Thinkpoint


Hi

I've had this virus for 4 days now and nothing seems to remove it. I've used MBAM, AVG, Avira and have now downloaded HijackThis to see if you can help. I am not PC literate with the inner workings. This is the HijackThis report.

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 10:46:04, on 13/11/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17091)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\S3trayp.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\mshta.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [s3Trayp] S3trayp.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon

O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O20 - AppInit_DLLs: wghwfr.dll

O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

--

End of file - 8807 bytes


Hello Pennyforthem

Welcome to Malwarebytes.

=====================

  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

Please download Rootkit Unhooker and save it to your desktop.

  • Note: since it is in .rar format, if you do not have anything that will open it, you can download 7-Zip and use it to extract the data; it can be found here:
  • Right-click on the .rar file and choose Extract Files.
  • Double-click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth Code, Files, and Code Hooks.
  • Uncheck the rest, then click OK.
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK.
  • Wait till the scanner has finished, then go File > Save Report.
  • Save the report somewhere you can find it, typically your desktop. Click Close.
  • Copy the entire contents of the report and paste it in your next reply.

Note - You may get this warning; it is OK, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


Thanks kahdah

This is the OTL:

OTL Extras logfile created on: 13/11/2010 14:54:07 - Run 1

OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\User\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 65.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 81.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 232.88 Gb Total Space | 209.26 Gb Free Space | 89.86% Space Free | Partition Type: NTFS

Computer Name: USER-CC002C0461 | User Name: User | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

"1043:TCP" = 1043:TCP:*:Enabled:Akamai NetSession Interface

"5000:UDP" = 5000:UDP:*:Enabled:Akamai NetSession Interface

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- File not found

"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- File not found

"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger -- (Microsoft Corporation)

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)

"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)

"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)

"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime

"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86

"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour

"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86

"{0D2DBE8A-43D0-7830-7AE7-CA6C99A832E7}" = Adobe Community Help

"{0E532C84-4275-41B3-9D81-D4A1A20D8EE7}" = PlayStation®Store

"{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86

"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP560_series" = Canon MP560 series MP Drivers

"{162B71B8-8464-4680-A086-601D555B331D}" = Apple Mobile Device Support

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime

"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java 6 Update 20

"{2CD2C0DB-81C3-416B-9FA6-589B9235359B}" = OpenOffice.org 2.4

"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java 6 Update 4

"{33BEE6F3-9987-4F98-A069-97A64EC8321A}" = Microsoft Works Suite Add-in for Microsoft Word

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis

"{497A1721-088F-41EF-8876-B43C9DA5528B}" = ArcSoft Software Suite

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml

"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86

"{66EBD70F-A42C-475F-AEDF-277378151033}" = Nero 7 Essentials

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}" = OmniPage SE 2.0

"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable

"{85309D89-7BE9-4094-BB17-24999C6118FC}" = ArcSoft PhotoStudio 5.5

"{911B0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Word 2002

"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86

"{A040AC77-C1AA-4CC9-8931-9F648AF178F6}" = VC 9.0 Runtime

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{AC76BA86-7AD7-1033-7B44-A81000000003}" = Adobe Reader 8.1.0

"{B2F25F71-D920-4288-A548-54CD253DEF14}" = SILKYPIX Developer Studio 3.0 SE

"{B6659DD8-00A7-4A24-BBFB-C1F6982E5D66}" = PlayStation®Network Downloader

"{B9966F27-9678-4620-9579-925E3084647E}" = Microsoft Works

"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C26B06A9-27BB-45B0-9873-9C623EC2BA38}" = iTunes

"{CA9A3609-3ECC-4574-8824-A8161A71A603}" = Canon MP150

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86

"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86

"{DBA8B9E1-C6FF-4624-9598-73D3B41A0903}" = Microsoft Picture It! Photo Standard 9

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"AVG9Uninstall" = AVG Free 9.0

"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus

"Canon MP560 series User Registration" = Canon MP560 series User Registration

"CanonMyPrinter" = Canon Utilities My Printer

"CanonSolutionMenu" = Canon Utilities Solution Menu

"CCleaner" = CCleaner

"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help

"Chrome9HC" = VIA Chrome9 HC IGP Family Display 6.14.10.0137

"Coupon Printer2.0" = Coupon Printer

"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint

"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie7" = Windows Internet Explorer 7

"InstallShield_{B2F25F71-D920-4288-A548-54CD253DEF14}" = SILKYPIX Developer Studio 3.0 SE

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"MP Navigator 2.0" = Canon MP Navigator 2.0

"MP Navigator EX 3.0" = Canon MP Navigator EX 3.0

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"Picasa 3" = Picasa 3

"PictureIt_v9" = Microsoft Picture It! Photo Standard 9

"PrintMaster Gold 3.00" = PrintMaster Gold 3.00

"Shockwave" = Shockwave

"WIC" = Windows Imaging Component

"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 3

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Works2004Setup" = Microsoft Works 2004 Setup Launcher

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

OTL logfile created on: 13/11/2010 14:54:07 - Run 1

OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\User\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 65.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 81.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 232.88 Gb Total Space | 209.26 Gb Free Space | 89.86% Space Free | Partition Type: NTFS

Computer Name: USER-CC002C0461 | User Name: User | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\User\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\AVG\AVG9\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\AVG\AVG9\avgnsx.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac (ArcSoft Inc.)

PRC - C:\Program Files\AVG\AVG9\avgemc.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)

PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)

PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)

PRC - C:\Program Files\AVG\AVG9\avgrsx.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\AVG\AVG9\avgchsvx.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)

PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)

PRC - C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)

PRC - C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE (CANON INC.)

PRC - C:\WINDOWS\system32\VTTimer.exe (S3 Graphics, Inc.)

PRC - C:\WINDOWS\system32\S3Trayp.exe (S3 Graphics Co., Ltd.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe (Nero AG)

PRC - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)

PRC - C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe (ScanSoft, Inc.)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\User\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)

MOD - C:\Program Files\ScanSoft\OmniPageSE2.0\OpHookSE2.dll (ScanSoft, Inc.)

========== Win32 Services (SafeList) ==========

SRV - (Spooler) -- C:\WINDOWS\System32\spoolsv.exe File not found

SRV - (avg9emc) -- C:\Program Files\AVG\AVG9\avgemc.exe (AVG Technologies CZ, s.r.o.)

SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)

SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)

SRV - (avg9wd) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)

SRV - (ACDaemon) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)

SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (Macrovision Corporation)

========== Driver Services (SafeList) ==========

DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)

DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)

DRV - (AvgTdiX) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)

DRV - (AvgLdx86) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)

DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)

DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)

DRV - (AvgMfx86) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)

DRV - (S3GIGP) -- C:\WINDOWS\system32\drivers\S3gIGPm.sys (S3 Graphics Co., Ltd.)

DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (Afc) -- C:\WINDOWS\system32\drivers\afc.sys (Arcsoft, Inc.)

========== Standard Registry (All) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

IE - HKCU\..\URLSearchHook: CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/03 02:00:34 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2010/08/03 11:12:02 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2004/08/12 13:19:39 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.

O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)

O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)

O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)

O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)

O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)

O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

O4 - HKLM..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe (Microsoft


Found it in my docs, no idea how it got there.

RkUnhooker report generator v0.7

==============================================

Rootkit Unhooker kernel version: 3.7.300.509

==============================================

Windows Major Version: 5

Windows Minor Version: 1

Windows Build Number: 2600

==============================================

>Drivers

Driver: C:\WINDOWS\system32\drivers\RtkHDAud.sys

Address: 0xB7C40000

Size: 4911104 bytes

Driver: C:\WINDOWS\System32\s3ginv.dll

Address: 0xBF0B0000

Size: 2875392 bytes

Driver: C:\WINDOWS\system32\ntkrnlpa.exe

Address: 0x804D7000

Size: 2066816 bytes

Driver: PnpManager

Address: 0x804D7000

Size: 2066816 bytes

Driver: RAW

Address: 0x804D7000

Size: 2066816 bytes

Driver: WMIxWDM

Address: 0x804D7000

Size: 2066816 bytes

Driver: Win32k

Address: 0xBF800000

Size: 1855488 bytes

Driver: C:\WINDOWS\System32\win32k.sys

Address: 0xBF800000

Size: 1855488 bytes

Driver: C:\WINDOWS\System32\S3gIGP.dll

Address: 0xBF012000

Size: 647168 bytes

Driver: C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys

Address: 0xB9231000

Size: 630784 bytes

Driver: Ntfs.sys

Address: 0xB9E47000

Size: 577536 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

Address: 0xAA985000

Size: 458752 bytes

Driver: C:\WINDOWS\system32\DRIVERS\update.sys

Address: 0xB90F8000

Size: 385024 bytes

Driver: C:\WINDOWS\system32\DRIVERS\tcpip.sys

Address: 0xB4B32000

Size: 364544 bytes

Driver: C:\WINDOWS\system32\DRIVERS\srv.sys

Address: 0x992A1000

Size: 360448 bytes

Driver: C:\WINDOWS\System32\ATMFD.DLL

Address: 0xBFFA0000

Size: 286720 bytes

Driver: C:\WINDOWS\System32\Drivers\HTTP.sys

Address: 0x98AF3000

Size: 266240 bytes

Driver: C:\WINDOWS\System32\Drivers\avgtdix.sys

Address: 0xB4AF8000

Size: 237568 bytes

Driver: C:\WINDOWS\System32\Drivers\avgldx86.sys

Address: 0xAA92E000

Size: 212992 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rdpdr.sys

Address: 0xB9156000

Size: 196608 bytes

Driver: ACPI.sys

Address: 0xB9F79000

Size: 188416 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mrxdav.sys

Address: 0x99411000

Size: 184320 bytes

Driver: NDIS.sys

Address: 0xB9E1A000

Size: 184320 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rdbss.sys

Address: 0xAA9F5000

Size: 176128 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

Address: 0xB91AE000

Size: 163840 bytes

Driver: C:\WINDOWS\system32\DRIVERS\netbt.sys

Address: 0xAAA42000

Size: 163840 bytes

Driver: dmio.sys

Address: 0xB9F23000

Size: 155648 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ipnat.sys

Address: 0xAF09B000

Size: 155648 bytes

Driver: C:\WINDOWS\system32\drivers\portcls.sys

Address: 0xB7C1C000

Size: 147456 bytes

Driver: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS

Address: 0xB91D6000

Size: 147456 bytes

Driver: C:\WINDOWS\system32\DRIVERS\avipbb.sys

Address: 0xAA962000

Size: 143360 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ks.sys

Address: 0xB91FA000

Size: 143360 bytes

Driver: C:\WINDOWS\System32\drivers\afd.sys

Address: 0xAAA20000

Size: 139264 bytes

Driver: ACPI_HAL

Address: 0x806D0000

Size: 131840 bytes

Driver: C:\WINDOWS\system32\hal.dll

Address: 0x806D0000

Size: 131840 bytes

Driver: fltmgr.sys

Address: 0xB9EEB000

Size: 131072 bytes

Driver: ftdisk.sys

Address: 0xB9F49000

Size: 126976 bytes

Driver: Mup.sys

Address: 0xB9E00000

Size: 106496 bytes

Driver: atapi.sys

Address: 0xB9F0B000

Size: 98304 bytes

Driver: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xAA916000

Size: 98304 bytes

Driver: KSecDD.sys

Address: 0xB9ED4000

Size: 94208 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ndiswan.sys

Address: 0xB9197000

Size: 94208 bytes

Driver: C:\WINDOWS\system32\DRIVERS\avgntflt.sys

Address: 0x9957E000

Size: 86016 bytes

Driver: C:\WINDOWS\system32\drivers\wdmaud.sys

Address: 0x99214000

Size: 86016 bytes

Driver: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS

Address: 0xB921D000

Size: 81920 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ipsec.sys

Address: 0xB4B8B000

Size: 77824 bytes

Driver: C:\WINDOWS\System32\drivers\dxg.sys

Address: 0xBF000000

Size: 73728 bytes

Driver: pci.sys

Address: 0xB9F68000

Size: 69632 bytes

Driver: C:\WINDOWS\system32\DRIVERS\psched.sys

Address: 0xB9186000

Size: 69632 bytes

Driver: C:\WINDOWS\System32\Drivers\Cdfs.SYS

Address: 0xB4C16000

Size: 65536 bytes

Driver: C:\WINDOWS\system32\DRIVERS\cdrom.sys

Address: 0xBA2B8000

Size: 65536 bytes

Driver: C:\WINDOWS\system32\drivers\drmk.sys

Address: 0xB9605000

Size: 61440 bytes

Driver: C:\WINDOWS\system32\DRIVERS\redbook.sys

Address: 0xBA2C8000

Size: 61440 bytes

Driver: C:\WINDOWS\system32\drivers\sysaudio.sys

Address: 0xAAD52000

Size: 61440 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbhub.sys

Address: 0xBA278000

Size: 61440 bytes

Driver: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS

Address: 0xBA0E8000

Size: 53248 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

Address: 0xBA2D8000

Size: 53248 bytes

Driver: VolSnap.sys

Address: 0xBA0C8000

Size: 53248 bytes

Driver: C:\WINDOWS\system32\DRIVERS\raspptp.sys

Address: 0xBA2F8000

Size: 49152 bytes

Driver: C:\WINDOWS\System32\Drivers\Fips.SYS

Address: 0xAB8D0000

Size: 45056 bytes

Driver: C:\WINDOWS\system32\DRIVERS\imapi.sys

Address: 0xBA2A8000

Size: 45056 bytes

Driver: MountMgr.sys

Address: 0xBA0B8000

Size: 45056 bytes

Driver: C:\WINDOWS\system32\DRIVERS\raspppoe.sys

Address: 0xBA2E8000

Size: 45056 bytes

Driver: uagp35.sys

Address: 0xBA108000

Size: 45056 bytes

Driver: isapnp.sys

Address: 0xBA0A8000

Size: 40960 bytes

Driver: C:\WINDOWS\System32\Drivers\NDProxy.SYS

Address: 0xB95F5000

Size: 40960 bytes

Driver: C:\WINDOWS\system32\DRIVERS\termdd.sys

Address: 0xBA318000

Size: 40960 bytes

Driver: disk.sys

Address: 0xBA0D8000

Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS

Address: 0xB406A000

Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\msgpc.sys

Address: 0xBA308000

Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\netbios.sys

Address: 0xAB8E0000

Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\processr.sys

Address: 0xBA298000

Size: 36864 bytes

Driver: PxHelp20.sys

Address: 0xBA0F8000

Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\wanarp.sys

Address: 0xB407A000

Size: 36864 bytes

Driver: C:\WINDOWS\system32\drivers\Afc.sys

Address: 0xBA3C8000

Size: 32768 bytes

Driver: C:\WINDOWS\System32\Drivers\Npfs.SYS

Address: 0xBA3C0000

Size: 32768 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbccgp.sys

Address: 0xB4422000

Size: 32768 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbehci.sys

Address: 0xBA3E0000

Size: 32768 bytes

Driver: C:\WINDOWS\system32\DRIVERS\fdc.sys

Address: 0xBA3F0000

Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\fetnd5.sys

Address: 0xBA3E8000

Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS

Address: 0xBA3A8000

Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS

Address: 0xBA328000

Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbprint.sys

Address: 0xB5962000

Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

Address: 0xBA3A0000

Size: 28672 bytes

Driver: C:\WINDOWS\System32\Drivers\avgmfx86.sys

Address: 0xB484D000

Size: 24576 bytes

Driver: C:\WINDOWS\system32\DRIVERS\kbdclass.sys

Address: 0xBA410000

Size: 24576 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mouclass.sys

Address: 0xBA418000

Size: 24576 bytes

Driver: C:\WINDOWS\System32\Drivers\rkhdrv40.SYS

Address: 0xBA4A8000

Size: 24576 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ssmdrv.sys

Address: 0xB4855000

Size: 24576 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbuhci.sys

Address: 0xBA3D8000

Size: 24576 bytes

Driver: C:\WINDOWS\System32\drivers\vga.sys

Address: 0xBA3B0000

Size: 24576 bytes

Driver: C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

Address: 0xBA3D0000

Size: 20480 bytes

Driver: C:\WINDOWS\System32\Drivers\Msfs.SYS

Address: 0xBA3B8000

Size: 20480 bytes

Driver: PartMgr.sys

Address: 0xBA330000

Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ptilink.sys

Address: 0xBA400000

Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\raspti.sys

Address: 0xBA408000

Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\TDI.SYS

Address: 0xBA3F8000

Size: 20480 bytes

Driver: C:\WINDOWS\System32\watchdog.sys

Address: 0xB5972000

Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\kbdhid.sys

Address: 0xAC5B9000

Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mssmbios.sys

Address: 0xBA540000

Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ndisuio.sys

Address: 0xB44E4000

Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbscan.sys

Address: 0x98177000

Size: 16384 bytes

Driver: C:\WINDOWS\system32\BOOTVID.dll

Address: 0xBA4BC000

Size: 12288 bytes

Driver: C:\WINDOWS\System32\drivers\Dxapi.sys

Address: 0xAB639000

Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\hidusb.sys

Address: 0xB44DC000

Size: 12288 bytes

Driver: C:\WINDOWS\system32\KDCOM.DLL

Address: 0x89BAA000

Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mouhid.sys

Address: 0xB44CC000

Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ndistapi.sys

Address: 0xB9DC8000

Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rasacd.sys

Address: 0xB7C10000

Size: 12288 bytes

Driver: C:\Program Files\Avira\AntiVir Desktop\avgio.sys

Address: 0xBA606000

Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\Beep.SYS

Address: 0xBA60A000

Size: 8192 bytes

Driver: dmload.sys

Address: 0xBA5AC000

Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xBA614000

Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS

Address: 0xBA608000

Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\mnmdd.SYS

Address: 0xBA60C000

Size: 8192 bytes

Driver: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys

Address: 0xBA60E000

Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\swenum.sys

Address: 0xBA5D4000

Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\USBD.SYS

Address: 0xBA604000

Size: 8192 bytes

Driver: viaide.sys

Address: 0xBA5AA000

Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS

Address: 0xBA5A8000

Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\audstub.sys

Address: 0xBA7BD000

Size: 4096 bytes

Driver: C:\WINDOWS\System32\drivers\dxgthk.sys

Address: 0xB0825000

Size: 4096 bytes

Driver: C:\WINDOWS\System32\Drivers\Null.SYS

Address: 0xBA701000

Size: 4096 bytes

Driver: pciide.sys

Address: 0xBA670000

Size: 4096 bytes

!!!!!!!!!!!Hidden driver: ?_empty_?

Loaded from:

Address: 0x89BC0292

Size: 3438 bytes

==============================================

>Stealth

==============================================

>Files

Suspect File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0YCM83TM\k;key=key1+key2+key3+key4;grp=[group];adiframe=y;rdclick=;sub1=1000-1001;sub2=xaukrb200;sub3=dv;sub4=xaukrb200-p1302540-v5991762-sl548739;autoMute=true[1]2 Status: Hidden

Suspect File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0YCM83TM\YPE+AND+NOT%20MATCH%7BView%20all%20Brands%7D_PRODUCTTYPE&combine=FieldCheck&maxresults=10&minscore=30&sort=reverserelevance&DatabaseMatch=Prod_Unit[1].txtf Status: Hidden

Suspect File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\B3G69116\b365;ord=1WGNXHM78N3CN6B1824G;s=i0;s=i1;s=i2;s=i4;s=i5;s=i6;s=i7;s=i8;s=i9;s=81;s=36;s=281;s=95;s=u5;s=u15;s=m1;s=u9;s=m4;s=u8;z=820;z=847;z=810;tile=1[1]0 Status: Hidden

Suspect File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\B3G69116\oSehAqoAwHoA7gB6AMi6AOZCegDA_UDAIAABA%26num%3D1%26sig%3DAGiWqtz5faHuGZgl9ZMIn1ZcK5B5ZToUFQ%26client%3Dca-pub-8225102170299886%26adurl%3D;ord=1289668119[1]0 Status: Hidden

Suspect File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\LI9SJNW8\554d81a7e72f59774fe62f;ord=0P6WNHR56ZX7SG3ZZQB4;s=i0;s=i1;s=i2;s=i4;s=i5;s=i6;s=i7;s=i8;s=i9;s=36;s=m1;s=u15;s=u5;s=u9;s=m4;s=u8;z=825;z=810;tile=2[1].htm0 Status: Hidden

==============================================

>Hooks

ntkrnlpa.exe+0x0006AA9A, Type: Inline - RelativeJump at address 0x80541A9A hook handler located in [ntkrnlpa.exe]

[1048]wuauclt.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump at address 0x7C90E47C hook handler located in [unknown_code_page]

[1048]wuauclt.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump at address 0x7C90D6EE hook handler located in [unknown_code_page]

[1048]wuauclt.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump at address 0x7C90DFAE hook handler located in [unknown_code_page]

[1140]svchost.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump at address 0x7C90E47C hook handler located in [unknown_code_page]

[1140]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump at address 0x7C90D6EE hook handler located in [unknown_code_page]

[1140]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump at address 0x7C90DFAE hook handler located in [unknown_code_page]

[1140]svchost.exe-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump at address 0x7E42974E hook handler located in [unknown_code_page]

[1260]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - RelativeJump at address 0x7C810E27 hook handler located in [mssrch.dll]

[1260]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH at address 0x7C810E2C hook handler located in [unknown_code_page]

[1260]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH at address 0x7C810E2D hook handler located in [unknown_code_page]

[2056]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [shimeng.dll]

[2056]explorer.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump at address 0x7C90E47C hook handler located in [unknown_code_page]

[2056]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump at address 0x7C90D6EE hook handler located in [unknown_code_page]

[2056]explorer.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump at address 0x7C90DFAE hook handler located in [unknown_code_page]

[3736]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x0040111C hook handler located in [shimeng.dll]

[3736]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00401060 hook handler located in [aclayers.dll]

[3736]iexplore.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x004010B8 hook handler located in [aclayers.dll]

[3736]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x00401078 hook handler located in [aclayers.dll]

[3736]iexplore.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump at address 0x7C90E47C hook handler located in [unknown_code_page]

[3736]iexplore.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump at address 0x7C90D6EE hook handler located in [unknown_code_page]

[3736]iexplore.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump at address 0x7C90DFAE hook handler located in [unknown_code_page]

[3736]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump at address 0x7E456D7D hook handler located in [ieframe.dll]

[3736]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump at address 0x7E432072 hook handler located in [ieframe.dll]

[3736]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump at address 0x7E43B144 hook handler located in [ieframe.dll]

[3736]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump at address 0x7E4247AB hook handler located in [ieframe.dll]

[3736]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump at address 0x7E45085C hook handler located in [ieframe.dll]

[3736]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump at address 0x7E450838 hook handler located in [ieframe.dll]

[3736]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump at address 0x7E43A082 hook handler located in [ieframe.dll]

[3736]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump at address 0x7E4664D5 hook handler located in [ieframe.dll]

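As an added example (editor's code, not part of this thread and not from the RkUnhooker tool), here is a small Python triage script for the `>Hooks` section of a report like the one above. It parses hook lines in the format RkUnhooker prints, sorts them into hooks whose handler is a named module and hooks whose handler sits in `[unknown_code_page]`, and then correlates the unknown ones across processes: the same patch of the same function at the same address in several unrelated processes points at one injected component rather than per-application behaviour. The sample lines are a subset copied from the report above; the set of application-compatibility shim modules (`shimeng.dll`, `aclayers.dll`) is the editor's assumption, and "investigate" means exactly that, since some security products hook the same functions from unnamed memory.

```python
"""Triage the '>Hooks' section of a RkUnhooker report (added example, not tool code)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the hook lines posted in the thread above.
SAMPLE_HOOKS = """\
ntkrnlpa.exe+0x0006AA9A, Type: Inline - RelativeJump at address 0x80541A9A hook handler located in [ntkrnlpa.exe]
[1048]wuauclt.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump at address 0x7C90D6EE hook handler located in [unknown_code_page]
[1140]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump at address 0x7C90D6EE hook handler located in [unknown_code_page]
[1140]svchost.exe-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump at address 0x7E42974E hook handler located in [unknown_code_page]
[1260]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - RelativeJump at address 0x7C810E27 hook handler located in [mssrch.dll]
[2056]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [shimeng.dll]
[2056]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump at address 0x7C90D6EE hook handler located in [unknown_code_page]
[3736]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00401060 hook handler located in [aclayers.dll]
[3736]iexplore.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump at address 0x7C90D6EE hook handler located in [unknown_code_page]
[3736]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump at address 0x7E45085C hook handler located in [ieframe.dll]
"""

# "[pid]process-->module-->Function, Type: ... at address 0x... hook handler located in [handler]"
USER_HOOK = re.compile(
    r"^\[(?P<pid>\d+)\](?P<process>[^\s-]+)-->(?P<module>[^\s-]+)-->(?P<function>[^\s,]+), "
    r"Type: (?P<type>.+?) at address (?P<address>0x[0-9A-Fa-f]+) "
    r"hook handler located in \[(?P<handler>[^\]]+)\]$"
)
# "module+0xOFFSET, Type: ... at address 0x... hook handler located in [handler]" (kernel-mode entry)
KERNEL_HOOK = re.compile(
    r"^(?P<module>[^\s+]+)\+(?P<offset>0x[0-9A-Fa-f]+), "
    r"Type: (?P<type>.+?) at address (?P<address>0x[0-9A-Fa-f]+) "
    r"hook handler located in \[(?P<handler>[^\]]+)\]$"
)

# Assumption (editor's list): Windows application-compatibility shim modules.
APPCOMPAT_SHIMS = {"shimeng.dll", "aclayers.dll"}


def parse_hooks(text):
    """Turn report lines into dicts; lines that match neither pattern are skipped."""
    hooks = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = USER_HOOK.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["scope"] = "user"
            hooks.append(d)
            continue
        m = KERNEL_HOOK.match(line)
        if m:
            d = m.groupdict()
            d.update(pid=None, process=None, scope="kernel",
                     function=d["module"] + "+" + d["offset"])
            hooks.append(d)
    return hooks


def classify(hook):
    """Bucket a hook by where its handler lives; only 'investigate' needs a human."""
    handler = hook["handler"].lower()
    if handler == "unknown_code_page":
        return "investigate"        # handler is not backed by any named module
    if handler in APPCOMPAT_SHIMS:
        return "appcompat-shim"     # Windows shim engine/layers patching imports
    if handler == hook["module"].lower() or handler == (hook["process"] or "").lower():
        return "self"               # a module patching itself (e.g. the kernel image)
    return "named-module"           # some other named DLL: check which vendor ships it


def summarize(hooks):
    """Count hooks per bucket."""
    counts = defaultdict(int)
    for h in hooks:
        counts[classify(h)] += 1
    return dict(counts)


def correlate_unknown(hooks):
    """Group 'investigate' hooks by (module, function, address) and list the PIDs
    carrying each one; a site seen in many unrelated processes is one injected
    component, a site seen once is more likely process-specific."""
    by_site = defaultdict(set)
    for h in hooks:
        if classify(h) == "investigate":
            by_site[(h["module"], h["function"], h["address"])].add(h["pid"])
    return {site: sorted(pids) for site, pids in by_site.items()}


if __name__ == "__main__":
    parsed = parse_hooks(SAMPLE_HOOKS)
    print("buckets:", summarize(parsed))
    for (mod, func, addr), pids in sorted(correlate_unknown(parsed).items()):
        print(f"{mod}!{func} @ {addr}: unknown handler in {len(pids)} process(es) {pids}")
```

Run it against a full report by feeding the text between `>Hooks` and the next `====` line to `parse_hooks`; the correlation output is the list of sites a responder would pull the hooked bytes from (or cross-check against the installed security products) before drawing any conclusion.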

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capability to allow a hacker to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you still want to clean it, please do the following:

===================

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

========

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


I take on board all you say kahdah, just a few questions. I have a PC which was previously infected (about two years ago). It hasn't been used on the net since, and it's had a system restore, would this be ok to use for changing passwords and such?

Also, I store my photos in Picasa and wonder if it would be ok to put them to disk for use on other PC.

Thank you for your help, I will follow your instructions for clean up.


Yes, as long as a full system recovery has been done on that PC, it is clean, and yes, you can use it for that purpose.

Yes that will be fine to put the pictures on disk.

It is not a file infector so the only thing to worry about would be password breaches.


Husband doesn't call me Dolly daydreams for nothing :lol:

2010/11/13 22:36:06.0656 TDSS rootkit removing tool 2.4.7.0 Nov 8 2010 10:52:22

2010/11/13 22:36:06.0656 ================================================================================

2010/11/13 22:36:06.0656 SystemInfo:

2010/11/13 22:36:06.0656

2010/11/13 22:36:06.0656 OS Version: 5.1.2600 ServicePack: 3.0

2010/11/13 22:36:06.0656 Product type: Workstation

2010/11/13 22:36:06.0656 ComputerName: USER-CC002C0461

2010/11/13 22:36:06.0656 UserName: User

2010/11/13 22:36:06.0656 Windows directory: C:\WINDOWS

2010/11/13 22:36:06.0656 System windows directory: C:\WINDOWS

2010/11/13 22:36:06.0656 Processor architecture: Intel x86

2010/11/13 22:36:06.0656 Number of processors: 1

2010/11/13 22:36:06.0656 Page size: 0x1000

2010/11/13 22:36:06.0656 Boot type: Normal boot

2010/11/13 22:36:06.0656 ================================================================================

2010/11/13 22:36:07.0078 Initialize success

2010/11/13 22:36:12.0500 ================================================================================

2010/11/13 22:36:12.0500 Scan started

2010/11/13 22:36:12.0500 Mode: Manual;

2010/11/13 22:36:12.0500 ================================================================================

2010/11/13 22:36:14.0062 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/11/13 22:36:14.0140 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/11/13 22:36:14.0281 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/11/13 22:36:14.0390 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\WINDOWS\system32\drivers\Afc.sys

2010/11/13 22:36:14.0484 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/11/13 22:36:15.0000 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/11/13 22:36:15.0093 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/11/13 22:36:15.0203 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/11/13 22:36:15.0296 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/11/13 22:36:15.0562 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys

2010/11/13 22:36:15.0656 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\System32\Drivers\avgldx86.sys

2010/11/13 22:36:15.0750 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\System32\Drivers\avgmfx86.sys

2010/11/13 22:36:15.0796 avgntflt (1eb7d72a82f94f7e9496d363fce00b68) C:\WINDOWS\system32\DRIVERS\avgntflt.sys

2010/11/13 22:36:15.0906 AvgTdiX (22e3b793c3e61720f03d3a22351af410) C:\WINDOWS\System32\Drivers\avgtdix.sys

2010/11/13 22:36:16.0015 avipbb (f8c56231ed5ecf7d1b46b0330880ccef) C:\WINDOWS\system32\DRIVERS\avipbb.sys

2010/11/13 22:36:16.0109 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/11/13 22:36:16.0203 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/11/13 22:36:16.0328 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/11/13 22:36:16.0437 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/11/13 22:36:16.0484 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/11/13 22:36:16.0859 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/11/13 22:36:16.0968 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/11/13 22:36:17.0031 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/11/13 22:36:17.0093 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/11/13 22:36:17.0187 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/11/13 22:36:17.0375 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/11/13 22:36:17.0531 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/11/13 22:36:17.0609 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/11/13 22:36:17.0687 FETNDIS (e9648254056bce81a85380c0c3647dc4) C:\WINDOWS\system32\DRIVERS\fetnd5.sys

2010/11/13 22:36:17.0781 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/11/13 22:36:17.0843 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2010/11/13 22:36:17.0937 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/11/13 22:36:18.0031 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/11/13 22:36:18.0078 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/11/13 22:36:18.0171 GEARAspiWDM (df6e37b27a9a1a498c6d9f29995b7a03) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2010/11/13 22:36:18.0234 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/11/13 22:36:18.0328 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2010/11/13 22:36:18.0437 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2010/11/13 22:36:18.0609 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/11/13 22:36:18.0781 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys

2010/11/13 22:36:18.0875 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/11/13 22:36:19.0203 IntcAzAudAddService (7ffe2751ae9b3082cd55bfcc2e9becdb) C:\WINDOWS\system32\drivers\RtkHDAud.sys

2010/11/13 22:36:19.0468 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/11/13 22:36:19.0562 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/11/13 22:36:19.0640 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/11/13 22:36:19.0734 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/11/13 22:36:19.0828 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/11/13 22:36:19.0906 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/11/13 22:36:20.0000 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/11/13 22:36:20.0046 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/11/13 22:36:20.0125 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2010/11/13 22:36:20.0234 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/11/13 22:36:20.0328 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/11/13 22:36:20.0500 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/11/13 22:36:20.0609 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/11/13 22:36:20.0671 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/11/13 22:36:20.0765 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2010/11/13 22:36:20.0828 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/11/13 22:36:20.0937 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/11/13 22:36:21.0031 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/11/13 22:36:21.0171 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/11/13 22:36:21.0234 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/11/13 22:36:21.0296 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/11/13 22:36:21.0343 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/11/13 22:36:21.0421 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/11/13 22:36:21.0500 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/11/13 22:36:21.0656 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/11/13 22:36:21.0687 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/11/13 22:36:21.0765 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/11/13 22:36:21.0859 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/11/13 22:36:21.0953 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/11/13 22:36:22.0015 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/11/13 22:36:22.0078 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/11/13 22:36:22.0234 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/11/13 22:36:22.0296 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/11/13 22:36:22.0421 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/11/13 22:36:22.0484 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/11/13 22:36:22.0546 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/11/13 22:36:22.0640 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys

2010/11/13 22:36:22.0687 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/11/13 22:36:22.0734 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/11/13 22:36:22.0796 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/11/13 22:36:22.0921 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/11/13 22:36:22.0984 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/11/13 22:36:23.0390 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/11/13 22:36:23.0468 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

2010/11/13 22:36:23.0546 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/11/13 22:36:23.0609 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/11/13 22:36:23.0687 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2010/11/13 22:36:23.0968 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/11/13 22:36:24.0031 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/11/13 22:36:24.0109 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/11/13 22:36:24.0156 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/11/13 22:36:24.0234 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/11/13 22:36:24.0312 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/11/13 22:36:24.0375 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/11/13 22:36:24.0484 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/11/13 22:36:24.0609 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/11/13 22:36:24.0859 S3GIGP (a4b81a67a158c317a22b70208f85ddf1) C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys

2010/11/13 22:36:25.0015 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/11/13 22:36:25.0093 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys

2010/11/13 22:36:25.0203 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/11/13 22:36:25.0390 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/11/13 22:36:25.0484 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/11/13 22:36:25.0609 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/11/13 22:36:25.0734 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys

2010/11/13 22:36:25.0859 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/11/13 22:36:25.0968 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/11/13 22:36:26.0265 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/11/13 22:36:26.0406 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/11/13 22:36:26.0531 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/11/13 22:36:26.0593 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/11/13 22:36:26.0703 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/11/13 22:36:26.0906 uagp35 (d85938f272d1bcf3db3a31fc0a048928) C:\WINDOWS\system32\DRIVERS\uagp35.sys

2010/11/13 22:36:26.0984 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/11/13 22:36:27.0156 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/11/13 22:36:27.0296 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/11/13 22:36:27.0359 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/11/13 22:36:27.0421 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/11/13 22:36:27.0500 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/11/13 22:36:27.0562 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/11/13 22:36:27.0640 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/11/13 22:36:27.0703 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/11/13 22:36:27.0765 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/11/13 22:36:27.0859 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

2010/11/13 22:36:27.0906 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/11/13 22:36:27.0984 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/11/13 22:36:28.0156 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/11/13 22:36:28.0468 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/11/13 22:36:28.0531 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/11/13 22:36:28.0656 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2010/11/13 22:36:28.0656 ================================================================================

2010/11/13 22:36:28.0656 Scan finished

2010/11/13 22:36:28.0656 ================================================================================

2010/11/13 22:36:28.0703 Detected object count: 1

2010/11/13 22:37:10.0171 \HardDisk0 - will be cured after reboot

2010/11/13 22:37:10.0171 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

2010/11/13 22:37:40.0984 Deinitialize success


ComboFix 10-11-12.06 - User 14/11/2010 0:05.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1790.1153 [GMT 0:00]

Running from: c:\documents and settings\User\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\User\Application Data\install

c:\windows\system32\yqovgbjv.ini

c:\windows\Tasks\At1.job

c:\windows\Tasks\At10.job

c:\windows\Tasks\At11.job

c:\windows\Tasks\At12.job

c:\windows\Tasks\At13.job

c:\windows\Tasks\At14.job

c:\windows\Tasks\At15.job

c:\windows\Tasks\At16.job

c:\windows\Tasks\At17.job

c:\windows\Tasks\At18.job

c:\windows\Tasks\At19.job

c:\windows\Tasks\At2.job

c:\windows\Tasks\At20.job

c:\windows\Tasks\At21.job

c:\windows\Tasks\At22.job

c:\windows\Tasks\At23.job

c:\windows\Tasks\At24.job

c:\windows\Tasks\At3.job

c:\windows\Tasks\At4.job

c:\windows\Tasks\At5.job

c:\windows\Tasks\At6.job

c:\windows\Tasks\At7.job

c:\windows\Tasks\At8.job

c:\windows\Tasks\At9.job

c:\windows\Tasks\qrzuasmj.job

Infected copy of c:\windows\system32\userinit.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

.

((((((((((((((((((((((((( Files Created from 2010-10-14 to 2010-11-14 )))))))))))))))))))))))))))))))

.

2010-11-13 15:20 . 2010-11-13 15:20 -------- d-----w- c:\program files\7-Zip

2010-11-13 10:45 . 2010-11-13 10:45 388096 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-11-13 10:45 . 2010-11-13 10:45 -------- d-----w- c:\program files\Trend Micro

2010-11-12 11:02 . 2010-11-12 11:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-11-11 20:53 . 2010-11-11 20:53 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-11-11 18:40 . 2010-11-11 18:40 -------- d-----w- c:\documents and settings\User\Application Data\Avira

2010-11-11 18:37 . 2010-11-11 18:37 -------- d-sh--w- c:\documents and settings\User\PrivacIE

2010-11-11 18:37 . 2010-11-11 18:37 -------- d-sh--w- c:\documents and settings\User\IECompatCache

2010-11-11 18:31 . 2010-11-11 18:31 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-11-11 18:29 . 2010-11-11 18:29 -------- d-sh--w- c:\documents and settings\User\IETldCache

2010-11-11 18:25 . 2010-09-09 13:38 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-11-11 18:25 . 2010-09-09 13:38 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll

2010-11-11 16:35 . 2010-08-02 16:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-11-11 16:35 . 2010-08-02 16:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-11-11 16:35 . 2010-06-17 15:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-11-11 16:35 . 2010-06-17 15:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-11-11 16:35 . 2010-11-11 16:35 -------- d-----w- c:\program files\Avira

2010-11-11 16:35 . 2010-11-11 16:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-11-11 13:00 . 2010-11-11 13:01 -------- d-----w- c:\documents and settings\Administrator

2010-11-06 06:58 . 2010-11-06 06:58 279896 ---ha-r- c:\windows\system32\cpnprtuk.cid

2010-11-06 06:58 . 2010-11-06 06:58 398744 ---ha-r- c:\windows\system32\cpnprt2.cid

2010-11-06 06:55 . 2010-11-06 06:55 -------- d-----w- c:\windows\Cache

2010-11-06 06:55 . 2010-11-06 06:55 -------- d-----w- c:\program files\Coupon Printer

2010-11-06 06:55 . 2010-11-06 06:55 31 ---ha-w- c:\windows\UKCpInfo.sys

2010-11-04 12:11 . 2010-11-04 12:11 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonIJScan

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-18 11:23 . 2004-08-12 13:21 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2004-08-12 13:21 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2004-08-12 13:21 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2004-08-12 13:21 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-09 13:38 . 2004-08-12 13:33 832512 ----a-w- c:\windows\system32\wininet.dll

2010-09-09 13:38 . 2004-08-12 13:20 1830912 ----a-w- c:\windows\system32\inetcpl.cpl

2010-09-09 13:38 . 2004-08-12 13:18 17408 ----a-w- c:\windows\system32\corpol.dll

2010-09-08 15:57 . 2004-08-12 13:19 389120 ----a-w- c:\windows\system32\html.iec

2010-09-01 11:51 . 2004-08-12 13:17 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42 . 2004-08-12 13:33 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2004-08-12 13:30 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57 . 2004-08-12 13:30 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 13:39 . 2004-08-12 13:30 357248 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-26 12:52 . 2009-04-15 16:02 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12 . 2004-08-12 13:17 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-16 08:45 . 2004-08-12 13:27 590848 ----a-w- c:\windows\system32\rpcrt4.dll

.

------- Sigcheck -------

[7] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe

[7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe

[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB2347290$\spoolsv.exe

[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe

[7] 2004-08-12 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe

c:\windows\System32\spoolsv.exe ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"VTTimer"="VTTimer.exe" [2008-09-10 81920]

"S3Trayp"="S3trayp.exe" [2008-09-10 200704]

"RTHDCPL"="RTHDCPL.EXE" [2008-05-13 16862720]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-10 50688]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-11-10 2069856]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-10-19 1983816]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-07-17 00:18 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1043:TCP"= 1043:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [28/10/2008 13:42 216400]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [28/10/2008 13:42 243024]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/11/2010 16:35 135336]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [17/07/2010 00:17 921952]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [17/07/2010 00:18 308136]

S3 rkhdrv40;Rootkit Unhooker Driver; [x]

.

Contents of the 'Scheduled Tasks' folder

2010-11-14 c:\windows\Tasks\User_Feed_Synchronization-{2B1572A8-695E-4DC3-B037-F9A7A08CC279}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

HKCU-Run-AdobeBridge - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-14 00:41

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2456)

c:\windows\system32\WININET.dll

c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll

c:\program files\Common Files\Ahead\Lib\MFC71U.DLL

c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\windows\system32\SearchIndexer.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\windows\system32\VTTimer.exe

c:\windows\system32\S3trayp.exe

c:\windows\RTHDCPL.EXE

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

.

**************************************************************************

.

Completion time: 2010-11-14 00:46:51 - machine was rebooted

ComboFix-quarantined-files.txt 2010-11-14 00:46

Pre-Run: 224,496,218,112 bytes free

Post-Run: 224,741,855,232 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 25D756CA1FFF4B774F7C8BCD3D995744


1. Please open Notepad

  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

FCopy::
c:\windows\system32\dllcache\spoolsv.exe|c:\windows\System32\spoolsv.exe

Driver::
rkhdrv40

DDS::
uInternet Settings,ProxyOverride = *.local

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

(animation: CFScriptB-4.gif)

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt

=============

Update Run Malwarebytes

Please update and run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the Update tab, then click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=====

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check the next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


ComboFix 10-11-12.06 - User 14/11/2010 2:32.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1790.1282 [GMT 0:00]

Running from: c:\documents and settings\User\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

--------------- FCopy ---------------

c:\windows\system32\dllcache\spoolsv.exe --> c:\windows\System32\spoolsv.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_RKHDRV40

-------\Service_rkhdrv40

((((((((((((((((((((((((( Files Created from 2010-10-14 to 2010-11-14 )))))))))))))))))))))))))))))))

.

2010-11-14 02:32 . 2010-08-17 13:17 58880 -c--a-w- c:\windows\system32\dllcache\spoolsv.exe

2010-11-14 02:32 . 2010-08-17 13:17 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-11-13 15:20 . 2010-11-13 15:20 -------- d-----w- c:\program files\7-Zip

2010-11-13 10:45 . 2010-11-13 10:45 388096 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-11-13 10:45 . 2010-11-13 10:45 -------- d-----w- c:\program files\Trend Micro

2010-11-12 11:02 . 2010-11-12 11:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-11-11 20:53 . 2010-11-11 20:53 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-11-11 18:40 . 2010-11-11 18:40 -------- d-----w- c:\documents and settings\User\Application Data\Avira

2010-11-11 18:37 . 2010-11-11 18:37 -------- d-sh--w- c:\documents and settings\User\PrivacIE

2010-11-11 18:37 . 2010-11-11 18:37 -------- d-sh--w- c:\documents and settings\User\IECompatCache

2010-11-11 18:31 . 2010-11-11 18:31 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-11-11 18:29 . 2010-11-11 18:29 -------- d-sh--w- c:\documents and settings\User\IETldCache

2010-11-11 18:25 . 2010-09-09 13:38 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-11-11 18:25 . 2010-09-09 13:38 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll

2010-11-11 16:35 . 2010-08-02 16:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-11-11 16:35 . 2010-08-02 16:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-11-11 16:35 . 2010-06-17 15:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-11-11 16:35 . 2010-06-17 15:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-11-11 16:35 . 2010-11-11 16:35 -------- d-----w- c:\program files\Avira

2010-11-11 16:35 . 2010-11-11 16:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-11-11 13:00 . 2010-11-11 13:01 -------- d-----w- c:\documents and settings\Administrator

2010-11-06 06:58 . 2010-11-06 06:58 279896 ---ha-r- c:\windows\system32\cpnprtuk.cid

2010-11-06 06:58 . 2010-11-06 06:58 398744 ---ha-r- c:\windows\system32\cpnprt2.cid

2010-11-06 06:55 . 2010-11-06 06:55 -------- d-----w- c:\windows\Cache

2010-11-06 06:55 . 2010-11-06 06:55 -------- d-----w- c:\program files\Coupon Printer

2010-11-06 06:55 . 2010-11-06 06:55 31 ---ha-w- c:\windows\UKCpInfo.sys

2010-11-04 12:11 . 2010-11-04 12:11 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonIJScan

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-18 11:23 . 2004-08-12 13:21 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2004-08-12 13:21 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2004-08-12 13:21 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2004-08-12 13:21 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-09 13:38 . 2004-08-12 13:33 832512 ----a-w- c:\windows\system32\wininet.dll

2010-09-09 13:38 . 2004-08-12 13:20 1830912 ----a-w- c:\windows\system32\inetcpl.cpl

2010-09-09 13:38 . 2004-08-12 13:18 17408 ----a-w- c:\windows\system32\corpol.dll

2010-09-08 15:57 . 2004-08-12 13:19 389120 ----a-w- c:\windows\system32\html.iec

2010-09-01 11:51 . 2004-08-12 13:17 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42 . 2004-08-12 13:33 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2004-08-12 13:30 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57 . 2004-08-12 13:30 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 13:39 . 2004-08-12 13:30 357248 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-26 12:52 . 2009-04-15 16:02 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12 . 2004-08-12 13:17 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-16 08:45 . 2004-08-12 13:27 590848 ----a-w- c:\windows\system32\rpcrt4.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"VTTimer"="VTTimer.exe" [2008-09-10 81920]

"S3Trayp"="S3trayp.exe" [2008-09-10 200704]

"RTHDCPL"="RTHDCPL.EXE" [2008-05-13 16862720]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-10 50688]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-10-19 1983816]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1043:TCP"= 1043:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/11/2010 16:35 135336]

.

Contents of the 'Scheduled Tasks' folder

2010-11-14 c:\windows\Tasks\User_Feed_Synchronization-{2B1572A8-695E-4DC3-B037-F9A7A08CC279}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

.

- - - - ORPHANS REMOVED - - - -

Notify-avgrsstarter - avgrsstx.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-14 02:42

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3372)

c:\windows\system32\WININET.dll

c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll

c:\program files\Common Files\Ahead\Lib\MFC71U.DLL

c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\msi.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\windows\system32\SearchIndexer.exe

c:\windows\system32\VTTimer.exe

c:\windows\system32\S3trayp.exe

c:\windows\RTHDCPL.EXE

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe

c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-11-14 02:47:40 - machine was rebooted

ComboFix-quarantined-files.txt 2010-11-14 02:47

ComboFix2.txt 2010-11-14 00:46

Pre-Run: 224,995,708,928 bytes free

Post-Run: 224,936,669,184 bytes free

- - End Of File - - 6F28FFDE932494D11E2299491A5241EB


Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5111

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

14/11/2010 03:06:49

mbam-log-2010-11-14 (03-06-49).txt

Scan type: Quick scan

Objects scanned: 146876

Time elapsed: 11 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Not sure if my machine is clean yet, kahdah; I need your say-so for that, but I'd like to thank you so very much for the time and trouble you've gone to over the last day and night. I really appreciate it.

Hope you don't mind me asking you a few questions because, as already stated, I'm not computer literate. I will not take your answers as a 100% guarantee, but it would be helpful to know the views of a professional.

I have Malwarebytes AM, CCleaner, Avira and did have AVG. What else would you recommend that I need to help prevent my computer being attacked again? Is it worth buying Norton?

Which browser do you believe to be the safest?

I use my PC for many things like banking, bill paying and shopping, and as I can't afford a new one, would you suggest I reformat? Not sure I can, because I didn't get a Windows CD with it. Any advice you can give would be appreciated.

And lastly, what should I do with all of these little Notepad reports on my desktop? :lol: Can I delete them?


I have Malwarebytes AM, CCleaner, Avira and did have AVG. What else would you recommend that I need to help prevent my computer being attacked again? Is it worth buying Norton?
Well, you can if you want, but I see people infected with any type of antivirus, so really it does not matter what you buy; you could always get infected.

I personally use Kaspersky for all of the computers in my household of 3 computers and really have had no complaints.

Which browser do you believe to be the safest?
Any one will do. I prefer Google Chrome, but I'm not saying it is the safest; I think they are all one and the same, to be honest. I see no difference in the infection rate from IE, Firefox, Chrome, Opera etc. browsers.

I use my PC for many things like banking, bill paying, shopping, and as I can't afford a new one would you suggest I reformat. Not sure I can because I didn't get a Windows CD with it. Any advice you can give would be appreciated.
If you do not want to reformat, that is fine; the threat has been removed, and typically it is only a danger if the infection is active.

You can use the recovery partition that is usually shipped with computers or you can order a set of recovery disks from the manufacturer.

Yes you can delete the text files on your desktop.

Please proceed with the eset scan and post that log and we will wrap it up.

Instructions were under the mbam update\run.


Thanks for the advice, kahdah. The ESET scan is disappointing. Can I download a firewall, or is it best to wait until the machine is clean?

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.17091 (vista_gdr.100824-1500)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=0f2f5a5c45e5694db793d28a08d64050

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-11-14 02:20:28

# local_time=2010-11-14 02:20:28 (+0000, GMT Standard Time)

# country="United Kingdom"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 100776 100776 0 0

# compatibility_mode=1797 16775141 100 93 159216 26271625 151679 0

# compatibility_mode=8192 67108863 100 0 3891 3891 0 0

# compatibility_mode=9217 16777214 0 9 47349344 58030418 0 0

# scanned=58024

# found=3

# cleaned=3

# scan_time=2153

C:\Qoobox\Quarantine\C\WINDOWS\system32\yqovgbjv.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{FDD8DD0C-139E-4893-8CF1-D4D1D8F05F86}\RP1\A0000017.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\234.js JS/TrojanDownloader.Agent.NWG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


OTL logfile created on: 14/11/2010 14:36:23 - Run 2

OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\User\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 232.88 Gb Total Space | 209.38 Gb Free Space | 89.91% Space Free | Partition Type: NTFS

Computer Name: USER-CC002C0461 | User Name: User | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\User\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac (ArcSoft Inc.)

PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)

PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)

PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)

PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)

PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)

PRC - C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)

PRC - C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe ()

PRC - C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE (CANON INC.)

PRC - C:\WINDOWS\system32\VTTimer.exe (S3 Graphics, Inc.)

PRC - C:\WINDOWS\system32\S3Trayp.exe (S3 Graphics Co., Ltd.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe (Nero AG)

PRC - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)

PRC - C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe (ScanSoft, Inc.)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\User\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)

MOD - C:\Program Files\ScanSoft\OmniPageSE2.0\OpHookSE2.dll (ScanSoft, Inc.)

========== Win32 Services (SafeList) ==========

SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)

SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)

SRV - (ACDaemon) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)

SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (Macrovision Corporation)

========== Driver Services (SafeList) ==========

DRV - (catchme) -- C:\ComboFix\catchme.sys File not found

DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)

DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)

DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)

DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)

DRV - (S3GIGP) -- C:\WINDOWS\system32\drivers\S3gIGPm.sys (S3 Graphics Co., Ltd.)

DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (Afc) -- C:\WINDOWS\system32\drivers\afc.sys (Arcsoft, Inc.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: ([2010/11/14 02:42:32 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)

O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)

O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)

O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)

O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)

O4 - HKLM..\Run: [OpwareSE2] C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe (ScanSoft, Inc.)

O4 - HKLM..\Run: [s3Trayp] C:\WINDOWS\System32\S3Trayp.exe (S3 Graphics Co., Ltd.)

O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)

O4 - HKCU..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab (Windows Live Safety Center Base Module)

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_04)

O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp

O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2008/10/28 11:12:02 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/14 13:39:45 | 000,000,000 | ---D | C] -- C:\Program Files\ESET

[2010/11/14 02:32:10 | 000,058,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\spoolsv.exe

[2010/11/14 02:20:17 | 001,086,304 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\User\Desktop\avg_remover_stf_x86_2011_1165.exe

[2010/11/14 00:03:37 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2010/11/13 23:58:58 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/11/13 23:58:58 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/11/13 23:58:58 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/11/13 23:58:58 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010/11/13 23:58:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/11/13 23:58:07 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/11/13 22:35:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\tdsskiller

[2010/11/13 20:40:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\20071210_182632_rku37300509

[2010/11/13 15:20:24 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip

[2010/11/13 14:52:40 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe

[2010/11/13 10:45:00 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2010/11/13 00:54:29 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\User\Recent

[2010/11/12 11:02:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe

[2010/11/11 18:40:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Avira

[2010/11/11 18:37:12 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\User\PrivacIE

[2010/11/11 18:37:06 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\User\IECompatCache

[2010/11/11 18:29:44 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\User\IETldCache

[2010/11/11 18:25:39 | 000,078,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ieencode.dll

[2010/11/11 18:25:39 | 000,078,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieencode.dll

[2010/11/11 16:35:48 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys

[2010/11/11 16:35:47 | 000,126,856 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys

[2010/11/11 16:35:47 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys

[2010/11/11 16:35:47 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys

[2010/11/11 16:35:47 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys

[2010/11/11 16:35:45 | 000,000,000 | ---D | C] -- C:\Program Files\Avira

[2010/11/11 16:35:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira

[2010/11/10 18:33:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia

[2010/11/10 18:33:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe

[2010/11/10 11:04:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

[2010/11/10 11:04:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[2010/11/08 10:55:10 | 001,330,776 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\User\Desktop\TDSSKiller.exe

[2010/11/06 06:58:12 | 000,279,896 | RH-- | C] (Couponstar LTD) -- C:\WINDOWS\System32\cpnprtuk.cid

[2010/11/06 06:58:05 | 000,398,744 | RH-- | C] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2.cid

[2010/11/06 06:55:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\Cache

[2010/11/06 06:55:46 | 000,000,000 | ---D | C] -- C:\Program Files\Coupon Printer

[2010/11/04 12:11:57 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\CanonIJScan

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/14 14:24:27 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{2B1572A8-695E-4DC3-B037-F9A7A08CC279}.job

[2010/11/14 10:06:06 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/11/14 10:04:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/11/14 02:42:32 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2010/11/14 02:20:17 | 001,086,304 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\User\Desktop\avg_remover_stf_x86_2011_1165.exe

[2010/11/14 00:03:44 | 000,000,327 | RHS- | M] () -- C:\boot.ini

[2010/11/13 23:50:55 | 003,909,080 | R--- | M] () -- C:\Documents and Settings\User\Desktop\ComboFix.exe

[2010/11/13 22:35:22 | 001,330,776 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\User\Desktop\TDSSKiller.exe

[2010/11/13 22:33:26 | 001,215,581 | ---- | M] () -- C:\Documents and Settings\User\Desktop\tdsskiller.zip

[2010/11/13 15:23:36 | 000,087,354 | ---- | M] () -- C:\Documents and Settings\User\Desktop\20071210_182632_rku37300509.rar

[2010/11/13 15:17:55 | 000,939,956 | ---- | M] () -- C:\Documents and Settings\User\Desktop\7z465.exe

[2010/11/13 14:52:40 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe

[2010/11/13 10:45:42 | 000,002,445 | ---- | M] () -- C:\Documents and Settings\User\Desktop\HiJackThis.lnk

[2010/11/12 19:54:20 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk

[2010/11/11 16:36:03 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk

[2010/11/11 10:24:23 | 000,023,200 | ---- | M] () -- C:\Documents and Settings\User\Application Data\wklnhst.dat

[2010/11/11 10:24:02 | 000,029,696 | ---- | M] () -- C:\Documents and Settings\User\My Documents\cv done2.doc

[2010/11/10 14:25:50 | 000,027,648 | ---- | M] () -- C:\Documents and Settings\User\My Documents\cv done.doc

[2010/11/10 10:15:05 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\User\My Documents\cv.doc

[2010/11/09 18:34:51 | 000,115,200 | ---- | M] () -- C:\Documents and Settings\User\My Documents\cartoons.doc

[2010/11/08 01:20:24 | 000,089,088 | ---- | M] () -- C:\WINDOWS\MBR.exe

[2010/11/06 06:58:14 | 000,398,744 | RH-- | M] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2.cid

[2010/11/06 06:58:12 | 000,279,896 | RH-- | M] (Couponstar LTD) -- C:\WINDOWS\System32\cpnprtuk.cid

[2010/11/06 06:55:46 | 000,000,031 | -H-- | M] () -- C:\WINDOWS\UKCpInfo.sys

[2010/11/02 16:25:02 | 000,477,262 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/11/02 16:25:02 | 000,084,292 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/10/31 00:54:04 | 000,103,424 | ---- | M] () -- C:\Documents and Settings\User\My Documents\The King and Rafa.doc

[2010/10/30 01:09:26 | 000,000,151 | ---- | M] () -- C:\WINDOWS\PhotoSnapViewer.INI

[2010/10/28 12:01:04 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini

[2010/10/28 11:25:20 | 000,000,077 | ---- | M] () -- C:\Documents and Settings\User\default.pls

[2010/10/27 21:52:28 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\User\My Documents\carra and gerrard.doc

[2010/10/27 06:00:42 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Hiya Claire.doc

[2010/10/25 05:49:05 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Bacon Roly Poly.doc

[2010/10/25 04:11:26 | 000,031,232 | ---- | M] () -- C:\Documents and Settings\User\My Documents\spreads.doc

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/14 00:03:44 | 000,000,211 | ---- | C] () -- C:\Boot.bak

[2010/11/14 00:03:42 | 000,260,272 | RHS- | C] () -- C:\cmldr

[2010/11/13 23:58:58 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010/11/13 23:58:58 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010/11/13 23:58:58 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/11/13 23:58:58 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010/11/13 23:58:58 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010/11/13 23:50:46 | 003,909,080 | R--- | C] () -- C:\Documents and Settings\User\Desktop\ComboFix.exe

[2010/11/13 22:33:24 | 001,215,581 | ---- | C] () -- C:\Documents and Settings\User\Desktop\tdsskiller.zip

[2010/11/13 20:40:59 | 000,095,744 | ---- | C] () -- C:\Documents and Settings\User\Desktop\rku37300509.exe

[2010/11/13 15:12:41 | 000,939,956 | ---- | C] () -- C:\Documents and Settings\User\Desktop\7z465.exe

[2010/11/13 15:10:46 | 000,087,354 | ---- | C] () -- C:\Documents and Settings\User\Desktop\20071210_182632_rku37300509.rar

[2010/11/13 10:45:00 | 000,002,445 | ---- | C] () -- C:\Documents and Settings\User\Desktop\HiJackThis.lnk

[2010/11/11 18:37:05 | 000,000,420 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{2B1572A8-695E-4DC3-B037-F9A7A08CC279}.job

[2010/11/11 16:36:02 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk

[2010/11/11 10:24:01 | 000,029,696 | ---- | C] () -- C:\Documents and Settings\User\My Documents\cv done2.doc

[2010/11/10 13:50:07 | 000,027,648 | ---- | C] () -- C:\Documents and Settings\User\My Documents\cv done.doc

[2010/11/10 10:15:04 | 000,020,480 | ---- | C] () -- C:\Documents and Settings\User\My Documents\cv.doc

[2010/11/09 18:34:50 | 000,115,200 | ---- | C] () -- C:\Documents and Settings\User\My Documents\cartoons.doc

[2010/11/06 06:55:46 | 000,000,031 | -H-- | C] () -- C:\WINDOWS\UKCpInfo.sys

[2010/10/31 00:54:04 | 000,103,424 | ---- | C] () -- C:\Documents and Settings\User\My Documents\The King and Rafa.doc

[2010/10/27 21:52:28 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\User\My Documents\carra and gerrard.doc

[2010/10/23 09:01:32 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Hiya Claire.doc

[2010/06/11 17:45:07 | 000,000,021 | ---- | C] () -- C:\WINDOWS\progman.ini

[2010/05/22 07:33:04 | 000,000,026 | ---- | C] () -- C:\WINDOWS\month.ini

[2010/05/22 07:33:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI

[2010/05/22 07:32:55 | 000,000,104 | ---- | C] () -- C:\WINDOWS\OAMSHELL.INI

[2009/07/25 08:57:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MSREGUSR.INI

[2009/06/03 08:32:44 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2009/01/25 09:46:53 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI

[2009/01/24 11:25:51 | 000,023,200 | ---- | C] () -- C:\Documents and Settings\User\Application Data\wklnhst.dat

[2009/01/24 11:13:19 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2009/01/19 12:20:59 | 000,000,110 | ---- | C] () -- C:\WINDOWS\PhEdit.INI

[2009/01/19 12:03:14 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini

[2008/12/28 11:50:24 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini

[2008/12/28 10:22:05 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS7K.DLL

[2008/12/28 10:17:22 | 000,000,532 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI

[2008/10/28 10:44:58 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini

[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini

[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini

< End of report >
