
help needed with Vundo removal



Hi,

I have followed some of the other posts that had problems with the Vundo removal so I worked ahead. I hope you can help me. I hope I didn't forget anything, thanks in advance!

DDS (Ver_10-03-17.01) - NTFSx86

Run by User at 16:14:21.98 on Mon 07/19/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3583.2794 [GMT -7:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe

C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\VisualSVN Server\bin\VisualSVNServer.exe

C:\Program Files\VisualSVN Server\bin\VisualSVNServer.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\DeltTray.exe

C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe

C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe

C:\Program Files\Brother\Brmfcmon\BrMfimon.exe

C:\Program Files\Brother\ControlCenter3\brccMCtl.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe

C:\Program Files\Cyberlink\Power2Go\CLMLSvc.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe

C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe

C:\Documents and Settings\User\Application Data\regsdkrl32\regsdkrl13.exe

C:\Program Files\Datacolor\Spyder3Elite\Utility\Spyder3Utility.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sneakerscomputers.com/start

BHO: {074c1dc5-9320-4a9a-947d-c042949c6216} - ContributeBHO Class

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background

uRun: [Windows Live Sync] "c:\program files\windows live\sync\WindowsLiveSync.exe" /background

uRun: [Power2GoExpress] "c:\program files\cyberlink\power2go\Power2GoExpress.exe" /Startup

uRun: [AdobeBridge]

uRun: [regsdkrl32] c:\documents and settings\user\application data\regsdkrl32\regsdkrl13.exe

uRun: [fccyabdrv] rundll32.exe "hgfcdc.dll",s

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [DeltTray] DeltTray.exe

mRun: [D-Link RangeBooster G WDA-2320] c:\program files\d-link\rangebooster g wda-2320\AirPlusCFG.exe

mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [brMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN

mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"

mRun: [indexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"

mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"

mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"

mRun: [<NO NAME>]

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"

mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"

mRun: [updateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [rqpnlldrv] rundll32.exe "hgfcdc.dll",s

mRun: [ssttursys] rundll32.exe "rqppmm.dll",DllRegisterServer

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRun: [wvwurpsys] rundll32.exe "rqppmm.dll",DllRegisterServer

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spyder~1.lnk - c:\program files\datacolor\spyder3elite\utility\Spyder3Utility.exe

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

LSA: Authentication Packages = msv1_0 rqppmm.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\abijm2bk.default\

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\photodex presenter\npPxPlay.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-17 165456]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-17 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-17 40384]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-1-16 161064]

R2 VisualSVNServer;VisualSVN Server;c:\program files\visualsvn server\httpd-wrapper.bat [2008-10-10 172]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [2010-6-8 36224]

R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2008-12-18 57376]

S2 gupdate1c961977cf66bd0;Google Update Service (gupdate1c961977cf66bd0);c:\program files\google\update\GoogleUpdate.exe [2008-12-18 133104]

S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2008-12-18 547744]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]

S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-17 40384]

S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-17 40384]

S3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\drivers\deltaii.sys --> c:\windows\system32\drivers\deltaII.sys [?]

S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-12-18 30192]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\d-link\rangebooster g wda-2320\jswutil\jswpsapi.exe [2008-12-18 352338]

S3 Spyder3;Datacolor Spyder3;c:\windows\system32\drivers\Spyder3.sys [2009-5-19 12288]

S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2008-12-13 222976]

S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [2010-6-8 134912]

=============== Created Last 30 ================

2010-07-19 23:00:47 0 d-----w- C:\1da461a0591a2016d3c019bae0c5

2010-07-17 22:42:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-17 22:42:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-17 22:42:28 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-17 22:38:50 0 d--h--w- c:\windows\PIF

2010-07-17 22:28:02 0 d-----w- c:\program files\CleanUp!

2010-07-17 22:23:32 0 d-----w- c:\program files\common files\Little Registry Cleaner

2010-07-17 22:23:02 0 d-----w- c:\program files\Little Registry Cleaner

2010-07-17 22:20:14 0 d-----w- C:\cmdcons

2010-07-17 22:17:51 98816 ----a-w- c:\windows\sed.exe

2010-07-17 22:17:51 77312 ----a-w- c:\windows\MBR.exe

2010-07-17 22:17:51 256512 ----a-w- c:\windows\PEV.exe

2010-07-17 22:17:51 161792 ----a-w- c:\windows\SWREG.exe

2010-07-17 22:17:41 0 d-s---w- C:\ComboFix

2010-07-17 20:39:09 0 d--h--w- C:\WindowsLiveSyncTemp

2010-07-17 19:28:42 0 d-----w- c:\program files\Trend Micro

2010-07-17 16:09:06 38848 ----a-w- c:\windows\avastSS.scr

2010-07-17 16:09:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

2010-07-17 00:32:03 94720 ---ha-w- c:\windows\system32\xxywtu.dll

2010-07-17 00:21:46 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes

2010-07-17 00:21:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-07-15 02:20:37 94208 ---ha-w- c:\windows\system32\hgfcdc.dll

2010-07-15 02:18:10 0 d-----w- c:\program files\Photodex Presenter

2010-07-15 02:18:01 0 d-----w- c:\program files\Photodex

2010-07-15 02:15:45 0 d-----w- c:\docume~1\user\applic~1\Photodex

2010-07-15 02:15:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Photodex

2010-07-15 02:15:41 0 d-----w- c:\docume~1\user\applic~1\regsdkrl32

2010-07-15 02:15:39 2 ----a-w- c:\documents and settings\user\tenmy.ini

2010-07-15 02:15:36 140288 ----a-w- c:\windows\system32\pcre3.dll

2010-07-15 02:15:34 68096 ---ha-w- c:\windows\system32\rqppmm.dll

2010-07-15 02:15:33 717671 ----a-w- c:\documents and settings\user\regsdkrl13.exe

2010-06-24 16:25:33 0 d-----w- c:\docume~1\user\applic~1\Tor

2010-06-24 16:25:30 0 d-----w- c:\program files\Vidalia Bundle

2010-06-21 16:58:09 0 d-----w- c:\program files\Vimeo Uploader

==================== Find3M ====================

2010-07-01 18:37:12 73312 ----a-w- c:\windows\system32\drivers\adfs.sys

2010-06-09 00:30:22 15664 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2010-06-09 00:30:22 109360 ----a-w- c:\windows\system32\GEARAspi.dll

2010-05-21 21:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2002-09-11 14:26:52 63730 ------w- c:\program files\viewsonicinstruct_xp.pdf

============= FINISH: 16:14:36.04 ===============

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-07-20 09:00:10

Windows 5.1.2600 Service Pack 3

Running: 5rdi26oh.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\kwpyrfow.sys

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\System32\Drivers\ArcRec.SYS entry point in "init" section [0xF79AA138]

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version

Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0xF4 0x6F 0x4F 0xA9 ...

---- EOF - GMER 1.0.15 ----

Attach.txt

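The DDS and GMER output above contains the persistence points a Vundo-family infection typically leaves behind: Run-key entries that launch rundll32.exe with an unqualified DLL name (hgfcdc.dll, rqppmm.dll), an extra entry in the LSA Authentication Packages list next to msv1_0, hidden DLLs with short random-looking names dropped into system32 within the last few days, an executable started from the user's Application Data folder, and (from GMER) LoadAppInit_DLLs set to 1 with a populated AppInit_DLLs list. The script below is an added example and is not part of the original post or of the DDS, GMER or ComboFix tools: it runs a handful of triage rules over lines in those two log formats and reports what it flags. The rule names, the severities, and the "five to eight lowercase letters" filename heuristic are my own assumptions, and the sample lines are copied from the logs in this thread.

```python
"""Triage helper for DDS 'Pseudo HJT' / 'Created Last 30' lines and GMER 'Reg' lines.

Added example, not the output or code of DDS, GMER or ComboFix. Rules are
heuristics chosen for this thread's indicators; they are assumptions, not a
definition of Vundo.
"""
import re

# Constructed sample: lines copied from the DDS and GMER logs posted above.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [regsdkrl32] c:\documents and settings\user\application data\regsdkrl32\regsdkrl13.exe
uRun: [fccyabdrv] rundll32.exe "hgfcdc.dll",s
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ssttursys] rundll32.exe "rqppmm.dll",DllRegisterServer
dRun: [wvwurpsys] rundll32.exe "rqppmm.dll",DllRegisterServer
LSA: Authentication Packages = msv1_0 rqppmm.dll
2010-07-17 00:32:03 94720 ---ha-w- c:\windows\system32\xxywtu.dll
2010-07-15 02:15:36 140288 ----a-w- c:\windows\system32\pcre3.dll
2010-07-15 02:15:34 68096 ---ha-w- c:\windows\system32\rqppmm.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
"""

# DDS Run-key line: uRun/mRun/dRun: [name] command
RUN_RE = re.compile(r'^[umd]Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# rundll32 followed by a bare DLL name: no drive letter, no directory separator.
# A legitimate entry such as NvCpl.dll carries a full path and does not match.
BARE_DLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^\\/:"\s,]+\.dll)"?', re.IGNORECASE)
LSA_RE = re.compile(r'^LSA: Authentication Packages = (?P<pkgs>.+)$')
# DDS file line: date time size attributes path
FILE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(?P<attr>[-a-z]+)\s+(?P<path>.+)$')
# Heuristic (assumption): 5-8 lowercase letters, no digits, as in hgfcdc/rqppmm/xxywtu.
RANDOM_DLL_RE = re.compile(r'^[a-z]{5,8}\.dll$')
# GMER registry line: Reg <key>@<value> <data>
REG_RE = re.compile(r'^Reg (?P<key>.+?)@(?P<value>\S+)\s*(?P<data>.*)$')


def triage(log_text):
    """Return a list of (severity, rule, detail) tuples for the given log text."""
    findings = []
    appinit = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            name, cmd = m.group('name'), m.group('cmd')
            bare = BARE_DLL_RE.match(cmd)
            if bare:
                findings.append(('high', 'run-key rundll32 bare dll', f"{name}: {bare.group('dll')}"))
            elif '\\documents and settings\\' in cmd.lower():
                # Autostart from a user-writable profile path: worth a look, not proof.
                findings.append(('review', 'run-key from user profile', f"{name}: {cmd}"))
            continue
        m = LSA_RE.match(line)
        if m:
            extra = [p for p in m.group('pkgs').split() if p.lower() != 'msv1_0']
            if extra:
                # Anything besides msv1_0 is loaded into lsass.exe at boot.
                findings.append(('high', 'extra LSA authentication package', ' '.join(extra)))
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group('path').lower()
            name = path.rsplit('\\', 1)[-1]
            if 'h' in m.group('attr') and '\\system32\\' in path and RANDOM_DLL_RE.match(name):
                findings.append(('high', 'hidden random-name dll in system32', name))
            continue
        m = REG_RE.match(line)
        if m and m.group('value') in ('LoadAppInit_DLLs', 'AppInit_DLLs'):
            appinit[m.group('value')] = m.group('data').strip()
    if appinit.get('LoadAppInit_DLLs') == '1' and appinit.get('AppInit_DLLs'):
        # Every DLL listed here is injected into each process that loads user32.dll;
        # the list may be legitimate (security products often use it), so review it.
        findings.append(('review', 'AppInit_DLLs injection enabled', appinit['AppInit_DLLs']))
    return findings


if __name__ == '__main__':
    for severity, rule, detail in triage(SAMPLE_LOG):
        print(f'[{severity}] {rule}: {detail}')
```

On the sample above the script flags the three rundll32 entries, rqppmm.dll in the LSA list, the two hidden six-letter DLLs in system32, the regsdkrl13.exe autostart from the user profile, and the AppInit_DLLs list for review; NvCpl.dll and pcre3.dll pass. The AppInit_DLLs entries in this thread belong to Sophos and Google, which is why that rule only asks for a review rather than calling the finding malicious.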

Welcome to the forum.

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon and choosing Disable. More info HERE
    They may interfere with the running of ComboFix.
  • Double click on ComboFix.exe & follow the prompts.
    Notes: ComboFix will run without the Recovery Console installed. If you have SP3, use the SP2 package. If you are running Vista or Windows 7, skip the Recovery Console part.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please let me know.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

5. Give it at least 20-30 minutes to finish if needed.

MrC


Here's the log; thanks!

ComboFix 10-07-21.01 - User 07/21/2010 15:20:21.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3583.2884 [GMT -7:00]

Running from: c:\documents and settings\User\Desktop\ComboFix.exe

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Employee\Application Data\EurekaLog

c:\documents and settings\User\psgold_41_2737.exe

c:\documents and settings\User\regsdkrl13.exe

c:\program files\VisualSVN Server\httpd-wrapper.bat

c:\windows\system32\hgfcdc.dll

c:\windows\system32\jkkiff.dll

c:\windows\system32\lsprst7.dll

c:\windows\system32\rqppmm.dll

c:\windows\system32\ssprs.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_VisualSVNServer

-------\Service_VisualSVNServer

((((((((((((((((((((((((( Files Created from 2010-06-21 to 2010-07-21 )))))))))))))))))))))))))))))))

.

2010-07-19 23:00 . 2010-07-19 23:00 -------- d-----w- C:\1da461a0591a2016d3c019bae0c5

2010-07-17 22:42 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-17 22:42 . 2010-07-17 23:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-17 22:42 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-17 22:38 . 2010-07-17 22:38 -------- d--h--w- c:\windows\PIF

2010-07-17 22:33 . 2010-07-17 22:33 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Little_Apps_(http___www.l

2010-07-17 22:28 . 2010-07-17 22:28 -------- d-----w- c:\program files\CleanUp!

2010-07-17 22:23 . 2010-07-17 22:25 -------- d-----w- c:\program files\Common Files\Little Registry Cleaner

2010-07-17 22:23 . 2010-07-17 22:23 -------- d-----w- c:\program files\Little Registry Cleaner

2010-07-17 20:39 . 2010-07-17 20:39 -------- d-----w- C:\WindowsLiveSyncTemp

2010-07-17 19:28 . 2010-07-17 19:28 -------- d-----w- c:\program files\Trend Micro

2010-07-17 16:09 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-07-17 16:09 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-07-17 16:09 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-07-17 16:09 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-07-17 16:09 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-07-17 16:09 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-07-17 16:09 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-07-17 16:09 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

2010-07-17 16:09 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe

2010-07-17 16:09 . 2010-07-17 16:09 -------- d-----w- c:\program files\Alwil Software

2010-07-17 16:09 . 2010-07-17 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-07-17 00:32 . 2010-07-17 00:32 94720 ---ha-w- c:\windows\system32\xxywtu.dll

2010-07-17 00:21 . 2010-07-17 00:21 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes

2010-07-17 00:21 . 2010-07-17 00:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-15 04:20 . 2010-07-15 04:20 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Sophos

2010-07-15 02:18 . 2010-07-15 02:18 -------- d-----w- c:\program files\Photodex Presenter

2010-07-15 02:18 . 2010-07-15 02:18 -------- d-----w- c:\documents and settings\User\Application Data\Netscape

2010-07-15 02:18 . 2010-07-15 02:18 -------- d-----w- c:\program files\Photodex

2010-07-15 02:15 . 2010-07-15 02:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Photodex

2010-07-15 02:15 . 2010-07-15 02:15 -------- d-----w- c:\documents and settings\User\Application Data\Photodex

2010-07-15 02:15 . 2010-07-15 02:15 -------- d-----w- c:\documents and settings\User\Application Data\regsdkrl32

2010-07-15 02:15 . 2010-07-15 02:15 140288 ----a-w- c:\windows\system32\pcre3.dll

2010-07-15 02:15 . 2010-07-17 17:38 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Desktop Cleanup Wizard

2010-07-13 19:55 . 2010-07-13 19:56 -------- d-----w- c:\documents and settings\User\Application Data\vlc

2010-07-13 19:22 . 2010-07-13 19:22 -------- d-----w- c:\documents and settings\User\Application Data\Apple Computer

2010-06-30 14:04 . 2010-06-30 14:04 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee

2010-06-26 00:04 . 2010-06-26 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-06-26 00:03 . 2010-06-27 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-06-24 16:25 . 2010-07-02 20:22 -------- d-----w- c:\documents and settings\User\Application Data\Tor

2010-06-24 16:25 . 2010-07-02 20:22 -------- d-----w- c:\documents and settings\User\Application Data\Vidalia

2010-06-24 16:25 . 2010-06-24 16:25 -------- d-----w- c:\program files\Vidalia Bundle

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-21 22:27 . 2009-01-21 02:21 -------- d-----w- c:\program files\VisualSVN Server

2010-07-21 22:12 . 2008-12-18 18:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-07-21 00:28 . 2009-03-25 02:54 -------- d-----w- c:\documents and settings\User\Application Data\Audacity

2010-07-17 23:21 . 2010-03-10 17:36 -------- d-----w- c:\program files\Sophos

2010-07-17 19:28 . 2010-07-17 19:28 388096 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-07-17 17:00 . 2010-06-14 22:41 -------- d-----w- c:\documents and settings\User\Application Data\CyberLink

2010-07-17 00:23 . 2010-06-09 01:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-07-16 23:53 . 2009-01-05 17:41 -------- d-----w- c:\documents and settings\User\Application Data\uTorrent

2010-07-15 02:15 . 2010-07-15 02:15 717671 ----a-w- c:\documents and settings\User\Application Data\regsdkrl32\regsdkrl13.exe

2010-07-04 19:19 . 2010-06-17 17:13 -------- d-----w- c:\program files\Songbird

2010-07-01 18:37 . 2008-08-14 14:57 73312 ----a-w- c:\windows\system32\drivers\adfs.sys

2010-06-29 20:42 . 2009-01-05 17:41 -------- d-----w- c:\program files\uTorrent

2010-06-26 00:04 . 2010-06-26 00:04 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe

2010-06-25 22:56 . 2009-11-02 02:04 8 ----a-w- c:\windows\system32\nvModes.dat

2010-06-24 16:27 . 2010-03-09 19:05 439816 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\setup.exe

2010-06-21 16:58 . 2010-06-21 16:58 -------- d-----w- c:\program files\Vimeo Uploader

2010-06-21 16:43 . 2010-06-09 02:04 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-06-21 16:43 . 2010-06-21 16:46 53632 ----a-w- c:\documents and settings\User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-06-17 21:50 . 2008-12-18 18:50 -------- d-----w- c:\program files\aTunes

2010-06-17 17:29 . 2010-06-17 17:29 -------- d-----w- c:\documents and settings\User\Application Data\Songbird2

2010-06-15 01:52 . 2010-06-15 01:52 503808 ----a-w- c:\documents and settings\Employee\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3f89c640-n\msvcp71.dll

2010-06-15 01:52 . 2010-06-15 01:52 499712 ----a-w- c:\documents and settings\Employee\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3f89c640-n\jmc.dll

2010-06-15 01:52 . 2010-06-15 01:52 348160 ----a-w- c:\documents and settings\Employee\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3f89c640-n\msvcr71.dll

2010-06-15 01:52 . 2010-06-15 01:52 12800 ----a-w- c:\documents and settings\Employee\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-529a7fce-n\decora-d3d.dll

2010-06-15 01:52 . 2010-06-15 01:52 61440 ----a-w- c:\documents and settings\Employee\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-529a7fce-n\decora-sse.dll

2010-06-14 22:41 . 2010-06-14 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink

2010-06-14 22:38 . 2008-12-13 23:30 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-14 22:37 . 2010-06-14 22:36 -------- d-----w- c:\program files\Cyberlink

2010-06-14 22:36 . 2010-06-14 22:36 36864 ----a-w- c:\documents and settings\All Users\Application Data\TEMP\{40BF1E83-20EB-11D8-97C5-0009C5020658}\PostBuild.exe

2010-06-14 22:24 . 2010-06-14 22:24 -------- d-----w- c:\documents and settings\Employee\Application Data\ArcSoft

2010-06-14 22:24 . 2008-12-20 19:03 28608 ----a-w- c:\documents and settings\Employee\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-14 14:31 . 2008-12-13 23:05 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-11 23:36 . 2009-01-16 23:15 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-06-11 18:04 . 2010-06-11 18:04 1025 ----a-w- c:\windows\system32\sysprs7.dll

2010-06-11 18:04 . 2010-06-11 18:04 1025 ----a-w- c:\windows\system32\clauth2.dll

2010-06-11 18:04 . 2010-06-11 18:04 1025 ----a-w- c:\windows\system32\clauth1.dll

2010-06-11 18:04 . 2010-06-11 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Minnetonka Audio Software

2010-06-09 22:06 . 2008-12-15 19:26 -------- d-----w- c:\program files\Common Files\Adobe

2010-06-09 21:59 . 2010-06-09 21:59 -------- d-----w- c:\documents and settings\User\Application Data\vimeo.Duplo.3E2F2984357E7A95AE95C69EF2C5C14640284048.1

2010-06-09 19:30 . 2010-06-09 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2010-06-09 19:15 . 2008-12-13 23:36 28608 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-09 18:56 . 2010-06-09 18:56 -------- d-----w- c:\documents and settings\User\Application Data\AdobeSupportAdvisor.E7BED6E5DDA59983786DD72EBFA46B1598278E07.1

2010-06-09 18:56 . 2010-06-09 18:56 -------- d-----w- c:\program files\AdobeSupportAdvisor

2010-06-09 18:20 . 2010-06-09 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM

2010-06-09 16:29 . 2010-06-09 16:29 -------- d-----w- c:\program files\Adobe Media Player

2010-06-09 16:10 . 2010-06-09 16:10 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2010-06-09 01:08 . 2009-01-01 20:29 -------- d-----w- c:\documents and settings\User\Application Data\Sony

2010-06-09 01:03 . 2009-01-01 20:26 -------- d-----w- c:\program files\Sony

2010-06-09 01:02 . 2009-01-01 20:20 -------- d-----w- c:\program files\Sony Setup

2010-06-09 00:39 . 2010-06-17 18:09 704512 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\msc@songbirdnest.com\platform\WINNT_x86-msvc\components\sbMSCDevice.dll

2010-06-09 00:37 . 2010-06-03 16:18 -------- d-----w- c:\documents and settings\User\Application Data\ArcSoft

2010-06-09 00:37 . 2010-06-03 16:28 -------- d--h--w- c:\documents and settings\All Users\Application Data\ArcSoft

2010-06-09 00:36 . 2010-06-03 16:27 -------- d-----w- c:\program files\Common Files\ArcSoft

2010-06-09 00:30 . 2010-06-17 17:13 15664 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2010-06-09 00:30 . 2010-06-17 17:13 109360 ----a-w- c:\windows\system32\GEARAspi.dll

2010-06-04 02:03 . 2009-02-17 20:16 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-03 16:27 . 2010-06-03 16:27 -------- d-----w- c:\program files\Kodak

2010-05-23 00:14 . 2010-05-23 00:14 503808 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6cffc76e-n\msvcp71.dll

2010-05-23 00:14 . 2010-05-23 00:14 499712 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6cffc76e-n\jmc.dll

2010-05-23 00:14 . 2010-05-23 00:14 348160 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6cffc76e-n\msvcr71.dll

2010-05-23 00:14 . 2010-05-23 00:14 61440 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-157dba78-n\decora-sse.dll

2010-05-23 00:14 . 2010-05-23 00:14 12800 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-157dba78-n\decora-d3d.dll

2010-05-21 21:14 . 2009-10-09 18:50 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-10 00:30 . 2010-06-17 18:09 282624 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\windowsmedia@songbirdnest.com\platform\WINNT_x86-msvc\components\sbWindowsMediacore.dll

2010-05-10 00:30 . 2010-06-17 18:09 110592 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\quicktime@songbirdnest.com\platform\WINNT_x86-msvc\components\sbQuickTimeMediacore.dll

2010-05-10 00:30 . 2010-06-17 18:09 872448 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\mtp@songbirdnest.com\platform\WINNT_x86-msvc\components\sbMTPWin32.dll

2010-05-10 00:28 . 2010-06-17 18:09 13312 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\gracenote@songbirdnest.com\platform\WINNT_x86-msvc\components\sbGracenoteStub.dll

2010-05-10 00:28 . 2010-06-17 18:09 571904 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\gracenote@songbirdnest.com\platform\WINNT_x86-msvc\lib\gnsdk_sdkmanager.dll

2010-05-10 00:28 . 2010-06-17 18:09 154624 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\gracenote@songbirdnest.com\platform\WINNT_x86-msvc\lib\gnsdk_search.dll

2010-05-10 00:28 . 2010-06-17 18:09 114688 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\gracenote@songbirdnest.com\platform\WINNT_x86-msvc\lib\gnsdk_link.dll

2010-05-10 00:28 . 2010-06-17 18:09 81920 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\gracenote@songbirdnest.com\platform\WINNT_x86-msvc\lib\sbGracenote.dll

2010-05-10 00:28 . 2010-06-17 18:09 81408 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\gracenote@songbirdnest.com\platform\WINNT_x86-msvc\lib\gnsdk_musicid_cd.dll

2010-05-10 00:28 . 2010-06-17 18:09 13312 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\cd-rip@songbirdnest.com\platform\WINNT_x86-msvc\components\sbGearworksStub.dll

2010-05-10 00:28 . 2010-06-17 18:09 65536 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\cd-rip@songbirdnest.com\platform\WINNT_x86-msvc\lib\sbGearworksCD.dll

2010-05-10 00:28 . 2010-06-17 18:09 394600 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\cd-rip@songbirdnest.com\platform\WINNT_x86-msvc\lib\gwrks32.dll

2010-05-10 00:28 . 2010-06-17 18:09 3573096 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\cd-rip@songbirdnest.com\platform\WINNT_x86-msvc\lib\gearaw32.dll

2010-05-10 00:28 . 2010-06-17 18:09 238952 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\cd-rip@songbirdnest.com\platform\WINNT_x86-msvc\lib\gwlangen.dll

2010-05-06 10:41 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-05 23:05 . 2010-05-05 23:05 503808 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5b72f3b8-n\msvcp71.dll

2010-05-05 23:05 . 2010-05-05 23:05 499712 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5b72f3b8-n\jmc.dll

2010-05-05 23:05 . 2010-05-05 23:05 348160 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5b72f3b8-n\msvcr71.dll

2010-05-05 23:05 . 2010-05-05 23:05 61440 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-495447ae-n\decora-sse.dll

2010-05-05 23:05 . 2010-05-05 23:05 12800 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-495447ae-n\decora-d3d.dll

2010-05-02 05:22 . 2008-04-14 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2002-09-11 14:26 . 2009-02-18 03:38 63730 ------w- c:\program files\viewsonicinstruct_xp.pdf

2009-12-05 23:05 . 2008-12-19 05:01 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"Windows Live Sync"="c:\program files\Windows Live\Sync\WindowsLiveSync.exe" [2009-10-23 1171784]

"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2009-08-13 2684200]

"regsdkrl32"="c:\documents and settings\User\Application Data\regsdkrl32\regsdkrl13.exe" [2010-07-15 717671]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-21 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-21 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-21 137752]

"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-04-10 29757440]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

"DeltTray"="DeltTray.exe" [2002-12-06 56320]

"D-Link RangeBooster G WDA-2320"="c:\program files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe" [2007-08-29 1662976]

"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-05 30192]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-02-19 1089536]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-22 86016]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-01-16 181544]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-28 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-28 13918208]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-13 198160]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2010-07-01 611712]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-06-20 38840]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-06-19 640440]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"CLMLServer"="c:\program files\Cyberlink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]

"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-14 39264]

c:\documents and settings\Employee\Start Menu\Programs\Startup\

OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Spyder3Utility.lnk - c:\program files\Datacolor\Spyder3Elite\Utility\Spyder3Utility.exe [2009-7-24 6574687]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"midi1"=ma_cmidn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\aTunes.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\VisualSVN Server\\bin\\VisualSVNServer.exe"=

"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=

"c:\\Program Files\\Participatory Culture Foundation\\Miro\\Miro_Downloader.exe"=

"c:\\Program Files\\Participatory Culture Foundation\\Miro\\Miro.exe"=

"c:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\IBP 11\\IBP.exe"=

"c:\\Program Files\\Brother\\Brmfl08g\\FAXRX.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=

"c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"54925:UDP"= 54925:UDP:BrotherNetwork Scanner

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server

"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server

"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

"42234:TCP"= 42234:TCP:Tor

"42235:TCP"= 42235:TCP:Tor2

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowOutboundDestinationUnreachable"= 1 (0x1)

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/17/2010 9:09 AM 165456]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/17/2010 9:09 AM 17744]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 4:31 PM 161064]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]

R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [6/8/2010 5:35 PM 36224]

R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [12/18/2008 9:42 PM 57376]

S2 gupdate1c961977cf66bd0;Google Update Service (gupdate1c961977cf66bd0);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2008 10:06 PM 133104]

S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [12/18/2008 9:42 PM 547744]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 288112]

S3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\DRIVERS\deltaII.sys --> c:\windows\system32\DRIVERS\deltaII.sys [?]

S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/18/2008 10:01 PM 30192]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\RangeBooster G WDA-2320\JSWUtil\jswpsapi.exe [12/18/2008 9:42 PM 352338]

S3 Spyder3;Datacolor Spyder3;c:\windows\system32\drivers\Spyder3.sys [5/19/2009 10:42 PM 12288]

S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [12/13/2008 4:29 PM 222976]

S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [6/8/2010 5:35 PM 134912]

--- Other Services/Drivers In Memory ---

*Deregistered* - ArcRec

.

Contents of the 'Scheduled Tasks' folder

2010-07-20 c:\windows\Tasks\Areca back up.job

- c:\documents and settings\User\backup.bat [2009-01-03 20:28]

2010-07-06 c:\windows\Tasks\GBM - Back-up-2010-Full.job

- c:\program files\Genie-Soft\GBMPro8\GBM8.exe [2009-11-12 13:27]

2010-07-21 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-19 05:28]

2010-07-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-19 12:51]

2010-07-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-19 12:51]

2010-07-21 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]

2010-07-21 c:\windows\Tasks\User_Feed_Synchronization-{734A11C6-048D-440C-8716-169B76AF0734}.job

- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.sneakerscomputers.com/start

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\abijm2bk.default\

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\Photodex Presenter\npPxPlay.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)

HKLM-Run-ssttursys - rqppmm.dll

HKLM-Run-jkjkjkdrv - hgfcdc.dll

HKU-Default-Run-wvwurpsys - rqppmm.dll

HKU-Default-Run-ssrsrpdrv - hgfcdc.dll

Notify-AtiExtEvent - (no file)

AddRemove-NVIDIA nView Desktop Manager - c:\program files\NVIDIA Corporation\nView\nViewSetup.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-21 15:36

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]

"Version"=hex:f4,6f,4f,a9,cf,2f,e7,e9,ad,05,dd,66,30,b1,3e,9a,23,6e,0d,f5,bc,

b0,47,ab,11,aa,6f,ff,3c,1e,22,65,fd,8e,05,62,50,c0,08,26,71,6e,e1,8d,59,e9,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]

"Version"=hex:f4,6f,4f,a9,cf,2f,e7,e9,ad,05,dd,66,30,b1,3e,9a,23,6e,0d,f5,bc,

b0,47,ab,11,aa,6f,ff,3c,1e,22,65,fd,8e,05,62,50,c0,08,26,71,6e,e1,8d,59,e9,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3440)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe

c:\program files\Photodex\ProShowGold\ScsiAccess.exe

c:\windows\system32\DeltTray.exe

c:\program files\Brother\ControlCenter3\brccMCtl.exe

c:\program files\Brother\Brmfcmon\BrMfimon.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

c:\windows\system32\rundll32.exe

c:\windows\system32\rundll32.exe

.

**************************************************************************

.

Completion time: 2010-07-21 15:44:05 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-21 22:44

Pre-Run: 120,913,842,176 bytes free

Post-Run: 120,874,672,128 bytes free

- - End Of File - - 91161DA24FFC92D3B531667A1A2316D8


Please be careful when using registry cleaners like:

Little Registry Cleaner

They often do more harm than good... we don't recommend using them.

-----------------------------

Do you have any idea what this is:

c:\documents and settings\User\Application Data\regsdkrl32\regsdkrl13.exe

You may have to enable hidden files to see it:

http://www.bleepingcomputer.com/tutorials/...al62.html#winxp

If not please upload this file:

c:\documents and settings\User\Application Data\regsdkrl32\regsdkrl13.exe

To Virus Total and let me know the results.

-------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

http://forums.malwarebytes.org/index.php?showtopic=57957

Collect::

c:\windows\system32\xxywtu.dll

c:\documents and settings\User\Application Data\regsdkrl32

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"regsdkrl32"=-

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot (in case it asks to reboot)...

Please provide the contents of the ComboFix log in your next reply and a fresh HJT log, MrC


I fixed the ComboFix script to include those files; I thought you saw it.

So run this one the same way you did the other:

http://forums.malwarebytes.org/index.php?showtopic=57957
Collect::
c:\documents and settings\User\Application Data\regsdkrl32

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"regsdkrl32"=-

Post the CF log back here, MrC

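As an added example (not code from this thread, from MrC, or from ComboFix), the script below parses Run-key entries in the "Reg Loading Points" format of the log above, flags images that live in user-writable profile or temp directories (the property that makes the regsdkrl32 entry stand out), and emits a CFScript in the same Collect::/Registry:: shape MrC posted. The sample log lines, the severity heuristics and the helper names are constructed for illustration.

```python
"""Triage the Run-key entries of a ComboFix 'Reg Loading Points' section.

Added example for this thread, not code from ComboFix or the forum. It parses
the '"name"="image" [date size]' lines shown in the log, grades each autorun by
where its image lives, and writes a CFScript in the shape MrC posted: a
Collect:: stanza for the image's directory and a Registry:: stanza that
deletes the Run value ("name"=-).
"""
import re
from dataclasses import dataclass, field

HIVE_RE = re.compile(r"^\[(HK[^\]]+)\]\s*$")
ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(\d{4}-\d{2}-\d{2}) (\d+)\]\s*$')

# Constructed sample in the exact line shape of the thread's log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"regsdkrl32"="c:\documents and settings\User\Application Data\regsdkrl32\regsdkrl13.exe" [2010-07-15 717671]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"DeltTray"="DeltTray.exe" [2002-12-06 56320]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"""


@dataclass
class Autorun:
    hive: str
    name: str
    image: str
    date: str
    size: int


@dataclass
class Verdict:
    severity: str                 # "high", "medium" or "none"
    reasons: list = field(default_factory=list)


def parse_run_entries(text):
    """Return the entries under every [...\\Run] header, in log order."""
    entries, hive = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HIVE_RE.match(line)
        if m:
            hive = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and hive and hive.lower().endswith("\\run"):
            name, image, date, size = m.groups()
            entries.append(Autorun(hive, name, image, date, int(size)))
    return entries


PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\local settings\\")
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


def looks_random(name):
    """Crude corroboration: six or more letters with fewer than one vowel in five."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    return len(letters) >= 6 and sum(c in "aeiou" for c in letters) / len(letters) < 0.2


def assess(entry):
    """Grade one Run entry by where its image lives; the name only corroborates."""
    image = entry.image.lower()
    v = Verdict("none")
    if "\\" not in image:
        v.severity = "medium"
        v.reasons.append("unqualified image name, resolved through the search path")
    elif not image.startswith(TRUSTED_ROOTS):
        if any(mk in image for mk in PROFILE_MARKERS):
            v.severity = "high"
            v.reasons.append("image lives in a user-writable profile directory")
        if "\\temp\\" in image:
            v.severity = "high"
            v.reasons.append("image lives under a temp directory")
    if v.reasons and looks_random(entry.name):
        v.reasons.append("value name looks machine-generated")
    return v


def cfscript_for(entries, topic_url):
    """Build a CFScript for every high-severity entry: quarantine the image's
    directory (Collect::) and delete the Run value (Registry::, "name"=-)."""
    flagged = [e for e in entries if assess(e).severity == "high"]
    lines = [topic_url, "", "Collect::"]
    lines += sorted({e.image.rsplit("\\", 1)[0] for e in flagged})
    lines += ["", "Registry::"]
    for hive in sorted({e.hive for e in flagged}):
        lines.append(f"[{hive}]")
        lines += [f'"{e.name}"=-' for e in flagged if e.hive == hive]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_run_entries(SAMPLE_LOG)
    for e in found:
        v = assess(e)
        if v.severity != "none":
            print(f"{v.severity.upper():6} {e.hive}\\{e.name} -> {e.image} ({'; '.join(v.reasons)})")
    print(cfscript_for(found, "http://forums.malwarebytes.org/index.php?showtopic=57957"))
```

Point it at a saved ComboFix log instead of SAMPLE_LOG and review the flagged entries by hand before acting on the generated script; a profile-path heuristic will also catch legitimate per-user installers.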

Here is the log:

ComboFix 10-07-22.01 - User 07/22/2010 17:32:51.3.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3583.2812 [GMT -7:00]

Running from: c:\documents and settings\User\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((( Files Created from 2010-06-23 to 2010-07-23 )))))))))))))))))))))))))))))))

.

2010-07-22 00:16 . 2010-07-22 00:16 -------- d-----w- c:\documents and settings\Employee\Local Settings\Application Data\Power2Go

2010-07-19 23:00 . 2010-07-19 23:00 -------- d-----w- C:\1da461a0591a2016d3c019bae0c5

2010-07-17 22:42 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-17 22:42 . 2010-07-17 23:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-17 22:42 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-17 22:38 . 2010-07-17 22:38 -------- d--h--w- c:\windows\PIF

2010-07-17 22:33 . 2010-07-17 22:33 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Little_Apps_(http___www.l

2010-07-17 22:28 . 2010-07-17 22:28 -------- d-----w- c:\program files\CleanUp!

2010-07-17 22:23 . 2010-07-17 22:25 -------- d-----w- c:\program files\Common Files\Little Registry Cleaner

2010-07-17 22:23 . 2010-07-22 16:34 -------- d-----w- c:\program files\Little Registry Cleaner

2010-07-17 20:39 . 2010-07-17 20:39 -------- d-----w- C:\WindowsLiveSyncTemp

2010-07-17 19:28 . 2010-07-17 19:28 388096 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-07-17 19:28 . 2010-07-17 19:28 -------- d-----w- c:\program files\Trend Micro

2010-07-17 16:09 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-07-17 16:09 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-07-17 16:09 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-07-17 16:09 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-07-17 16:09 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-07-17 16:09 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-07-17 16:09 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-07-17 16:09 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

2010-07-17 16:09 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe

2010-07-17 16:09 . 2010-07-17 16:09 -------- d-----w- c:\program files\Alwil Software

2010-07-17 16:09 . 2010-07-17 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-07-17 00:21 . 2010-07-17 00:21 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes

2010-07-17 00:21 . 2010-07-17 00:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-15 04:20 . 2010-07-15 04:20 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Sophos

2010-07-15 02:18 . 2010-07-15 02:18 -------- d-----w- c:\program files\Photodex Presenter

2010-07-15 02:18 . 2010-07-15 02:18 -------- d-----w- c:\documents and settings\User\Application Data\Netscape

2010-07-15 02:18 . 2010-07-15 02:18 -------- d-----w- c:\program files\Photodex

2010-07-15 02:15 . 2010-07-15 02:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Photodex

2010-07-15 02:15 . 2010-07-15 02:15 -------- d-----w- c:\documents and settings\User\Application Data\Photodex

2010-07-15 02:15 . 2010-07-22 16:40 -------- d-----w- c:\documents and settings\User\Application Data\regsdkrl32

2010-07-15 02:15 . 2010-07-15 02:15 717671 ----a-w- c:\documents and settings\User\Application Data\regsdkrl32\regsdkrl13.exe

2010-07-15 02:15 . 2010-07-15 02:15 140288 ----a-w- c:\windows\system32\pcre3.dll

2010-07-15 02:15 . 2010-07-17 17:38 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Desktop Cleanup Wizard

2010-07-13 19:55 . 2010-07-13 19:56 -------- d-----w- c:\documents and settings\User\Application Data\vlc

2010-07-13 19:22 . 2010-07-13 19:22 -------- d-----w- c:\documents and settings\User\Application Data\Apple Computer

2010-06-30 14:04 . 2010-06-30 14:04 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee

2010-06-26 00:04 . 2010-06-26 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-06-26 00:04 . 2010-06-26 00:04 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe

2010-06-26 00:03 . 2010-06-27 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-06-24 16:25 . 2010-07-02 20:22 -------- d-----w- c:\documents and settings\User\Application Data\Tor

2010-06-24 16:25 . 2010-07-02 20:22 -------- d-----w- c:\documents and settings\User\Application Data\Vidalia

2010-06-24 16:25 . 2010-06-24 16:25 -------- d-----w- c:\program files\Vidalia Bundle

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-22 23:13 . 2008-12-18 18:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-07-22 00:42 . 2009-01-09 01:58 -------- d-----w- c:\documents and settings\Employee\Application Data\IBP

2010-07-22 00:17 . 2009-01-16 23:15 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-07-21 22:27 . 2009-01-21 02:21 -------- d-----w- c:\program files\VisualSVN Server

2010-07-21 00:28 . 2009-03-25 02:54 -------- d-----w- c:\documents and settings\User\Application Data\Audacity

2010-07-17 23:21 . 2010-03-10 17:36 -------- d-----w- c:\program files\Sophos

2010-07-17 17:00 . 2010-06-14 22:41 -------- d-----w- c:\documents and settings\User\Application Data\CyberLink

2010-07-17 00:23 . 2010-06-09 01:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-07-16 23:53 . 2009-01-05 17:41 -------- d-----w- c:\documents and settings\User\Application Data\uTorrent

2010-07-04 19:19 . 2010-06-17 17:13 -------- d-----w- c:\program files\Songbird

2010-07-01 18:37 . 2008-08-14 14:57 73312 ----a-w- c:\windows\system32\drivers\adfs.sys

2010-06-29 20:42 . 2009-01-05 17:41 -------- d-----w- c:\program files\uTorrent

2010-06-25 22:56 . 2009-11-02 02:04 8 ----a-w- c:\windows\system32\nvModes.dat

2010-06-24 16:27 . 2010-03-09 19:05 439816 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\setup.exe

2010-06-21 16:58 . 2010-06-21 16:58 -------- d-----w- c:\program files\Vimeo Uploader

2010-06-21 16:43 . 2010-06-09 02:04 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-06-21 16:43 . 2010-06-21 16:46 53632 ----a-w- c:\documents and settings\User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-06-17 21:50 . 2008-12-18 18:50 -------- d-----w- c:\program files\aTunes

2010-06-17 17:29 . 2010-06-17 17:29 -------- d-----w- c:\documents and settings\User\Application Data\Songbird2

2010-06-15 01:52 . 2010-06-15 01:52 503808 ----a-w- c:\documents and settings\Employee\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3f89c640-n\msvcp71.dll

2010-06-15 01:52 . 2010-06-15 01:52 499712 ----a-w- c:\documents and settings\Employee\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3f89c640-n\jmc.dll

2010-06-15 01:52 . 2010-06-15 01:52 348160 ----a-w- c:\documents and settings\Employee\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3f89c640-n\msvcr71.dll

2010-06-15 01:52 . 2010-06-15 01:52 12800 ----a-w- c:\documents and settings\Employee\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-529a7fce-n\decora-d3d.dll

2010-06-15 01:52 . 2010-06-15 01:52 61440 ----a-w- c:\documents and settings\Employee\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-529a7fce-n\decora-sse.dll

2010-06-14 22:41 . 2010-06-14 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink

2010-06-14 22:38 . 2008-12-13 23:30 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-14 22:37 . 2010-06-14 22:36 -------- d-----w- c:\program files\Cyberlink

2010-06-14 22:36 . 2010-06-14 22:36 36864 ----a-w- c:\documents and settings\All Users\Application Data\TEMP\{40BF1E83-20EB-11D8-97C5-0009C5020658}\PostBuild.exe

2010-06-14 22:24 . 2010-06-14 22:24 -------- d-----w- c:\documents and settings\Employee\Application Data\ArcSoft

2010-06-14 22:24 . 2008-12-20 19:03 28608 ----a-w- c:\documents and settings\Employee\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-14 14:31 . 2008-12-13 23:05 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-11 18:04 . 2010-06-11 18:04 1025 ----a-w- c:\windows\system32\sysprs7.dll

2010-06-11 18:04 . 2010-06-11 18:04 1025 ----a-w- c:\windows\system32\clauth2.dll

2010-06-11 18:04 . 2010-06-11 18:04 1025 ----a-w- c:\windows\system32\clauth1.dll

2010-06-11 18:04 . 2010-06-11 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Minnetonka Audio Software

2010-06-09 22:06 . 2008-12-15 19:26 -------- d-----w- c:\program files\Common Files\Adobe

2010-06-09 21:59 . 2010-06-09 21:59 -------- d-----w- c:\documents and settings\User\Application Data\vimeo.Duplo.3E2F2984357E7A95AE95C69EF2C5C14640284048.1

2010-06-09 19:30 . 2010-06-09 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2010-06-09 19:15 . 2008-12-13 23:36 28608 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-09 18:56 . 2010-06-09 18:56 -------- d-----w- c:\documents and settings\User\Application Data\AdobeSupportAdvisor.E7BED6E5DDA59983786DD72EBFA46B1598278E07.1

2010-06-09 18:56 . 2010-06-09 18:56 -------- d-----w- c:\program files\AdobeSupportAdvisor

2010-06-09 18:20 . 2010-06-09 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM

2010-06-09 16:29 . 2010-06-09 16:29 -------- d-----w- c:\program files\Adobe Media Player

2010-06-09 16:10 . 2010-06-09 16:10 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2010-06-09 01:08 . 2009-01-01 20:29 -------- d-----w- c:\documents and settings\User\Application Data\Sony

2010-06-09 01:03 . 2009-01-01 20:26 -------- d-----w- c:\program files\Sony

2010-06-09 01:02 . 2009-01-01 20:20 -------- d-----w- c:\program files\Sony Setup

2010-06-09 00:39 . 2010-06-17 18:09 704512 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\msc@songbirdnest.com\platform\WINNT_x86-msvc\components\sbMSCDevice.dll

2010-06-09 00:37 . 2010-06-03 16:18 -------- d-----w- c:\documents and settings\User\Application Data\ArcSoft

2010-06-09 00:37 . 2010-06-03 16:28 -------- d--h--w- c:\documents and settings\All Users\Application Data\ArcSoft

2010-06-09 00:36 . 2010-06-03 16:27 -------- d-----w- c:\program files\Common Files\ArcSoft

2010-06-09 00:30 . 2010-06-17 17:13 15664 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2010-06-09 00:30 . 2010-06-17 17:13 109360 ----a-w- c:\windows\system32\GEARAspi.dll

2010-06-04 02:03 . 2009-02-17 20:16 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-03 16:27 . 2010-06-03 16:27 -------- d-----w- c:\program files\Kodak

2010-05-23 00:14 . 2010-05-23 00:14 503808 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6cffc76e-n\msvcp71.dll

2010-05-23 00:14 . 2010-05-23 00:14 499712 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6cffc76e-n\jmc.dll

2010-05-23 00:14 . 2010-05-23 00:14 348160 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6cffc76e-n\msvcr71.dll

2010-05-23 00:14 . 2010-05-23 00:14 61440 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-157dba78-n\decora-sse.dll

2010-05-23 00:14 . 2010-05-23 00:14 12800 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-157dba78-n\decora-d3d.dll

2010-05-21 21:14 . 2009-10-09 18:50 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-10 00:30 . 2010-06-17 18:09 282624 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\windowsmedia@songbirdnest.com\platform\WINNT_x86-msvc\components\sbWindowsMediacore.dll

2010-05-10 00:30 . 2010-06-17 18:09 110592 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\quicktime@songbirdnest.com\platform\WINNT_x86-msvc\components\sbQuickTimeMediacore.dll

2010-05-10 00:30 . 2010-06-17 18:09 872448 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\mtp@songbirdnest.com\platform\WINNT_x86-msvc\components\sbMTPWin32.dll

2010-05-10 00:28 . 2010-06-17 18:09 13312 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\gracenote@songbirdnest.com\platform\WINNT_x86-msvc\components\sbGracenoteStub.dll

2010-05-10 00:28 . 2010-06-17 18:09 571904 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\gracenote@songbirdnest.com\platform\WINNT_x86-msvc\lib\gnsdk_sdkmanager.dll

2010-05-10 00:28 . 2010-06-17 18:09 154624 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\gracenote@songbirdnest.com\platform\WINNT_x86-msvc\lib\gnsdk_search.dll

2010-05-10 00:28 . 2010-06-17 18:09 114688 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\gracenote@songbirdnest.com\platform\WINNT_x86-msvc\lib\gnsdk_link.dll

2010-05-10 00:28 . 2010-06-17 18:09 81920 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\gracenote@songbirdnest.com\platform\WINNT_x86-msvc\lib\sbGracenote.dll

2010-05-10 00:28 . 2010-06-17 18:09 81408 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\gracenote@songbirdnest.com\platform\WINNT_x86-msvc\lib\gnsdk_musicid_cd.dll

2010-05-10 00:28 . 2010-06-17 18:09 13312 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\cd-rip@songbirdnest.com\platform\WINNT_x86-msvc\components\sbGearworksStub.dll

2010-05-10 00:28 . 2010-06-17 18:09 65536 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\cd-rip@songbirdnest.com\platform\WINNT_x86-msvc\lib\sbGearworksCD.dll

2010-05-10 00:28 . 2010-06-17 18:09 394600 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\cd-rip@songbirdnest.com\platform\WINNT_x86-msvc\lib\gwrks32.dll

2010-05-10 00:28 . 2010-06-17 18:09 3573096 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\cd-rip@songbirdnest.com\platform\WINNT_x86-msvc\lib\gearaw32.dll

2010-05-10 00:28 . 2010-06-17 18:09 238952 ----a-w- c:\documents and settings\User\Application Data\Songbird2\Profiles\3ni0hwu8.default\extensions\cd-rip@songbirdnest.com\platform\WINNT_x86-msvc\lib\gwlangen.dll

2010-05-06 10:41 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-05 23:05 . 2010-05-05 23:05 503808 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5b72f3b8-n\msvcp71.dll

2010-05-05 23:05 . 2010-05-05 23:05 499712 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5b72f3b8-n\jmc.dll

2010-05-05 23:05 . 2010-05-05 23:05 348160 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5b72f3b8-n\msvcr71.dll

2010-05-05 23:05 . 2010-05-05 23:05 61440 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-495447ae-n\decora-sse.dll

2010-05-05 23:05 . 2010-05-05 23:05 12800 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-495447ae-n\decora-d3d.dll

2010-05-02 05:22 . 2008-04-14 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2002-09-11 14:26 . 2009-02-18 03:38 63730 ------w- c:\program files\viewsonicinstruct_xp.pdf

2009-12-05 23:05 . 2008-12-19 05:01 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-07-22_16.58.27 )))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"Windows Live Sync"="c:\program files\Windows Live\Sync\WindowsLiveSync.exe" [2009-10-23 1171784]

"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2009-08-13 2684200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-21 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-21 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-21 137752]

"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-04-10 29757440]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

"DeltTray"="DeltTray.exe" [2002-12-06 56320]

"D-Link RangeBooster G WDA-2320"="c:\program files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe" [2007-08-29 1662976]

"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-05 30192]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-02-19 1089536]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-22 86016]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-01-16 181544]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-28 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-28 13918208]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-13 198160]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2010-07-01 611712]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-06-20 38840]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-06-19 640440]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"CLMLServer"="c:\program files\Cyberlink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]

"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-14 39264]

c:\documents and settings\Employee\Start Menu\Programs\Startup\

OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Spyder3Utility.lnk - c:\program files\Datacolor\Spyder3Elite\Utility\Spyder3Utility.exe [2009-7-24 6574687]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"midi1"=ma_cmidn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\aTunes.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\VisualSVN Server\\bin\\VisualSVNServer.exe"=

"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=

"c:\\Program Files\\Participatory Culture Foundation\\Miro\\Miro_Downloader.exe"=

"c:\\Program Files\\Participatory Culture Foundation\\Miro\\Miro.exe"=

"c:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\IBP 11\\IBP.exe"=

"c:\\Program Files\\Brother\\Brmfl08g\\FAXRX.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=

"c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"54925:UDP"= 54925:UDP:BrotherNetwork Scanner

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server

"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server

"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

"42234:TCP"= 42234:TCP:Tor

"42235:TCP"= 42235:TCP:Tor2


That didn't work like I thought.

Please do this:

Download and unzip the Avenger from the link below:

http://swandog46.geekstogo.com/avenger2/download.php

Double click on Avenger.exe to run it.

Copy and paste the script below into it.

Folders to delete:
c:\documents and settings\User\Application Data\regsdkrl32

Now click Execute (it will reboot the computer, so save all work)

The log can be found at C:\avenger.txt

Please post it, MrC


Since I haven't heard from you, I'll assume everything is OK.

--------------------------

Please Uninstall ComboFix:

Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC
