 20:27 . 2008-04-13 23:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2010-06-26 20:16 . 2010-06-26 20:16 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ

2010-06-26 20:15 . 2007-04-16 04:00 69632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPP8Z.DLL

2010-06-26 20:15 . 2007-04-16 04:00 27136 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPD8Z.DLL

2010-06-26 20:15 . 2007-04-16 04:00 215040 ----a-w- c:\windows\system32\CNMLM8Z.DLL

2010-06-26 20:15 . 2010-06-26 20:15 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information

2010-06-26 20:15 . 2007-03-15 13:12 188416 ----a-w- c:\windows\system32\CNC310O.DLL

2010-06-26 20:15 . 2007-03-23 15:30 1400832 ----a-w- c:\windows\system32\CNC310C.DLL

2010-06-26 20:15 . 2007-03-23 15:29 98304 ----a-w- c:\windows\system32\CNC310I.DLL

2010-06-26 20:15 . 2007-03-19 09:39 200704 ----a-w- c:\windows\system32\CNC310L.DLL

2010-06-26 19:48 . 2008-04-13 23:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

2010-06-25 17:04 . 2010-06-25 17:04 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4babafb7-n\msvcp71.dll

2010-06-25 17:04 . 2010-06-25 17:04 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4babafb7-n\jmc.dll

2010-06-25 17:04 . 2010-06-25 17:04 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5b4d23f2-n\decora-d3d.dll

2010-06-25 17:04 . 2010-06-25 17:04 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5b4d23f2-n\decora-sse.dll

2010-06-25 17:04 . 2010-06-25 17:04 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4babafb7-n\msvcr71.dll

2010-06-25 17:02 . 2010-06-25 17:00 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-25 00:04 . 2010-06-30 17:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lyaqy

2010-06-23 22:46 . 2010-06-25 16:59 -------- d-----w- c:\program files\Java

2010-06-23 22:45 . 2010-06-25 21:36 -------- d-----w- c:\program files\Common Files\Java

2010-06-23 21:58 . 2010-06-23 21:59 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2010-06-23 21:56 . 2010-06-23 21:57 -------- d-----w- c:\program files\Common Files\Adobe

2010-06-23 21:29 . 2010-06-23 21:29 -------- d-----w- c:\windows\system32\wbem\Repository

2010-06-23 14:31 . 2010-06-23 14:31 -------- d-----w- C:\$AVG

2010-06-23 14:28 . 2010-06-23 21:28 -------- d-----w- C:\Inetpub

2010-06-23 14:28 . 2010-06-23 14:28 -------- d-----w- c:\windows\system32\Logfiles

2010-06-23 04:08 . 2010-06-23 04:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss

2010-06-23 04:07 . 2010-07-01 14:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc

2010-06-23 04:04 . 2010-06-23 04:04 -------- d-----w- c:\program files\VideoLAN

2010-06-23 00:53 . 2010-07-05 10:55 -------- d-----w- C:\Torrentprivacy

2010-06-22 23:59 . 2010-06-29 03:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\BitTorrent

2010-06-22 23:59 . 2010-06-23 05:19 -------- d-----w- c:\program files\BitTorrent

2010-06-22 23:53 . 2010-06-22 23:53 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb6C.tmp.exe

2010-06-22 22:27 . 2008-04-13 23:21 101120 ----a-w- c:\windows\system32\drivers\bthpan.sys

2010-06-22 22:26 . 2008-04-13 23:16 59136 ----a-w- c:\windows\system32\drivers\rfcomm.sys

2010-06-22 22:26 . 2008-04-14 04:42 151552 ----a-w- c:\windows\system32\irftp.exe

2010-06-22 22:26 . 2008-04-14 04:42 8192 ----a-w- c:\windows\system32\wshirda.dll

2010-06-22 22:26 . 2008-04-14 04:41 28160 ----a-w- c:\windows\system32\irmon.dll

2010-06-22 22:26 . 2008-04-13 23:16 17024 ----a-w- c:\windows\system32\drivers\BthEnum.sys

2010-06-22 22:26 . 2008-04-13 23:16 18944 ----a-w- c:\windows\system32\drivers\BTHUSB.SYS

2010-06-22 19:24 . 2010-06-22 19:24 -------- d-----w- c:\program files\MSXML 4.0

2010-06-22 18:54 . 2002-12-31 12:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2010-06-22 03:04 . 2010-06-22 03:04 -------- d-----w- C:\pnp

2010-06-22 01:40 . 2010-06-22 01:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\WildPackets

2010-06-22 01:38 . 2009-12-16 16:34 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-06-22 01:38 . 2009-12-16 16:34 1060864 ----a-w- c:\windows\system32\mfc71.dll

2010-06-22 01:37 . 2010-06-22 01:37 -------- d-----w- c:\program files\WildPackets

2010-06-21 21:52 . 2010-06-21 21:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\cache

2010-06-21 19:29 . 2010-06-21 19:29 -------- d-----w- c:\windows\system32\XPSViewer

2010-06-21 19:29 . 2010-06-29 09:16 -------- d-----w- c:\program files\MSBuild

2010-06-21 19:29 . 2010-06-21 19:29 -------- d-----w- c:\program files\Reference Assemblies

2010-06-21 19:28 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll

2010-06-21 19:28 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2010-06-21 19:28 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2010-06-21 19:28 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2010-06-21 19:28 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2010-06-21 19:28 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2010-06-21 19:28 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2010-06-21 19:28 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2010-06-21 19:28 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2010-06-21 19:28 . 2010-06-21 19:28 -------- d-----w- C:\94c12bb0934f9f354ff792d06b

2010-06-21 19:18 . 2010-06-21 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Deskshare

2010-06-21 19:18 . 2010-06-21 19:18 -------- d-----w- c:\windows\XSxS

2010-06-21 19:18 . 2010-06-21 19:18 -------- d-----w- c:\program files\Xenocode

2010-06-21 19:18 . 2010-06-21 19:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Xenocode

2010-06-21 19:18 . 2010-06-21 19:18 -------- d-----w- c:\program files\Common Files\Deskshare Shared

2010-06-21 19:18 . 2010-06-21 19:18 -------- d-----w- c:\program files\Deskshare

2010-06-21 09:02 . 2010-06-21 09:02 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys

2010-06-21 09:02 . 2010-06-21 09:02 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-06-21 02:20 . 2010-06-21 02:20 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-02 06:24 . 2010-06-29 23:21 112 ----a-w- c:\documents and settings\All Users\Application Data\hgTGm6Gd.dat

2010-06-26 20:14 . 2010-06-26 20:14 -------- d--h--w- c:\program files\CanonBJ

2010-06-21 17:13 . 2010-06-20 17:02 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-06-20 17:03 . 2010-06-20 17:03 -------- d-----w- c:\program files\microsoft frontpage

2010-06-20 16:58 . 2010-06-20 16:58 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2010-05-06 10:41 . 2002-12-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2002-12-31 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:30 . 2002-12-31 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll

.

<pre>
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Belkin\F5D7050v3\Belkinwcui .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\Microsoft Office\Office14\BCSSync .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
</pre>

------- Sigcheck -------

[-] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe

.

((((((((((((((((((((((((((((( SnapShot_2010-07-07_14.11.42 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-07-07 20:35 . 2010-07-07 20:35 16384 c:\windows\temp\Perflib_Perfdata_b0.dat

+ 2002-12-31 12:00 . 2002-12-31 12:00 32768 c:\windows\system32\dllcache\dispex.dll

+ 2002-12-31 12:00 . 2002-12-31 12:00 39936 c:\windows\system32\dllcache\dimsroam.dll

+ 2002-12-31 12:00 . 2002-12-31 12:00 19456 c:\windows\system32\dllcache\dimsntfy.dll

+ 2002-12-31 12:00 . 2002-12-31 12:00 27136 c:\windows\system32\dllcache\ctl3d32.dll

+ 2002-12-31 12:00 . 2002-12-31 12:00 62464 c:\windows\system32\dllcache\cryptsvc.dll

+ 2002-12-31 12:00 . 2002-12-31 12:00 64512 c:\windows\system32\dllcache\cryptnet.dll

+ 2002-12-31 12:00 . 2002-12-31 12:00 53760 c:\windows\system32\dllcache\cryptext.dll

+ 2002-12-31 12:00 . 2002-12-31 12:00 33280 c:\windows\system32\dllcache\cryptdll.dll

+ 2002-12-31 12:00 . 2002-12-31 12:00 74752 c:\windows\system32\dllcache\cryptdlg.dll

+ 2002-12-31 12:00 . 2002-12-31 12:00 16896 c:\windows\system32\dllcache\cfgmgr32.dll

+ 2002-12-31 12:00 . 2002-12-31 12:00 30208 c:\windows\system32\dllcache\atmlib.dll

+ 2002-12-31 12:00 . 2010-03-05 14:37 65536 c:\windows\system32\dllcache\asycfilt.dll

+ 2002-12-31 12:00 . 2002-12-31 12:00 98304 c:\windows\system32\dllcache\ahui.exe

+ 2010-06-20 17:00 . 2002-12-31 12:00 7168 c:\windows\system32\dllcache\bitsprx4.dll

+ 2002-12-31 12:00 . 2002-12-31 12:00 512512 c:\windows\system32\dllcache\cryptui.dll

+ 2002-12-31 12:00 . 2002-12-31 12:00 599040 c:\windows\system32\dllcache\crypt32.dll

+ 2002-12-31 12:00 . 2002-12-31 12:00 252928 c:\windows\system32\dllcache\compatui.dll

+ 2002-12-31 12:00 . 2002-12-31 12:00 276992 c:\windows\system32\dllcache\comdlg32.dll

+ 2002-12-31 12:00 . 2002-12-31 12:00 617472 c:\windows\system32\dllcache\comctl32.dll

+ 2002-12-31 12:00 . 2002-12-31 12:00 233472 c:\windows\system32\dllcache\azroles.dll

+ 2002-12-31 12:00 . 2002-12-31 12:00 125952 c:\windows\system32\dllcache\apphelp.dll

+ 2002-12-31 12:00 . 2002-12-31 12:00 116224 c:\windows\system32\dllcache\acxtrnal.dll

+ 2002-12-31 12:00 . 2002-12-31 12:00 245248 c:\windows\system32\dllcache\acspecfc.dll

+ 2002-12-31 12:00 . 2009-11-21 15:51 471552 c:\windows\system32\dllcache\aclayers.dll

+ 2010-06-20 16:56 . 2002-12-31 12:00 136192 c:\windows\system32\dllcache\aaclient.dll

+ 2002-12-31 12:00 . 2002-12-31 12:00 1852928 c:\windows\system32\dllcache\acgenral.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2010-04-19 09:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]

2010-02-28 01:20 561552 ----a-w- c:\progra~1\MICROS~2\Office14\URLREDIR.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [N/A]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [N/A]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2002-12-31 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Full Tilt Poker.lnk - c:\program files\Full Tilt Poker\FullTiltPoker.exe [2010-5-28 7626752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-06-21 01:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"{23FCA088-F67F-9278-AAFC-6E9F6CE0B7BA}"="c:\documents and settings\Administrator\Application Data\Xari\kohye.exe"

"CTFMON.EXE"=c:\windows\system32\ctfmon.exe

"QNB2EB90WX"=c:\docume~1\ADMINI~1\LOCALS~1\Temp\Phg.exe

"RZDVL2F27W"=c:\windows\Pziwea.exe

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"BCMSMMSG"=BCMSMMSG.exe

"BigDogPath"=c:\windows\VM_STI.EXE Philips SPC 200NC PC Camera

"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

"HotKeysCmds"=c:\windows\system32\hkcmd.exe

"IgfxTray"=c:\windows\system32\igfxtray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [21/06/2010 02:20 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [21/06/2010 02:22 242896]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [21/06/2010 02:19 916760]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [21/06/2010 02:19 308064]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/06/2010 00:47 136176]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [21/06/2010 02:21 430152]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [25/03/2010 10:25 30969208]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 21:37 4640000]

.

Contents of the 'Scheduled Tasks' folder

2010-07-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-20 23:47]

2010-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-20 23:47]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

DPF: {79A0299B-199F-48BA-9CBE-7E1E60860F5D} - hxxp://www.trackthisout.com/Export.CAB

DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} - file:///H:/system/IntraLaunch.CAB

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-07 21:35

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-1229272821-299502267-500\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2296)

c:\windows\system32\WININET.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll

c:\windows\system32\ieframe.dll

c:\program files\Malwarebytes' Anti-Malware\mbamext.dll

c:\program files\WinZip\wzshlstb.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\webcheck.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

c:\progra~1\SPYBOT~1\SDHelper.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\wpabaln.exe

c:\program files\Internet Explorer\IEXPLORE.EXE

c:\program files\Internet Explorer\IEXPLORE.EXE

c:\windows\system32\NOTEPAD.EXE

.

**************************************************************************

.

Completion time: 2010-07-07 21:41:24 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-07 20:41

ComboFix2.txt 2010-07-07 14:16

ComboFix3.txt 2010-07-06 08:02

ComboFix4.txt 2010-07-05 16:27

ComboFix5.txt 2010-07-07 20:21

Pre-Run: 2,286,575,616 bytes free

Post-Run: 2,662,236,160 bytes free

- - End Of File - - DBA6020C526E6D145F259DEDA28CBE4F

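Reading the autostart section of a ComboFix log by eye is slow and error-prone, and the entries that matter in the log above (random ten-character value names pointing into Temp, a GUID-named value in Application Data, two `[N/A]` targets whose real binaries show up in the `<pre>` list with a space before `.exe`) are exactly the kind a small script can surface. The Python below is an added example written for this thread; it is not part of ComboFix or of anyone's post. It parses `Reg Loading Points` lines and the spaced-name list, applies a few heuristics, and links each `[N/A]` Run target to a same-named spaced file. The sample lines are copied from the log above; the heuristics, their thresholds and the helper names are my assumptions, not rules ComboFix itself applies.

```python
"""Heuristic triage of ComboFix 'Reg Loading Points' output (added example, not ComboFix's own code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: autostart lines copied from the ComboFix log in this thread.
SAMPLE_RUN_LINES = [
    r'"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]',
    r'"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [N/A]',
    r'"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [N/A]',
    r'"{23FCA088-F67F-9278-AAFC-6E9F6CE0B7BA}"="c:\documents and settings\Administrator\Application Data\Xari\kohye.exe"',
    r'"QNB2EB90WX"=c:\docume~1\ADMINI~1\LOCALS~1\Temp\Phg.exe',
    r'"RZDVL2F27W"=c:\windows\Pziwea.exe',
    r'"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"',
    r'"BigDogPath"=c:\windows\VM_STI.EXE Philips SPC 200NC PC Camera',
]
# The <pre> block ComboFix prints: files whose name carries a space before the extension.
SAMPLE_SPACED_NAMES = [
    r'c:\program files\AVG\AVG9\avgtray .exe',
    r'c:\program files\Belkin\F5D7050v3\Belkinwcui .exe',
    r'c:\program files\Common Files\Java\Java Update\jusched .exe',
]

RUN_LINE = re.compile(
    r'^"(?P<name>[^"]+)"='                         # "ValueName"=
    r'(?:"(?P<qpath>[^"]*)"|(?P<upath>[^\[]*?))'   # quoted path, or bare command line
    r'\s*(?:\[(?P<meta>[^\]]*)\])?\s*$'            # optional "[date size]" or "[N/A]"
)
IMAGE = re.compile(r'^(?P<image>.+?\.(?:exe|cpl|dll|scr))(?:\s.*)?$', re.I)  # drop arguments
RANDOM_NAME = re.compile(r'^(?=.*[A-Z])(?=.*\d)[A-Z0-9]{8,12}$')            # e.g. QNB2EB90WX
GUID_NAME = re.compile(r'^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
USER_WRITABLE = re.compile(r'\\(?:temp|application data|local settings|locals~1|appdata)\\', re.I)
WINDIR_ROOT = re.compile(r'^c:\\windows\\[^\\]+\.exe$', re.I)                # c:\windows\foo.exe
SPACED_EXT = re.compile(r' \.(?:exe|dll|sys)$', re.I)                         # "avgtray .exe"


@dataclass
class RunEntry:
    name: str            # registry value name
    command: str         # command line as logged
    image: str           # executable path with any arguments removed
    meta: Optional[str]  # ComboFix's "[date size]" annotation, or "N/A"


def parse_run_line(line: str) -> Optional[RunEntry]:
    """Parse one '"name"=path [meta]' line; return None for lines that are not Run values."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    command = (m.group('qpath') if m.group('qpath') is not None else m.group('upath')).strip()
    img = IMAGE.match(command)
    return RunEntry(m.group('name'), command, img.group('image') if img else command, m.group('meta'))


def assess(entry: RunEntry) -> List[str]:
    """Reasons an entry deserves a manual look; empty means nothing stood out. Hints, not verdicts."""
    reasons = []
    if entry.meta is not None and entry.meta.strip().upper() == 'N/A':
        reasons.append('ComboFix could not stat the target ([N/A]): file missing or renamed')
    if USER_WRITABLE.search(entry.image):
        reasons.append('runs from a user-writable profile or temp directory')
    if RANDOM_NAME.match(entry.name):
        reasons.append('value name looks machine-generated')
    if GUID_NAME.match(entry.name):
        reasons.append('GUID used as a Run value name')
    if WINDIR_ROOT.match(entry.image):
        reasons.append('bare executable in the Windows root rather than system32')
    return reasons


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map every flagged value name to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_run_line(line)
        if entry is not None:
            reasons = assess(entry)
            if reasons:
                flagged[entry.name] = reasons
    return flagged


def find_spaced_names(paths: List[str]) -> List[str]:
    """Files listed with a space before the extension, as in ComboFix's <pre> block."""
    return [p for p in paths if SPACED_EXT.search(p)]


def correlate_missing(lines: List[str], paths: List[str]) -> Dict[str, str]:
    """Link each [N/A] Run target to a spaced-name file that shares its basename."""
    by_basename = {p.rsplit('\\', 1)[-1].replace(' .', '.').lower(): p for p in find_spaced_names(paths)}
    links: Dict[str, str] = {}
    for line in lines:
        e = parse_run_line(line)
        if e is not None and e.meta is not None and e.meta.strip().upper() == 'N/A':
            base = e.image.rsplit('\\', 1)[-1].lower()
            if base in by_basename:
                links[e.name] = by_basename[base]
    return links


if __name__ == '__main__':
    for name, reasons in triage(SAMPLE_RUN_LINES).items():
        print(f'{name}: ' + '; '.join(reasons))
    for name, spaced in correlate_missing(SAMPLE_RUN_LINES, SAMPLE_SPACED_NAMES).items():
        print(f'{name}: target missing, spaced twin present at {spaced}')
```

The flags are triage hints, not verdicts: on this very log the webcam utility `c:\windows\VM_STI.EXE` trips the Windows-root rule, so every hit still needs a look at the file itself. The correlation step is the useful part here, because the two `[N/A]` targets (`avgtray.exe`, `Belkinwcui.exe`) are exactly the names ComboFix lists with a space before `.exe`, which is why the genuine tray programs no longer start.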

I ran from the command prompt and copied the Z: file to C:. However, in moving it I copied it to X: and then to the C: root.

As you can see from the log, CF didn't like those anyway and deleted them. :D

It also doesn't like the one in system32 now either :D - obviously.

I just had an "unrecognized file" warning and it wanted to restore from CD. The only change has been swapping winlogon.

I had renamed the original winlogon to winlogon.bak - CF has deleted it. Is this going to be a problem? :D



After reading one of your posts about how best to protect your PC, I installed AntiVir and ran it. It detected 4 unwanted things.

Report attached. No, it's not: I got an "Upload failed. You are not permitted to upload this type of file" message (it's a .txt file, using Opera).

It's below:

Avira AntiVir Personal

Report file date: 10 July 2010 01:28

Scanning for 2329261 virus strains and unwanted programs.

The program is running as an unrestricted full version.

Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : OFFICE

Version information:

BUILD.DAT : 10.0.0.567 32097 Bytes 19/04/2010 15:07:00

AVSCAN.EXE : 10.0.3.0 433832 Bytes 01/04/2010 12:37:38

AVSCAN.DLL : 10.0.3.0 46440 Bytes 01/04/2010 12:57:04

LUKE.DLL : 10.0.2.3 104296 Bytes 07/03/2010 18:33:04

LUKERES.DLL : 10.0.0.1 12648 Bytes 10/02/2010 23:40:49

VBASE000.VDF : 7.10.0.0 19875328 Bytes 06/11/2009 09:05:36

VBASE001.VDF : 7.10.1.0 1372672 Bytes 19/11/2009 19:27:49

VBASE002.VDF : 7.10.3.1 3143680 Bytes 20/01/2010 17:37:42

VBASE003.VDF : 7.10.3.75 996864 Bytes 26/01/2010 16:37:42

VBASE004.VDF : 7.10.4.203 1579008 Bytes 05/03/2010 11:29:03

VBASE005.VDF : 7.10.6.82 2494464 Bytes 15/04/2010 19:18:40

VBASE006.VDF : 7.10.7.218 2294784 Bytes 02/06/2010 19:19:00

VBASE007.VDF : 7.10.7.219 2048 Bytes 02/06/2010 19:19:00

VBASE008.VDF : 7.10.7.220 2048 Bytes 02/06/2010 19:19:00

VBASE009.VDF : 7.10.7.221 2048 Bytes 02/06/2010 19:19:00

VBASE010.VDF : 7.10.7.222 2048 Bytes 02/06/2010 19:19:00

VBASE011.VDF : 7.10.7.223 2048 Bytes 02/06/2010 19:19:01

VBASE012.VDF : 7.10.7.224 2048 Bytes 02/06/2010 19:19:01

VBASE013.VDF : 7.10.8.37 270336 Bytes 10/06/2010 19:19:04

VBASE014.VDF : 7.10.8.69 138752 Bytes 14/06/2010 19:19:05

VBASE015.VDF : 7.10.8.102 130560 Bytes 16/06/2010 19:19:06

VBASE016.VDF : 7.10.8.135 152064 Bytes 21/06/2010 19:19:08

VBASE017.VDF : 7.10.8.163 432128 Bytes 23/06/2010 19:19:11

VBASE018.VDF : 7.10.8.194 133632 Bytes 27/06/2010 19:19:12

VBASE019.VDF : 7.10.8.220 134656 Bytes 29/06/2010 19:19:13

VBASE020.VDF : 7.10.8.252 171520 Bytes 04/07/2010 19:19:15

VBASE021.VDF : 7.10.9.19 131072 Bytes 06/07/2010 19:19:16

VBASE022.VDF : 7.10.9.36 297472 Bytes 07/07/2010 19:19:18

VBASE023.VDF : 7.10.9.37 2048 Bytes 07/07/2010 19:19:19

VBASE024.VDF : 7.10.9.38 2048 Bytes 07/07/2010 19:19:19

VBASE025.VDF : 7.10.9.39 2048 Bytes 07/07/2010 19:19:19

VBASE026.VDF : 7.10.9.40 2048 Bytes 07/07/2010 19:19:19

VBASE027.VDF : 7.10.9.41 2048 Bytes 07/07/2010 19:19:19

VBASE028.VDF : 7.10.9.42 2048 Bytes 07/07/2010 19:19:19

VBASE029.VDF : 7.10.9.43 2048 Bytes 07/07/2010 19:19:19

VBASE030.VDF : 7.10.9.44 2048 Bytes 07/07/2010 19:19:20

VBASE031.VDF : 7.10.9.56 112640 Bytes 09/07/2010 19:19:20

Engineversion : 8.2.4.10

AEVDF.DLL : 8.1.2.0 106868 Bytes 09/07/2010 19:19:46

AESCRIPT.DLL : 8.1.3.39 1335674 Bytes 09/07/2010 19:19:46

AESCN.DLL : 8.1.6.1 127347 Bytes 09/07/2010 19:19:42

AESBX.DLL : 8.1.3.1 254324 Bytes 09/07/2010 19:19:47

AERDL.DLL : 8.1.4.6 541043 Bytes 09/07/2010 19:19:42

AEPACK.DLL : 8.2.2.5 430453 Bytes 09/07/2010 19:19:40

AEOFFICE.DLL : 8.1.1.6 201081 Bytes 09/07/2010 19:19:38

AEHEUR.DLL : 8.1.1.38 2724214 Bytes 09/07/2010 19:19:36

AEHELP.DLL : 8.1.11.6 242038 Bytes 09/07/2010 19:19:27

AEGEN.DLL : 8.1.3.13 381300 Bytes 09/07/2010 19:19:27

AEEMU.DLL : 8.1.2.0 393588 Bytes 09/07/2010 19:19:24

AECORE.DLL : 8.1.15.3 192886 Bytes 09/07/2010 19:19:23

AEBB.DLL : 8.1.1.0 53618 Bytes 09/07/2010 19:19:22

AVWINLL.DLL : 10.0.0.0 19304 Bytes 14/01/2010 12:03:38

AVPREF.DLL : 10.0.0.0 44904 Bytes 14/01/2010 12:03:35

AVREP.DLL : 10.0.0.8 62209 Bytes 18/02/2010 16:47:40

AVREG.DLL : 10.0.3.0 53096 Bytes 01/04/2010 12:35:46

AVSCPLR.DLL : 10.0.3.0 83816 Bytes 01/04/2010 12:39:51

AVARKT.DLL : 10.0.0.14 227176 Bytes 01/04/2010 12:22:13

AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 26/01/2010 09:53:30

SQLITE3.DLL : 3.6.19.0 355688 Bytes 28/01/2010 12:57:58

AVSMTP.DLL : 10.0.0.17 63848 Bytes 16/03/2010 15:38:56

NETNT.DLL : 10.0.0.0 11624 Bytes 19/02/2010 14:41:00

RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 28/01/2010 13:10:20

RCTEXT.DLL : 10.0.53.0 97128 Bytes 09/04/2010 14:14:29

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, D:, E:, G:, W:, X:, Z:,

Process scan........................: on

Extended process scan...............: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: 10 July 2010 01:28

Starting search for hidden objects.

c:\windows\explorer.exe

c:\WINDOWS\explorer.exe

[NOTE] The process is not visible.

The scan of running processes will be started

Scan process 'rsmsink.exe' - '29' Module(s) have been scanned

Scan process 'dllhost.exe' - '45' Module(s) have been scanned

Scan process 'vssvc.exe' - '48' Module(s) have been scanned

Scan process 'avscan.exe' - '70' Module(s) have been scanned

Scan process 'msdtc.exe' - '40' Module(s) have been scanned

Scan process 'dllhost.exe' - '61' Module(s) have been scanned

Scan process 'ctfmon.exe' - '25' Module(s) have been scanned

Scan process 'svchost.exe' - '34' Module(s) have been scanned

Scan process 'avcenter.exe' - '92' Module(s) have been scanned

Scan process 'explorer.exe' - '124' Module(s) have been scanned

Scan process 'alg.exe' - '33' Module(s) have been scanned

Scan process 'svchost.exe' - '39' Module(s) have been scanned

Scan process 'avgcsrvx.exe' - '12' Module(s) have been scanned

Scan process 'avgnsx.exe' - '29' Module(s) have been scanned

Scan process 'avgemc.exe' - '54' Module(s) have been scanned

Scan process 'svchost.exe' - '39' Module(s) have been scanned

Scan process 'svchost.exe' - '34' Module(s) have been scanned

Scan process 'avgwdsvc.exe' - '41' Module(s) have been scanned

Scan process 'sched.exe' - '46' Module(s) have been scanned

Scan process 'spoolsv.exe' - '57' Module(s) have been scanned

Scan process 'avgcsrvx.exe' - '12' Module(s) have been scanned

Scan process 'svchost.exe' - '32' Module(s) have been scanned

Scan process 'avgrsx.exe' - '10' Module(s) have been scanned

Scan process 'avgchsvx.exe' - '16' Module(s) have been scanned

Scan process 'svchost.exe' - '166' Module(s) have been scanned

Scan process 'svchost.exe' - '40' Module(s) have been scanned

Scan process 'svchost.exe' - '55' Module(s) have been scanned

Scan process 'avshadow.exe' - '26' Module(s) have been scanned

Scan process 'avguard.exe' - '57' Module(s) have been scanned

Scan process 'lsass.exe' - '58' Module(s) have been scanned

Scan process 'services.exe' - '36' Module(s) have been scanned

Scan process 'winlogon.exe' - '80' Module(s) have been scanned

Scan process 'csrss.exe' - '14' Module(s) have been scanned

Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'D:\'

[INFO] No virus was found!

Boot sector 'E:\'

[INFO] No virus was found!

Boot sector 'G:\'

[INFO] No virus was found!

Boot sector 'W:\'

[INFO] No virus was found!

Boot sector 'X:\'

[INFO] No virus was found!

Boot sector 'Z:\'

[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '383' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Documents\Settings\cbss.dll.vir

[DETECTION] Is the TR/Trash.Gen Trojan

Begin scan in 'D:\' <PRESARIO>

****NOTE: D: IS THE DRIVE CURRENTLY UNDERGOING RESTORATION PLUGGED INTO THIS PC. IT WAS NOT HERE ORIGINALLY!!****

D:\hp\bin\KillIt.exe

[DETECTION] Contains recognition pattern of the APPL/KillApp.A application

D:\hp\bin\KillWind.exe

[DETECTION] Contains recognition pattern of the APPL/KillApplicat.A application

Begin scan in 'E:\' <PRESARIO_RP>

Begin scan in 'G:\'

Begin scan in 'W:\' <New Volume>

Begin scan in 'X:\' <store>

Begin scan in 'Z:\' <backup>

Z:\Program Files\VLC Player\vlccfg.exe

[DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper

Beginning disinfection:

Z:\Program Files\VLC Player\vlccfg.exe

[DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper

[NOTE] The file was moved to the quarantine directory under the name '461530c4.qua'.

D:\hp\bin\KillWind.exe

[DETECTION] Contains recognition pattern of the APPL/KillApplicat.A application

[NOTE] The file was moved to the quarantine directory under the name '5ebd1f62.qua'.

D:\hp\bin\KillIt.exe

[DETECTION] Contains recognition pattern of the APPL/KillApp.A application

[NOTE] The file was moved to the quarantine directory under the name '0ce2458a.qua'.

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Documents\Settings\cbss.dll.vir

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to the quarantine directory under the name '6ada0a56.qua'.

End of the scan: 10 July 2010 16:38

Used time: 2:05:38 Hour(s)

The scan has been done completely.

11853 Scanned directories

627450 Files were scanned

4 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

4 Files were moved to quarantine

0 Files were renamed

0 Files cannot be scanned

627446 Files not concerned

19179 Archives were scanned

0 Warnings

4 Notes

476046 Objects were scanned with rootkit scan

1 Hidden objects were found


My apologies for the slow response.

Since you do not have access to a Windows XP disk, I recommend downloading and running the Service Pack 3 installation. It will bring your computer back to Windows XP Service Pack 3, and then you should be able to run Windows Update and get all of the updates again. Here is the link to the full installer for Service Pack 3 (it's intended for network admins, but it will work just fine in this situation).


Hi Arthur,

Well, I got so annoyed with the PC that I managed to get hold of an install disk and did a clean install.

I have since loaded drivers etc. and run Malwarebytes, covering my attached storage disk.

I have now run ComboFix too and attach the log.

I trust this looks better?

ComboFix 10-07-18.05 - admin 19/07/2010 18:03:48.4.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.262 [GMT 1:00]

Running from: c:\combofix\ComboFix.exe

Command switches used :: ComboFix

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))

.

2010-07-19 16:40 . 2009-08-06 18:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-07-19 13:33 . 2010-06-27 15:49 1774720 ----a-w- c:\windows\system32\BootMan.exe

2010-07-19 13:33 . 2010-05-11 15:29 13192 ----a-w- c:\windows\system32\epmntdrv.sys

2010-07-19 13:33 . 2010-05-11 15:29 86408 ----a-w- c:\windows\system32\setupempdrv03.exe

2010-07-19 13:33 . 2010-05-11 15:29 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys

2010-07-19 13:33 . 2010-05-11 15:29 14848 ----a-w- c:\windows\system32\EuEpmGdi.dll

2010-07-19 13:33 . 2010-07-19 13:33 -------- d-----w- c:\program files\EASEUS

2010-07-19 13:32 . 2010-07-19 13:32 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip

2010-07-19 12:56 . 2010-07-19 13:12 -------- d-----w- c:\windows\system32\CatRoot_bak

2010-07-19 11:47 . 2010-07-19 16:40 -------- d-----w- c:\windows\LastGood

2010-07-19 11:38 . 2005-02-25 03:35 22752 ----a-w- c:\windows\system32\spupdsvc.exe

2010-07-19 11:38 . 2010-07-19 12:54 -------- d--h--w- c:\windows\$hf_mig$

2010-07-19 11:30 . 2010-07-19 11:30 -------- d-s---w- c:\documents and settings\admin\UserData

2010-07-19 03:03 . 2010-07-19 03:03 -------- d-----w- c:\windows\system32\NtmsData

2010-07-18 23:02 . 2001-08-17 13:59 3072 ----a-w- c:\windows\system32\drivers\audstub.sys

2010-07-18 23:02 . 2004-08-04 00:56 21504 ----a-w- c:\windows\system32\hidserv.dll

2010-07-18 23:02 . 2004-08-03 22:59 57472 ----a-w- c:\windows\system32\drivers\redbook.sys

2010-07-18 23:01 . 2004-08-03 22:59 5504 ----a-w- c:\windows\system32\drivers\intelide.sys

2010-07-18 23:01 . 2004-08-03 23:56 74240 -c--a-w- c:\windows\system32\dllcache\usbui.dll

2010-07-18 23:01 . 2004-08-03 23:56 74240 ----a-w- c:\windows\system32\usbui.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-18 22:54 . 2010-07-18 22:54 -------- d-----w- c:\documents and settings\admin\Application Data\Avira

2010-07-18 22:52 . 2010-07-18 22:52 12328 ----a-w- c:\documents and settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-07-18 22:51 . 2010-07-18 22:51 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [18/07/2010 23:33 135336]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [18/07/2010 23:45 304464]

R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [19/07/2010 14:33 13192]

R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [19/07/2010 14:33 8456]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [18/07/2010 23:45 20952]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - EPMNTDRV

*NewlyCreated* - EUGDIDRV

.

Contents of the 'Scheduled Tasks' folder

2010-07-19 c:\windows\Tasks\avscan.job

- c:\documents and settings\admin\Desktop\D&E SCAN.LNK [2010-07-19 14:14]

2010-07-19 c:\windows\Tasks\ComboFix.job

- e:\tools\ComboFix.exe [2010-07-18 17:07]

2010-07-19 c:\windows\Tasks\mbam.job

- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-07-18 14:39]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

TCP: {CB9B14B1-D4A1-4141-A7CF-340605399809} = 8.8.8.8,8.8.8.4

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-19 18:07

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)

c:\windows\system32\igfxsrvc.dll

c:\windows\system32\hccutils.DLL

.

Completion time: 2010-07-19 18:10:03

ComboFix-quarantined-files.txt 2010-07-19 17:09

Pre-Run: 38,244,724,736 bytes free

Post-Run: 38,249,353,216 bytes free

- - End Of File - - AAB09E01C4B9BBB47A127E44B6237728


The following two files are showing up as part of a rogue (see this link):

c:\windows\system32\epmntdrv.sys

c:\windows\system32\EuGdiDrv.sys

As far as I can tell, these are related to Easeus Partition Master Home Edition. I assume that you have Easeus Partition Master Home Edition installed? If so, can you send me the link you downloaded it from?

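The question above (are these two newly created drivers part of a rogue, or just components of a legitimate partition tool?) is the kind of triage an analyst does by hand on a ComboFix log: the "Files Created" section lists the driver files with their creation minute, and the service section lists which of them are registered as drivers. The script below is an added example, not code from the original thread and not part of ComboFix or EASEUS; it parses log lines in the format posted above and, for every new .sys file, reports the non-Windows directories created within a short window of it as candidate installers. The sample log text is constructed from the posted format, the two-minute window is an assumption, and the result is only a lead: a driver's true origin still has to be confirmed with a publisher signature or a vendor-supplied hash, as the helper's request for the download link implies.

```python
"""Correlate newly created drivers in a ComboFix-style log with
directories created at about the same time.

Added example for this thread; not ComboFix's own code.  Heuristic only:
a .sys file written within a short window of a new program directory was
*probably* dropped by that product, which must then be verified.
"""
import re
from datetime import datetime

# Constructed sample in the format of the log posted above.  Note that the
# service section shows local time ([GMT 1:00] in the log header, 14:33),
# while "Files Created" shows 13:33, so services are matched by path only.
SAMPLE_LOG = """\
2010-07-19 13:33 . 2010-05-11 15:29 13192 ----a-w- c:\\windows\\system32\\epmntdrv.sys
2010-07-19 13:33 . 2010-05-11 15:29 8456 ----a-w- c:\\windows\\system32\\EuGdiDrv.sys
2010-07-19 13:33 . 2010-07-19 13:33 -------- d-----w- c:\\program files\\EASEUS
2010-07-19 13:32 . 2010-07-19 13:32 -------- d-----w- c:\\documents and settings\\All Users\\Application Data\\WinZip
2010-07-18 23:02 . 2001-08-17 13:59 3072 ----a-w- c:\\windows\\system32\\drivers\\audstub.sys
R3 epmntdrv;epmntdrv;c:\\windows\\system32\\epmntdrv.sys [19/07/2010 14:33 13192]
R3 EuGdiDrv;EuGdiDrv;c:\\windows\\system32\\EuGdiDrv.sys [19/07/2010 14:33 8456]
R3 MBAMProtector;MBAMProtector;c:\\windows\\system32\\drivers\\mbam.sys [18/07/2010 23:45 20952]
"""

# "<created> . <modified> <size|--------> <attrs> <path>"
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
# "R3 name;display;path [timestamp size]" (start types R0-R3 / S0-S4)
SERVICE_LINE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?) \[")


def parse_log(text):
    """Return (file entries, {driver path: (start type, service name)})."""
    files, services = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = FILE_LINE.match(line)
        if m:
            files.append({
                "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
                "is_dir": m["attrs"].startswith("d"),
                "path": m["path"].strip().lower(),
            })
            continue
        m = SERVICE_LINE.match(line)
        if m:
            services[m["path"].strip().lower()] = (m["start"], m["name"])
    return files, services


def correlate(text, window_minutes=2):
    """Map each new .sys file to the non-Windows directories created within
    `window_minutes` of it, nearest first, plus its service entry if any."""
    files, services = parse_log(text)
    # Directories under c:\windows are OS housekeeping, not installer roots.
    dirs = [f for f in files if f["is_dir"] and not f["path"].startswith("c:\\windows")]
    findings = {}
    for f in files:
        if f["is_dir"] or not f["path"].endswith(".sys"):
            continue
        near = sorted(
            (abs((d["created"] - f["created"]).total_seconds()), d["path"]) for d in dirs
        )
        findings[f["path"]] = {
            "created": f["created"],
            "service": services.get(f["path"]),
            "candidates": [p for secs, p in near if secs <= window_minutes * 60],
        }
    return findings


def unexplained(findings):
    """Drivers with no nearby directory: need a closer look (or are OS files)."""
    return sorted(p for p, info in findings.items() if not info["candidates"])


if __name__ == "__main__":
    result = correlate(SAMPLE_LOG)
    for path, info in result.items():
        print(path, info["service"], "->", info["candidates"] or "no candidate installer")
    print("unexplained:", unexplained(result))
```

On the sample, both EASEUS drivers line up with `c:\program files\EASEUS` created in the same minute (WinZip, a minute earlier, is listed second), which is exactly the helper's reading; `audstub.sys` comes out as unexplained because it dates from the OS reinstall, which is why the output is a starting point for verification rather than a verdict.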

As far as I can remember, I got it from either EASEUS??


2 weeks later... (staff reply)

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
