BassCreator Posted August 16, 2010 ID:300995 Share Posted August 16, 2010 I don't know if this is in the correct section if it is not I sincerely apologize.Yesterday I scanned my computer with Malwarebytes of course and the following items were infected.C:\Users\*\AppData\Local\Temp\samwocnerx.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.C:\Users\*\AppData\Local\Temp\smewnaxcor.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.C:\Users\*\AppData\Local\Temp\1E3D.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.C:\Users\*\AppData\Local\Temp\1F18.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.C:\Users\*\AppData\Local\Temp\2002.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.C:\Users\*\AppData\Local\Temp\2233.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.C:\Users\*\AppData\Local\Temp\2234.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.C:\Users\*\AppData\Local\Temp\23F8.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.The first two listed are completely unknown. Normally if you search for the virus it will shown is search engines etc, this one would not. Is it a new type of virus or is that the actual rootkit.I restarted my computer after Malwarebytes prompted me too, scanned again straight after that nothing found. Then used AVG 9 anti-rootkit scanner, nothing was found in that either.I just want to make sure that all of this has been completely removed, any help would be much appreciated. Thanks guys and gals. Link to post Share on other sites More sharing options...
BassCreator Posted August 16, 2010 Author ID:301140 Share Posted August 16, 2010 Just a quick bump because it's on page 2 and hasn't had a reply yet .Any help would be much appreciated. Link to post Share on other sites More sharing options...
Maniac Posted August 17, 2010 ID:301447 Share Posted August 17, 2010 Hello BassCreator! Welcome to Malwarebytes' Anti-Malware Forums!My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following: The process of cleaning your system may take some time, so please be patient.Follow my instructions step by step if there is a problem somewhere, stop and tell me.Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.Instructions that I give are for your system only!If you don't know or can't understand something please ask. Do not install or uninstall any software or hardware, while work on.Keep me informed about any changes.Please follow these instructions and post all logs if you can:http://forums.malwarebytes.org/index.php?showtopic=9573 Link to post Share on other sites More sharing options...
BassCreator Posted August 17, 2010 Author ID:301455 Share Posted August 17, 2010 This is when I scanned and found the virus:Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 8Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\Users\Harry\AppData\Local\Temp\samwocnerx.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.C:\Users\Harry\AppData\Local\Temp\smewnaxcor.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.C:\Users\Harry\AppData\Local\Temp\1E3D.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.C:\Users\Harry\AppData\Local\Temp\1F18.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.C:\Users\Harry\AppData\Local\Temp\2002.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.C:\Users\Harry\AppData\Local\Temp\2233.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.C:\Users\Harry\AppData\Local\Temp\2234.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.C:\Users\Harry\AppData\Local\Temp\23F8.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.Will post others after i have restarted. Link to post Share on other sites More sharing options...
BassCreator Posted August 17, 2010 Author ID:301462 Share Posted August 17, 2010 Another problem I have come across is that firefox will not close properly. I always have to go to processes firefox and end process to be able to open firefox again.I used defogger everything went ok, but it didn't prompt to restart my system I did that manually.This is the DDS log the attach will be attached as requested.============== Running Processes ===============C:\Windows\system32\wininit.exeC:\Program Files\AVG\AVG9\avgchsvx.exeC:\Program Files\AVG\AVG9\avgrsx.exeC:\Windows\system32\lsm.exeC:\Program Files\AVG\AVG9\avgcsrvx.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\svchost.exe -k RPCSSC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\system32\AUDIODG.EXEC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\svchost.exe -k NetworkServiceC:\Windows\System32\spoolsv.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkC:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exeC:\Windows\System32\svchost.exe -k AkamaiC:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeC:\Program Files\AVG\AVG9\avgwdsvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonationC:\Windows\system32\lxczcoms.exeC:\Windows\system32\svchost.exe -k imgsvcC:\Program Files\AVG\AVG9\avgam.exeC:\Program Files\AVG\AVG9\avgnsx.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestrictedC:\Windows\system32\taskhost.exeC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Program Files\Common Files\Java\Java Update\jusched.exeC:\Program Files\AIM\aim.exeC:\Program Files\Windows Live\Messenger\msnmsgr.exeC:\Program Files\RocketDock\RocketDock.exeC:\Windows\system32\wbem\wmiprvse.exeC:\Program Files\AVG\AVG9\avgcsrvx.exeC:\Windows\system32\SearchIndexer.exeC:\Program Files\Windows Media Player\wmpnetwk.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\svchost.exe -k LocalServicePeerNetC:\Windows\system32\wuauclt.exeC:\Windows\system32\SearchProtocolHost.exeC:\Windows\system32\SearchFilterHost.exeC:\Users\Harry\Desktop\dds.comC:\Windows\system32\conhost.exeC:\Windows\system32\wbem\wmiprvse.exeDefogger log, other one is attached.============== Pseudo HJT Report ===============uSearch Page = hxxp://www.google.rouStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2619605uSearch Bar = hxxp://www.google.rouInternet Settings,ProxyServer = 127.0.0.1:8080uInternet Settings,ProxyOverride = local;*.localuURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dlluURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dlluURLSearchHooks: jdownloader-pro Toolbar: {d59e6cc3-54fa-470c-971c-b8546b1540ac} - c:\program files\jdownloader-pro\tbjdow.dllmURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dllmURLSearchHooks: jdownloader-pro Toolbar: {d59e6cc3-54fa-470c-971c-b8546b1540ac} - c:\program files\jdownloader-pro\tbjdow.dllBHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dllBHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dllBHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No FileBHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dllBHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dllBHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dllBHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dllBHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dllBHO: Nuclear Games Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dllBHO: jdownloader-pro Toolbar: {d59e6cc3-54fa-470c-971c-b8546b1540ac} - c:\program files\jdownloader-pro\tbjdow.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllTB: Nuclear Games Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dllTB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dllTB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dllTB: jdownloader-pro Toolbar: {d59e6cc3-54fa-470c-971c-b8546b1540ac} - c:\program files\jdownloader-pro\tbjdow.dllTB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dlluRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-USuRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /backgrounduRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"uPolicies-explorer: NoResolveTrack = 1 (0x1)mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)mPolicies-system: EnableLUA = 0 (0x0)mPolicies-system: EnableUIADesktopToggle = 0 (0x0)IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.htmlIE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.htmlIE: Free YouTube to Mp3 Converter - c:\users\harry\appdata\roaming\dvdvideosoftiehelpers\youtubetomp3.htmIE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.htmlIE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.htmlIE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.htmlIE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.htmlIE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.htmlIE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dllIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLLDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cabDPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabHandler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dllHandler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dllNotify: igfxcui - igfxdev.dllAppInit_DLLs: avgrsstx.dllSEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll================= FIREFOX ===================FF - ProfilePath - c:\users\harry\appdata\roaming\mozilla\firefox\profiles\do1xicsw.default\FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2619605&SearchSource=3&q={searchTerms}FF - prefs.js: browser.search.selectedEngine - Yahoo! SearchFF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=FF - prefs.js: network.proxy.ftp - 80.193.72.145 FF - prefs.js: network.proxy.ftp_port - 80FF - prefs.js: network.proxy.gopher - 80.193.72.145 FF - prefs.js: network.proxy.gopher_port - 80FF - prefs.js: network.proxy.http_port - 80FF - prefs.js: network.proxy.socks - 80.193.72.145 FF - prefs.js: network.proxy.socks_port - 80FF - prefs.js: network.proxy.ssl - 80.193.72.145 FF - prefs.js: network.proxy.ssl_port - 80FF - prefs.js: network.proxy.type - 0FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dllFF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dllFF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dllFF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dllFF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dllFF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dllFF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dllFF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dllFF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dllFF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dllFF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dllFF - plugin: c:\users\harry\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dllFF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}---- FIREFOX POLICIES ----FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falseFF - user.js: browser.sessionstore.resume_from_crash - falseFF - user.js: network.proxy.type - 0FF - user.js: network.proxy.http - user_pref(network.proxy.http_port,);FF - user.js: network.proxy.no_proxies_on - FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);============= SERVICES / DRIVERS ===============R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-5-13 52872]R1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [2010-4-30 127744]R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-5-13 216400]R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-5-13 29584]R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-5-13 243024]R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-14 20992]R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-22 308136]R2 inpout32;inpout32;c:\windows\system32\drivers\inpout32.sys [2010-5-23 11936]R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-6-10 347136]S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]S3 hcwhdpvr;Hauppauge HD PVR Capture Device;c:\windows\system32\drivers\hcwhdpvr.sys [2010-4-30 157184]S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-23 1343400]============== File Associations ===============.txt================ Created Last 30 ================2010-08-17 12:06:49 0 ----a-w- c:\users\harry\defogger_reenable2010-08-16 17:00:49 0 d-----w- c:\programdata\Sun2010-08-16 17:00:17 423656 ----a-w- c:\windows\system32\deployJava1.dll2010-08-13 11:38:20 0 d-----w- c:\program files\Graboid2010-08-12 22:55:48 0 d-----w- c:\users\harry\appdata\roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.12010-08-12 22:55:41 0 d-----w- c:\program files\TweetDeck2010-08-11 14:19:36 0 d-----w- c:\users\harry\appdata\roaming\Registry Mechanic2010-08-11 14:17:10 0 d-----w- c:\users\harry\appdata\roaming\FTWeak2010-08-10 18:53:16 0 d-----w- c:\users\harry\appdata\roaming\DVDVideoSoftIEHelpers2010-08-10 18:52:51 0 d-----w- c:\program files\DVDVideoSoft2010-08-10 18:52:51 0 d-----w- c:\program files\common files\DVDVideoSoft2010-08-10 15:59:59 0 d-----w- c:\users\harry\appdata\roaming\WindSolutions2010-08-10 15:59:59 0 d-----w- c:\programdata\WindSolutions2010-08-10 15:51:49 0 d-----w- c:\users\harry\appdata\roaming\DiskAid2010-08-10 15:32:28 355 ----a-w- c:\users\harry\Homegroup - Shortcut.lnk2010-08-01 20:40:37 316207 ----a-w- c:\windows\system32\slwc.exe2010-08-01 20:37:33 0 d-----w- c:\program files\Yzshadow2010-08-01 20:37:32 0 d-----w- c:\program files\UberIcon2010-08-01 20:37:30 0 d-----w- c:\program files\RKLauncher2010-08-01 20:37:28 37376 ----a-w- c:\windows\system32\themeservice.dll.backup2010-08-01 20:37:28 2755072 ----a-w- c:\windows\system32\themeui.dll.backup2010-08-01 20:37:27 249856 ----a-w- c:\windows\system32\uxtheme.dll.backup2010-08-01 20:37:20 25214 ----a-w- c:\windows\Icon_1.ico2010-08-01 20:37:19 8636 ----a-w- c:\windows\system32\modifype.exe2010-08-01 20:37:19 111104 ----a-w- c:\windows\system32\Uharc.exe2010-08-01 20:37:19 0 d-----w- C:\SnowFiles2010-07-28 11:28:33 0 d-----w- c:\users\harry\appdata\roaming\Intelli-studio2010-07-28 11:26:40 0 d-----w- c:\program files\SAMSUNG2010-07-28 11:19:41 0 d-----w- c:\programdata\Driver Whiz2010-07-27 13:50:48 40 ----a-w- c:\windows\iltwain.ini2010-07-27 13:50:03 0 d-----w- c:\program files\EzGenerator32010-07-24 23:11:00 0 d-----w- c:\program files\iPod2010-07-23 23:01:17 0 d-----w- c:\program files\TeamViewer==================== Find3M ====================2010-08-01 20:37:28 37376 ----a-w- c:\windows\system32\themeservice.dll2010-08-01 20:37:28 2755072 ----a-w- c:\windows\system32\themeui.dll2010-08-01 20:37:27 249856 ----a-w- c:\windows\system32\uxtheme.dll2010-07-29 06:30:49 197632 ----a-w- c:\windows\system32\ir32_32.dll2010-07-29 06:30:34 82944 ----a-w- c:\windows\system32\iccvid.dll2010-06-30 06:25:31 978432 ----a-w- c:\windows\system32\wininet.dll2010-06-24 18:04:26 409088 ----a-w- c:\windows\system32\systemcpl.dll2010-06-24 18:04:26 13824 ----a-w- c:\windows\system32\slwga.dll2010-06-24 18:04:25 811520 ----a-w- c:\windows\system32\user32.dll2010-06-22 15:35:10 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys2010-06-22 15:35:09 12536 ----a-w- c:\windows\system32\avgrsstx.dll2010-06-22 15:35:04 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys2010-06-22 02:47:35 310784 ----a-w- c:\windows\system32\drivers\srv.sys2010-06-22 02:47:21 307200 ----a-w- c:\windows\system32\drivers\srv2.sys2010-06-22 02:47:13 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys2010-06-19 06:33:29 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe2010-06-19 06:33:29 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe2010-06-19 06:23:50 37376 ----a-w- c:\windows\system32\rtutils.dll2010-06-19 04:07:18 2326016 ----a-w- c:\windows\system32\win32k.sys2010-06-16 05:48:35 224256 ----a-w- c:\windows\system32\schannel.dll2010-06-08 06:02:06 1233920 ----a-w- c:\windows\system32\msxml3.dll2010-05-30 14:47:34 1122304 ----a-w- c:\windows\system32\libeay32.dll2010-05-27 07:24:13 34304 ----a-w- c:\windows\system32\atmlib.dll2010-05-27 03:49:37 293888 ----a-w- c:\windows\system32\atmfd.dll2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe============= FINISH: 13:17:27.80 ===============This is the Ark.txtGMER 1.0.15.15281 - http://www.gmer.netRootkit scan 2010-08-17 13:47:28Windows 6.1.7600 Running: 34shids6.exe; Driver: C:\Users\Harry\AppData\Local\Temp\fgrcqpob.sys---- System - GMER 1.0.15 ----INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A29AF8INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A29104INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A293F4INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A11634INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A11898INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A291DCINT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A29958INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A296F8INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A29F2CINT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A2A1A8---- Kernel code sections - GMER 1.0.15 ----.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A89599 1 Byte [06].text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AADF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}.text peauth.sys 98071C9D 28 Bytes [44, 8A, 31, 7C, F3, F3, 43, ...].text peauth.sys 98071CC1 28 Bytes [44, 8A, 31, 7C, F3, F3, 43, ...]---- User code sections - GMER 1.0.15 ----.text C:\Windows\system32\svchost.exe[1312] ntdll.dll!NtProtectVirtualMemory 774D5380 5 Bytes JMP 0022000A .text C:\Windows\system32\svchost.exe[1312] ntdll.dll!NtWriteVirtualMemory 774D5F00 5 Bytes JMP 0040000A .text C:\Windows\system32\svchost.exe[1312] ntdll.dll!KiUserExceptionDispatcher 774D6448 5 Bytes JMP 0021000A .text C:\Windows\system32\svchost.exe[1312] ole32.dll!CoCreateInstance 75B957FC 5 Bytes JMP 00A1000A .text C:\Windows\system32\svchost.exe[1312] USER32.dll!GetCursorPos 758EC198 5 Bytes JMP 00B9000A .text C:\Windows\system32\wuauclt.exe[1396] ntdll.dll!NtProtectVirtualMemory 774D5380 5 Bytes JMP 0025000A .text C:\Windows\system32\wuauclt.exe[1396] ntdll.dll!NtWriteVirtualMemory 774D5F00 5 Bytes JMP 0026000A .text C:\Windows\system32\wuauclt.exe[1396] ntdll.dll!KiUserExceptionDispatcher 774D6448 5 Bytes JMP 0024000A .text C:\Windows\Explorer.EXE[2760] ntdll.dll!NtProtectVirtualMemory 774D5380 5 Bytes JMP 0029000A .text C:\Windows\Explorer.EXE[2760] ntdll.dll!NtWriteVirtualMemory 774D5F00 5 Bytes JMP 002A000A .text C:\Windows\Explorer.EXE[2760] ntdll.dll!KiUserExceptionDispatcher 774D6448 5 Bytes JMP 0028000A .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] kernel32.dll!LockResource 772B345C 5 Bytes JMP 28001F50 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] kernel32.dll!CreateEventA 772B3A2B 5 Bytes JMP 28001840 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] kernel32.dll!FindResourceW 772B922F 5 Bytes JMP 28001BE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] kernel32.dll!SizeofResource 772B924D 5 Bytes JMP 28001EE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] kernel32.dll!FindResourceExW 772BA7EF 5 Bytes JMP 28001C60 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] kernel32.dll!LoadResource 772BD3B0 5 Bytes JMP 28001E20 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] kernel32.dll!FindResourceExA 772BD4AD 7 Bytes JMP 28001D80 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] kernel32.dll!FindResourceA 772BD575 5 Bytes JMP 28001CF0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] ADVAPI32.dll!CryptDecrypt 77652140 5 Bytes JMP 28001060 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] ADVAPI32.dll!CryptDeriveKey 77652150 5 Bytes JMP 28001000 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] USER32.dll!SetWindowPlacement 758E8169 5 Bytes JMP 28005EA0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] USER32.dll!CreateDialogParamW 758E9BFF 5 Bytes JMP 28006120 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] USER32.dll!SetWindowRgn 758EB29A 4 Bytes JMP 28005FE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] USER32.dll!SetWindowRgn + 5 758EB29F 2 Bytes [CC, CC] {INT 3 ; INT 3 }.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] USER32.dll!CreateWindowExW 758F0E51 5 Bytes JMP 28003CF0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] USER32.dll!LoadIconW 758F1431 2 Bytes JMP 28006960 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] USER32.dll!LoadIconW + 3 758F1434 2 Bytes [71, B2] {JNO 0xffffffffffffffb4}.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] USER32.dll!LoadImageW 758F2323 5 Bytes JMP 28006770 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] USER32.dll!GetWindowLongW 758F83A9 7 Bytes JMP 28006B00 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] USER32.dll!PeekMessageW 758F91B5 5 Bytes JMP 280046C0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] USER32.dll!TrackPopupMenuEx 75915F72 5 Bytes JMP 28004FA0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] USER32.dll!MessageBoxIndirectW 7593E9C3 5 Bytes JMP 28006310 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] WS2_32.dll!closesocket 75D83BED 5 Bytes JMP 2800BB90 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] WS2_32.dll!recv 75D847DF 5 Bytes JMP 2800B3B0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] WS2_32.dll!WSASend 75D868A7 5 Bytes JMP 2800B950 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] WS2_32.dll!WSARecv 75D8C29F 5 Bytes JMP 2800B550 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] WS2_32.dll!send 75D8C4C8 5 Bytes JMP 2800B770 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] SHELL32.dll!Shell_NotifyIconW 75FCFBE1 5 Bytes JMP 28003440 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] ole32.dll!CoRegisterClassObject 75B511F5 5 Bytes JMP 28002360 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] ole32.dll!CoInitializeEx 75B80804 5 Bytes JMP 28002260 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] ole32.dll!CoCreateInstance 75B957FC 1 Byte [E9].text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] ole32.dll!CoCreateInstance 75B957FC 5 Bytes JMP 28002600 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] WININET.dll!InternetCloseHandle 76C1C83E 5 Bytes JMP 2800A560 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] WININET.dll!InternetReadFile 76C1E264 5 Bytes JMP 2800A3B0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] WININET.dll!HttpOpenRequestA 76C203FA 5 Bytes JMP 2800A220 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2944] WININET.dll!HttpSendRequestA 76C902E0 5 Bytes JMP 2800A490 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou).text C:\Program Files\Mozilla Firefox\firefox.exe[3800] ntdll.dll!NtProtectVirtualMemory 774D5380 5 Bytes JMP 0012000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3800] ntdll.dll!NtWriteVirtualMemory 774D5F00 5 Bytes JMP 0013000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3800] ntdll.dll!KiUserExceptionDispatcher 774D6448 5 Bytes JMP 000C000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3800] ntdll.dll!LdrLoadDll 774EF625 5 Bytes JMP 012913F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)---- Devices - GMER 1.0.15 ----AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)Device \Driver\ACPI_HAL \Device\0000004a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)Device -> \Driver\atapi \Device\Harddisk0\DR0 8591AEC5---- Registry - GMER 1.0.15 ----Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel ApartmentReg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\Windows\system32\OLE32.DLLReg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel ApartmentReg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\Windows\system32\OLE32.DLLReg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel ApartmentReg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\Windows\system32\OLE32.DLLReg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x7A 0x45 0x05 0xFD ...Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel ApartmentReg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\Windows\system32\OLE32.DLLReg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel ApartmentReg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\Windows\system32\OLE32.DLLReg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xE9 0x02 0x6C 0xFA ...Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel ApartmentReg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\Windows\system32\OLE32.DLLReg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel ApartmentReg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\Windows\system32\OLE32.DLLReg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel ApartmentReg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\Windows\system32\OLE32.DLLReg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel ApartmentReg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\Windows\system32\OLE32.DLLReg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel ApartmentReg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\Windows\system32\OLE32.DLLReg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel ApartmentReg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\Windows\system32\OLE32.DLLReg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel ApartmentReg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\Windows\system32\OLE32.DLLReg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Harry\Downloads\ZoneAlarm\xae Internet Security Suite 2009+Keygen[h33t]MasterUploader\Setup\zaSUITE_Setup_en.exe 1---- Files - GMER 1.0.15 ----File C:\Windows\system32\drivers\atapi.sys suspicious modification---- EOF - GMER 1.0.15 ----Thanks for the help, you guys are amazing !.Attach.zip Link to post Share on other sites More sharing options...
BassCreator Posted August 17, 2010 Author ID:301463 Share Posted August 17, 2010 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Harry\Downloads\ZoneAlarm\xae Internet Security Suite 2009+Keygen[h33t]MasterUploader\Setup\zaSUITE_Setup_en.exe 1I remember that. I tried to download Zone Alarm Free of their website but it wouldn't work for me at the time. And because I'm so stupid I looked for the free version and downloaded it not realizing that it was it wasn't and had a keygen with a virus which I deleted straight away when I realize it was not a Zone Alarm product but that was a long time ago and I believe the virus was removed, does that mean it's still there ?.Thanks once again. Link to post Share on other sites More sharing options...
Maniac Posted August 17, 2010 ID:301563 Share Posted August 17, 2010 It seems there .... maybe some leftovers. We'll check this out!Please post the entire log file from MBAM. The first part of the log file is cut. Link to post Share on other sites More sharing options...
BassCreator Posted August 17, 2010 Author ID:301586 Share Posted August 17, 2010 Malwarebytes' Anti-Malware 1.46www.malwarebytes.orgDatabase version: 4434Windows 6.1.7600Internet Explorer 8.0.7600.163858/16/2010 1:34:07 AMmbam-log-2010-08-16 (01-34-07).txtScan type: Full scan (C:\|D:\|E:\|)Objects scanned: 63532Time elapsed: 20 minute(s), 52 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 8Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\Users\Harry\AppData\Local\Temp\samwocnerx.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.C:\Users\Harry\AppData\Local\Temp\smewnaxcor.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.C:\Users\Harry\AppData\Local\Temp\1E3D.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.C:\Users\Harry\AppData\Local\Temp\1F18.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.C:\Users\Harry\AppData\Local\Temp\2002.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.C:\Users\Harry\AppData\Local\Temp\2233.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.C:\Users\Harry\AppData\Local\Temp\2234.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.C:\Users\Harry\AppData\Local\Temp\23F8.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully. Link to post Share on other sites More sharing options...
Maniac Posted August 17, 2010 ID:301590 Share Posted August 17, 2010 You missing a couple of updates and my instructions was for Quick scan, not for Full scan. Be more careful!Launch Malwarebytes' Anti-MalwareGo to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply.Extra Note:If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly. Link to post Share on other sites More sharing options...
BassCreator Posted August 17, 2010 Author ID:301607 Share Posted August 17, 2010 Malwarebytes' Anti-Malware 1.46www.malwarebytes.orgDatabase version: 4440Windows 6.1.7600Internet Explorer 8.0.7600.163858/17/2010 9:12:06 PMmbam-log-2010-08-17 (21-12-06).txtScan type: Quick scanObjects scanned: 144453Time elapsed: 9 minute(s), 10 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
Maniac Posted August 17, 2010 ID:301614 Share Posted August 17, 2010 Good!**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper. Please download ComboFix from Here or Here to your Desktop. **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop** If you are using Firefox, make sure that your download settings are as follows: Open Tools -> Options -> Main tab Set to Always ask me where to Save the files. [*]During the download, rename Combofix to Combo-Fix as follows: [*]It is important you rename Combofix during the download, but not after. [*]Please do not rename Combofix to other names, but only to the one indicated. [*]Close any open browsers. [*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. ----------------------------------------------------------- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results. Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask. ----------------------------------------------------------- Close any open browsers. WARNING: Combofix will disconnect your machine from the Internet as soon as it starts Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection. ----------------------------------------------------------- [*]Double click on combo-Fix.exe & follow the prompts. [*]When finished, it will produce a report for you. [*]Please post the C:\Combo-Fix.txt for further review. **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall** Link to post Share on other sites More sharing options...
BassCreator Posted August 17, 2010 Author ID:301680 Share Posted August 17, 2010 Here is the combo-fix log it opted me to restart my computer due to rootkit activity during the scan .ComboFix 10-08-17.02 - Harry 08/17/2010 23:27:54.1.2 - x86Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1916.1033 [GMT 1:00]Running from: c:\users\Harry\Desktop\Combo-Fix.exe.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\windows\7Loader.TAGc:\windows\system32\sleep.exec:\windows\system32\systemInfected copy of c:\windows\system32\drivers\mssmbios.sys was found and disinfected Restored copy from - Kitty had a snack .((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 ))))))))))))))))))))))))))))))).2010-08-17 22:37 . 2010-08-17 22:37 -------- d-----w- c:\users\Harry\AppData\Local\temp2010-08-17 22:37 . 2010-08-17 22:37 -------- d-----w- c:\users\Richard\AppData\Local\temp2010-08-17 22:37 . 2010-08-17 22:37 -------- d-----w- c:\users\Default\AppData\Local\temp2010-08-16 17:00 . 2010-08-16 17:00 -------- d-----w- c:\program files\Common Files\Java2010-08-16 17:00 . 2010-08-16 16:59 423656 ----a-w- c:\windows\system32\deployJava1.dll2010-08-13 11:38 . 2010-08-13 11:38 -------- d-----w- c:\program files\Graboid2010-08-12 22:55 . 2010-08-12 22:55 -------- d-----w- c:\users\Harry\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.12010-08-12 22:55 . 2010-08-12 22:53 53632 ----a-w- c:\users\Harry\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe2010-08-12 22:55 . 2010-08-12 22:55 -------- d-----w- c:\program files\TweetDeck2010-08-12 22:55 . 2010-08-12 22:53 53632 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe2010-08-12 22:55 . 2010-08-12 22:55 -------- d-----w- c:\program files\Common Files\Adobe AIR2010-08-11 15:35 . 2010-08-11 15:35 -------- d-----w- c:\users\Harry\AppData\Roaming\acccore2010-08-11 14:19 . 2010-08-11 14:19 -------- d-----w- c:\users\Harry\AppData\Roaming\Registry Mechanic2010-08-11 14:17 . 2010-08-16 00:44 -------- d-----w- c:\users\Harry\AppData\Roaming\FTWeak2010-08-10 18:53 . 2010-08-10 18:53 -------- d-----w- c:\users\Harry\AppData\Roaming\DVDVideoSoftIEHelpers2010-08-10 18:52 . 2010-08-10 18:53 -------- d-----w- c:\program files\Common Files\DVDVideoSoft2010-08-10 18:52 . 2010-08-10 18:53 -------- d-----w- c:\program files\DVDVideoSoft2010-08-10 16:00 . 2010-08-10 16:00 5443752 ----a-w- c:\users\Harry\AppData\Roaming\WindSolutions\CopyTransControlCenter\Applications\CopyTrans.exe2010-08-10 16:00 . 2010-08-10 16:00 2671840 ----a-w- c:\users\Harry\AppData\Roaming\WindSolutions\CopyTransControlCenter\Applications\CopyTransControlCenter.exe2010-08-10 15:59 . 2010-08-10 16:01 -------- d-----w- c:\users\Harry\AppData\Roaming\WindSolutions2010-08-10 15:59 . 2010-08-10 16:00 -------- d-----w- c:\programdata\WindSolutions2010-08-10 15:51 . 2010-08-10 15:54 -------- d-----w- c:\users\Harry\AppData\Roaming\DiskAid2010-08-10 15:43 . 2010-08-10 15:51 -------- d-----w- c:\users\Harry\AppData\Local\tctemp2010-08-01 20:40 . 2010-07-31 13:45 316207 ----a-w- c:\windows\system32\slwc.exe2010-08-01 20:37 . 2010-08-10 00:51 -------- d-----w- c:\program files\Yzshadow2010-08-01 20:37 . 2010-08-10 00:51 -------- d-----w- c:\program files\UberIcon2010-08-01 20:37 . 2010-08-10 00:51 -------- d-----w- c:\program files\RKLauncher2010-08-01 20:37 . 2010-08-09 20:31 -------- d-----w- C:\SnowFiles2010-08-01 20:37 . 2006-12-03 16:15 111104 ----a-w- c:\windows\system32\Uharc.exe2010-08-01 20:37 . 2006-12-03 16:14 8636 ----a-w- c:\windows\system32\modifype.exe2010-07-28 11:29 . 2010-07-28 11:29 17552011 ----a-w- c:\users\Harry\AppData\Roaming\Intelli-studio\iUpdate.exe2010-07-28 11:28 . 2010-07-28 11:33 -------- d-----w- c:\users\Harry\AppData\Roaming\Intelli-studio2010-07-28 11:26 . 2010-08-10 00:45 -------- d-----w- c:\program files\SAMSUNG2010-07-28 11:19 . 2010-07-28 11:19 -------- d-----w- c:\programdata\Driver Whiz2010-07-27 13:50 . 2010-07-30 15:13 -------- d-----w- c:\program files\EzGenerator32010-07-24 23:11 . 2010-07-24 23:11 -------- d-----w- c:\program files\iPod2010-07-24 23:02 . 2010-07-24 23:02 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe2010-07-23 23:01 . 2010-07-23 23:07 -------- d-----w- c:\program files\TeamViewer.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-08-17 22:38 . 2010-01-13 18:52 -------- d-----w- c:\program files\Common Files\Akamai2010-08-17 13:02 . 2009-08-30 00:18 -------- d-----w- c:\users\Harry\AppData\Roaming\uTorrent2010-08-17 10:48 . 2009-08-28 17:03 -------- d-----w- c:\program files\uTorrent2010-08-16 01:21 . 2010-05-16 18:55 -------- d-----w- c:\program files\JDownloader2010-08-13 10:20 . 2009-08-28 17:05 -------- d-----w- c:\programdata\Microsoft Help2010-08-11 14:17 . 2010-07-03 09:46 123664 ----a-w- c:\users\Harry\AppData\Local\GDIPFONTCACHEV1.DAT2010-08-11 09:17 . 2009-12-06 20:52 -------- d-----w- c:\program files\Steam2010-08-10 00:51 . 2009-07-14 04:52 -------- d-----w- c:\program files\Windows Sidebar2010-08-10 00:46 . 2009-08-28 17:03 -------- d-----w- c:\program files\WinSCP2010-08-10 00:46 . 2009-12-07 18:12 -------- d-----w- c:\program files\Any Video Converter Professional2010-08-08 20:33 . 2009-12-07 18:15 -------- d-----w- c:\users\Harry\AppData\Roaming\Any Video Converter Professional2010-08-03 19:51 . 2009-09-06 10:31 -------- d-----w- c:\users\Harry\AppData\Roaming\LimeWire2010-08-03 19:13 . 2009-08-28 17:18 -------- d-----w- c:\users\Harry\AppData\Roaming\Skype2010-08-02 16:49 . 2009-12-29 15:12 -------- d-----w- c:\users\Harry\AppData\Roaming\vlc2010-08-01 20:37 . 2009-07-13 23:39 2755072 ----a-w- c:\windows\system32\themeui.dll2010-08-01 20:37 . 2009-07-13 23:39 37376 ----a-w- c:\windows\system32\themeservice.dll2010-08-01 20:37 . 2009-07-13 23:40 249856 ----a-w- c:\windows\system32\uxtheme.dll2010-07-29 06:30 . 2010-08-12 10:15 197632 ----a-w- c:\windows\system32\ir32_32.dll2010-07-29 06:30 . 2010-08-12 10:15 82944 ----a-w- c:\windows\system32\iccvid.dll2010-07-24 23:11 . 2010-02-15 14:03 -------- d-----w- c:\program files\iTunes2010-07-24 23:10 . 2009-10-14 18:44 -------- d-----w- c:\program files\Common Files\Apple2010-07-24 23:07 . 2009-12-02 22:51 -------- d-----w- c:\program files\Bonjour2010-07-15 18:00 . 2010-07-15 18:00 -------- d-----w- c:\users\Harry\AppData\Roaming\AVG92010-07-05 15:49 . 2010-07-05 15:49 -------- d-----w- c:\users\Harry\AppData\Roaming\Malwarebytes2010-07-05 15:49 . 2010-07-05 15:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-07-05 15:49 . 2010-07-05 15:49 -------- d-----w- c:\programdata\Malwarebytes2010-06-30 06:25 . 2010-08-12 10:15 978432 ----a-w- c:\windows\system32\wininet.dll2010-06-27 14:11 . 2010-05-13 16:22 -------- d-----w- c:\programdata\AVG Security Toolbar2010-06-26 18:08 . 2010-02-16 13:27 -------- d-----w- c:\program files\VstPlugins2010-06-26 18:07 . 2010-02-16 13:24 -------- d-----w- c:\program files\Image-Line2010-06-24 18:04 . 2009-07-13 23:40 409088 ----a-w- c:\windows\system32\systemcpl.dll2010-06-24 18:04 . 2009-07-13 23:36 13824 ----a-w- c:\windows\system32\slwga.dll2010-06-24 18:04 . 2009-07-13 23:24 811520 ----a-w- c:\windows\system32\user32.dll2010-06-22 15:54 . 2010-06-22 15:54 -------- d-----w- c:\program files\Siber Systems2010-06-22 15:35 . 2010-05-13 16:22 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys2010-06-22 15:35 . 2010-06-22 15:35 12536 ----a-w- c:\windows\system32\avgrsstx.dll2010-06-22 15:35 . 2010-05-13 16:22 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys2010-06-22 02:47 . 2010-08-12 10:15 310784 ----a-w- c:\windows\system32\drivers\srv.sys2010-06-22 02:47 . 2010-08-12 10:15 307200 ----a-w- c:\windows\system32\drivers\srv2.sys2010-06-22 02:47 . 2010-08-12 10:15 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys2010-06-19 06:33 . 2010-08-12 10:15 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe2010-06-19 06:33 . 2010-08-12 10:15 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe2010-06-19 06:23 . 2010-08-12 10:15 37376 ----a-w- c:\windows\system32\rtutils.dll2010-06-19 04:07 . 2010-08-12 10:15 2326016 ----a-w- c:\windows\system32\win32k.sys2010-06-16 05:48 . 2010-08-12 10:15 224256 ----a-w- c:\windows\system32\schannel.dll2010-06-14 06:12 . 2010-08-12 10:15 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys2010-06-08 06:02 . 2010-08-12 10:15 1233920 ----a-w- c:\windows\system32\msxml3.dll2010-06-01 11:05 . 2010-05-13 16:22 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys2010-05-30 14:47 . 2010-05-30 14:47 1122304 ----a-w- c:\windows\system32\libeay32.dll2010-05-27 07:24 . 2010-06-12 09:29 34304 ----a-w- c:\windows\system32\atmlib.dll2010-05-27 03:49 . 2010-06-12 09:29 293888 ----a-w- c:\windows\system32\atmfd.dll2010-05-23 14:53 . 2010-05-23 14:53 11936 ----a-w- c:\windows\system32\drivers\inpout32.sys2009-10-19 18:59 . 2009-12-19 00:42 47104 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe.------- Sigcheck -------[-] 2010-06-24 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]"{d59e6cc3-54fa-470c-971c-b8546b1540ac}"= "c:\program files\jdownloader-pro\tbjdow.dll" [2010-04-15 2515552][HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}][HKEY_CLASSES_ROOT\clsid\{d59e6cc3-54fa-470c-971c-b8546b1540ac}][HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]2010-04-19 09:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]2009-07-10 17:28 1174920 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d59e6cc3-54fa-470c-971c-b8546b1540ac}]2010-04-15 11:33 2515552 ----a-w- c:\program files\jdownloader-pro\tbjdow.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]"{d59e6cc3-54fa-470c-971c-b8546b1540ac}"= "c:\program files\jdownloader-pro\tbjdow.dll" [2010-04-15 2515552][HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}][HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1][HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}][HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd][HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}][HKEY_CLASSES_ROOT\clsid\{d59e6cc3-54fa-470c-971c-b8546b1540ac}][HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]"{D59E6CC3-54FA-470C-971C-B8546B1540AC}"= "c:\program files\jdownloader-pro\tbjdow.dll" [2010-04-15 2515552][HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}][HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1][HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}][HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd][HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}][HKEY_CLASSES_ROOT\clsid\{d59e6cc3-54fa-470c-971c-b8546b1540ac}][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Aim"="c:\program files\AIM\aim.exe" [2010-03-08 3972440]"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-08-16 327472][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]c:\users\Richard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"ConsentPromptBehaviorAdmin"= 0 (0x0)"ConsentPromptBehaviorUser"= 0 (0x0)"EnableLUA"= 0 (0x0)"EnableUIADesktopToggle"= 0 (0x0)[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]"NoResolveTrack"= 1 (0x1)[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]"FTweakFCleaner"=c:\program files\FCleaner\FCleaner.exe -a"Google Update"="c:\users\Harry\AppData\Local\Google\Update\GoogleUpdate.exe" /c"RocketDock"="c:\program files\RocketDock\RocketDock.exe""RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe""Steam"="c:\program files\Steam\Steam.exe" -silent"uTorrent"="c:\program files\uTorrent\uTorrent.exe""msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe""Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe""IgfxTray"=c:\windows\system32\igfxtray.exe"HotKeysCmds"=c:\windows\system32\hkcmd.exe"Persistence"=c:\windows\system32\igfxpers.exe"AVG9_TRAY"=c:\progra~1\AVG\AVG9\avgtray.exe"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe""lxczbmgr.exe"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe""USB2Check"=RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController"USBToolTip"=c:\progra~1\COMMON~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe"ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]R3 hcwhdpvr;Hauppauge HD PVR Capture Device;c:\windows\system32\DRIVERS\hcwhdpvr.sys [2009-04-01 157184]R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-23 1343400]S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2010-05-14 52872]S1 archlp;archlp;c:\windows\system32\drivers\archlp.sys [2009-02-19 127744]S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-06-22 216400]S1 AvgTdiX;AVG Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-06-22 243024]S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]S2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-06-22 308136]S2 inpout32;inpout32;c:\windows\system32\Drivers\inpout32.sys [2010-05-23 11936]S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-07-13 347136][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]Akamai REG_MULTI_SZ Akamai.Contents of the 'Scheduled Tasks' folder2010-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3834575299-2961363844-1884367645-1001Core.job- c:\users\Harry\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-28 17:16]2010-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3834575299-2961363844-1884367645-1001UA.job- c:\users\Harry\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-28 17:16]..------- Supplementary Scan -------.uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2619605uInternet Settings,ProxyServer = 127.0.0.1:8080uInternet Settings,ProxyOverride = local;*.localIE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.htmlIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.htmlIE: Free YouTube to Mp3 Converter - c:\users\Harry\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htmIE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.htmlIE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.htmlFF - ProfilePath - c:\users\Harry\AppData\Roaming\Mozilla\Firefox\Profiles\do1xicsw.default\FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2619605&SearchSource=3&q={searchTerms}FF - prefs.js: browser.search.selectedEngine - Yahoo! SearchFF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=FF - prefs.js: network.proxy.ftp - 80.193.72.145 FF - prefs.js: network.proxy.ftp_port - 80FF - prefs.js: network.proxy.gopher - 80.193.72.145 FF - prefs.js: network.proxy.gopher_port - 80FF - prefs.js: network.proxy.http_port - 80FF - prefs.js: network.proxy.socks - 80.193.72.145 FF - prefs.js: network.proxy.socks_port - 80FF - prefs.js: network.proxy.ssl - 80.193.72.145 FF - prefs.js: network.proxy.ssl_port - 80FF - prefs.js: network.proxy.type - 0FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dllFF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dllFF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dllFF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dllFF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dllFF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dllFF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dllFF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dllFF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dllFF - plugin: c:\users\Harry\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll---- FIREFOX POLICIES ----FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falseFF - user.js: browser.sessionstore.resume_from_crash - falseFF - user.js: network.proxy.type - 0FF - user.js: network.proxy.http - user_pref(network.proxy.http_port,);FF - user.js: network.proxy.no_proxies_on - FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);..------- File Associations -------..txt=.- - - - ORPHANS REMOVED - - - -AddRemove-reFX Nexus 1.3.8 - AMPLiFY Analog Xpansion Update_is1 - c:\users\Harry\Desktop\Nexus\unins000.exe.--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_USERS\.Default\Software\SetID\Internal]@Denied: (A 2) (LocalSystem)"DATA"="<settings expireTime=\"0\" productStatus=\"1\" obSize=\"0\" InstallTS=\"2145870353\" isSubsc=\"0\" version=\"12.0.1\" timeDiff=\"1\" oldDevice=\"\" authStatus_ts=\"0\" />""Device"="yM29zbvPzMnLvrm+x8fPzce+zro="[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d, bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d, bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]@Denied: (A) (Users)@Denied: (A) (Everyone)@Allowed: (B 1 2 3 4 5) (S-1-5-20)"BlindDial"=dword:00000000"MSCurrentCountry"=dword:000000b5[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]@Denied: (Full) (Everyone).Completion time: 2010-08-17 23:41:08ComboFix-quarantined-files.txt 2010-08-17 22:41Pre-Run: 25,047,867,392 bytes freePost-Run: 25,093,369,856 bytes free- - End Of File - - 34B03216A40597396CF18FDB2227987C Link to post Share on other sites More sharing options...
Maniac Posted August 17, 2010 ID:301686 Share Posted August 17, 2010 Please upload this file in www.virustotal.com and post the resaults in your next reply:c:\windows\System32\user32.dll Link to post Share on other sites More sharing options...
BassCreator Posted August 17, 2010 Author ID:301701 Share Posted August 17, 2010 File name:user32.dllSubmission date:2010-08-17 23:29:09 (UTC)Current status:queued queued (#1) analysing finishedResult:0/ 42 (0.0%) Link to post Share on other sites More sharing options...
BassCreator Posted August 17, 2010 Author ID:301702 Share Posted August 17, 2010 Antivirus Version Last update ResultAhnLab-V3 2010.08.18.00 2010.08.17 -AntiVir 8.2.4.34 2010.08.17 -Antiy-AVL 2.0.3.7 2010.08.16 -Authentium 5.2.0.5 2010.08.18 -Avast 4.8.1351.0 2010.08.17 -Avast5 5.0.332.0 2010.08.17 -AVG 9.0.0.851 2010.08.17 -BitDefender 7.2 2010.08.18 -CAT-QuickHeal 11.00 2010.08.16 -ClamAV 0.96.2.0-git 2010.08.18 -Comodo 5776 2010.08.17 -DrWeb 5.0.2.03300 2010.08.18 -Emsisoft 5.0.0.39 2010.08.17 -eSafe 7.0.17.0 2010.08.17 -eTrust-Vet 36.1.7797 2010.08.17 -F-Prot 4.6.1.107 2010.08.18 -F-Secure 9.0.15370.0 2010.08.18 -Fortinet 4.1.143.0 2010.08.16 -GData 21 2010.08.18 -Ikarus T3.1.1.88.0 2010.08.17 -Jiangmin 13.0.900 2010.08.17 -Kaspersky 7.0.0.125 2010.08.18 -McAfee 5.400.0.1158 2010.08.18 -Microsoft 1.6004 2010.08.17 -NOD32 5374 2010.08.17 -Norman 6.05.11 2010.08.17 -nProtect 2010-08-17.01 2010.08.17 -Panda 10.0.2.7 2010.08.17 -PCTools 7.0.3.5 2010.08.18 -Prevx 3.0 2010.08.18 -Rising 22.61.01.04 2010.08.17 -Sophos 4.56.0 2010.08.17 -Sunbelt 6749 2010.08.17 -SUPERAntiSpyware 4.40.0.1006 2010.08.17 -Symantec 20101.1.1.7 2010.08.18 -TheHacker 6.5.2.1.349 2010.08.16 -TrendMicro 9.120.0.1004 2010.08.17 -TrendMicro-HouseCall 9.120.0.1004 2010.08.18 -VBA32 3.12.14.0 2010.08.17 -ViRobot 2010.8.17.3993 2010.08.17 -VirusBuster 5.0.27.0 2010.08.17 -MD5: 7bd7f45ff37fa0669cd32ca0ef46e22cSHA1: 03c47973f52800a6ae21f1a5992e331b4a9b2837SHA256: 88cf562d5f8c803a4ff8db28c355073c58be6c02ce950149584749d2d72cc6deFile size: 811520 bytes Link to post Share on other sites More sharing options...
Maniac Posted August 18, 2010 ID:301849 Share Posted August 18, 2010 Please locate to C:\Qoobox\Qoobox and open Add or Remove Programs.txt . Please post its content in your next reply.Let me know how are things now. Link to post Share on other sites More sharing options...
BassCreator Posted August 18, 2010 Author ID:301868 Share Posted August 18, 2010 Everything seems ok, the firefox problem is fixed now too. Link to post Share on other sites More sharing options...
Maniac Posted August 18, 2010 ID:301877 Share Posted August 18, 2010 Step 1Please, uninstall the following applications:Adobe Reader 9Ask ToolbarYou can read, how to do this here:Windows XPWindows VistaWindows 7Step 2Going over your logs I noticed that you have Link to post Share on other sites More sharing options...
BassCreator Posted August 18, 2010 Author ID:301941 Share Posted August 18, 2010 Removed all though ask toolbar was not there but I removed AIM toolbar, thanks for all your great help as well. Link to post Share on other sites More sharing options...
Maniac Posted August 18, 2010 ID:302049 Share Posted August 18, 2010 Any other problem? Link to post Share on other sites More sharing options...
BassCreator Posted August 18, 2010 Author ID:302052 Share Posted August 18, 2010 No, everything seems ok. So im clean now ?. Link to post Share on other sites More sharing options...
BassCreator Posted August 19, 2010 Author ID:302301 Share Posted August 19, 2010 Quick bump . Link to post Share on other sites More sharing options...
Maniac Posted August 19, 2010 ID:302527 Share Posted August 19, 2010 Don't bump it! Last steps:Step 1To enable CD Emulation programs using DeFogger please perform these steps: Please download DeFogger to your desktop. Once downloaded, double-click on the DeFogger icon to start the tool. The application window will now appear. You should now click on the Enable button to enable your CD Emulation drivers When it prompts you whether or not you want to continue, please click on the Yes button to continue When the program has completed you will see a Finished! message. Click on the OK button to exit the program. If CD Emulation programs are present and have been enabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.Step 2* Go to start > run and copy and paste next command in the field:ComboFix /uninstallMake sure there's a space between Combofix and /Then hit enter.This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.Step 3Please manually delete Defogger, DDS and GMER.Step 4Please download and install the latest version of Adobe Reader from:www.adobe.comStep 5Some malware preventions:http://forums.malwarebytes.org/index.php?showtopic=9365Safe surfing! Link to post Share on other sites More sharing options...
BassCreator Posted August 19, 2010 Author ID:302540 Share Posted August 19, 2010 Thanks for all your great help !. Link to post Share on other sites More sharing options...
Maniac Posted August 19, 2010 ID:302542 Share Posted August 19, 2010 You're welcome! Link to post Share on other sites More sharing options...
Recommended Posts