
Accountant's Computer



Okay, so I've been asked to take a look at my cousin's computer. He is an accountant, so he's worried that if there is something on this computer, it could be used to gain his clients' details. Anyway, so I followed the instructions on this board, and the logs are below.

DDS (Ver_10-03-17.01) - NTFSx86

Run by User1 at 17:25:17.53 on 05/07/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1057 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

svchost.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe

C:\Program Files\iolo\common\lib\ioloServiceManager.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\AVG\AVG9\avgemc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\Program Files\Mouse Driver\MouseDrv.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\YouSendIt\Express\YouSendIt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\iolo\System Mechanic\SMTrayNotify.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Nokia\NoA\nokiaaserver.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe

C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe

C:\PROGRA~1\COMMON~1\Nokia\MPLATF~1\NOKIAM~1.EXE

C:\Documents and Settings\User1\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://www.mytalktalk.co.uk/

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.alltheinternet.com/search.htm

uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com

mSearchAssistant = hxxp://www.alltheinternet.com/search.htm

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

uURLSearchHooks: H - No File

uURLSearchHooks: H - No File

uURLSearchHooks: H - No File

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: Advanced Searchbar: {cdeec43d-3572-4e95-a2a5-f519d29f00c0} - c:\progra~1\advanc~1\ADVANC~1.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll

TB: Advanced Searchbar: {57f02779-3d88-4958-8ad3-83c12d86adc7} - c:\program files\advancedsearchbar\advancedsearchbar.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - No File

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe

uRun: [YouSendIt.exe] c:\program files\yousendit\express\YouSendIt.exe -ui none

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [<NO NAME>]

uRun: [NokiaOviSuite2] c:\program files\nokia\nokia ovi suite\NokiaOviSuite.exe -tray

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"

mRun: [CreativeMouse ] c:\program files\mouse driver\MouseDrv.exe

mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

dRunOnce: [RunNarrator] Narrator.exe

StartupFolder: c:\docume~1\user1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\client~1.lnk - c:\program files\buffalo\client manager3\cm3_tray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-gb\local\search.html

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll

IE: {57F02779-3D88-4958-8AD3-83C12D86ADC7} - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - c:\program files\advancedsearchbar\advancedsearchbar.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238587244625

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user1\applic~1\mozilla\firefox\profiles\aphg9f63.default\

FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-5 165456]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-25 216200]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-25 29584]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-25 242896]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-5 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-5 40384]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-4 916760]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-4 308064]

R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbguard.exe [2010-1-5 81920]

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2010-6-10 704432]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2010-6-10 704432]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-5 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-5 40384]

R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbserver.exe [2010-1-5 2723840]

R3 U2KG54L;BUFFALO WLI-U2-KG54L Wireless LAN Driver;c:\windows\system32\drivers\U2KG54L.SYS [2006-8-24 477696]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1

VBEFile=NOTEPAD.EXE %1

VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2010-07-05 16:18:56 0 ----a-w- c:\documents and settings\user1\defogger_reenable

2010-07-05 12:33:52 38848 ----a-w- c:\windows\avastSS.scr

2010-07-05 12:33:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

2010-07-05 11:21:36 0 d-----w- c:\docume~1\user1\applic~1\Malwarebytes

2010-07-05 11:21:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-05 11:21:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-07-05 11:21:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-05 11:21:25 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-23 15:05:54 0 d-----w- c:\docume~1\user1\applic~1\Greenpoint

2010-06-23 15:05:00 696320 ----a-w- c:\windows\system32\libeay32.dll

2010-06-23 15:05:00 25600 ----a-w- c:\windows\system32\borlndmm.dll

2010-06-23 15:05:00 155648 ----a-w- c:\windows\system32\ssleay32.dll

2010-06-22 07:58:26 629 ----a-w- c:\windows\system32\mapisvc.inf

2010-06-22 07:22:28 0 d-----w- c:\program files\iPod

2010-06-22 07:17:58 0 d-----w- c:\program files\Bonjour

2010-06-16 11:53:02 0 d-----w- c:\program files\Palace of Chance

2010-06-12 09:45:34 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-10 09:12:22 406 ----a-w- c:\windows\system32\ioloBootDefrag.cfg

2010-06-10 09:11:24 93096 ----a-w- c:\windows\system32\IncContxMenu.dll

2010-06-10 09:11:24 2316712 ----a-w- c:\windows\system32\Incinerator.dll

2010-06-10 09:11:20 30208 ----a-w- c:\windows\system32\iolobtdfg.exe

2010-06-10 09:11:20 12288 ----a-w- c:\windows\system32\smrgdf.exe

2010-06-10 09:11:19 0 d-----w- c:\program files\iolo

2010-06-10 09:10:31 74703 ----a-w- c:\windows\system32\mfc45.dll

2010-06-10 09:09:29 0 d-----w- c:\docume~1\user1\applic~1\iolo

2010-06-10 09:09:29 0 d-----w- c:\docume~1\alluse~1\applic~1\iolo

==================== Find3M ====================

2010-06-04 13:04:52 18499623 ----a-w- c:\docume~1\alluse~1\applic~1\vlc-1.0.5-win32.exe

2010-06-03 07:59:49 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-05-18 15:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-05-18 15:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-19 19:47:44 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll

2010-04-12 16:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-08 15:37:12 27800 ---ha-w- c:\windows\system32\mlfcache.dat

2010-01-26 11:31:49 1031 -csh--w- c:\windows\system\ws32ntfa.dat

2002-04-16 10:27:54 5 --sha-w- c:\windows\system32\CdI5T.drv

1998-03-20 01:00:00 1048 -csha-w- c:\windows\system32\flfnlf.sys

1998-03-20 01:00:00 1048 -csha-w- c:\windows\system32\rlfnlf.sys

1998-03-20 01:00:00 1048 -csha-w- c:\windows\system32\TMail3FL.SYS

1998-03-20 01:00:00 1048 -csha-w- c:\windows\system32\TMailRL.sys

============= FINISH: 17:26:22.21 ===============

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4277

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

05/07/2010 17:16:52

mbam-log-2010-07-05 (17-16-52).txt

Scan type: Full scan (C:\|)

Objects scanned: 218646

Time elapsed: 1 hour(s), 34 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

The Malwarebytes log before this found roughly eighteen infected items, one of which was called 'Stolen.Data'. So you can see why he's worrying.

I tried running the GMER Rootkit scanner, but any time I did, it would run for a few minutes, and then I'd turn around to find there was a lovely big blue screen of death staring back at me. Both times, it said it was for different reasons, but when Windows recovered, it said it was due to a driver failure. I feel slightly out of my depth at this point. I'd really appreciate any and all help people could offer me.

Attach.zip


  • Root Admin

STEP 01

The logs show that you have 2 Anti-Virus products installed and running. You can only have one installed as they will conflict with each other.

Please choose one of them and FULLY remove the other one BEFORE we continue on here.

avast! Free Antivirus

AVG Free 9.0

STEP 02

We can get to this later, but as you can see you have a few too many toolbars. Personally I don't care for any of them, but that's up to you if you want them or not.

Advanced Searchbar

AOL Toolbar 5.0

Google Toolbar for Internet Explorer

Yahoo! Search Protection

Yahoo! Toolbar

STEP 03

This browser was probably installed as part of another software plugin install. If not used, it should be uninstalled, but that can wait until we're done here.

Safari

*************************************************

Complete STEP 1 first and then do the following.

*************************************************

STEP 04

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
    Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------


Okay, I uninstalled half the stuff on here. It's not my computer, so I didn't know what was on here and what wasn't. I tried uninstalling AVG, but every time I did, it came up with an error. This worried me slightly. Anyway, the ComboFix log is below.

ComboFix 10-07-07.02 - User1 08/07/2010 12:16:32.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1295 [GMT 1:00]

Running from: c:\documents and settings\User1\My Documents\Downloads\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\vlc-0.9.9-win32.exe

c:\documents and settings\All Users\Application Data\vlc-1.0.5-win32.exe

c:\windows\system32\Temp

c:\windows\system32\Temp\aawfhriejlcmbvbhxjui.list

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_SVCHOST

((((((((((((((((((((((((( Files Created from 2010-06-08 to 2010-07-08 )))))))))))))))))))))))))))))))

.

2010-07-05 17:55 . 2010-07-05 17:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2010-07-05 12:33 . 2010-07-05 12:33 -------- d-----w- c:\program files\Alwil Software

2010-07-05 12:33 . 2010-07-05 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-07-05 11:21 . 2010-07-05 11:21 -------- d-----w- c:\documents and settings\User1\Application Data\Malwarebytes

2010-07-05 11:21 . 2010-07-05 11:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-05 11:21 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-05 11:21 . 2010-07-05 11:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-05 11:21 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-23 15:05 . 2010-06-23 15:05 -------- d-----w- c:\documents and settings\User1\Application Data\Greenpoint

2010-06-23 15:05 . 2003-11-02 09:18 155648 ----a-w- c:\windows\system32\ssleay32.dll

2010-06-23 15:05 . 2003-11-02 09:18 696320 ----a-w- c:\windows\system32\libeay32.dll

2010-06-23 15:05 . 2002-07-25 17:54 25600 ----a-w- c:\windows\system32\borlndmm.dll

2010-06-22 07:22 . 2010-06-22 07:22 -------- d-----w- c:\program files\iPod

2010-06-22 07:17 . 2010-06-22 07:17 -------- d-----w- c:\program files\Bonjour

2010-06-16 11:53 . 2010-07-05 14:41 -------- d-----w- c:\program files\Palace of Chance

2010-06-12 09:45 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-10 09:11 . 2010-06-10 09:11 -------- d-----w- c:\documents and settings\LocalService\Application Data\iolo

2010-06-10 09:11 . 2010-04-21 13:46 93096 ----a-w- c:\windows\system32\IncContxMenu.dll

2010-06-10 09:11 . 2010-04-21 13:46 2316712 ----a-w- c:\windows\system32\Incinerator.dll

2010-06-10 09:11 . 2010-01-28 17:13 30208 ----a-w- c:\windows\system32\iolobtdfg.exe

2010-06-10 09:11 . 2010-01-28 17:13 12288 ----a-w- c:\windows\system32\smrgdf.exe

2010-06-10 09:11 . 2010-06-10 09:11 -------- d-----w- c:\program files\iolo

2010-06-10 09:10 . 2010-06-10 09:10 74703 ----a-w- c:\windows\system32\mfc45.dll

2010-06-10 09:09 . 2010-06-10 09:17 -------- d-----w- c:\documents and settings\User1\Application Data\iolo

2010-06-10 09:09 . 2010-06-10 09:12 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-08 11:04 . 2009-11-04 12:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-07-08 10:24 . 2009-02-26 09:07 -------- d--h--r- c:\documents and settings\All Users\Application Data\yahoo!

2010-07-08 10:23 . 2009-02-26 09:06 -------- d-----w- c:\program files\Yahoo!

2010-07-08 09:10 . 2009-02-24 17:52 1 ----a-w- c:\documents and settings\User1\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2010-07-05 15:37 . 2009-09-30 07:42 0 -c--a-w- c:\documents and settings\User1\Local Settings\Application Data\prvlcl.dat

2010-07-05 14:41 . 2010-05-24 15:30 -------- d-----w- c:\program files\Cool Cat Casino

2010-06-24 07:54 . 2009-03-16 09:06 33600 -c--a-w- c:\documents and settings\User1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-23 15:04 . 2009-02-26 15:35 -------- d-----w- c:\program files\Intuit

2010-06-23 07:15 . 2010-05-25 06:07 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb3.tmp.exe

2010-06-22 19:52 . 2010-02-15 14:13 69214784 ----a-w- c:\documents and settings\User1\Application Data\Nokia\Ovi Suite\Software Updater\NokiaOviSuite2Installer.exe

2010-06-22 07:23 . 2010-05-07 07:22 -------- d-----w- c:\program files\iTunes

2010-06-22 07:22 . 2010-01-18 21:31 -------- d-----w- c:\program files\Common Files\Apple

2010-06-22 07:16 . 2010-06-22 07:16 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe

2010-06-22 07:16 . 2010-02-02 09:58 -------- d-----w- c:\program files\Safari

2010-06-22 07:13 . 2010-06-22 07:13 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe

2010-06-18 16:46 . 2010-06-18 16:46 581904 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\l\levelbonus.f133a53ea3279bce1fc3bc7aa9ad6839.dll

2010-06-18 16:42 . 2010-06-18 16:42 1572864 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1_hellboy.cde3facca4e62dd1980118b9f69c127f.dll

2010-06-18 16:42 . 2010-06-18 16:42 1572864 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1_gao_jan_2010.27798ac5c513c88d4f74b2fc87b9bf6e.dll

2010-06-18 16:41 . 2010-06-18 16:41 626688 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\g\gamble2_hellboy.ef7dfe9e02564671f52a95d839e51b8d.dll

2010-06-18 16:40 . 2010-06-18 16:40 1064960 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1xxx_hellboy.0200f4406079039e4f9f4fd4269c6144.dll

2010-06-18 16:40 . 2010-06-18 16:40 684032 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\transition_hellboy.2389dbbb7a92af30b5bb4e62701f18a5.dll

2010-06-18 16:40 . 2010-06-18 16:40 626688 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\g\gamble2_gao_jan_2010.114da6697b16a4308920de3f00df9d11.dll

2010-06-18 16:40 . 2010-06-18 16:40 684032 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\transition_gao_jan_2010.6ce545b01335b0127c2a55cc392a24e6.dll

2010-06-18 16:39 . 2010-06-18 16:39 1064960 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1xxx_gao_jan_2010.d3c0a2c195757b5887793e496479436f.dll

2010-06-18 16:38 . 2010-06-18 16:38 925696 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickxofybonus_gao_jan_2010.734d2ae11536c3d1a34ecdb91aaab798.dll

2010-06-18 16:37 . 2010-06-18 16:37 925696 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickxofybonus_hellboy.ee1c177b2b367dc15184591e57db5798.dll

2010-06-18 16:34 . 2010-06-18 16:34 536576 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mhbjgoldplugin.a5e08942278dbb53df46a8a9523a445b.dll

2010-06-18 16:34 . 2010-06-18 16:34 512000 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mhbjgoldxxx.e2caa9292f5de8579a9ad479e877ced8.dll

2010-06-18 16:34 . 2010-06-18 16:34 192512 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjghighstreakxxx.9edf63783590e61148711da2563c8d47.dll

2010-06-18 16:34 . 2010-06-18 16:34 602112 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjgoldplugin.f7a40649bbd758b8f99cf67e1769d71c.dll

2010-06-18 16:34 . 2010-06-18 16:34 512000 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjgoldxxx.e2caa9292f5de8579a9ad479e877ced8.dll

2010-06-18 16:28 . 2010-06-18 16:28 942080 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\f\flightzonebonus.bb993454d3170414b7655081a3ec7db9.dll

2010-06-10 09:17 . 2010-06-10 09:17 1531 ----a-w- c:\documents and settings\User1\Application Data\iolo\restore.bat

2010-06-04 09:15 . 2010-06-04 09:15 708608 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\transition_gao_mar_2010.00e558dbf98f160d236f0e738de93c37.dll

2010-06-04 09:15 . 2010-06-04 09:15 1650688 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1_gao_mar_2010.011b7c042032e11252156706d78b5e83.dll

2010-06-04 09:15 . 2010-06-04 09:15 950272 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickxofybonus_gao_mar_2010.e5e91d49a18e4440b5a76ddd6446140c.dll

2010-06-04 09:15 . 2010-06-04 09:15 1224704 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1xxx_gao_mar_2010.05a7fd71980574f91eb4c1420f71b1f7.dll

2010-06-04 09:13 . 2010-06-04 09:13 106496 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\aurora.1a2291430fa932849077b65b849668f7.dll

2010-06-04 09:12 . 2010-06-04 09:12 684032 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\arcticfortunetransition.cdb6c11f100d3a3cb0c0550c21b277e4.dll

2010-06-04 09:12 . 2010-06-04 09:12 1568768 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\arcticfortune.b328b57943682e2d7fd4847916ff9b2b.dll

2010-06-04 09:11 . 2010-06-04 09:11 1232896 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\arcticfortune_gspider.770d41ad6c8d6246716f0968e4501795.dll

2010-06-04 09:11 . 2010-06-04 09:11 1236992 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\arcticfortune_spiderbonus.c6f7df06987955caf77bb513ebf7e5b5.dll

2010-06-04 09:10 . 2010-06-04 09:10 1064960 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\arcticfortunexxx.88b69b79191872d92329d1cfa9817586.dll

2010-06-04 09:09 . 2010-06-04 09:09 1224704 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\arcticfortune_crankbonus.79fd1aae910e128f743d90232d089b3b.dll

2010-06-04 09:08 . 2010-06-04 09:08 246032 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\p\powerpokersuite1_nl.4b954e6e9e7bfe3947a12889040c706e.dll

2010-06-04 09:08 . 2010-06-04 09:08 225552 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\v\videopokersuite1.e45a40be28c5bc5514b9e806f30cdc6f.dll

2010-06-04 09:08 . 2010-06-04 09:08 307300 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mpvblackjackplugin.0b33c40e992b0cec60ff557d251457d2.dll

2010-06-04 09:08 . 2010-06-04 09:08 335976 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mpvtabletournamentlobby.fc620794b1b18938b640573c722b3922.dll

2010-06-04 09:08 . 2010-06-04 09:08 311398 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mpvblackjacktourxxx.96f2985eb296e0eeb1592aacd45d6e4c.dll

2010-06-04 09:07 . 2010-06-04 09:07 94208 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\l\lua51host.668670e33723f8f8763a1e128bf0ba1b.dll

2010-06-03 07:59 . 2009-02-25 16:37 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-06-03 07:59 . 2009-02-25 16:37 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-05-24 09:43 . 2010-05-24 09:43 503808 ----a-w- c:\documents and settings\User1\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23c889db-n\msvcp71.dll

2010-05-24 09:43 . 2010-05-24 09:43 499712 ----a-w- c:\documents and settings\User1\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23c889db-n\jmc.dll

2010-05-24 09:43 . 2010-05-24 09:43 348160 ----a-w- c:\documents and settings\User1\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23c889db-n\msvcr71.dll

2010-05-24 09:43 . 2010-05-24 09:43 61440 ----a-w- c:\documents and settings\User1\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6cc3afb0-n\decora-sse.dll

2010-05-24 09:43 . 2010-05-24 09:43 12800 ----a-w- c:\documents and settings\User1\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6cc3afb0-n\decora-d3d.dll

2010-05-19 11:16 . 2010-05-19 08:54 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-05-19 11:14 . 2010-05-19 08:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-18 15:35 . 2010-05-18 15:35 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-05-18 15:35 . 2010-05-18 15:35 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-05-13 13:48 . 2009-02-24 17:24 -------- d-----w- c:\program files\Java

2010-05-06 10:41 . 2008-04-14 04:42 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2008-04-14 00:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-26 16:06 . 2010-06-10 09:10 19552856 ----a-w- c:\documents and settings\User1\Application Data\iolo\Installers\SystemMechanic.exe

2010-04-20 05:30 . 2008-04-14 04:39 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-19 19:47 . 2010-01-18 21:32 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll

2010-04-19 19:47 . 2010-01-18 21:32 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2010-04-15 09:47 . 2010-04-15 09:47 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe

2010-04-14 07:10 . 2010-04-14 07:10 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2010-04-12 16:29 . 2010-05-13 13:49 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-01-26 11:31 . 1602-07-12 21:55 1031 -csh--w- c:\windows\system\ws32ntfa.dat

2002-04-16 10:27 . 2002-04-16 10:27 5 --sha-w- c:\windows\system32\CdI5T.drv

1998-03-20 01:00 . 1998-03-20 01:00 1048 -csha-w- c:\windows\system32\flfnlf.sys

1998-03-20 01:00 . 1998-03-20 01:00 1048 -csha-w- c:\windows\system32\rlfnlf.sys

1998-03-20 01:00 . 1998-03-20 01:00 1048 -csha-w- c:\windows\system32\TMail3FL.SYS

1998-03-20 01:00 . 1998-03-20 01:00 1048 -csha-w- c:\windows\system32\TMailRL.sys

.

------- Sigcheck -------

[-] 2008-08-14 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-10-16 12:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-25 39408]

"YouSendIt.exe"="c:\program files\YouSendIt\Express\YouSendIt.exe" [2008-12-03 81920]

"NokiaOviSuite2"="c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" [2009-12-10 401728]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"CreativeMouse "="c:\program files\Mouse Driver\MouseDrv.exe" [2004-06-27 503808]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-03 2065248]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-06-15 47408]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2009-03-08 128512]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\User1\Start Menu\Programs\Startup\

OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-9-19 581693]

ClientManager3.lnk - c:\program files\BUFFALO\Client Manager3\cm3_tray.exe [2009-2-25 471040]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-12 967960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-12 09:32 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [25/02/2009 17:37 216200]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [25/02/2009 17:37 242896]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [04/11/2009 13:44 916760]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [04/11/2009 13:44 308064]

R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe [05/01/2010 22:56 81920]

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [10/06/2010 10:11 704432]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [10/06/2010 10:11 704432]

R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe [05/01/2010 22:56 2723840]

R3 U2KG54L;BUFFALO WLI-U2-KG54L Wireless LAN Driver;c:\windows\system32\drivers\U2KG54L.SYS [24/08/2006 05:44 477696]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/02/2010 20:27 135664]

.

Contents of the 'Scheduled Tasks' folder

2010-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 19:27]

2010-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 19:27]

2010-01-16 c:\windows\Tasks\videopadSevenDaysInit.job

- c:\program files\NCH Software\VideoPad\videopad.exe [2010-01-12 11:41]

2010-01-19 c:\windows\Tasks\videopadShakeIcon.job

- c:\program files\NCH Software\VideoPad\videopad.exe [2010-01-12 11:41]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://www.mytalktalk.co.uk/

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab

FF - ProfilePath - c:\documents and settings\User1\Application Data\Mozilla\Firefox\Profiles\aphg9f63.default\

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)

AddRemove-Cool Cat Casino - c:\program files\Cool Cat Casino\Install.exe

AddRemove-Palace of Chance - c:\program files\Palace of Chance\Install.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-08 12:23

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(400)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\btncopy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\program files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\rundll32.exe

c:\program files\OpenOffice.org 3\program\soffice.exe

c:\program files\iolo\System Mechanic\SMTrayNotify.exe

c:\program files\OpenOffice.org 3\program\soffice.bin

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\Nokia\NoA\nokiaaserver.exe

c:\program files\PC Connectivity Solution\ServiceLayer.exe

c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe

c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe

c:\program files\PC Connectivity Solution\Transports\NclMSBTSrv.exe

c:\progra~1\COMMON~1\Nokia\MPLATF~1\NOKIAM~1.EXE

.

**************************************************************************

.

Completion time: 2010-07-08 12:32:47 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-08 11:32

Pre-Run: 47,283,953,664 bytes free

Post-Run: 47,328,313,344 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 6007AF931AD661F16374FF1887EB0950

Sorry if you wanted it as an attachment, I wasn't sure which to do :D


  • Root Admin

First try to rename it from c:\windows\system32\sfcfiles.dll to c:\windows\system32\sfcfiles.old

Then wait a few minutes and see if the file is replaced automatically by the system. If not, then see if you can copy that file from another computer with the same XP Pro version as you have.

If it will let you copy it directly via USB or CD, then reboot and run ComboFix again and post back that log.

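The rename-and-wait procedure the Root Admin describes above, written out as a script. This is an added example, not code from the original thread or from ComboFix; it assumes a clean sfcfiles.dll has already been copied from a known-good XP Pro SP3 machine to the path in $CleanCopy, and it uses .NET MD5 so that it also runs on the PowerShell 2.0 available for XP. Before renaming anything it records the live file, the dllcache copy and the reference by size, version and hash, and it keeps a copy of the suspect file as evidence, since the Sigcheck entry flagged sfcfiles.dll as modified and a patched copy typically keeps the original size and version string.

```powershell
# Added example (not from the original thread): check sfcfiles.dll against a clean
# reference, preserve the suspect copy, then rename it so Windows File Protection
# can restore it. $CleanCopy and $Evidence are assumed paths; adjust for your setup.
$Live      = "$env:windir\system32\sfcfiles.dll"
$Cache     = "$env:windir\system32\dllcache\sfcfiles.dll"
$CleanCopy = "E:\clean\sfcfiles.dll"            # assumption: from a known-good XP Pro SP3 box
$Evidence  = "C:\evidence\sfcfiles.dll.suspect"  # assumption: where to keep the suspect file

function Get-Md5Hex([string]$Path) {
    # .NET MD5 rather than Get-FileHash, which does not exist on PowerShell 2.0 / XP
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($md5.ComputeHash($fs) | ForEach-Object { $_.ToString("x2") }) -join "" }
    finally { $fs.Close() }
}

function Describe-File([string]$Path) {
    if (-not (Test-Path $Path)) { return "$Path : missing" }
    $f = Get-Item $Path
    "{0} : {1} bytes, v{2}, MD5 {3}" -f $Path, $f.Length, $f.VersionInfo.FileVersion, (Get-Md5Hex $Path)
}

# 1. Record what is on disk before touching anything.
Describe-File $Live
Describe-File $Cache
Describe-File $CleanCopy

# 2. Compare hashes, not size or version: a patched sfcfiles.dll usually keeps both.
$cleanHash = Get-Md5Hex $CleanCopy
if ((Get-Md5Hex $Live) -eq $cleanHash) {
    "sfcfiles.dll matches the clean reference; nothing to do"
    return
}
if ((Test-Path $Cache) -and ((Get-Md5Hex $Cache) -ne $cleanHash)) {
    "dllcache copy also differs from the reference; WFP will restore a bad file, copy manually"
}

# 3. Preserve the suspect file for later analysis, then rename it out of the way.
New-Item -ItemType Directory -Force (Split-Path $Evidence) | Out-Null
Copy-Item $Live $Evidence -Force
Rename-Item $Live "sfcfiles.old" -Force

# 4. Give Windows File Protection a few minutes, then check what came back.
Start-Sleep -Seconds 180
if (Test-Path $Live) {
    if ((Get-Md5Hex $Live) -eq $cleanHash) { "WFP restored a clean copy" }
    else { "WFP restored a file that still differs from the reference; replace it from $CleanCopy" }
} else {
    "Not restored automatically; copying the clean reference into place"
    Copy-Item $CleanCopy $Live
}
Describe-File $Live
```

Run it from an elevated prompt on the affected machine, reboot afterwards and re-run ComboFix as the post above asks; the second log should then show sfcfiles.dll with a fresh timestamp and no Sigcheck entry.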

> First try to rename it from c:\windows\system32\sfcfiles.dll to c:\windows\system32\sfcfiles.old
>
> Then wait a few minutes and see if the file is replaced automatically by the system. If not, then see if you can copy that file from another computer with the same XP Pro version as you have.
>
> If it will let you copy it directly via USB or CD, then reboot and run ComboFix again and post back that log.

Sorry for taking so long to reply. I can't get access to the computer right now, because it is a holiday week over here, so he's away at the moment. I'll try this as soon as I can. Thank you for helping me. Are you able to tell if there was something that would give out his information, and that of his clients, or just that it has been infected by something?


Right, I'm finally able to get into the offices now, so all's good. I'm going to tell him what you've said about changing passwords, although he may have been anyway, I don't know. I managed to do what you said, and ran ComboFix, so here goes.

ComboFix 10-07-18.03 - User1 19/07/2010 14:49:43.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1293 [GMT 1:00]

Running from: c:\documents and settings\User1\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))

.

2010-07-19 13:31 . 2008-08-14 19:02 1614848 ----a-w- c:\windows\system32\sfcfiles.dll

2010-07-15 15:22 . 2010-07-15 15:22 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-07-15 15:22 . 2010-07-15 15:22 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys

2010-07-15 15:22 . 2010-07-15 15:22 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-07-15 15:21 . 2010-07-15 15:21 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe

2010-07-15 15:21 . 2010-07-15 15:21 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll

2010-07-15 15:21 . 2010-07-15 15:21 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe

2010-07-15 15:21 . 2010-07-15 15:21 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2010-07-08 12:06 . 2010-07-08 12:07 -------- d-----w- c:\program files\WinAce

2010-07-05 17:55 . 2010-07-05 17:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2010-07-05 12:33 . 2010-07-05 12:33 -------- d-----w- c:\program files\Alwil Software

2010-07-05 12:33 . 2010-07-05 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-07-05 11:21 . 2010-07-05 11:21 -------- d-----w- c:\documents and settings\User1\Application Data\Malwarebytes

2010-07-05 11:21 . 2010-07-05 11:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-05 11:21 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-05 11:21 . 2010-07-05 11:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-05 11:21 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-23 15:05 . 2010-06-23 15:05 -------- d-----w- c:\documents and settings\User1\Application Data\Greenpoint

2010-06-23 15:05 . 2003-11-02 09:18 155648 ----a-w- c:\windows\system32\ssleay32.dll

2010-06-23 15:05 . 2003-11-02 09:18 696320 ----a-w- c:\windows\system32\libeay32.dll

2010-06-23 15:05 . 2002-07-25 17:54 25600 ----a-w- c:\windows\system32\borlndmm.dll

2010-06-22 07:22 . 2010-06-22 07:22 -------- d-----w- c:\program files\iPod

2010-06-22 07:17 . 2010-06-22 07:17 -------- d-----w- c:\program files\Bonjour

2010-06-22 07:16 . 2010-06-22 07:16 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe

2010-06-22 07:13 . 2010-06-22 07:13 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-19 13:21 . 2009-09-30 07:42 0 -c--a-w- c:\documents and settings\User1\Local Settings\Application Data\prvlcl.dat

2010-07-19 10:28 . 2009-02-24 17:52 1 ----a-w- c:\documents and settings\User1\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2010-07-15 15:22 . 2009-02-25 16:37 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-07-15 15:22 . 2009-02-25 16:37 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-07-09 08:42 . 2010-02-15 14:13 69222840 ----a-w- c:\documents and settings\User1\Application Data\Nokia\Ovi Suite\Software Updater\NokiaOviSuite2Installer.exe

2010-07-08 11:04 . 2009-11-04 12:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-07-08 10:24 . 2009-02-26 09:07 -------- d--h--r- c:\documents and settings\All Users\Application Data\yahoo!

2010-07-08 10:23 . 2009-02-26 09:06 -------- d-----w- c:\program files\Yahoo!

2010-07-05 14:41 . 2010-06-16 11:53 -------- d-----w- c:\program files\Palace of Chance

2010-07-05 14:41 . 2010-05-24 15:30 -------- d-----w- c:\program files\Cool Cat Casino

2010-06-24 07:54 . 2009-03-16 09:06 33600 -c--a-w- c:\documents and settings\User1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-23 15:04 . 2009-02-26 15:35 -------- d-----w- c:\program files\Intuit

2010-06-23 07:15 . 2010-05-25 06:07 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb3.tmp.exe

2010-06-22 07:23 . 2010-05-07 07:22 -------- d-----w- c:\program files\iTunes

2010-06-22 07:22 . 2010-01-18 21:31 -------- d-----w- c:\program files\Common Files\Apple

2010-06-22 07:16 . 2010-02-02 09:58 -------- d-----w- c:\program files\Safari

2010-06-18 16:46 . 2010-06-18 16:46 581904 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\l\levelbonus.f133a53ea3279bce1fc3bc7aa9ad6839.dll

2010-06-18 16:42 . 2010-06-18 16:42 1572864 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1_hellboy.cde3facca4e62dd1980118b9f69c127f.dll

2010-06-18 16:42 . 2010-06-18 16:42 1572864 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1_gao_jan_2010.27798ac5c513c88d4f74b2fc87b9bf6e.dll

2010-06-18 16:41 . 2010-06-18 16:41 626688 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\g\gamble2_hellboy.ef7dfe9e02564671f52a95d839e51b8d.dll

2010-06-18 16:40 . 2010-06-18 16:40 1064960 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1xxx_hellboy.0200f4406079039e4f9f4fd4269c6144.dll

2010-06-18 16:40 . 2010-06-18 16:40 684032 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\transition_hellboy.2389dbbb7a92af30b5bb4e62701f18a5.dll

2010-06-18 16:40 . 2010-06-18 16:40 626688 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\g\gamble2_gao_jan_2010.114da6697b16a4308920de3f00df9d11.dll

2010-06-18 16:40 . 2010-06-18 16:40 684032 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\transition_gao_jan_2010.6ce545b01335b0127c2a55cc392a24e6.dll

2010-06-18 16:39 . 2010-06-18 16:39 1064960 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1xxx_gao_jan_2010.d3c0a2c195757b5887793e496479436f.dll

2010-06-18 16:38 . 2010-06-18 16:38 925696 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickxofybonus_gao_jan_2010.734d2ae11536c3d1a34ecdb91aaab798.dll

2010-06-18 16:37 . 2010-06-18 16:37 925696 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickxofybonus_hellboy.ee1c177b2b367dc15184591e57db5798.dll

2010-06-18 16:34 . 2010-06-18 16:34 536576 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mhbjgoldplugin.a5e08942278dbb53df46a8a9523a445b.dll

2010-06-18 16:34 . 2010-06-18 16:34 512000 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mhbjgoldxxx.e2caa9292f5de8579a9ad479e877ced8.dll

2010-06-18 16:34 . 2010-06-18 16:34 192512 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjghighstreakxxx.9edf63783590e61148711da2563c8d47.dll

2010-06-18 16:34 . 2010-06-18 16:34 602112 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjgoldplugin.f7a40649bbd758b8f99cf67e1769d71c.dll

2010-06-18 16:34 . 2010-06-18 16:34 512000 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjgoldxxx.e2caa9292f5de8579a9ad479e877ced8.dll

2010-06-18 16:28 . 2010-06-18 16:28 942080 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\f\flightzonebonus.bb993454d3170414b7655081a3ec7db9.dll

2010-06-14 14:31 . 2009-02-23 08:41 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-10 09:17 . 2010-06-10 09:17 1531 ----a-w- c:\documents and settings\User1\Application Data\iolo\restore.bat

2010-06-10 09:17 . 2010-06-10 09:09 -------- d-----w- c:\documents and settings\User1\Application Data\iolo

2010-06-10 09:12 . 2010-06-10 09:09 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo

2010-06-10 09:11 . 2010-06-10 09:11 -------- d-----w- c:\documents and settings\LocalService\Application Data\iolo

2010-06-10 09:11 . 2010-06-10 09:11 -------- d-----w- c:\program files\iolo

2010-06-10 09:10 . 2010-06-10 09:10 74703 ----a-w- c:\windows\system32\mfc45.dll

2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\5888\AdobeARM.exe

2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\11443\AdobeARM.exe

2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\5888\AdobeExtractFiles.dll

2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\11443\AdobeExtractFiles.dll

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\5888\ReaderUpdater.exe

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\5888\AcrobatUpdater.exe

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\11443\ReaderUpdater.exe

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\11443\AcrobatUpdater.exe

2010-06-04 09:15 . 2010-06-04 09:15 708608 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\transition_gao_mar_2010.00e558dbf98f160d236f0e738de93c37.dll

2010-06-04 09:15 . 2010-06-04 09:15 1650688 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1_gao_mar_2010.011b7c042032e11252156706d78b5e83.dll

2010-06-04 09:15 . 2010-06-04 09:15 950272 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickxofybonus_gao_mar_2010.e5e91d49a18e4440b5a76ddd6446140c.dll

2010-06-04 09:15 . 2010-06-04 09:15 1224704 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1xxx_gao_mar_2010.05a7fd71980574f91eb4c1420f71b1f7.dll

2010-06-04 09:13 . 2010-06-04 09:13 106496 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\aurora.1a2291430fa932849077b65b849668f7.dll

2010-06-04 09:12 . 2010-06-04 09:12 684032 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\arcticfortunetransition.cdb6c11f100d3a3cb0c0550c21b277e4.dll

2010-06-04 09:12 . 2010-06-04 09:12 1568768 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\arcticfortune.b328b57943682e2d7fd4847916ff9b2b.dll

2010-06-04 09:11 . 2010-06-04 09:11 1232896 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\arcticfortune_gspider.770d41ad6c8d6246716f0968e4501795.dll

2010-06-04 09:11 . 2010-06-04 09:11 1236992 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\arcticfortune_spiderbonus.c6f7df06987955caf77bb513ebf7e5b5.dll

2010-06-04 09:10 . 2010-06-04 09:10 1064960 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\arcticfortunexxx.88b69b79191872d92329d1cfa9817586.dll

2010-06-04 09:09 . 2010-06-04 09:09 1224704 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\arcticfortune_crankbonus.79fd1aae910e128f743d90232d089b3b.dll

2010-06-04 09:08 . 2010-06-04 09:08 246032 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\p\powerpokersuite1_nl.4b954e6e9e7bfe3947a12889040c706e.dll

2010-06-04 09:08 . 2010-06-04 09:08 225552 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\v\videopokersuite1.e45a40be28c5bc5514b9e806f30cdc6f.dll

2010-06-04 09:08 . 2010-06-04 09:08 307300 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mpvblackjackplugin.0b33c40e992b0cec60ff557d251457d2.dll

2010-06-04 09:08 . 2010-06-04 09:08 335976 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mpvtabletournamentlobby.fc620794b1b18938b640573c722b3922.dll

2010-06-04 09:08 . 2010-06-04 09:08 311398 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mpvblackjacktourxxx.96f2985eb296e0eeb1592aacd45d6e4c.dll

2010-06-04 09:07 . 2010-06-04 09:07 94208 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\l\lua51host.668670e33723f8f8763a1e128bf0ba1b.dll

2010-06-03 07:59 . 2009-02-25 16:37 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-05-24 09:43 . 2010-05-24 09:43 503808 ----a-w- c:\documents and settings\User1\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23c889db-n\msvcp71.dll

2010-05-24 09:43 . 2010-05-24 09:43 499712 ----a-w- c:\documents and settings\User1\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23c889db-n\jmc.dll

2010-05-24 09:43 . 2010-05-24 09:43 348160 ----a-w- c:\documents and settings\User1\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23c889db-n\msvcr71.dll

2010-05-24 09:43 . 2010-05-24 09:43 61440 ----a-w- c:\documents and settings\User1\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6cc3afb0-n\decora-sse.dll

2010-05-24 09:43 . 2010-05-24 09:43 12800 ----a-w- c:\documents and settings\User1\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6cc3afb0-n\decora-d3d.dll

2010-05-18 15:35 . 2010-05-18 15:35 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-05-18 15:35 . 2010-05-18 15:35 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-05-06 10:41 . 2008-04-14 04:42 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2008-04-14 00:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-26 16:06 . 2010-06-10 09:10 19552856 ----a-w- c:\documents and settings\User1\Application Data\iolo\Installers\SystemMechanic.exe

2010-04-21 13:46 . 2010-06-10 09:11 93096 ----a-w- c:\windows\system32\IncContxMenu.dll

2010-04-21 13:46 . 2010-06-10 09:11 2316712 ----a-w- c:\windows\system32\Incinerator.dll

2010-01-26 11:31 . 1602-07-12 21:55 1031 -csh--w- c:\windows\system\ws32ntfa.dat

2002-04-16 10:27 . 2002-04-16 10:27 5 --sha-w- c:\windows\system32\CdI5T.drv

1998-03-20 01:00 . 1998-03-20 01:00 1048 -csha-w- c:\windows\system32\flfnlf.sys

1998-03-20 01:00 . 1998-03-20 01:00 1048 -csha-w- c:\windows\system32\rlfnlf.sys

1998-03-20 01:00 . 1998-03-20 01:00 1048 -csha-w- c:\windows\system32\TMail3FL.SYS

1998-03-20 01:00 . 1998-03-20 01:00 1048 -csha-w- c:\windows\system32\TMailRL.sys

.

------- Sigcheck -------

[-] 2008-08-14 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-10-16 12:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-25 39408]

"YouSendIt.exe"="c:\program files\YouSendIt\Express\YouSendIt.exe" [2008-12-03 81920]

"NokiaOviSuite2"="c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" [2009-12-10 401728]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"CreativeMouse "="c:\program files\Mouse Driver\MouseDrv.exe" [2004-06-27 503808]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-06-15 47408]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2009-03-08 128512]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\User1\Start Menu\Programs\Startup\

OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-9-19 581693]

ClientManager3.lnk - c:\program files\BUFFALO\Client Manager3\cm3_tray.exe [2009-2-25 471040]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-12 967960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-07-15 15:22 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [25/02/2009 17:37 216400]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [25/02/2009 17:37 243024]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [15/07/2010 16:22 921440]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [15/07/2010 16:22 308136]

R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe [05/01/2010 22:56 81920]

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [10/06/2010 10:11 704432]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [10/06/2010 10:11 704432]

R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe [05/01/2010 22:56 2723840]

R3 U2KG54L;BUFFALO WLI-U2-KG54L Wireless LAN Driver;c:\windows\system32\drivers\U2KG54L.SYS [24/08/2006 05:44 477696]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/02/2010 20:27 135664]

.

Contents of the 'Scheduled Tasks' folder

2010-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 19:27]

2010-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 19:27]

2010-01-16 c:\windows\Tasks\videopadSevenDaysInit.job

- c:\program files\NCH Software\VideoPad\videopad.exe [2010-01-12 11:41]

2010-01-19 c:\windows\Tasks\videopadShakeIcon.job

- c:\program files\NCH Software\VideoPad\videopad.exe [2010-01-12 11:41]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://www.mytalktalk.co.uk/

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab

FF - ProfilePath - c:\documents and settings\User1\Application Data\Mozilla\Firefox\Profiles\aphg9f63.default\

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-19 14:55

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(840)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(5228)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-07-19 14:58:19

ComboFix-quarantined-files.txt 2010-07-19 13:58

ComboFix2.txt 2010-07-08 11:32

Pre-Run: 47,769,788,416 bytes free

Post-Run: 47,903,854,592 bytes free

- - End Of File - - 1C6C3AA723BFC915172F80C2E5F0E6F2
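The helper is reading two kinds of line in the log above: the Sigcheck result on sfcfiles.dll (the leading [-] is what "still shows infected" refers to) and the Find3M entries, a few of which carry odd dates (a 1602 creation time) or hidden+system attributes inside c:\windows. As an added example, not part of this thread and not ComboFix code, here is a small Python parser for those two line formats with a handful of triage heuristics; the heuristics are my own assumptions about what a log reviewer looks at first, not ComboFix verdicts, and the sample lines are copied from the log above.

```python
"""Parse ComboFix Find3M / Sigcheck lines and flag entries worth a second look.

Added example, not part of this thread and not ComboFix code.  The two line
formats are taken from the log above; SAMPLE_LOG is copied from it.  The triage
heuristics are this script's own assumptions, not ComboFix's verdicts.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Find3M line:  "<mtime> . <ctime> <size or --------> <attrs> <path>"
FIND3M_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-{8}) (\S{8}) (.+)$"
)
# Sigcheck line: "[<flag>] <date> . <MD5> . <size> . . [<version>] . . <path>"
SIGCHECK_RE = re.compile(
    r"^\[(.)\] (\d{4}-\d{2}-\d{2}) \. ([0-9A-Fa-f]{32}) \. (\d+) \. \. "
    r"\[([^\]]+)\] \. \. (.+)$"
)

# Assumption: nothing on an XP box legitimately carries a timestamp before Win95.
EARLIEST_PLAUSIBLE = datetime(1995, 1, 1)
EXEC_EXT = (".exe", ".dll", ".sys", ".bat", ".cmd", ".scr")


@dataclass
class Entry:
    path: str
    kind: str                       # "find3m" or "sigcheck"
    attrs: str                      # Find3M attribute string, "" for Sigcheck
    size: Optional[int]
    mtime: Optional[datetime]
    ctime: Optional[datetime]
    md5: Optional[str] = None
    version: Optional[str] = None
    sig_flag: Optional[str] = None  # "-" means the signature check failed


def parse_line(line: str) -> Optional[Entry]:
    """Turn one log line into an Entry, or None for headers and blanks."""
    line = line.strip()
    m = FIND3M_RE.match(line)
    if m:
        mtime, ctime, size, attrs, path = m.groups()
        return Entry(
            path=path, kind="find3m", attrs=attrs,
            size=None if size.startswith("-") else int(size),
            mtime=datetime.strptime(mtime, "%Y-%m-%d %H:%M"),
            ctime=datetime.strptime(ctime, "%Y-%m-%d %H:%M"),
        )
    m = SIGCHECK_RE.match(line)
    if m:
        flag, date, md5, size, version, path = m.groups()
        return Entry(
            path=path, kind="sigcheck", attrs="", size=int(size),
            mtime=datetime.strptime(date, "%Y-%m-%d"), ctime=None,
            md5=md5.upper(), version=version, sig_flag=flag,
        )
    return None


def triage(e: Entry) -> List[str]:
    """Reasons an entry deserves a closer look (empty list = nothing noted).

    Attribute letters are matched by presence, not position; reading 'd' as
    directory, 's' as system and 'h' as hidden is an assumption about the format.
    """
    reasons = []
    p = e.path.lower()
    is_dir = e.attrs.startswith("d")
    if e.kind == "sigcheck" and e.sig_flag == "-":
        reasons.append("sigcheck: system file failed the signature check")
    if e.ctime is not None and e.ctime < EARLIEST_PLAUSIBLE:
        reasons.append("implausible creation time")
    if not is_dir and "s" in e.attrs and "h" in e.attrs and "\\windows\\" in p:
        reasons.append("hidden+system file under c:\\windows")
    if not is_dir and "application data" in p and p.endswith(EXEC_EXT):
        reasons.append("executable under a profile's Application Data")
    return reasons


def report(lines) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons; unflagged and unparsed lines are dropped."""
    flagged = {}
    for line in lines:
        e = parse_line(line)
        if e is not None:
            reasons = triage(e)
            if reasons:
                flagged[e.path] = reasons
    return flagged


# Constructed sample: six lines copied from the ComboFix log above.
SAMPLE_LOG = r"""
2010-07-15 15:22 . 2009-02-25 16:37 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-08 11:04 . 2009-11-04 12:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-10 09:17 . 2010-06-10 09:17 1531 ----a-w- c:\documents and settings\User1\Application Data\iolo\restore.bat
2010-01-26 11:31 . 1602-07-12 21:55 1031 -csh--w- c:\windows\system\ws32ntfa.dat
1998-03-20 01:00 . 1998-03-20 01:00 1048 -csha-w- c:\windows\system32\flfnlf.sys
[-] 2008-08-14 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
""".strip().splitlines()

if __name__ == "__main__":
    for path, reasons in report(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Feed it a whole ComboFix log (one line per element) and it ignores the banners, the registry dump and the service lines, returning only the paths it has a reason to mention. The "executable under Application Data" rule is deliberately loose and will also name legitimate updaters such as the Adobe ARM copies in the log; it is a prompt to look, not a verdict.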


  • Root Admin

The file still shows infected. Without access to another computer with this same file or the Windows CD you're not going to be able to fix it. You have to get this file replaced with a valid signed version. You might be able to purchase an OEM CD for XP Pro online or send off to the MFG for a replacement CD.


The file still shows infected. Without access to another computer with this same file or the Windows CD you're not going to be able to fix it. You have to get this file replaced with a valid signed version. You might be able to purchase an OEM CD for XP Pro online or send off to the MFG for a replacement CD.

If I've copied this file from another computer, and it is still showing infection, does that mean the computer I've taken it from is also infected then? I'm having real problems with that one, as I had to replace the BIOS battery, but the holder snapped. Now I've had to solder it back on, and it won't boot properly now. Who is MFG, may I ask?


Okay, but if I copied the file from another computer, how would the file have become infected again, if the computer I copied the file from wasn't?

I'm going to be able to get a copy of Windows XP Pro tomorrow, from a friend. Unfortunately, it seems to be a pirate copy. I do have the key code that my cousin has used to validate his own install, so that should be okay. Do I need to do a total reinstall, which means backing up all his files? I really don't know what to do anymore, and just want to get out of his office and have the job over and done with now.


  • Root Admin

No, no, no... You need to try and grab a Linux live CD and boot with it and then copy the file over using that method. Don't grab the file from a pirated copy as we're not sure of the status of its files.

Try getting one from here

http://www.thefreecountry.com/operating-sy...ributions.shtml

http://distrowatch.com/

Well, if you really want to finish the job and be done with it, then an FDISK, FORMAT, and re-install would be the sure way to go, as we probably won't finish too soon this way. I would not recommend using a pirated CD though, as it could easily include a hidden root kit, which may be what's currently wrong with it now.


No, no, no... You need to try and grab a Linux live CD and boot with it and then copy the file over using that method. Don't grab the file from a pirated copy as we're not sure of the status of its files.

Try getting one from here

http://www.thefreecountry.com/operating-sy...ributions.shtml

http://distrowatch.com/

Well, if you really want to finish the job and be done with it, then an FDISK, FORMAT, and re-install would be the sure way to go, as we probably won't finish too soon this way. I would not recommend using a pirated CD though, as it could easily include a hidden root kit, which may be what's currently wrong with it now.

Okay, now I'm a little lost. How do I get the file using a different OS? I won't grab the pirated copy anymore, so thanks for that. As for an FDISK formatting, I'd rather get the job done without doing that. He has a lot of files and programs that I don't think he can replace. I'd rather do the job well, and slowly, than have it over and done with.


Okay, now I'm a little lost. How do I get the file using a different OS? In fact, I'm totally lost now. I won't grab the pirated copy anymore, so thanks for that. As for an FDISK formatting, I'd rather get the job done without doing that. He has a lot of files and programs that I don't think he can replace. I'd rather do the job well, and slowly, than have it over and done with.

  • Root Admin

You download one of these Linux Live CD versions and burn it to a CD.

a FREE utility to properly burn the ISO image

ImgBurn

How to write an image file to a disc with ImgBurn

Then you go to a CLEAN Windows XP running the same version and you copy the file onto a USB thumb drive.

Boot up the infected system using the Linux Live CD and plug in the USB drive, and it should be detected.

Then copy the file from the USB thumb drive to the infected computer's drive.

If you have the Recovery Console installed you can simply boot to that.

You would do similar only you would not copy it directly to overwrite it.

If you have the Recovery Console installed, let me know and I'll help you get it going. If you don't, then try running Combofix again and, when it asks, tell it to install it.

Based on the logs I think you do already have it installed and it should be an option to choose when booting the computer so just let me know for sure please.


Oh, and I forgot to add, I'm pretty sure I did install the recovery console the first time I ran Combofix. My cousin is working right now with a client, so I can't get to the computer, but as soon as he's done, I'll be on that computer. So, if you could tell me which I'm meant to be doing first, or tell me what to do with the recovery console, I'd be grateful.


  • Root Admin

I would use the Recovery console as it will be easier.

Copy the file c:\windows\system32\sfcfiles.dll from a clean XP computer onto a USB thumb drive or burn it to a CD.

Then copy it to the following location and name on the infected computer.

C:\sfcfiles.bin

Make sure you have hidden files shown so you can name the file properly.

Reconfigure Windows XP to show hidden files:

To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.

* Double-click on the My Computer icon.

* Select the Tools menu and click Folder Options.

* After the new window appears select the View tab.

* Put a checkmark in the checkbox labeled Display the contents of system folders.

* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.

* Remove the checkmark from the checkbox labeled Hide protected operating system files.

* Press the Apply button and then the OK button and exit My Computer.

* Now your computer is configured to show all hidden files.

Then reboot the infected computer into the Recovery Console, and at the DOS prompt type the following and press the ENTER key:

COPY C:\sfcfiles.bin c:\windows\system32\sfcfiles.dll

When asked to overwrite it say yes. Then restart the computer into normal mode and run Combofix again and post back the new log.

If you have any questions or run into issues please let me know.
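The procedure above stages a donor copy at C:\sfcfiles.bin and overwrites the flagged file from the Recovery Console, which cannot itself check a file's signature or hash. As an added example, not the helper's procedure and not a Malwarebytes or ComboFix tool, here is a small Python pre-flight check to run on the clean donor machine (to record the donor hash) and again on the repaired machine after the COPY, so that the file now in system32 is confirmed to be the donor copy and not the one Sigcheck flagged. EXPECTED_SIZE and FLAGGED_MD5 are the values from the Sigcheck line in the log above; treating a donor-hash match as sufficient is this script's own assumption.

```python
"""Pre-flight check for the sfcfiles.dll swap described above.

Added example, not the helper's procedure and not a Malwarebytes or ComboFix
tool.  Run on the clean donor machine to record the donor MD5, then on the
repaired machine after the Recovery Console COPY.  EXPECTED_SIZE and
FLAGGED_MD5 come from the Sigcheck line in the log above; accepting a
donor-hash match as "good enough" is this script's assumption, since the
Recovery Console cannot verify Authenticode signatures itself.
"""
import hashlib
from pathlib import Path
from typing import List, Tuple

FLAGGED_MD5 = "362BC5AF8EAF712832C58CC13AE05750"  # MD5 ComboFix reported for the bad copy
EXPECTED_SIZE = 1614848                           # byte size reported for sfcfiles.dll


def md5_of(path) -> str:
    """Upper-case hex MD5 of a file, read in chunks so large files are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def check_replacement(candidate, donor_md5: str,
                      expected_size: int = EXPECTED_SIZE,
                      flagged_md5: str = FLAGGED_MD5) -> Tuple[bool, List[str]]:
    """Decide whether `candidate` is safe to put in place of sfcfiles.dll.

    Returns (ok, reasons).  Every failed check is listed, so the person doing
    the swap sees all problems at once rather than one per attempt.
    """
    p = Path(candidate)
    if not p.is_file():
        return False, [f"{p} does not exist or is not a regular file"]
    reasons = []
    size = p.stat().st_size
    if size != expected_size:
        reasons.append(f"size {size} differs from expected {expected_size}")
    digest = md5_of(p)
    if digest == flagged_md5.upper():
        reasons.append("file has the MD5 ComboFix flagged; this is the bad copy")
    elif digest != donor_md5.upper():
        reasons.append("file does not match the donor copy's MD5")
    return not reasons, reasons


if __name__ == "__main__":
    # Typical use on the repaired machine after the COPY, with the donor hash
    # written down from the clean machine (placeholder value here).
    DONOR_MD5 = "<md5 recorded on the clean XP machine>"
    ok, why = check_replacement(r"c:\windows\system32\sfcfiles.dll", DONOR_MD5)
    print("OK" if ok else "NOT OK: " + "; ".join(why))
```

On the donor machine, `md5_of(r"c:\windows\system32\sfcfiles.dll")` gives the value to write down; on the repaired machine, run the check against both C:\sfcfiles.bin before the COPY and c:\windows\system32\sfcfiles.dll after it. A size mismatch usually means the wrong service-pack build was copied, which the helper's "running the same version" note is guarding against.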


Copy the file c:\windows\system32\sfcfiles.dll from a clean XP computer onto a USB thumb drive or burn to a CD

Then copy it to the following location and name on the infected computer.

C:\sfcfiles.bin

Make sure you have hidden files shown so you can name the file properly.

Sorry, I'm not too sure about this part. Do you mean I copy the file to the same location on the infected computer as I copied the file from on the clean computer, and then name it 'sfcfiles.bin', or did you mean something else?


Worked out what you meant, sorry about that. Here's the log.

ComboFix 10-07-18.03 - User1 20/07/2010 12:44:20.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1284 [GMT 1:00]

Running from: c:\documents and settings\User1\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((( Files Created from 2010-06-20 to 2010-07-20 )))))))))))))))))))))))))))))))

.

2010-07-20 11:25 . 2008-04-14 00:12 1614848 ----a-w- c:\windows\system32\sfcfiles.dll

2010-07-20 11:25 . 2008-04-14 00:12 1614848 ----a-w- C:\sfcfiles.bin

2010-07-15 15:22 . 2010-07-15 15:22 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-07-15 15:22 . 2010-07-15 15:22 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys

2010-07-15 15:22 . 2010-07-15 15:22 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-07-15 15:21 . 2010-07-15 15:21 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe

2010-07-15 15:21 . 2010-07-15 15:21 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll

2010-07-15 15:21 . 2010-07-15 15:21 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe

2010-07-15 15:21 . 2010-07-15 15:21 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2010-07-08 12:06 . 2010-07-08 12:07 -------- d-----w- c:\program files\WinAce

2010-07-05 17:55 . 2010-07-05 17:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2010-07-05 12:33 . 2010-07-05 12:33 -------- d-----w- c:\program files\Alwil Software

2010-07-05 12:33 . 2010-07-05 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-07-05 11:21 . 2010-07-05 11:21 -------- d-----w- c:\documents and settings\User1\Application Data\Malwarebytes

2010-07-05 11:21 . 2010-07-05 11:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-05 11:21 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-05 11:21 . 2010-07-05 11:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-05 11:21 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-23 15:05 . 2010-06-23 15:05 -------- d-----w- c:\documents and settings\User1\Application Data\Greenpoint

2010-06-23 15:05 . 2003-11-02 09:18 155648 ----a-w- c:\windows\system32\ssleay32.dll

2010-06-23 15:05 . 2003-11-02 09:18 696320 ----a-w- c:\windows\system32\libeay32.dll

2010-06-23 15:05 . 2002-07-25 17:54 25600 ----a-w- c:\windows\system32\borlndmm.dll

2010-06-22 07:22 . 2010-06-22 07:22 -------- d-----w- c:\program files\iPod

2010-06-22 07:17 . 2010-06-22 07:17 -------- d-----w- c:\program files\Bonjour

2010-06-22 07:16 . 2010-06-22 07:16 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe

2010-06-22 07:13 . 2010-06-22 07:13 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-20 11:06 . 2009-09-30 07:42 0 -c--a-w- c:\documents and settings\User1\Local Settings\Application Data\prvlcl.dat

2010-07-19 14:08 . 2009-02-24 17:52 1 ----a-w- c:\documents and settings\User1\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2010-07-15 15:22 . 2009-02-25 16:37 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-07-15 15:22 . 2009-02-25 16:37 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-07-09 08:42 . 2010-02-15 14:13 69222840 ----a-w- c:\documents and settings\User1\Application Data\Nokia\Ovi Suite\Software Updater\NokiaOviSuite2Installer.exe

2010-07-08 11:04 . 2009-11-04 12:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-07-08 10:24 . 2009-02-26 09:07 -------- d--h--r- c:\documents and settings\All Users\Application Data\yahoo!

2010-07-08 10:23 . 2009-02-26 09:06 -------- d-----w- c:\program files\Yahoo!

2010-07-05 14:41 . 2010-06-16 11:53 -------- d-----w- c:\program files\Palace of Chance

2010-07-05 14:41 . 2010-05-24 15:30 -------- d-----w- c:\program files\Cool Cat Casino

2010-06-24 07:54 . 2009-03-16 09:06 33600 -c--a-w- c:\documents and settings\User1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-23 15:04 . 2009-02-26 15:35 -------- d-----w- c:\program files\Intuit

2010-06-23 07:15 . 2010-05-25 06:07 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb3.tmp.exe

2010-06-22 07:23 . 2010-05-07 07:22 -------- d-----w- c:\program files\iTunes

2010-06-22 07:22 . 2010-01-18 21:31 -------- d-----w- c:\program files\Common Files\Apple

2010-06-22 07:16 . 2010-02-02 09:58 -------- d-----w- c:\program files\Safari

2010-06-18 16:46 . 2010-06-18 16:46 581904 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\l\levelbonus.f133a53ea3279bce1fc3bc7aa9ad6839.dll

2010-06-18 16:42 . 2010-06-18 16:42 1572864 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1_hellboy.cde3facca4e62dd1980118b9f69c127f.dll

2010-06-18 16:42 . 2010-06-18 16:42 1572864 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1_gao_jan_2010.27798ac5c513c88d4f74b2fc87b9bf6e.dll

2010-06-18 16:41 . 2010-06-18 16:41 626688 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\g\gamble2_hellboy.ef7dfe9e02564671f52a95d839e51b8d.dll

2010-06-18 16:40 . 2010-06-18 16:40 1064960 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1xxx_hellboy.0200f4406079039e4f9f4fd4269c6144.dll

2010-06-18 16:40 . 2010-06-18 16:40 684032 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\transition_hellboy.2389dbbb7a92af30b5bb4e62701f18a5.dll

2010-06-18 16:40 . 2010-06-18 16:40 626688 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\g\gamble2_gao_jan_2010.114da6697b16a4308920de3f00df9d11.dll

2010-06-18 16:40 . 2010-06-18 16:40 684032 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\transition_gao_jan_2010.6ce545b01335b0127c2a55cc392a24e6.dll

2010-06-18 16:39 . 2010-06-18 16:39 1064960 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1xxx_gao_jan_2010.d3c0a2c195757b5887793e496479436f.dll

2010-06-18 16:38 . 2010-06-18 16:38 925696 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickxofybonus_gao_jan_2010.734d2ae11536c3d1a34ecdb91aaab798.dll

2010-06-18 16:37 . 2010-06-18 16:37 925696 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickxofybonus_hellboy.ee1c177b2b367dc15184591e57db5798.dll

2010-06-18 16:34 . 2010-06-18 16:34 536576 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mhbjgoldplugin.a5e08942278dbb53df46a8a9523a445b.dll

2010-06-18 16:34 . 2010-06-18 16:34 512000 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mhbjgoldxxx.e2caa9292f5de8579a9ad479e877ced8.dll

2010-06-18 16:34 . 2010-06-18 16:34 192512 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjghighstreakxxx.9edf63783590e61148711da2563c8d47.dll

2010-06-18 16:34 . 2010-06-18 16:34 602112 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjgoldplugin.f7a40649bbd758b8f99cf67e1769d71c.dll

2010-06-18 16:34 . 2010-06-18 16:34 512000 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjgoldxxx.e2caa9292f5de8579a9ad479e877ced8.dll

2010-06-18 16:28 . 2010-06-18 16:28 942080 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\f\flightzonebonus.bb993454d3170414b7655081a3ec7db9.dll

2010-06-14 14:31 . 2009-02-23 08:41 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-10 09:17 . 2010-06-10 09:17 1531 ----a-w- c:\documents and settings\User1\Application Data\iolo\restore.bat

2010-06-10 09:17 . 2010-06-10 09:09 -------- d-----w- c:\documents and settings\User1\Application Data\iolo

2010-06-10 09:12 . 2010-06-10 09:09 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo

2010-06-10 09:11 . 2010-06-10 09:11 -------- d-----w- c:\documents and settings\LocalService\Application Data\iolo

2010-06-10 09:11 . 2010-06-10 09:11 -------- d-----w- c:\program files\iolo

2010-06-10 09:10 . 2010-06-10 09:10 74703 ----a-w- c:\windows\system32\mfc45.dll

2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\5888\AdobeARM.exe

2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\11443\AdobeARM.exe

2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\5888\AdobeExtractFiles.dll

2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\11443\AdobeExtractFiles.dll

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\5888\ReaderUpdater.exe

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\5888\AcrobatUpdater.exe

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\11443\ReaderUpdater.exe

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\11443\AcrobatUpdater.exe

2010-06-04 09:15 . 2010-06-04 09:15 708608 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\transition_gao_mar_2010.00e558dbf98f160d236f0e738de93c37.dll

2010-06-04 09:15 . 2010-06-04 09:15 1650688 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1_gao_mar_2010.011b7c042032e11252156706d78b5e83.dll

2010-06-04 09:15 . 2010-06-04 09:15 950272 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickxofybonus_gao_mar_2010.e5e91d49a18e4440b5a76ddd6446140c.dll

2010-06-04 09:15 . 2010-06-04 09:15 1224704 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1xxx_gao_mar_2010.05a7fd71980574f91eb4c1420f71b1f7.dll

2010-06-04 09:13 . 2010-06-04 09:13 106496 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\aurora.1a2291430fa932849077b65b849668f7.dll

2010-06-04 09:12 . 2010-06-04 09:12 684032 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\arcticfortunetransition.cdb6c11f100d3a3cb0c0550c21b277e4.dll

2010-06-04 09:12 . 2010-06-04 09:12 1568768 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\arcticfortune.b328b57943682e2d7fd4847916ff9b2b.dll

2010-06-04 09:11 . 2010-06-04 09:11 1232896 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\arcticfortune_gspider.770d41ad6c8d6246716f0968e4501795.dll

2010-06-04 09:11 . 2010-06-04 09:11 1236992 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\arcticfortune_spiderbonus.c6f7df06987955caf77bb513ebf7e5b5.dll

2010-06-04 09:10 . 2010-06-04 09:10 1064960 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\arcticfortunexxx.88b69b79191872d92329d1cfa9817586.dll

2010-06-04 09:09 . 2010-06-04 09:09 1224704 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\arcticfortune_crankbonus.79fd1aae910e128f743d90232d089b3b.dll

2010-06-04 09:08 . 2010-06-04 09:08 246032 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\p\powerpokersuite1_nl.4b954e6e9e7bfe3947a12889040c706e.dll

2010-06-04 09:08 . 2010-06-04 09:08 225552 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\v\videopokersuite1.e45a40be28c5bc5514b9e806f30cdc6f.dll

2010-06-04 09:08 . 2010-06-04 09:08 307300 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mpvblackjackplugin.0b33c40e992b0cec60ff557d251457d2.dll

2010-06-04 09:08 . 2010-06-04 09:08 335976 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mpvtabletournamentlobby.fc620794b1b18938b640573c722b3922.dll

2010-06-04 09:08 . 2010-06-04 09:08 311398 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mpvblackjacktourxxx.96f2985eb296e0eeb1592aacd45d6e4c.dll

2010-06-04 09:07 . 2010-06-04 09:07 94208 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\l\lua51host.668670e33723f8f8763a1e128bf0ba1b.dll

2010-06-03 07:59 . 2009-02-25 16:37 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-05-24 09:43 . 2010-05-24 09:43 503808 ----a-w- c:\documents and settings\User1\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23c889db-n\msvcp71.dll

2010-05-24 09:43 . 2010-05-24 09:43 499712 ----a-w- c:\documents and settings\User1\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23c889db-n\jmc.dll

2010-05-24 09:43 . 2010-05-24 09:43 348160 ----a-w- c:\documents and settings\User1\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23c889db-n\msvcr71.dll

2010-05-24 09:43 . 2010-05-24 09:43 61440 ----a-w- c:\documents and settings\User1\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6cc3afb0-n\decora-sse.dll

2010-05-24 09:43 . 2010-05-24 09:43 12800 ----a-w- c:\documents and settings\User1\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6cc3afb0-n\decora-d3d.dll

2010-05-18 15:35 . 2010-05-18 15:35 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-05-18 15:35 . 2010-05-18 15:35 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-05-06 10:41 . 2008-04-14 04:42 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2008-04-14 00:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-26 16:06 . 2010-06-10 09:10 19552856 ----a-w- c:\documents and settings\User1\Application Data\iolo\Installers\SystemMechanic.exe

2010-04-21 13:46 . 2010-06-10 09:11 93096 ----a-w- c:\windows\system32\IncContxMenu.dll

2010-04-21 13:46 . 2010-06-10 09:11 2316712 ----a-w- c:\windows\system32\Incinerator.dll

2010-01-26 11:31 . 1602-07-12 21:55 1031 -csh--w- c:\windows\system\ws32ntfa.dat

2002-04-16 10:27 . 2002-04-16 10:27 5 --sha-w- c:\windows\system32\CdI5T.drv

1998-03-20 01:00 . 1998-03-20 01:00 1048 -csha-w- c:\windows\system32\flfnlf.sys

1998-03-20 01:00 . 1998-03-20 01:00 1048 -csha-w- c:\windows\system32\rlfnlf.sys

1998-03-20 01:00 . 1998-03-20 01:00 1048 -csha-w- c:\windows\system32\TMail3FL.SYS

1998-03-20 01:00 . 1998-03-20 01:00 1048 -csha-w- c:\windows\system32\TMailRL.sys

.

((((((((((((((((((((((((((((( SnapShot@2010-07-19_13.55.48 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-07-20 11:41 . 2010-07-20 11:41 16384 c:\windows\Temp\Perflib_Perfdata_198.dat

+ 2010-07-20 08:47 . 2007-05-15 12:38 207872 c:\windows\system32\spool\drivers\w32x86\3\PCLXL.DLL

+ 2010-07-20 08:47 . 2007-05-15 12:38 1058816 c:\windows\system32\spool\drivers\w32x86\3\PCL5ERES.DLL

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-10-16 12:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-25 39408]

"YouSendIt.exe"="c:\program files\YouSendIt\Express\YouSendIt.exe" [2008-12-03 81920]

"NokiaOviSuite2"="c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" [2009-12-10 401728]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"CreativeMouse "="c:\program files\Mouse Driver\MouseDrv.exe" [2004-06-27 503808]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-06-15 47408]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2009-03-08 128512]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\User1\Start Menu\Programs\Startup\

OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-9-19 581693]

ClientManager3.lnk - c:\program files\BUFFALO\Client Manager3\cm3_tray.exe [2009-2-25 471040]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-12 967960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-07-15 15:22 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [25/02/2009 17:37 216400]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [25/02/2009 17:37 243024]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [15/07/2010 16:22 921440]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [15/07/2010 16:22 308136]

R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe [05/01/2010 22:56 81920]

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [10/06/2010 10:11 704432]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [10/06/2010 10:11 704432]

R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe [05/01/2010 22:56 2723840]

R3 U2KG54L;BUFFALO WLI-U2-KG54L Wireless LAN Driver;c:\windows\system32\drivers\U2KG54L.SYS [24/08/2006 05:44 477696]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/02/2010 20:27 135664]

.

Contents of the 'Scheduled Tasks' folder

2010-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 19:27]

2010-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 19:27]

2010-01-16 c:\windows\Tasks\videopadSevenDaysInit.job

- c:\program files\NCH Software\VideoPad\videopad.exe [2010-01-12 11:41]

2010-01-19 c:\windows\Tasks\videopadShakeIcon.job

- c:\program files\NCH Software\VideoPad\videopad.exe [2010-01-12 11:41]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://www.mytalktalk.co.uk/

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab

FF - ProfilePath - c:\documents and settings\User1\Application Data\Mozilla\Firefox\Profiles\aphg9f63.default\

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

.

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(840)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2636)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-07-20 12:57:48

ComboFix-quarantined-files.txt 2010-07-20 11:57

ComboFix2.txt 2010-07-19 13:58

ComboFix3.txt 2010-07-08 11:32

Pre-Run: 47,848,402,944 bytes free

Post-Run: 47,812,014,080 bytes free

- - End Of File - - 5916D98752F467FB4E5622DD06800C9F

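The file listings above are what the helper reads line by line. As an added example (my code, not the poster's, the forum's or ComboFix's), this Python parser handles the `<modified> . <created> <size> <attributes> <path>` line format of the Find3M report and flags files carrying hidden or system attributes or timestamps outside a plausible range; the column meanings, the 1995 floor and the heuristics themselves are my assumptions, and a flag is a reason to look closer, not a verdict.

```python
"""Flag attribute and timestamp anomalies in ComboFix-style file listings."""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

# Layout of the Find3M / "files created" listings in the log above:
#   <modified> . <created> <size | --------> <attributes> <path>
# Reading the two timestamps as modified-then-created is my interpretation
# of the log; ComboFix does not label the columns on this page.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-{8}) (\S{8}) (.+)$"
)


class Entry(NamedTuple):
    modified: datetime
    created: datetime
    size: Optional[int]  # None for directories (size shown as --------)
    attrs: str           # e.g. "-csha-w-": d=dir c=compressed s=system h=hidden a=archive
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a listing line, or None for headers and other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    modified, created, size, attrs, path = m.groups()
    fmt = "%Y-%m-%d %H:%M"
    return Entry(
        datetime.strptime(modified, fmt),
        datetime.strptime(created, fmt),
        None if size.startswith("-") else int(size),
        attrs,
        path,
    )


def anomalies(entry: Entry, scan_time: datetime, floor_year: int = 1995) -> List[str]:
    """Reasons an entry deserves a second look. Heuristics only, not a verdict."""
    reasons: List[str] = []
    if not entry.is_dir:
        # Hidden+system files under %windir% are worth a second look; legitimate
        # licensing and driver files use the same attributes, so review, never delete blindly.
        if "h" in entry.attrs:
            reasons.append("hidden")
        if "s" in entry.attrs:
            reasons.append("system")
    for label, ts in (("modified", entry.modified), ("created", entry.created)):
        if ts.year < floor_year:
            reasons.append(f"{label} timestamp before {floor_year}")
        elif ts > scan_time:
            reasons.append(f"{label} timestamp after scan time")
    return reasons


def review(lines, scan_time: datetime) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons; clean and unparsable lines are skipped."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = anomalies(entry, scan_time)
        if reasons:
            flagged[entry.path] = reasons
    return flagged


# Sample input copied from the log above: a normal driver, a hidden directory,
# and the hidden/system files near the end of the Find3M report.
SAMPLE_LINES = [
    "2010-07-15 15:22 . 2009-02-25 16:37 216400 ----a-w- c:\\windows\\system32\\drivers\\avgldx86.sys",
    "2010-07-08 10:24 . 2009-02-26 09:07 -------- d--h--r- c:\\documents and settings\\All Users\\Application Data\\yahoo!",
    "2010-01-26 11:31 . 1602-07-12 21:55 1031 -csh--w- c:\\windows\\system\\ws32ntfa.dat",
    "2002-04-16 10:27 . 2002-04-16 10:27 5 --sha-w- c:\\windows\\system32\\CdI5T.drv",
    "1998-03-20 01:00 . 1998-03-20 01:00 1048 -csha-w- c:\\windows\\system32\\flfnlf.sys",
    "(((((((((( Find3M Report ))))))))))",  # header line: ignored by the parser
]
SCAN_TIME = datetime(2010, 7, 20, 12, 57)  # "Completion time" from the log


if __name__ == "__main__":
    for path, reasons in review(SAMPLE_LINES, SCAN_TIME).items():
        print(f"{path}: {', '.join(reasons)}")
```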

  • Root Admin

Great - that looks like it worked out just fine and is no longer detected as a non signed driver.

STEP 01

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 21 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 21 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u21 with JavaFX License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files

    • Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

STEP 02

What we need to do now is run this online scan to search for any remnants. It can take several hours, so please be patient and allow it to run its full course.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


Okay, I've done step one, but he's asked if I can leave step one until Friday, when they close early, so the scan won't be disrupting their office. I said that I think I can leave it to then, but I just want to check with you to make sure this is alright.

Oh, and something else I need to ask. Their office runs on a network, so will the other two computers have been infected with the same thing that this one has by any chance? Thanks for all your help in sorting this out :)
