
Rootkit



I don't know if this is in the correct section; if it is not, I sincerely apologize.

Yesterday I scanned my computer with Malwarebytes, of course, and the following items were infected.

C:\Users\*\AppData\Local\Temp\samwocnerx.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Users\*\AppData\Local\Temp\smewnaxcor.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Users\*\AppData\Local\Temp\1E3D.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.

C:\Users\*\AppData\Local\Temp\1F18.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.

C:\Users\*\AppData\Local\Temp\2002.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.

C:\Users\*\AppData\Local\Temp\2233.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.

C:\Users\*\AppData\Local\Temp\2234.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.

C:\Users\*\AppData\Local\Temp\23F8.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.

The first two listed are completely unknown. Normally if you search for the virus it will show up in search engines etc., but this one would not. Is it a new type of virus, or is that the actual rootkit?

I restarted my computer after Malwarebytes prompted me to, scanned again straight after that, and nothing was found. Then I used the AVG 9 anti-rootkit scanner, and nothing was found in that either.

I just want to make sure that all of this has been completely removed; any help would be much appreciated.

Thanks guys and gals.

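As an added triage example for the Malwarebytes lines quoted above (my own code, not Malwarebytes' or the forum's), this Python parses the "path (Detection.Name) -> action" format, groups detections by family, and checks whether everything sat in the user's Temp directory and was actually removed; the sample log is constructed from the post with the user name masked.

```python
"""Triage parser for Malwarebytes' Anti-Malware detection lines.

Added example for this thread, not Malwarebytes' own code. It parses the
"path (Detection.Name) -> action" lines quoted in the post and summarises
them the way a helper would before deciding which follow-up scans to ask for.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: the "Files Infected" lines from the first post,
# with the user name masked as '*'.
SAMPLE_LOG = r"""
C:\Users\*\AppData\Local\Temp\samwocnerx.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\*\AppData\Local\Temp\smewnaxcor.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\*\AppData\Local\Temp\1E3D.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\*\AppData\Local\Temp\1F18.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\*\AppData\Local\Temp\2002.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\*\AppData\Local\Temp\2233.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\*\AppData\Local\Temp\2234.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Users\*\AppData\Local\Temp\23F8.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
"""

# One detection line: <path> (<Detection.Name>) -> <action>[.]
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_detections(text):
    """Return a list of dicts (path, name, family, action), one per detection line.

    Lines that do not match the format (section headers, counters,
    "(No malicious items detected)") are skipped.
    """
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        name = m.group("name")
        found.append({
            "path": m.group("path"),
            "name": name,
            # The family is the leading component of the detection name,
            # e.g. "Rootkit" in "Rootkit.Dropper".
            "family": name.split(".", 1)[0],
            "action": m.group("action"),
        })
    return found


def in_user_temp(path):
    """True if the path lies under a per-user AppData\\Local\\Temp directory."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return "appdata" in parts and "local" in parts and "temp" in parts


def triage(text):
    """Summarise a detection list for a helper reviewing the log."""
    dets = parse_detections(text)
    families = Counter(d["family"] for d in dets)
    removed = sum(1 for d in dets
                  if d["action"].lower().startswith("quarantined and deleted"))
    return {
        "total": len(dets),
        "families": dict(families),
        "all_in_user_temp": bool(dets) and all(in_user_temp(d["path"]) for d in dets),
        "all_removed": bool(dets) and removed == len(dets),
        # A Rootkit.* detection means an on-disk dropper was caught; whether a
        # kernel component was installed cannot be decided from this log alone,
        # which is why a helper asks for DDS and GMER output next.
        "rootkit_followup": families.get("Rootkit", 0) > 0,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```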

Hello BassCreator! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.

Please follow these instructions and post all logs if you can:

http://forums.malwarebytes.org/index.php?showtopic=9573


This is when I scanned and found the virus:

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 8

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\Harry\AppData\Local\Temp\samwocnerx.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Users\Harry\AppData\Local\Temp\smewnaxcor.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Users\Harry\AppData\Local\Temp\1E3D.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.

C:\Users\Harry\AppData\Local\Temp\1F18.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.

C:\Users\Harry\AppData\Local\Temp\2002.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.

C:\Users\Harry\AppData\Local\Temp\2233.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.

C:\Users\Harry\AppData\Local\Temp\2234.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.

C:\Users\Harry\AppData\Local\Temp\23F8.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.

Will post the others after I have restarted.


Another problem I have come across is that Firefox will not close properly. I always have to go to Processes, select firefox.exe, and End Process to be able to open Firefox again.

I used Defogger and everything went OK, but it didn't prompt me to restart my system; I did that manually.

This is the DDS log; the Attach log will be attached as requested.

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Windows\system32\lsm.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Windows\System32\svchost.exe -k Akamai

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\lxczcoms.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\AVG\AVG9\avgam.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\RocketDock\RocketDock.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Users\Harry\Desktop\dds.com

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

Defogger log; the other one is attached.

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.ro

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2619605

uSearch Bar = hxxp://www.google.ro

uInternet Settings,ProxyServer = 127.0.0.1:8080

uInternet Settings,ProxyOverride = local;*.local

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll

uURLSearchHooks: jdownloader-pro Toolbar: {d59e6cc3-54fa-470c-971c-b8546b1540ac} - c:\program files\jdownloader-pro\tbjdow.dll

mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll

mURLSearchHooks: jdownloader-pro Toolbar: {d59e6cc3-54fa-470c-971c-b8546b1540ac} - c:\program files\jdownloader-pro\tbjdow.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll

BHO: Nuclear Games Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: jdownloader-pro Toolbar: {d59e6cc3-54fa-470c-971c-b8546b1540ac} - c:\program files\jdownloader-pro\tbjdow.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Nuclear Games Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

TB: jdownloader-pro Toolbar: {d59e6cc3-54fa-470c-971c-b8546b1540ac} - c:\program files\jdownloader-pro\tbjdow.dll

TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"

uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

uPolicies-explorer: NoResolveTrack = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: Free YouTube to Mp3 Converter - c:\users\harry\appdata\roaming\dvdvideosoftiehelpers\youtubetomp3.htm

IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: avgrsstx.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\harry\appdata\roaming\mozilla\firefox\profiles\do1xicsw.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2619605&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - Yahoo! Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=

FF - prefs.js: network.proxy.ftp - 80.193.72.145

FF - prefs.js: network.proxy.ftp_port - 80

FF - prefs.js: network.proxy.gopher - 80.193.72.145

FF - prefs.js: network.proxy.gopher_port - 80

FF - prefs.js: network.proxy.http_port - 80

FF - prefs.js: network.proxy.socks - 80.193.72.145

FF - prefs.js: network.proxy.socks_port - 80

FF - prefs.js: network.proxy.ssl - 80.193.72.145

FF - prefs.js: network.proxy.ssl_port - 80

FF - prefs.js: network.proxy.type - 0

FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll

FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\users\harry\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false

FF - user.js: browser.sessionstore.resume_from_crash - false

FF - user.js: network.proxy.type - 0

FF - user.js: network.proxy.http -

user_pref(network.proxy.http_port,);

FF - user.js: network.proxy.no_proxies_on -

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-5-13 52872]

R1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [2010-4-30 127744]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-5-13 216400]

R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-5-13 29584]

R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-5-13 243024]

R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-14 20992]

R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-22 308136]

R2 inpout32;inpout32;c:\windows\system32\drivers\inpout32.sys [2010-5-23 11936]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]

R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-6-10 347136]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 hcwhdpvr;Hauppauge HD PVR Capture Device;c:\windows\system32\drivers\hcwhdpvr.sys [2010-4-30 157184]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-23 1343400]

============== File Associations ===============

.txt=

=============== Created Last 30 ================

2010-08-17 12:06:49 0 ----a-w- c:\users\harry\defogger_reenable

2010-08-16 17:00:49 0 d-----w- c:\programdata\Sun

2010-08-16 17:00:17 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-08-13 11:38:20 0 d-----w- c:\program files\Graboid

2010-08-12 22:55:48 0 d-----w- c:\users\harry\appdata\roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1

2010-08-12 22:55:41 0 d-----w- c:\program files\TweetDeck

2010-08-11 14:19:36 0 d-----w- c:\users\harry\appdata\roaming\Registry Mechanic

2010-08-11 14:17:10 0 d-----w- c:\users\harry\appdata\roaming\FTWeak

2010-08-10 18:53:16 0 d-----w- c:\users\harry\appdata\roaming\DVDVideoSoftIEHelpers

2010-08-10 18:52:51 0 d-----w- c:\program files\DVDVideoSoft

2010-08-10 18:52:51 0 d-----w- c:\program files\common files\DVDVideoSoft

2010-08-10 15:59:59 0 d-----w- c:\users\harry\appdata\roaming\WindSolutions

2010-08-10 15:59:59 0 d-----w- c:\programdata\WindSolutions

2010-08-10 15:51:49 0 d-----w- c:\users\harry\appdata\roaming\DiskAid

2010-08-10 15:32:28 355 ----a-w- c:\users\harry\Homegroup - Shortcut.lnk

2010-08-01 20:40:37 316207 ----a-w- c:\windows\system32\slwc.exe

2010-08-01 20:37:33 0 d-----w- c:\program files\Yzshadow

2010-08-01 20:37:32 0 d-----w- c:\program files\UberIcon

2010-08-01 20:37:30 0 d-----w- c:\program files\RKLauncher

2010-08-01 20:37:28 37376 ----a-w- c:\windows\system32\themeservice.dll.backup

2010-08-01 20:37:28 2755072 ----a-w- c:\windows\system32\themeui.dll.backup

2010-08-01 20:37:27 249856 ----a-w- c:\windows\system32\uxtheme.dll.backup

2010-08-01 20:37:20 25214 ----a-w- c:\windows\Icon_1.ico

2010-08-01 20:37:19 8636 ----a-w- c:\windows\system32\modifype.exe

2010-08-01 20:37:19 111104 ----a-w- c:\windows\system32\Uharc.exe

2010-08-01 20:37:19 0 d-----w- C:\SnowFiles

2010-07-28 11:28:33 0 d-----w- c:\users\harry\appdata\roaming\Intelli-studio

2010-07-28 11:26:40 0 d-----w- c:\program files\SAMSUNG

2010-07-28 11:19:41 0 d-----w- c:\programdata\Driver Whiz

2010-07-27 13:50:48 40 ----a-w- c:\windows\iltwain.ini

2010-07-27 13:50:03 0 d-----w- c:\program files\EzGenerator3

2010-07-24 23:11:00 0 d-----w- c:\program files\iPod

2010-07-23 23:01:17 0 d-----w- c:\program files\TeamViewer

==================== Find3M ====================

2010-08-01 20:37:28 37376 ----a-w- c:\windows\system32\themeservice.dll

2010-08-01 20:37:28 2755072 ----a-w- c:\windows\system32\themeui.dll

2010-08-01 20:37:27 249856 ----a-w- c:\windows\system32\uxtheme.dll

2010-07-29 06:30:49 197632 ----a-w- c:\windows\system32\ir32_32.dll

2010-07-29 06:30:34 82944 ----a-w- c:\windows\system32\iccvid.dll

2010-06-30 06:25:31 978432 ----a-w- c:\windows\system32\wininet.dll

2010-06-24 18:04:26 409088 ----a-w- c:\windows\system32\systemcpl.dll

2010-06-24 18:04:26 13824 ----a-w- c:\windows\system32\slwga.dll

2010-06-24 18:04:25 811520 ----a-w- c:\windows\system32\user32.dll

2010-06-22 15:35:10 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-06-22 15:35:09 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-06-22 15:35:04 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-06-22 02:47:35 310784 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-22 02:47:21 307200 ----a-w- c:\windows\system32\drivers\srv2.sys

2010-06-22 02:47:13 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys

2010-06-19 06:33:29 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-06-19 06:33:29 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-06-19 06:23:50 37376 ----a-w- c:\windows\system32\rtutils.dll

2010-06-19 04:07:18 2326016 ----a-w- c:\windows\system32\win32k.sys

2010-06-16 05:48:35 224256 ----a-w- c:\windows\system32\schannel.dll

2010-06-08 06:02:06 1233920 ----a-w- c:\windows\system32\msxml3.dll

2010-05-30 14:47:34 1122304 ----a-w- c:\windows\system32\libeay32.dll

2010-05-27 07:24:13 34304 ----a-w- c:\windows\system32\atmlib.dll

2010-05-27 03:49:37 293888 ----a-w- c:\windows\system32\atmfd.dll

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat

2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat

2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat

2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat

2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 13:17:27.80 ===============

This is the Ark.txt:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-08-17 13:47:28

Windows 6.1.7600

Running: 34shids6.exe; Driver: C:\Users\Harry\AppData\Local\Temp\fgrcqpob.sys

---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A29AF8

INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A29104

INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A293F4

INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A11634

INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A11898

INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A291DC

INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A29958

INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A296F8

INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A29F2C

INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A2A1A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A89599 1 Byte [06]

.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AADF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

.text peauth.sys 98071C9D 28 Bytes [44, 8A, 31, 7C, F3, F3, 43, ...]

.text peauth.sys 98071CC1 28 Bytes [44, 8A, 31, 7C, F3, F3, 43, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1312] ntdll.dll!NtProtectVirtualMemory 774D5380 5 Bytes JMP 0022000A

.text C:\Windows\system32\svchost.exe[1312] ntdll.dll!NtWriteVirtualMemory 774D5F00 5 Bytes JMP 0040000A

.text C:\Windows\system32\svchost.exe[1312] ntdll.dll!KiUserExceptionDispatcher 774D6448 5 Bytes JMP 0021000A

.text C:\Windows\system32\svchost.exe[1312] ole32.dll!CoCreateInstance 75B957FC 5 Bytes JMP 00A1000A

.text C:\Windows\system32\svchost.exe[1312] USER32.dll!GetCursorPos 758EC198 5 Bytes JMP 00B9000A

.text C:\Windows\system32\wuauclt.exe[1396] ntdll.dll!NtProtectVirtualMemory 774D5380 5 Bytes JMP 0025000A

.text C:\Windows\system32\wuauclt.exe[1396] ntdll.dll!NtWriteVirtualMemory 774D5F00 5 Bytes JMP 0026000A

.text C:\Windows\system32\wuauclt.exe[1396] ntdll.dll!KiUserExceptionDispatcher 774D6448 5 Bytes JMP 0024000A

.text C:\Windows\Explorer.EXE[2760] ntdll.dll!NtProtectVirtualMemory 774D5380 5 Bytes JMP 0029000A

.text C:\Windows\Explorer.EXE[2760] ntdll.dll!NtWriteVirtualMemory 774D5F00 5 Bytes JMP 002A000A

.text C:\Windows\Explorer.EXE[2760] ntdll.dll!KiUserExceptionDispatcher 774D6448 5 Bytes JMP 0028000A

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] kernel32.dll!LockResource 772B345C 5 Bytes JMP 28001F50 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] kernel32.dll!CreateEventA 772B3A2B 5 Bytes JMP 28001840 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] kernel32.dll!FindResourceW 772B922F 5 Bytes JMP 28001BE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] kernel32.dll!SizeofResource 772B924D 5 Bytes JMP 28001EE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] kernel32.dll!FindResourceExW 772BA7EF 5 Bytes JMP 28001C60 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] kernel32.dll!LoadResource 772BD3B0 5 Bytes JMP 28001E20 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] kernel32.dll!FindResourceExA 772BD4AD 7 Bytes JMP 28001D80 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] kernel32.dll!FindResourceA 772BD575 5 Bytes JMP 28001CF0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] ADVAPI32.dll!CryptDecrypt 77652140 5 Bytes JMP 28001060 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] ADVAPI32.dll!CryptDeriveKey 77652150 5 Bytes JMP 28001000 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] USER32.dll!SetWindowPlacement 758E8169 5 Bytes JMP 28005EA0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] USER32.dll!CreateDialogParamW 758E9BFF 5 Bytes JMP 28006120 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] USER32.dll!SetWindowRgn 758EB29A 4 Bytes JMP 28005FE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] USER32.dll!SetWindowRgn + 5 758EB29F 2 Bytes [CC, CC] {INT 3 ; INT 3 }

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] USER32.dll!CreateWindowExW 758F0E51 5 Bytes JMP 28003CF0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] USER32.dll!LoadIconW 758F1431 2 Bytes JMP 28006960 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] USER32.dll!LoadIconW + 3 758F1434 2 Bytes [71, B2] {JNO 0xffffffffffffffb4}

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] USER32.dll!LoadImageW 758F2323 5 Bytes JMP 28006770 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] USER32.dll!GetWindowLongW 758F83A9 7 Bytes JMP 28006B00 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] USER32.dll!PeekMessageW 758F91B5 5 Bytes JMP 280046C0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] USER32.dll!TrackPopupMenuEx 75915F72 5 Bytes JMP 28004FA0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] USER32.dll!MessageBoxIndirectW 7593E9C3 5 Bytes JMP 28006310 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] WS2_32.dll!closesocket 75D83BED 5 Bytes JMP 2800BB90 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] WS2_32.dll!recv 75D847DF 5 Bytes JMP 2800B3B0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] WS2_32.dll!WSASend 75D868A7 5 Bytes JMP 2800B950 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] WS2_32.dll!WSARecv 75D8C29F 5 Bytes JMP 2800B550 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] WS2_32.dll!send 75D8C4C8 5 Bytes JMP 2800B770 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] SHELL32.dll!Shell_NotifyIconW 75FCFBE1 5 Bytes JMP 28003440 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] ole32.dll!CoRegisterClassObject 75B511F5 5 Bytes JMP 28002360 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] ole32.dll!CoInitializeEx 75B80804 5 Bytes JMP 28002260 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] ole32.dll!CoCreateInstance 75B957FC 1 Byte [E9]

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] ole32.dll!CoCreateInstance 75B957FC 5 Bytes JMP 28002600 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] WININET.dll!InternetCloseHandle 76C1C83E 5 Bytes JMP 2800A560 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] WININET.dll!InternetReadFile 76C1E264 5 Bytes JMP 2800A3B0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] WININET.dll!HttpOpenRequestA 76C203FA 5 Bytes JMP 2800A220 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] WININET.dll!HttpSendRequestA 76C902E0 5 Bytes JMP 2800A490 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

.text C:\Program Files\Mozilla Firefox\firefox.exe[3800] ntdll.dll!NtProtectVirtualMemory 774D5380 5 Bytes JMP 0012000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[3800] ntdll.dll!NtWriteVirtualMemory 774D5F00 5 Bytes JMP 0013000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[3800] ntdll.dll!KiUserExceptionDispatcher 774D6448 5 Bytes JMP 000C000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[3800] ntdll.dll!LdrLoadDll 774EF625 5 Bytes JMP 012913F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8591AEC5

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\Windows\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...

Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\Windows\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\Windows\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x7A 0x45 0x05 0xFD ...

Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\Windows\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\Windows\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xE9 0x02 0x6C 0xFA ...

Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\Windows\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\Windows\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\Windows\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...

Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\Windows\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\Windows\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...

Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\Windows\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment

Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\Windows\system32\OLE32.DLL

Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Harry\Downloads\ZoneAlarm\xae Internet Security Suite 2009+Keygen[h33t]MasterUploader\Setup\zaSUITE_Setup_en.exe 1

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Thanks for the help, you guys are amazing!

Attach.zip


Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Harry\Downloads\ZoneAlarm\xae Internet Security Suite 2009+Keygen[h33t]MasterUploader\Setup\zaSUITE_Setup_en.exe 1

I remember that. I tried to download Zone Alarm Free from their website, but it wouldn't work for me at the time. And because I'm so stupid, I looked for the free version and downloaded it, not realizing that it wasn't one and that it had a keygen with a virus, which I deleted straight away when I realized it was not a Zone Alarm product. But that was a long time ago and I believe the virus was removed. Does that mean it's still there?

Thanks once again.


Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4434

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

8/16/2010 1:34:07 AM

mbam-log-2010-08-16 (01-34-07).txt

Scan type: Full scan (C:\|D:\|E:\|)

Objects scanned: 63532

Time elapsed: 20 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 8

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\Harry\AppData\Local\Temp\samwocnerx.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Users\Harry\AppData\Local\Temp\smewnaxcor.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Users\Harry\AppData\Local\Temp\1E3D.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.

C:\Users\Harry\AppData\Local\Temp\1F18.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.

C:\Users\Harry\AppData\Local\Temp\2002.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.

C:\Users\Harry\AppData\Local\Temp\2233.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.

C:\Users\Harry\AppData\Local\Temp\2234.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.

C:\Users\Harry\AppData\Local\Temp\23F8.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.


You're missing a couple of updates, and my instructions were for a Quick scan, not a Full scan. Be more careful!

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4440

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

8/17/2010 9:12:06 PM

mbam-log-2010-08-17 (21-12-06).txt

Scan type: Quick scan

Objects scanned: 144453

Time elapsed: 9 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Good!

**Note: If you need more detailed information, please visit ComboFix's web page at BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.

  • During the download, rename Combofix to Combo-Fix as follows:

[Image: CF_download_FF.gif]

[Image: CF_download_rename.gif]

  • It is important you rename Combofix during the download, but not after.

  • Please do not rename Combofix to other names, but only to the one indicated.

  • Close any open browsers.

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

-----------------------------------------------------------

  • Double-click on Combo-Fix.exe & follow the prompts.

  • When finished, it will produce a report for you.

  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall.**


Here is the Combo-Fix log. It prompted me to restart my computer due to rootkit activity during the scan :)

ComboFix 10-08-17.02 - Harry 08/17/2010 23:27:54.1.2 - x86

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1916.1033 [GMT 1:00]

Running from: c:\users\Harry\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\7Loader.TAG

c:\windows\system32\sleep.exe

c:\windows\system32\system

Infected copy of c:\windows\system32\drivers\mssmbios.sys was found and disinfected

Restored copy from - Kitty had a snack :)

.

((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 )))))))))))))))))))))))))))))))

.

2010-08-17 22:37 . 2010-08-17 22:37 -------- d-----w- c:\users\Harry\AppData\Local\temp

2010-08-17 22:37 . 2010-08-17 22:37 -------- d-----w- c:\users\Richard\AppData\Local\temp

2010-08-17 22:37 . 2010-08-17 22:37 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-08-16 17:00 . 2010-08-16 17:00 -------- d-----w- c:\program files\Common Files\Java

2010-08-16 17:00 . 2010-08-16 16:59 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-08-13 11:38 . 2010-08-13 11:38 -------- d-----w- c:\program files\Graboid

2010-08-12 22:55 . 2010-08-12 22:55 -------- d-----w- c:\users\Harry\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1

2010-08-12 22:55 . 2010-08-12 22:53 53632 ----a-w- c:\users\Harry\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-08-12 22:55 . 2010-08-12 22:55 -------- d-----w- c:\program files\TweetDeck

2010-08-12 22:55 . 2010-08-12 22:53 53632 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-08-12 22:55 . 2010-08-12 22:55 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-08-11 15:35 . 2010-08-11 15:35 -------- d-----w- c:\users\Harry\AppData\Roaming\acccore

2010-08-11 14:19 . 2010-08-11 14:19 -------- d-----w- c:\users\Harry\AppData\Roaming\Registry Mechanic

2010-08-11 14:17 . 2010-08-16 00:44 -------- d-----w- c:\users\Harry\AppData\Roaming\FTWeak

2010-08-10 18:53 . 2010-08-10 18:53 -------- d-----w- c:\users\Harry\AppData\Roaming\DVDVideoSoftIEHelpers

2010-08-10 18:52 . 2010-08-10 18:53 -------- d-----w- c:\program files\Common Files\DVDVideoSoft

2010-08-10 18:52 . 2010-08-10 18:53 -------- d-----w- c:\program files\DVDVideoSoft

2010-08-10 16:00 . 2010-08-10 16:00 5443752 ----a-w- c:\users\Harry\AppData\Roaming\WindSolutions\CopyTransControlCenter\Applications\CopyTrans.exe

2010-08-10 16:00 . 2010-08-10 16:00 2671840 ----a-w- c:\users\Harry\AppData\Roaming\WindSolutions\CopyTransControlCenter\Applications\CopyTransControlCenter.exe

2010-08-10 15:59 . 2010-08-10 16:01 -------- d-----w- c:\users\Harry\AppData\Roaming\WindSolutions

2010-08-10 15:59 . 2010-08-10 16:00 -------- d-----w- c:\programdata\WindSolutions

2010-08-10 15:51 . 2010-08-10 15:54 -------- d-----w- c:\users\Harry\AppData\Roaming\DiskAid

2010-08-10 15:43 . 2010-08-10 15:51 -------- d-----w- c:\users\Harry\AppData\Local\tctemp

2010-08-01 20:40 . 2010-07-31 13:45 316207 ----a-w- c:\windows\system32\slwc.exe

2010-08-01 20:37 . 2010-08-10 00:51 -------- d-----w- c:\program files\Yzshadow

2010-08-01 20:37 . 2010-08-10 00:51 -------- d-----w- c:\program files\UberIcon

2010-08-01 20:37 . 2010-08-10 00:51 -------- d-----w- c:\program files\RKLauncher

2010-08-01 20:37 . 2010-08-09 20:31 -------- d-----w- C:\SnowFiles

2010-08-01 20:37 . 2006-12-03 16:15 111104 ----a-w- c:\windows\system32\Uharc.exe

2010-08-01 20:37 . 2006-12-03 16:14 8636 ----a-w- c:\windows\system32\modifype.exe

2010-07-28 11:29 . 2010-07-28 11:29 17552011 ----a-w- c:\users\Harry\AppData\Roaming\Intelli-studio\iUpdate.exe

2010-07-28 11:28 . 2010-07-28 11:33 -------- d-----w- c:\users\Harry\AppData\Roaming\Intelli-studio

2010-07-28 11:26 . 2010-08-10 00:45 -------- d-----w- c:\program files\SAMSUNG

2010-07-28 11:19 . 2010-07-28 11:19 -------- d-----w- c:\programdata\Driver Whiz

2010-07-27 13:50 . 2010-07-30 15:13 -------- d-----w- c:\program files\EzGenerator3

2010-07-24 23:11 . 2010-07-24 23:11 -------- d-----w- c:\program files\iPod

2010-07-24 23:02 . 2010-07-24 23:02 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe

2010-07-23 23:01 . 2010-07-23 23:07 -------- d-----w- c:\program files\TeamViewer

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-17 22:38 . 2010-01-13 18:52 -------- d-----w- c:\program files\Common Files\Akamai

2010-08-17 13:02 . 2009-08-30 00:18 -------- d-----w- c:\users\Harry\AppData\Roaming\uTorrent

2010-08-17 10:48 . 2009-08-28 17:03 -------- d-----w- c:\program files\uTorrent

2010-08-16 01:21 . 2010-05-16 18:55 -------- d-----w- c:\program files\JDownloader

2010-08-13 10:20 . 2009-08-28 17:05 -------- d-----w- c:\programdata\Microsoft Help

2010-08-11 14:17 . 2010-07-03 09:46 123664 ----a-w- c:\users\Harry\AppData\Local\GDIPFONTCACHEV1.DAT

2010-08-11 09:17 . 2009-12-06 20:52 -------- d-----w- c:\program files\Steam

2010-08-10 00:51 . 2009-07-14 04:52 -------- d-----w- c:\program files\Windows Sidebar

2010-08-10 00:46 . 2009-08-28 17:03 -------- d-----w- c:\program files\WinSCP

2010-08-10 00:46 . 2009-12-07 18:12 -------- d-----w- c:\program files\Any Video Converter Professional

2010-08-08 20:33 . 2009-12-07 18:15 -------- d-----w- c:\users\Harry\AppData\Roaming\Any Video Converter Professional

2010-08-03 19:51 . 2009-09-06 10:31 -------- d-----w- c:\users\Harry\AppData\Roaming\LimeWire

2010-08-03 19:13 . 2009-08-28 17:18 -------- d-----w- c:\users\Harry\AppData\Roaming\Skype

2010-08-02 16:49 . 2009-12-29 15:12 -------- d-----w- c:\users\Harry\AppData\Roaming\vlc

2010-08-01 20:37 . 2009-07-13 23:39 2755072 ----a-w- c:\windows\system32\themeui.dll

2010-08-01 20:37 . 2009-07-13 23:39 37376 ----a-w- c:\windows\system32\themeservice.dll

2010-08-01 20:37 . 2009-07-13 23:40 249856 ----a-w- c:\windows\system32\uxtheme.dll

2010-07-29 06:30 . 2010-08-12 10:15 197632 ----a-w- c:\windows\system32\ir32_32.dll

2010-07-29 06:30 . 2010-08-12 10:15 82944 ----a-w- c:\windows\system32\iccvid.dll

2010-07-24 23:11 . 2010-02-15 14:03 -------- d-----w- c:\program files\iTunes

2010-07-24 23:10 . 2009-10-14 18:44 -------- d-----w- c:\program files\Common Files\Apple

2010-07-24 23:07 . 2009-12-02 22:51 -------- d-----w- c:\program files\Bonjour

2010-07-15 18:00 . 2010-07-15 18:00 -------- d-----w- c:\users\Harry\AppData\Roaming\AVG9

2010-07-05 15:49 . 2010-07-05 15:49 -------- d-----w- c:\users\Harry\AppData\Roaming\Malwarebytes

2010-07-05 15:49 . 2010-07-05 15:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-05 15:49 . 2010-07-05 15:49 -------- d-----w- c:\programdata\Malwarebytes

2010-06-30 06:25 . 2010-08-12 10:15 978432 ----a-w- c:\windows\system32\wininet.dll

2010-06-27 14:11 . 2010-05-13 16:22 -------- d-----w- c:\programdata\AVG Security Toolbar

2010-06-26 18:08 . 2010-02-16 13:27 -------- d-----w- c:\program files\VstPlugins

2010-06-26 18:07 . 2010-02-16 13:24 -------- d-----w- c:\program files\Image-Line

2010-06-24 18:04 . 2009-07-13 23:40 409088 ----a-w- c:\windows\system32\systemcpl.dll

2010-06-24 18:04 . 2009-07-13 23:36 13824 ----a-w- c:\windows\system32\slwga.dll

2010-06-24 18:04 . 2009-07-13 23:24 811520 ----a-w- c:\windows\system32\user32.dll

2010-06-22 15:54 . 2010-06-22 15:54 -------- d-----w- c:\program files\Siber Systems

2010-06-22 15:35 . 2010-05-13 16:22 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-06-22 15:35 . 2010-06-22 15:35 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-06-22 15:35 . 2010-05-13 16:22 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-06-22 02:47 . 2010-08-12 10:15 310784 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-22 02:47 . 2010-08-12 10:15 307200 ----a-w- c:\windows\system32\drivers\srv2.sys

2010-06-22 02:47 . 2010-08-12 10:15 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys

2010-06-19 06:33 . 2010-08-12 10:15 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-06-19 06:33 . 2010-08-12 10:15 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-06-19 06:23 . 2010-08-12 10:15 37376 ----a-w- c:\windows\system32\rtutils.dll

2010-06-19 04:07 . 2010-08-12 10:15 2326016 ----a-w- c:\windows\system32\win32k.sys

2010-06-16 05:48 . 2010-08-12 10:15 224256 ----a-w- c:\windows\system32\schannel.dll

2010-06-14 06:12 . 2010-08-12 10:15 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys

2010-06-08 06:02 . 2010-08-12 10:15 1233920 ----a-w- c:\windows\system32\msxml3.dll

2010-06-01 11:05 . 2010-05-13 16:22 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-05-30 14:47 . 2010-05-30 14:47 1122304 ----a-w- c:\windows\system32\libeay32.dll

2010-05-27 07:24 . 2010-06-12 09:29 34304 ----a-w- c:\windows\system32\atmlib.dll

2010-05-27 03:49 . 2010-06-12 09:29 293888 ----a-w- c:\windows\system32\atmfd.dll

2010-05-23 14:53 . 2010-05-23 14:53 11936 ----a-w- c:\windows\system32\drivers\inpout32.sys

2009-10-19 18:59 . 2009-12-19 00:42 47104 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll

2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat

2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

.

------- Sigcheck -------

[-] 2010-06-24 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

"{d59e6cc3-54fa-470c-971c-b8546b1540ac}"= "c:\program files\jdownloader-pro\tbjdow.dll" [2010-04-15 2515552]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_CLASSES_ROOT\clsid\{d59e6cc3-54fa-470c-971c-b8546b1540ac}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2010-04-19 09:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2009-07-10 17:28 1174920 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d59e6cc3-54fa-470c-971c-b8546b1540ac}]

2010-04-15 11:33 2515552 ----a-w- c:\program files\jdownloader-pro\tbjdow.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

"{d59e6cc3-54fa-470c-971c-b8546b1540ac}"= "c:\program files\jdownloader-pro\tbjdow.dll" [2010-04-15 2515552]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{d59e6cc3-54fa-470c-971c-b8546b1540ac}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

"{D59E6CC3-54FA-470C-971C-B8546B1540AC}"= "c:\program files\jdownloader-pro\tbjdow.dll" [2010-04-15 2515552]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{d59e6cc3-54fa-470c-971c-b8546b1540ac}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Aim"="c:\program files\AIM\aim.exe" [2010-03-08 3972440]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-08-16 327472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\users\Richard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 0 (0x0)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"FTweakFCleaner"=c:\program files\FCleaner\FCleaner.exe -a

"Google Update"="c:\users\Harry\AppData\Local\Google\Update\GoogleUpdate.exe" /c

"RocketDock"="c:\program files\RocketDock\RocketDock.exe"

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

"Steam"="c:\program files\Steam\Steam.exe" -silent

"uTorrent"="c:\program files\uTorrent\uTorrent.exe"

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

"IgfxTray"=c:\windows\system32\igfxtray.exe

"HotKeysCmds"=c:\windows\system32\hkcmd.exe

"Persistence"=c:\windows\system32\igfxpers.exe

"AVG9_TRAY"=c:\progra~1\AVG\AVG9\avgtray.exe

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

"lxczbmgr.exe"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe"

"USB2Check"=RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController

"USBToolTip"=c:\progra~1\COMMON~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe

"ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R3 hcwhdpvr;Hauppauge HD PVR Capture Device;c:\windows\system32\DRIVERS\hcwhdpvr.sys [2009-04-01 157184]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-23 1343400]

S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2010-05-14 52872]

S1 archlp;archlp;c:\windows\system32\drivers\archlp.sys [2009-02-19 127744]

S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-06-22 216400]

S1 AvgTdiX;AVG Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-06-22 243024]

S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]

S2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-06-22 308136]

S2 inpout32;inpout32;c:\windows\system32\Drivers\inpout32.sys [2010-05-23 11936]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]

S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-07-13 347136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Akamai REG_MULTI_SZ Akamai

.

Contents of the 'Scheduled Tasks' folder

2010-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3834575299-2961363844-1884367645-1001Core.job

- c:\users\Harry\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-28 17:16]

2010-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3834575299-2961363844-1884367645-1001UA.job

- c:\users\Harry\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-28 17:16]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2619605

uInternet Settings,ProxyServer = 127.0.0.1:8080

uInternet Settings,ProxyOverride = local;*.local

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: Free YouTube to Mp3 Converter - c:\users\Harry\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

FF - ProfilePath - c:\users\Harry\AppData\Roaming\Mozilla\Firefox\Profiles\do1xicsw.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2619605&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - Yahoo! Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=

FF - prefs.js: network.proxy.ftp - 80.193.72.145

FF - prefs.js: network.proxy.ftp_port - 80

FF - prefs.js: network.proxy.gopher - 80.193.72.145

FF - prefs.js: network.proxy.gopher_port - 80

FF - prefs.js: network.proxy.http_port - 80

FF - prefs.js: network.proxy.socks - 80.193.72.145

FF - prefs.js: network.proxy.socks_port - 80

FF - prefs.js: network.proxy.ssl - 80.193.72.145

FF - prefs.js: network.proxy.ssl_port - 80

FF - prefs.js: network.proxy.type - 0

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: c:\users\Harry\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false

FF - user.js: browser.sessionstore.resume_from_crash - false

FF - user.js: network.proxy.type - 0

FF - user.js: network.proxy.http -

user_pref(network.proxy.http_port,);

FF - user.js: network.proxy.no_proxies_on -

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

.

------- File Associations -------

.

.txt=

.

- - - - ORPHANS REMOVED - - - -

AddRemove-reFX Nexus 1.3.8 - AMPLiFY Analog Xpansion Update_is1 - c:\users\Harry\Desktop\Nexus\unins000.exe

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\SetID\Internal]

@Denied: (A 2) (LocalSystem)

"DATA"="<settings expireTime=\"0\" productStatus=\"1\" obSize=\"0\" InstallTS=\"2145870353\" isSubsc=\"0\" version=\"12.0.1\" timeDiff=\"1\" oldDevice=\"\" authStatus_ts=\"0\" />"

"Device"="yM29zbvPzMnLvrm+x8fPzce+zro="

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2010-08-17 23:41:08

ComboFix-quarantined-files.txt 2010-08-17 22:41

Pre-Run: 25,047,867,392 bytes free

Post-Run: 25,093,369,856 bytes free

- - End Of File - - 34B03216A40597396CF18FDB2227987C

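The ComboFix log above contains several settings a helper reads before anything else: UAC switched off (EnableLUA = 0 with silent elevation for administrators), an AppInit_DLLs entry, an Internet Explorer proxy pointing at 127.0.0.1:8080, a Conduit start page, and Firefox proxy prefs naming an external address (inactive here, because network.proxy.type is 0). The following Python script is an added example, not part of this thread and not ComboFix's own logic: it parses those line shapes and turns them into triage findings. The severity labels, the loopback/private/public host classification and the sample log (constructed from lines in the posted log) are this example's assumptions.

```python
"""Triage helper for ComboFix-style log lines.

Added example, not part of the forum thread and not ComboFix's own logic:
it parses the line formats seen in the posted log and raises findings for
the settings a malware-removal helper reads first. Severity labels and the
host classification are this example's assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    item: str      # the setting that triggered the rule
    detail: str    # why it matters and what to check next


# Line shapes as ComboFix prints them.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
IE_RE = re.compile(r"^u(?P<name>Start Page|Internet Settings,ProxyServer)\s*=\s*(?P<value>.+)$")
FF_RE = re.compile(r"^FF - prefs\.js: (?P<name>network\.proxy\.[a-z_]+) - (?P<value>.*)$")

UAC_POLICY_KEY = r"policies\system"
WINDOWS_NT_KEY = r"windows nt\currentversion\windows"

# Constructed sample, modelled on lines from the posted log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2619605
uInternet Settings,ProxyServer = 127.0.0.1:8080
FF - prefs.js: network.proxy.socks - 80.193.72.145
FF - prefs.js: network.proxy.socks_port - 80
FF - prefs.js: network.proxy.ssl - 80.193.72.145
FF - prefs.js: network.proxy.ssl_port - 80
FF - prefs.js: network.proxy.type - 0
"""


def classify_host(host: str) -> str:
    """Return "loopback", "private", "public" or "hostname" (assumed scheme)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"
    return "public"


def proxy_finding(item: str, host: str, port: Optional[str]) -> Finding:
    where = f"{host}:{port}" if port else host
    kind = classify_host(host)
    if kind == "loopback":
        return Finding("medium", item, f"{where} is a local interception proxy; find the process listening on that port")
    if kind == "public":
        return Finding("high", item, f"{where} is an external host; browser traffic would be relayed through it")
    return Finding("info", item, f"{where}; verify it against the proxy the user expects")


def check_uac(name: str, value: str) -> List[Finding]:
    number = value.split()[0] if value else ""   # "0 (0x0)" -> "0"
    if name == "EnableLUA" and number == "0":
        return [Finding("high", "EnableLUA=0", "UAC is disabled; an administrator's processes run with a full token and nothing ever prompts")]
    if name == "ConsentPromptBehaviorAdmin" and number == "0":
        return [Finding("medium", "ConsentPromptBehaviorAdmin=0", "administrators elevate without a prompt (only matters while EnableLUA is 1)")]
    return []


def check_ie(name: str, value: str) -> Finding:
    if name == "Start Page":
        # ComboFix defangs URLs as hxxp; restore the scheme so urlsplit sees a host.
        host = urlsplit(value.replace("hxxp", "http", 1)).hostname or value
        return Finding("info", "IE Start Page", f"set to {host}; confirm the user chose it")
    host, _, port = value.partition(":")
    return proxy_finding("IE ProxyServer", host, port or None)


def check_firefox_proxy(prefs: Dict[str, str]) -> List[Finding]:
    # network.proxy.type 0 is a direct connection, so manual proxy hosts are not in use.
    active = prefs.get("network.proxy.type", "0") != "0"
    findings = []
    for proto in ("http", "ssl", "ftp", "socks", "gopher"):
        host = prefs.get(f"network.proxy.{proto}")
        if not host:
            continue
        f = proxy_finding(f"Firefox network.proxy.{proto}", host, prefs.get(f"network.proxy.{proto}_port"))
        if not active:
            f = Finding("info", f.item, f.detail + "; network.proxy.type is 0, so Firefox is not using it")
        findings.append(f)
    return findings


def analyse(log_text: str) -> List[Finding]:
    """Walk the log once, tracking which registry key is in scope."""
    findings: List[Finding] = []
    current_key = ""
    ff_prefs: Dict[str, str] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current_key = key.group("key").lower()
            continue
        value = VALUE_RE.match(line)
        if value:
            name, val = value.group("name"), value.group("value").strip()
            if current_key.endswith(UAC_POLICY_KEY):
                findings.extend(check_uac(name, val))
            elif current_key.endswith(WINDOWS_NT_KEY) and name == "AppInit_DLLs" and val:
                findings.append(Finding("medium", "AppInit_DLLs=" + val, "loaded into every process that maps user32.dll; confirm the vendor and file hash"))
            continue
        ie = IE_RE.match(line)
        if ie:
            findings.append(check_ie(ie.group("name"), ie.group("value").strip()))
            continue
        ff = FF_RE.match(line)
        if ff:
            ff_prefs[ff.group("name")] = ff.group("value").strip()
    findings.extend(check_firefox_proxy(ff_prefs))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(f"[{finding.severity:>6}] {finding.item}: {finding.detail}")
```

Run against the sample it reports EnableLUA=0 as the only high finding, the loopback IE proxy as medium, and the two Firefox proxy hosts as info because the pref that would activate them is 0; feed it the same Firefox prefs with network.proxy.type set to 1 and the external 80.193.72.145 entries become high findings. The point of tracking the registry key in scope is that value names such as "EnableLUA" only mean something under the policies\system key, so a naive grep over the whole log would misfire on unrelated values.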

Antivirus Version Last update Result

AhnLab-V3 2010.08.18.00 2010.08.17 -

AntiVir 8.2.4.34 2010.08.17 -

Antiy-AVL 2.0.3.7 2010.08.16 -

Authentium 5.2.0.5 2010.08.18 -

Avast 4.8.1351.0 2010.08.17 -

Avast5 5.0.332.0 2010.08.17 -

AVG 9.0.0.851 2010.08.17 -

BitDefender 7.2 2010.08.18 -

CAT-QuickHeal 11.00 2010.08.16 -

ClamAV 0.96.2.0-git 2010.08.18 -

Comodo 5776 2010.08.17 -

DrWeb 5.0.2.03300 2010.08.18 -

Emsisoft 5.0.0.39 2010.08.17 -

eSafe 7.0.17.0 2010.08.17 -

eTrust-Vet 36.1.7797 2010.08.17 -

F-Prot 4.6.1.107 2010.08.18 -

F-Secure 9.0.15370.0 2010.08.18 -

Fortinet 4.1.143.0 2010.08.16 -

GData 21 2010.08.18 -

Ikarus T3.1.1.88.0 2010.08.17 -

Jiangmin 13.0.900 2010.08.17 -

Kaspersky 7.0.0.125 2010.08.18 -

McAfee 5.400.0.1158 2010.08.18 -

Microsoft 1.6004 2010.08.17 -

NOD32 5374 2010.08.17 -

Norman 6.05.11 2010.08.17 -

nProtect 2010-08-17.01 2010.08.17 -

Panda 10.0.2.7 2010.08.17 -

PCTools 7.0.3.5 2010.08.18 -

Prevx 3.0 2010.08.18 -

Rising 22.61.01.04 2010.08.17 -

Sophos 4.56.0 2010.08.17 -

Sunbelt 6749 2010.08.17 -

SUPERAntiSpyware 4.40.0.1006 2010.08.17 -

Symantec 20101.1.1.7 2010.08.18 -

TheHacker 6.5.2.1.349 2010.08.16 -

TrendMicro 9.120.0.1004 2010.08.17 -

TrendMicro-HouseCall 9.120.0.1004 2010.08.18 -

VBA32 3.12.14.0 2010.08.17 -

ViRobot 2010.8.17.3993 2010.08.17 -

VirusBuster 5.0.27.0 2010.08.17 -

MD5: 7bd7f45ff37fa0669cd32ca0ef46e22c

SHA1: 03c47973f52800a6ae21f1a5992e331b4a9b2837

SHA256: 88cf562d5f8c803a4ff8db28c355073c58be6c02ce950149584749d2d72cc6de

File size: 811520 bytes


Don't bump it! :)

Last steps:

Step 1

To enable CD Emulation programs using DeFogger, please perform these steps:

  1. Please download DeFogger to your desktop.
  2. Once downloaded, double-click on the DeFogger icon to start the tool.
  3. The application window will now appear. You should now click on the Enable button to enable your CD Emulation drivers
  4. When it prompts you whether or not you want to continue, please click on the Yes button to continue
  5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. If CD Emulation programs are present and have been enabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.

Step 2

* Go to start > run and copy and paste the next command into the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Step 3

Please manually delete Defogger, DDS and GMER.

Step 4

Please download and install the latest version of Adobe Reader from:

www.adobe.com

Step 5

Some malware preventions:

http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing! :)


This topic is now closed to further replies.