Jump to content

Recommended Posts

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6256

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

4/3/2011 12:11:35 PM

mbam-log-2011-04-03 (12-11-35).txt

Scan type: Quick scan

Objects scanned: 180358

Time elapsed: 16 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\nvappsv.dll (Heuristics.Shuriken) -> Quarantined and deleted successfully.

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by A at 12:38:58.31 on Sun 04/03/2011

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_23

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.1667 [GMT -4:00]

.

AV: Smart Internet Protection 2011 *Enabled/Updated* {30D2F759-8D05-49B1-B3D8-093C8F7092F3}

AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

FW: Smart Internet Protection 2011 *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Secunia\PSI\psi_tray.exe

C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

svchost.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\system32\NlsSrv32.exe

C:\Program Files\Secunia\PSI\PSIA.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Secunia\PSI\sua.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\Ikakya.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\A\Desktop\dds.pif

.

============== Pseudo HJT Report ===============

.

uSearch Page =

uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP

uDefault_Page_URL = hxxp://www.msn.com

uSearch Bar =

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client for internet explorer\YontooIEClient.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Jenkat Arcade] c:\documents and settings\a\application data\jenkat\jenkat games arcade\notifyapp.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [EM_EXEC] c:\progra~1\mousew~1\system\EM_EXEC.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [sciwepazucowopo] rundll32.exe "c:\windows\egubaqeyuhasaj.dll",Startup

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

StartupFolder: c:\docume~1\a\startm~1\programs\startup\imvu.lnk - c:\documents and settings\a\application data\imvuclient\IMVUQualityAgent.exe

StartupFolder: c:\docume~1\a\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe

uPolicies-explorer: DisallowRun = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\a\start menu\programs\imvu\Run IMVU.lnk

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

LSP: %SYSTEMROOT%\system32\nvLsp.dll

DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/Dcode/ActiveX/MSDcode.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234166809488

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234166799878

DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} - hxxps://ediagnostics.lexmark.com/serval.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: itlnfw32 - itlnfw32.dll

Notify: itlntfy - itlnfw32.dll

Notify: ypml - itlnfw32.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

IFEO: image file execution options - svchost.exe

Hosts: 64.34.212.90 www.google.com

Hosts: 64.34.212.90 google.com

Hosts: 64.34.212.90 google.com.au

Hosts: 64.34.212.90 www.google.com.au

Hosts: 64.34.212.90 google.be

.

Note: multiple HOSTS entries found. Please refer to Attach.txt

.

============= SERVICES / DRIVERS ===============

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-3 64288]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-9 216400]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-9 29584]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-7 243024]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-23 1405384]

R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NlsSrv32.exe [2010-11-21 61440]

R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-1-10 993848]

R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-1-10 399416]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-2-17 24652]

S2 gupdate1c994ae50cdb1e;Google Update Service (gupdate1c994ae50cdb1e);c:\program files\google\update\GoogleUpdate.exe [2009-2-22 133104]

S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2008-4-14 14336]

S2 MemChecker;Memory Checker;c:\windows\mc76487.exe [2011-3-25 339968]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-6-5 1684736]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]

S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\rtl8187b.sys --> c:\windows\system32\drivers\RTL8187B.sys [?]

.

=============== Created Last 30 ================

.

2011-04-03 14:40:53 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-04-03 12:20:23 -------- d-----w- c:\docume~1\a\applic~1\Toacpa

2011-04-03 12:20:23 -------- d-----w- c:\docume~1\a\applic~1\Odupyg

2011-04-03 12:20:03 163328 ----a-w- c:\windows\Ikakya.exe

2011-04-03 12:09:59 -------- d-----w- c:\docume~1\a\locals~1\applic~1\Secunia PSI

2011-04-03 12:09:52 -------- d-----w- c:\program files\Secunia

2011-03-28 15:04:17 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-03-28 15:04:17 -------- d-----w- c:\windows\system32\wbem\Repository

2011-03-26 00:12:45 34816 ----a-w- c:\windows\system32\itlnfw32.dll

2011-03-25 18:58:41 339968 ----a-w- c:\windows\mc76487.exe

2011-03-25 18:54:44 0 ----a-w- c:\windows\Qforoqeso.bin

2011-03-25 18:54:42 -------- d-----w- c:\docume~1\a\locals~1\applic~1\{F49866CF-2D30-4769-9AD5-413689DB18C3}

2011-03-25 18:51:33 -------- d-----w- c:\docume~1\a\applic~1\DB03EF406BCBDAABF830264BA9FBEEFD

2011-03-15 15:25:01 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files

2011-03-12 16:28:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll

2011-03-12 16:28:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

2011-03-05 01:24:00 -------- d-----w- c:\docume~1\a\applic~1\Armagetron

2011-03-05 01:21:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\Armagetron

.

==================== Find3M ====================

.

2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-08 12:55:21 16432 ----a-w- c:\windows\system32\lsdelete.exe

2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:42:25 439808 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09:31 290048 ----a-w- c:\windows\system32\atmfd.dll

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: WDC_WD3200AAJS-00L7A0 rev.01.03E01 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-e

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A221439]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a2277d0]; MOV EAX, [0x8a22784c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A234AB8]

3 CLASSPNP[0xB80F8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000069[0x8A2629E8]

5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A304D98]

\Driver\atapi[0x8A26BA08] -> IRP_MJ_CREATE -> 0x8A221439

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

\Device\Ide\IdeDeviceP2T0L0-e -> \??\IDE#DiskWDC_WD3200AAJS-00L7A0___________________01.03E01#5&29ddb8c4&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x8A22127F

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 12:41:40.79 ===============

attach.zip

Link to post
Share on other sites

Hello DaveUpNorth! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware, while work on.
  • Keep me informed about any changes.
  • Post all of your log files, don't attach them.

Step 1

First of all, you should not have more than one anti-virus program installed as they will conflict and cause problems. You have two so you need to uninstall one of them. Of the two, I would recommend keeping AVG 9.0, so please uninstall Ad-Aware.

Step 2

Please, uninstall the following applications:

  1. Search Toolbar

You can read, how to do this here:

Step 3

I also see you have Viewpoint installed...

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: -http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Step 4

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, choose it.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply.

Note:It will also create a log in the C:\ directory.

In your next reply, please post the following logs:

  1. TDSSKiller log
  2. a new fresh DDS log only

Link to post
Share on other sites

Thanks, Borislav.

I completed Step 1. When attempting to complete Step 2, I encountered an Uninstaller Error, which said, "An error occurred when trying to remove Search Toolbar. I may have already been uninstalled. Would you like to remove Search Toolbar from the Add or Remove programs list?" (The publisher is Zugo Ltd. The version is 1.2)

Shall I remove it from the list or attempt to remove the toolbar some other way? If so, what would that be?

Also, I don't know if this is of interest, but when rebooting, I receive the following error message: " Error Loading c:\windows\egubaqeyuhasaj.dll" That's recent; it occurred before and after I followed the steps that led me first post.

Thanks.

Link to post
Share on other sites

Step 2, I encountered an Uninstaller Error, which said, "An error occurred when trying to remove Search Toolbar. I may have already been uninstalled. Would you like to remove Search Toolbar from the Add or Remove programs list?" (The publisher is Zugo Ltd. The version is 1.2)

Please choose "Yes" or similiar.

Also, I don't know if this is of interest, but when rebooting, I receive the following error message: " Error Loading c:\windows\egubaqeyuhasaj.dll" That's recent; it occurred before and after I followed the steps that led me first post.

It's due to malware, don't worry.

Go Ahead.

Link to post
Share on other sites

I completed steps 1, 3 and 4 and removed the Search Toolbar from listed programs in Add/Remove. Thanks.

2011/04/03 14:11:45.0921 11716 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28

2011/04/03 14:11:46.0156 11716 ================================================================================

2011/04/03 14:11:46.0156 11716 SystemInfo:

2011/04/03 14:11:46.0156 11716

2011/04/03 14:11:46.0156 11716 OS Version: 5.1.2600 ServicePack: 3.0

2011/04/03 14:11:46.0156 11716 Product type: Workstation

2011/04/03 14:11:46.0156 11716 ComputerName: A-96D32C871F104

2011/04/03 14:11:46.0156 11716 UserName: A

2011/04/03 14:11:46.0156 11716 Windows directory: C:\WINDOWS

2011/04/03 14:11:46.0156 11716 System windows directory: C:\WINDOWS

2011/04/03 14:11:46.0156 11716 Processor architecture: Intel x86

2011/04/03 14:11:46.0156 11716 Number of processors: 2

2011/04/03 14:11:46.0156 11716 Page size: 0x1000

2011/04/03 14:11:46.0156 11716 Boot type: Normal boot

2011/04/03 14:11:46.0156 11716 ================================================================================

2011/04/03 14:11:46.0515 11716 Initialize success

2011/04/03 14:12:13.0640 11880 ================================================================================

2011/04/03 14:12:13.0656 11880 Scan started

2011/04/03 14:12:13.0656 11880 Mode: Manual;

2011/04/03 14:12:13.0656 11880 ================================================================================

2011/04/03 14:12:15.0265 11880 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/04/03 14:12:15.0312 11880 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/04/03 14:12:15.0390 11880 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/04/03 14:12:15.0453 11880 Afc (fe3ea6e9afc1a78e6edca121e006afb7) C:\WINDOWS\system32\drivers\Afc.sys

2011/04/03 14:12:15.0515 11880 AFD (4d43e74f2a1239d53929b82600f1971c) C:\WINDOWS\System32\drivers\afd.sys

2011/04/03 14:12:15.0687 11880 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys

2011/04/03 14:12:15.0781 11880 AmdK8 (0a4d13b388c814560bd69c3a496ecfa8) C:\WINDOWS\system32\DRIVERS\AmdK8.sys

2011/04/03 14:12:15.0953 11880 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/04/03 14:12:16.0000 11880 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/04/03 14:12:16.0046 11880 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/04/03 14:12:16.0171 11880 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/04/03 14:12:16.0250 11880 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\system32\Drivers\avgldx86.sys

2011/04/03 14:12:16.0296 11880 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\system32\Drivers\avgmfx86.sys

2011/04/03 14:12:16.0343 11880 AvgTdiX (22e3b793c3e61720f03d3a22351af410) C:\WINDOWS\system32\Drivers\avgtdix.sys

2011/04/03 14:12:16.0406 11880 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/04/03 14:12:16.0453 11880 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/04/03 14:12:16.0515 11880 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/04/03 14:12:16.0578 11880 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/04/03 14:12:16.0640 11880 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/04/03 14:12:16.0828 11880 Disk (47b6aaec570f2c11d8bad80a064d8ed1) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/04/03 14:12:16.0890 11880 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/04/03 14:12:16.0937 11880 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/04/03 14:12:16.0968 11880 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/04/03 14:12:17.0031 11880 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/04/03 14:12:17.0109 11880 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/04/03 14:12:17.0140 11880 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/04/03 14:12:17.0171 11880 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2011/04/03 14:12:17.0203 11880 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/04/03 14:12:17.0312 11880 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2011/04/03 14:12:17.0375 11880 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

2011/04/03 14:12:17.0421 11880 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/04/03 14:12:17.0468 11880 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/04/03 14:12:17.0515 11880 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2011/04/03 14:12:17.0578 11880 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/04/03 14:12:17.0625 11880 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2011/04/03 14:12:17.0671 11880 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/04/03 14:12:17.0734 11880 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/04/03 14:12:17.0812 11880 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/04/03 14:12:17.0859 11880 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/04/03 14:12:18.0046 11880 IntcAzAudAddService (e8656858d8b2da7c9cf59fb4e5ce32ed) C:\WINDOWS\system32\drivers\RtkHDAud.sys

2011/04/03 14:12:18.0234 11880 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

2011/04/03 14:12:18.0281 11880 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/04/03 14:12:18.0328 11880 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/04/03 14:12:18.0453 11880 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/04/03 14:12:18.0515 11880 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/04/03 14:12:18.0578 11880 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/04/03 14:12:18.0640 11880 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/04/03 14:12:18.0687 11880 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/04/03 14:12:18.0718 11880 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/04/03 14:12:18.0765 11880 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/04/03 14:12:18.0828 11880 KSecDD (c6ebf1d6ad71df30db49b8d3287e1368) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/04/03 14:12:18.0890 11880 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys

2011/04/03 14:12:18.0968 11880 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/04/03 14:12:19.0031 11880 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/04/03 14:12:19.0109 11880 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys

2011/04/03 14:12:19.0171 11880 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/04/03 14:12:19.0218 11880 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/04/03 14:12:19.0250 11880 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/04/03 14:12:19.0296 11880 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/04/03 14:12:19.0359 11880 MRxSmb (d09b9f0b9960dd41e73127b7814c115f) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/04/03 14:12:19.0390 11880 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/04/03 14:12:19.0453 11880 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/04/03 14:12:19.0578 11880 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/04/03 14:12:19.0609 11880 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/04/03 14:12:19.0640 11880 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/04/03 14:12:19.0687 11880 Mup (6546fe6639499fa4bef180bdf08266a1) C:\WINDOWS\system32\drivers\Mup.sys

2011/04/03 14:12:19.0765 11880 NDIS (b5b1080d35974c0e718d64280761bcd5) C:\WINDOWS\system32\drivers\NDIS.sys

2011/04/03 14:12:19.0781 11880 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/04/03 14:12:19.0843 11880 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/04/03 14:12:19.0859 11880 NdisWan (b053a8411045fd0664b389a090cb2bbc) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/04/03 14:12:19.0921 11880 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/04/03 14:12:19.0937 11880 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/04/03 14:12:19.0968 11880 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/04/03 14:12:20.0015 11880 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/04/03 14:12:20.0093 11880 Ntfs (a0857c97770034fd2af17dc4014b5abd) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/04/03 14:12:20.0171 11880 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/04/03 14:12:20.0359 11880 nv (da8c5723ad3a73f57ffd4dd64aba2c77) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2011/04/03 14:12:20.0593 11880 NVENETFD (7d275ecda4628318912f6c945d5cf963) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys

2011/04/03 14:12:20.0718 11880 nvnetbus (b64aacefad2be5bff5353fe681253c67) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys

2011/04/03 14:12:20.0781 11880 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/04/03 14:12:20.0796 11880 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/04/03 14:12:20.0859 11880 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/04/03 14:12:20.0890 11880 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/04/03 14:12:20.0937 11880 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/04/03 14:12:20.0968 11880 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/04/03 14:12:21.0015 11880 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/04/03 14:12:21.0046 11880 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/04/03 14:12:21.0234 11880 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/04/03 14:12:21.0250 11880 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/04/03 14:12:21.0312 11880 PSI (d24dfd16a1e2a76034df5aa18125c35d) C:\WINDOWS\system32\DRIVERS\psi_mf.sys

2011/04/03 14:12:21.0343 11880 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/04/03 14:12:21.0375 11880 PxHelp20 (5491e4e7d93804f43abe8ce3c39f5a86) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2011/04/03 14:12:21.0484 11880 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/04/03 14:12:21.0515 11880 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/04/03 14:12:21.0546 11880 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/04/03 14:12:21.0562 11880 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/04/03 14:12:21.0593 11880 Rdbss (9629383f70db691cb6aa5bbd828cd9a9) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/04/03 14:12:21.0609 11880 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/04/03 14:12:21.0656 11880 rdpdr (3a99642ed25a2fad5b0ba55f09ba2f93) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/04/03 14:12:21.0703 11880 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/04/03 14:12:21.0828 11880 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/04/03 14:12:21.0921 11880 rspndr (743d7d59767073a617b1dcc6c546f234) C:\WINDOWS\system32\DRIVERS\rspndr.sys

2011/04/03 14:12:22.0000 11880 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/04/03 14:12:22.0078 11880 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/04/03 14:12:22.0093 11880 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/04/03 14:12:22.0171 11880 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/04/03 14:12:22.0312 11880 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/04/03 14:12:22.0406 11880 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/04/03 14:12:22.0453 11880 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/04/03 14:12:22.0515 11880 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/04/03 14:12:22.0562 11880 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/04/03 14:12:22.0718 11880 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/04/03 14:12:22.0796 11880 Tcpip (ad978a1b783b5719720cff204b666c8e) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/04/03 14:12:22.0921 11880 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/04/03 14:12:22.0953 11880 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/04/03 14:12:23.0000 11880 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/04/03 14:12:23.0078 11880 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/04/03 14:12:23.0125 11880 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/04/03 14:12:23.0171 11880 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys

2011/04/03 14:12:23.0187 11880 usbccgp (c18d6c74953621346df6b0a11f80c1cc) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/04/03 14:12:23.0234 11880 usbehci (152ee0baa614388273a0b9ae9c9fd5a0) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/04/03 14:12:23.0281 11880 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/04/03 14:12:23.0328 11880 usbohci (c5e11cd822adf0019a5a862d9c4e2222) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2011/04/03 14:12:23.0390 11880 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/04/03 14:12:23.0453 11880 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/04/03 14:12:23.0484 11880 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/04/03 14:12:23.0546 11880 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/04/03 14:12:23.0578 11880 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/04/03 14:12:23.0625 11880 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/04/03 14:12:23.0703 11880 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/04/03 14:12:23.0796 11880 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys

2011/04/03 14:12:23.0843 11880 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

2011/04/03 14:12:23.0921 11880 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2011/04/03 14:12:23.0921 11880 ================================================================================

2011/04/03 14:12:23.0921 11880 Scan finished

2011/04/03 14:12:23.0921 11880 ================================================================================

2011/04/03 14:12:23.0937 11872 Detected object count: 1

2011/04/03 14:12:34.0890 11872 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot

2011/04/03 14:12:34.0890 11872 \HardDisk0 - ok

2011/04/03 14:12:34.0890 11872 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

2011/04/03 14:12:42.0890 11708 Deinitialize success

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by A at 14:17:57.98 on Sun 04/03/2011

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_23

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2215 [GMT -4:00]

.

AV: Smart Internet Protection 2011 *Enabled/Updated* {30D2F759-8D05-49B1-B3D8-093C8F7092F3}

AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: Smart Internet Protection 2011 *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Secunia\PSI\psi_tray.exe

C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

svchost.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\system32\NlsSrv32.exe

C:\Program Files\Secunia\PSI\PSIA.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Secunia\PSI\sua.exe

C:\Documents and Settings\A\Desktop\dds.pif

.

============== Pseudo HJT Report ===============

.

uSearch Page =

uStart Page = hxxp://www.bing.com/

uDefault_Page_URL = hxxp://www.msn.com

uSearch Bar =

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client for internet explorer\YontooIEClient.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Jenkat Arcade] c:\documents and settings\a\application data\jenkat\jenkat games arcade\notifyapp.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [EM_EXEC] c:\progra~1\mousew~1\system\EM_EXEC.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [sciwepazucowopo] rundll32.exe "c:\windows\egubaqeyuhasaj.dll",Startup

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

StartupFolder: c:\docume~1\a\startm~1\programs\startup\imvu.lnk - c:\documents and settings\a\application data\imvuclient\IMVUQualityAgent.exe

StartupFolder: c:\docume~1\a\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe

uPolicies-explorer: DisallowRun = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\a\start menu\programs\imvu\Run IMVU.lnk

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

LSP: %SYSTEMROOT%\system32\nvLsp.dll

DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/Dcode/ActiveX/MSDcode.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234166809488

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234166799878

DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} - hxxps://ediagnostics.lexmark.com/serval.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: itlnfw32 - itlnfw32.dll

Notify: itlntfy - itlnfw32.dll

Notify: ypml - itlnfw32.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

IFEO: image file execution options - svchost.exe

Hosts: 64.34.212.90 www.google.com

Hosts: 64.34.212.90 google.com

Hosts: 64.34.212.90 google.com.au

Hosts: 64.34.212.90 www.google.com.au

Hosts: 64.34.212.90 google.be

.

Note: multiple HOSTS entries found. Please refer to Attach.txt

.

============= SERVICES / DRIVERS ===============

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-3 64288]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-9 216400]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-9 29584]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-7 243024]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]

R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NlsSrv32.exe [2010-11-21 61440]

R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-1-10 993848]

R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-1-10 399416]

S2 gupdate1c994ae50cdb1e;Google Update Service (gupdate1c994ae50cdb1e);c:\program files\google\update\GoogleUpdate.exe [2009-2-22 133104]

S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2008-4-14 14336]

S2 MemChecker;Memory Checker;c:\windows\mc76487.exe [2011-3-25 339968]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-6-5 1684736]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]

S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\rtl8187b.sys --> c:\windows\system32\drivers\RTL8187B.sys [?]

.

=============== Created Last 30 ================

.

2011-04-03 14:40:53 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-04-03 12:20:23 -------- d-----w- c:\docume~1\a\applic~1\Toacpa

2011-04-03 12:20:23 -------- d-----w- c:\docume~1\a\applic~1\Odupyg

2011-04-03 12:20:03 163328 ----a-w- c:\windows\Ikakya.exe

2011-04-03 12:09:59 -------- d-----w- c:\docume~1\a\locals~1\applic~1\Secunia PSI

2011-04-03 12:09:52 -------- d-----w- c:\program files\Secunia

2011-03-28 15:04:17 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-03-28 15:04:17 -------- d-----w- c:\windows\system32\wbem\Repository

2011-03-26 00:12:45 34816 ----a-w- c:\windows\system32\itlnfw32.dll

2011-03-25 18:58:41 339968 ----a-w- c:\windows\mc76487.exe

2011-03-25 18:54:44 0 ----a-w- c:\windows\Qforoqeso.bin

2011-03-25 18:54:42 -------- d-----w- c:\docume~1\a\locals~1\applic~1\{F49866CF-2D30-4769-9AD5-413689DB18C3}

2011-03-25 18:51:33 -------- d-----w- c:\docume~1\a\applic~1\DB03EF406BCBDAABF830264BA9FBEEFD

2011-03-15 15:25:01 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files

2011-03-12 16:28:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll

2011-03-12 16:28:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

2011-03-05 01:24:00 -------- d-----w- c:\docume~1\a\applic~1\Armagetron

2011-03-05 01:21:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\Armagetron

.

==================== Find3M ====================

.

2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:42:25 439808 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09:31 290048 ----a-w- c:\windows\system32\atmfd.dll

.

============= FINISH: 14:18:12.17 ===============

Link to post
Share on other sites

Nope, but wait... one by one.

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**


  1. If you are using Firefox, make sure that your download settings are as follows:

    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif-

CFAF8-download_rename.gif

[gBd-It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

----------------------------------------------------------


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------



  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Link to post
Share on other sites

Thanks. After my last post on Sunday, I turned the computer off and did not turn it on again until after receiving these instructions. I am unable to get a browser to open on the infected computer. Shall I download the combofix to a flash drive using my good computer and somehow run it on the bad one?

Link to post
Share on other sites

I'm unable to get that to work either now. It seemed to start from a command prompt, but encountered an AVG barrier. No icons are visible on my tray, and clicking the AVG user interface produces no result. All I'm getting is the XP 2011 malware. I've tried in normal mode and safe mode with networking, to no avail. And again, I went to safe mode with command prompt. Next steps (that do not involve a sledgehammer?)

Link to post
Share on other sites

Open Notepad and copy and paste the text in the code box below into it:

SecCenter::
AV: Smart Internet Protection 2011 *Enabled/Updated* {30D2F759-8D05-49B1-B3D8-093C8F7092F3}
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Smart Internet Protection 2011 *Enabled*

KillAll::

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Link to post
Share on other sites

I attempted to open the AVG User Interface by renaming it with a .com extension. The interface did not open; instead, it launched the scanner. I forgot to copy the log from that run, and can't find it now. It did heal a three-letter file, which I'm pretty sure is the malware.

I launched ComboFix. Below is the log:

ComboFix 11-04-05.02 - A 04/05/2011 22:28:56.1.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2250 [GMT -4:00]

Running from: E:\ComboFix.exe

AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

ADS - WINDOWS: deleted 128 bytes in 1 streams.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\A\Application Data\Adobe\plugs

c:\documents and settings\A\Application Data\Adobe\shed

c:\documents and settings\A\Application Data\DB03EF406BCBDAABF830264BA9FBEEFD

c:\documents and settings\A\Application Data\DB03EF406BCBDAABF830264BA9FBEEFD\enemies-names.txt

c:\documents and settings\A\Application Data\DB03EF406BCBDAABF830264BA9FBEEFD\local.ini

c:\documents and settings\A\Application Data\Odupyg

c:\documents and settings\A\Application Data\Odupyg\emhee.exe

c:\documents and settings\A\Application Data\Toacpa

c:\documents and settings\A\Application Data\Toacpa\ubli.ihs

c:\documents and settings\A\Application Data\Toacpa\ubli.tmp

c:\documents and settings\A\Local Settings\Application Data\{F49866CF-2D30-4769-9AD5-413689DB18C3}

c:\documents and settings\A\Local Settings\Application Data\{F49866CF-2D30-4769-9AD5-413689DB18C3}\chrome.manifest

c:\documents and settings\A\Local Settings\Application Data\{F49866CF-2D30-4769-9AD5-413689DB18C3}\chrome\content\_cfg.js

c:\documents and settings\A\Local Settings\Application Data\{F49866CF-2D30-4769-9AD5-413689DB18C3}\chrome\content\overlay.xul

c:\documents and settings\A\Local Settings\Application Data\{F49866CF-2D30-4769-9AD5-413689DB18C3}\install.rdf

c:\documents and settings\A\Local Settings\Application Data\ctp.exe

c:\documents and settings\A\Local Settings\Application Data\mcn.exe

c:\documents and settings\A\Recent\cid.exe

c:\documents and settings\A\Recent\CLSV.drv

c:\documents and settings\A\Recent\DBOLE.dll

c:\documents and settings\A\Recent\DBOLE.exe

c:\documents and settings\A\Recent\DBOLE.tmp

c:\documents and settings\A\Recent\delfile.sys

c:\documents and settings\A\Recent\energy.exe

c:\documents and settings\A\Recent\fix.drv

c:\documents and settings\A\Recent\fix.sys

c:\documents and settings\A\Recent\hymt.exe

c:\documents and settings\A\Recent\PE.exe

c:\documents and settings\A\Recent\PE.sys

c:\documents and settings\A\Recent\PE.tmp

c:\documents and settings\A\Recent\ppal.dll

c:\documents and settings\A\Recent\ppal.drv

c:\documents and settings\A\Recent\runddlkey.exe

c:\documents and settings\A\Recent\runddlkey.tmp

c:\documents and settings\A\Recent\SICKBOY.exe

c:\documents and settings\A\Recent\sld.exe

c:\documents and settings\A\Recent\SM.exe

c:\documents and settings\A\Recent\tjd.dll

c:\documents and settings\A\Recent\tjd.exe

c:\documents and settings\A\Recent\tjd.tmp

c:\documents and settings\All Users\Application Data\5ed4b4

c:\documents and settings\All Users\Application Data\5ed4b4\5ed4b4a0d7d7495ef463256e2bb4a502.ocx

c:\documents and settings\All Users\Application Data\5ed4b4\77.mof

c:\documents and settings\All Users\Application Data\5ed4b4\BackUp\IMVU.lnk

c:\documents and settings\All Users\Application Data\5ed4b4\BackUp\OneNote 2007 Screen Clipper and Launcher.lnk

c:\documents and settings\All Users\Application Data\5ed4b4\mozcrt19.dll

c:\documents and settings\All Users\Application Data\5ed4b4\SIP.ico

c:\documents and settings\All Users\Application Data\5ed4b4\sqlite3.dll

c:\documents and settings\All Users\Application Data\5ed4b4\y2p45e7txfm9q01u8z6gignu8zokfghgw.dll

c:\documents and settings\All Users\Application Data\Toolbar4

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\basis.xml

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\bg.bmp

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\bing_logo.png

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\celebrity.png

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\drop_images.png

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\drop_maps.png

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\drop_news.png

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\drop_videos.png

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\drop_web.png

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\facebook.png

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\favicon.png

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\games.png

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\hotmail.png

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\icon.ico

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\images.png

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\include.xml

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\info.txt

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\lifestyle.png

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\maps.png

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\messenger.png

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\msn.png

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\news.png

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\twitter.png

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\version.txt

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\video.png

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\videos.png

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\weather.png

c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\web.png

c:\program files\QUAD Utilities

c:\program files\Search Toolbar

c:\program files\Search Toolbar\basis.xml

c:\program files\Search Toolbar\bg.bmp

c:\program files\Search Toolbar\bing_logo.png

c:\program files\Search Toolbar\celebrity.png

c:\program files\Search Toolbar\drop_images.png

c:\program files\Search Toolbar\drop_maps.png

c:\program files\Search Toolbar\drop_news.png

c:\program files\Search Toolbar\drop_videos.png

c:\program files\Search Toolbar\drop_web.png

c:\program files\Search Toolbar\facebook.png

c:\program files\Search Toolbar\favicon.png

c:\program files\Search Toolbar\games.png

c:\program files\Search Toolbar\hotmail.png

c:\program files\Search Toolbar\icon.ico

c:\program files\Search Toolbar\images.png

c:\program files\Search Toolbar\include.xml

c:\program files\Search Toolbar\info.txt

c:\program files\Search Toolbar\lifestyle.png

c:\program files\Search Toolbar\maps.png

c:\program files\Search Toolbar\messenger.png

c:\program files\Search Toolbar\msn.png

c:\program files\Search Toolbar\news.png

c:\program files\Search Toolbar\Thumbs.db

c:\program files\Search Toolbar\twitter.png

c:\program files\Search Toolbar\version.txt

c:\program files\Search Toolbar\video.png

c:\program files\Search Toolbar\videos.png

c:\program files\Search Toolbar\weather.png

c:\program files\Search Toolbar\web.png

c:\windows\135885zr9s144.bin

c:\windows\13596not-a-virus257z.bin

c:\windows\13905spy2d5z.bin

c:\windows\15506hackto9l4za.bin

c:\windows\195z6not-9-5irus1e2.bin

c:\windows\1z4959ro5fa.bin

c:\windows\202295pambot43z.bin

c:\windows\2181z9ot-a-vir5s104.bin

c:\windows\21927hacztoo54f1.bin

c:\windows\229bthrezt70115.bin

c:\windows\23b9backd5or12z1.bin

c:\windows\25549acktool40z.bin

c:\windows\259fad5zare281.bin

c:\windows\2619259t-a-virus53dz.bin

c:\windows\265vi985z.bin

c:\windows\28139hazktool3945.bin

c:\windows\28184viz5977.bin

c:\windows\29925wo9mz4e.bin

c:\windows\31999hackto5l1z6.bin

c:\windows\31z195wnloader3061.bin

c:\windows\32288tr9z45c.bin

c:\windows\32z77ha5kt9ol281.bin

c:\windows\34f55iz17209.bin

c:\windows\3e3zs9ea51845.bin

c:\windows\3f62z9eal2596.bin

c:\windows\4039troj1fz5.bin

c:\windows\410est59lz724.bin

c:\windows\4345v9r3z05.bin

c:\windows\45dd9iz2015.bin

c:\windows\4655w9rzf5.bin

c:\windows\48b0thr5zt90108.bin

c:\windows\4903threat95z88.bin

c:\windows\4e59zhief161.bin

c:\windows\5295downlo5dez775.bin

c:\windows\5314zro956e.bin

c:\windows\56102s9zmbot39.bin

c:\windows\5853a5d9aze2379.bin

c:\windows\59045ackdo9rz555.bin

c:\windows\596zadd5are2720.bin

c:\windows\5975vi95z43.bin

c:\windows\59799virzs6df.bin

c:\windows\599dthiez27065.bin

c:\windows\59c5spzr9e1990.bin

c:\windows\5z6hacktool6965.bin

c:\windows\6754thief9z57.bin

c:\windows\695downlz5der1356.bin

c:\windows\6b93z5r9267.bin

c:\windows\6zef5parse3966.bin

c:\windows\7176t5izf1859.bin

c:\windows\7195tzre5t21932.bin

c:\windows\7831spa5sz2795.bin

c:\windows\7948s5azbo9517.bin

c:\windows\79eb5teal2978z.bin

c:\windows\7adbzi95809.bin

c:\windows\7d7dzpy9are1165.bin

c:\windows\8411hackto956z9.bin

c:\windows\8433h5cktzol329.bin

c:\windows\918395zy129.bin

c:\windows\92z0add5are2989.bin

c:\windows\93465zorm3d.bin

c:\windows\9525spz5d9.bin

c:\windows\97b25pyware13z4.bin

c:\windows\9z56tro91f.bin

c:\windows\Ikakya.exe

c:\windows\system32\10752spz589.bin

c:\windows\system32\10f6sp9zar53112.bin

c:\windows\system32\12108worm5z9.bin

c:\windows\system32\12946s5zmbot3d2.bin

c:\windows\system32\13505i98z3.bin

c:\windows\system32\13579tzal5745.bin

c:\windows\system32\145z9spambot5f9.bin

c:\windows\system32\18946zpa5bot668.bin

c:\windows\system32\19059not-a-5izus3f9.bin

c:\windows\system32\193z9spy4915.bin

c:\windows\system32\195005orz5f9.bin

c:\windows\system32\1az4s9yware5880.bin

c:\windows\system32\1z6729orm67d5.bin

c:\windows\system32\210f5hzef9.bin

c:\windows\system32\21667ha5ktoo97z9.bin

c:\windows\system32\23399wor55zb.bin

c:\windows\system32\2459znot9a-virus189.bin

c:\windows\system32\2493stealz58.bin

c:\windows\system32\25354szy95a.bin

c:\windows\system32\25909worm3dcz.bin

c:\windows\system32\28387not-a-5iru943z.bin

c:\windows\system32\289bspzrse3057.bin

c:\windows\system32\28cdspywzre25799.bin

c:\windows\system32\29316s59z80.bin

c:\windows\system32\29906notza-59rus41a.bin

c:\windows\system32\29926not-a-v9rus652z.bin

c:\windows\system32\299695ac9tool1e9z.bin

c:\windows\system32\299985zrus5c8.bin

c:\windows\system32\2a1e9hreat10529z.bin

c:\windows\system32\2f96downlo5dez990.bin

c:\windows\system32\30z51worm919.bin

c:\windows\system32\31z62spy5b95.bin

c:\windows\system32\3456adzware9380.bin

c:\windows\system32\3689hac5tool543z.bin

c:\windows\system32\39568hackt5zl7e6.bin

c:\windows\system32\3c9zdow5loader2895.bin

c:\windows\system32\3d0a5hiez1997.bin

c:\windows\system32\4262hzc59ool6fa.bin

c:\windows\system32\4435tz9ef2465.bin

c:\windows\system32\47c4do5nload9r6z8.bin

c:\windows\system32\4905v9zus554.bin

c:\windows\system32\495fspzwa9e3175.bin

c:\windows\system32\4ze79d5ware2155.bin

c:\windows\system32\50936wormz9.bin

c:\windows\system32\55325pyware248z9.bin

c:\windows\system32\5673w9rm66z.bin

c:\windows\system32\5721noz9a-viru53f0.bin

c:\windows\system32\577dt9reaz25654.bin

c:\windows\system32\58e9spywa5e1z94.bin

c:\windows\system32\5a885zie9531.bin

c:\windows\system32\5aat9zeat29394.bin

c:\windows\system32\5c5fst9al185z.bin

c:\windows\system32\5f36sp5r9z99.bin

c:\windows\system32\5za4down5o9der2271.bin

c:\windows\system32\606zsteal92065.bin

c:\windows\system32\693thr5at80z2.bin

c:\windows\system32\6995vir3924z.bin

c:\windows\system32\6ab0spyware9534z.bin

c:\windows\system32\6d4es9ea5z750.bin

c:\windows\system32\79f6thre5t23z05.bin

c:\windows\system32\7zc5bac59oor2887.bin

c:\windows\system32\90a3steal34z5.bin

c:\windows\system32\91141trz5564.bin

c:\windows\system32\92z89spambot10a5.bin

c:\windows\system32\9459hacktoz9329.bin

c:\windows\system32\9536not-a-virus957z.bin

c:\windows\system32\99488zorm255.bin

c:\windows\system32\9b3dspywzre2105.bin

c:\windows\system32\9d35zpyware253.bin

c:\windows\system32\9ec3sp5rse144z.bin

c:\windows\system32\a5thz9f2581.bin

c:\windows\system32\d75z9ief2446.bin

c:\windows\system32\d94thre5t16z89.bin

c:\windows\system32\edazo9nloader645.bin

c:\windows\system32\fdesp5rz9503.bin

c:\windows\system32\itlnfw32.dll

c:\windows\system32\regobj.dll

c:\windows\system32\z187spambo95f0.bin

c:\windows\system32\z2b5addwar9144.bin

c:\windows\system32\z4971tr955d9.bin

c:\windows\system32\z533spy55e9.bin

c:\windows\system32\z6519t9oj258.bin

c:\windows\system32\z799hac5tool231.bin

c:\windows\system32\z9895vir5s5fc.bin

c:\windows\system32\zf73spar5e1597.bin

c:\windows\system32\zfbft9reat30950.bin

c:\windows\z1370troj5509.bin

c:\windows\z556t9ief2101.bin

c:\windows\z5d2thre9t4037.bin

c:\windows\z683v592935.bin

c:\windows\z8519vi5us4f0.bin

c:\windows\z863addware9150.bin

c:\windows\z997spambot385.bin

c:\windows\zd57ba9kdoor2596.bin

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_ITLPERF

-------\Service_itlperf

.

.

((((((((((((((((((((((((( Files Created from 2011-03-06 to 2011-04-06 )))))))))))))))))))))))))))))))

.

.

2011-04-03 14:40 . 2010-09-06 09:26 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-04-03 12:09 . 2011-04-03 12:09 -------- d-----w- c:\documents and settings\A\Local Settings\Application Data\Secunia PSI

2011-04-03 12:09 . 2011-04-03 12:09 -------- d-----w- c:\program files\Secunia

2011-04-01 12:58 . 2011-04-01 13:01 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2011-03-28 15:04 . 2011-03-28 15:04 -------- d-----w- c:\windows\system32\wbem\Repository

2011-03-27 21:35 . 2011-03-27 21:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-03-25 18:58 . 2011-03-25 18:57 339968 ----a-w- c:\windows\mc76487.exe

2011-03-25 18:54 . 2011-03-25 18:54 0 ----a-w- c:\windows\Qforoqeso.bin

2011-03-15 15:25 . 2011-03-15 15:25 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files

2011-03-12 16:28 . 2011-03-12 16:28 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

2011-03-12 16:28 . 2011-03-12 16:28 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll

2011-03-10 15:26 . 2011-03-28 15:04 -------- d-----w- c:\documents and settings\Administrator

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-09 13:53 . 2008-04-14 12:00 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2008-04-14 12:00 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 07:58 . 2009-02-09 05:28 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2009-02-09 05:28 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:42 . 2008-04-14 12:00 439808 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2008-05-27 17:29 290048 ----a-w- c:\windows\system32\atmfd.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2010-05-26 19:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2011-03-15 2071904]

"RTHDCPL"="RTHDCPL.EXE" [2009-08-14 18702336]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"EM_EXEC"="c:\progra~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-05-01 28672]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-08 13762560]

"nwiz"="nwiz.exe" [2009-07-08 1657376]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-08 86016]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]

.

c:\documents and settings\A\Start Menu\Programs\Startup\

IMVU.lnk - c:\documents and settings\A\Application Data\IMVUClient\IMVUQualityAgent.exe [N/A]

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-1-10 291896]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-07-15 13:41 12536 ----a-w- c:\windows\system32\avgrsstx.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\WINDOWS\\mc76487.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1422:TCP"= 1422:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/3/2010 3:00 PM 64288]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/9/2009 4:34 AM 216400]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/7/2010 4:35 PM 243024]

R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NlsSrv32.exe [11/21/2010 5:57 PM 61440]

R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [1/10/2011 10:24 AM 993848]

R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [1/10/2011 10:24 AM 399416]

S2 avg9wd;AVG Free WatchDog;"c:\program files\AVG\AVG9\avgwdsvc.exe" --> c:\program files\AVG\AVG9\avgwdsvc.exe [?]

S2 gupdate1c994ae50cdb1e;Google Update Service (gupdate1c994ae50cdb1e);c:\program files\Google\Update\GoogleUpdate.exe [2/22/2009 1:25 AM 133104]

S2 MemChecker;Memory Checker;c:\windows\mc76487.exe [3/25/2011 2:58 PM 339968]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [6/5/2010 1:27 PM 1684736]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [?]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 4:30 AM 15544]

S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\DRIVERS\RTL8187B.sys --> c:\windows\system32\DRIVERS\RTL8187B.sys [?]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

itlsvc REG_MULTI_SZ itlperf

.

Contents of the 'Scheduled Tasks' folder

.

2011-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

.

2011-04-06 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-22 16:50]

.

2011-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-22 05:25]

.

2011-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-22 05:25]

.

2011-04-05 c:\windows\Tasks\User_Feed_Synchronization-{72D63DCE-BCBF-4F22-BEB4-2B0C18061408}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 16:36]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.bing.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\A\Start Menu\Programs\IMVU\Run IMVU.lnk

LSP: %SYSTEMROOT%\system32\nvLsp.dll

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

BHO-{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - c:\program files\Yontoo Layers Client for Internet Explorer\YontooIEClient.dll

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

Toolbar-{9D425283-D487-4337-BAB6-AB8354A81457} - (no file)

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

WebBrowser-{9D425283-D487-4337-BAB6-AB8354A81457} - (no file)

HKCU-Run-Jenkat Arcade - c:\documents and settings\A\Application Data\Jenkat\Jenkat Games Arcade\notifyapp.exe

HKLM-Run-Sciwepazucowopo - c:\windows\egubaqeyuhasaj.dll

Notify-itlntfy - itlnfw32.dll

Notify-LC - (no file)

Notify-ypml - itlnfw32.dll

AddRemove-AVG9Uninstall - c:\program files\AVG\AVG9\setup.exe

AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{889DF~1\Setup.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-05 22:36

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'lsass.exe'(756)

c:\windows\system32\nvLsp.dll

.

- - - - - - - > 'explorer.exe'(11972)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\msi.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\windows\system32\rundll32.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\RUNDLL32.EXE

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2011-04-05 22:38:50 - machine was rebooted

ComboFix-quarantined-files.txt 2011-04-06 02:38

.

Pre-Run: 245,907,677,184 bytes free

Post-Run: 246,681,792,512 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 3274A9D1A1C8CEBEED125460365C77AC

Link to post
Share on other sites

This is the log for the AVG that ran when I tried to simply open the interface:

AVG 9.0 Anti-Virus command line scanner

Copyright © 1992 - 2010 AVG Technologies

Program version 9.0.870, engine 10.0.1495

Virus Database: Version 271.1.1/3547 2011-04-02

HKCR\exefile\shell\open\command\\ Found registry key with reference to file C:\Documents and Settings\A\Local Settings\Application Data\ctp.exe Object was healed.

C:\Documents and Settings\A\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.

C:\Documents and Settings\A\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.

C:\Documents and Settings\A\ntuser.dat Locked file. Not tested.

C:\Documents and Settings\A\ntuser.dat.LOG Locked file. Not tested.

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.

C:\Documents and Settings\LocalService\NTUSER.DAT Locked file. Not tested.

C:\Documents and Settings\LocalService\ntuser.dat.LOG Locked file. Not tested.

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.

C:\Documents and Settings\NetworkService\NTUSER.DAT Locked file. Not tested.

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Locked file. Not tested.

C:\pagefile.sys Locked file. Not tested.

C:\System Volume Information\ Locked file. Not tested.

C:\WINDOWS\system32\config\default Locked file. Not tested.

C:\WINDOWS\system32\config\default.LOG Locked file. Not tested.

C:\WINDOWS\system32\config\SAM Locked file. Not tested.

C:\WINDOWS\system32\config\SAM.LOG Locked file. Not tested.

C:\WINDOWS\system32\config\SECURITY Locked file. Not tested.

C:\WINDOWS\system32\config\SECURITY.LOG Locked file. Not tested.

C:\WINDOWS\system32\config\software Locked file. Not tested.

C:\WINDOWS\system32\config\software.LOG Locked file. Not tested.

C:\WINDOWS\system32\config\system Locked file. Not tested.

C:\WINDOWS\system32\config\system.LOG Locked file. Not tested.

C:\WINDOWS\Tasks\oaaltlb.job Locked file. Not tested.

------------------------------------------------------------

Objects scanned : 572417

Found infections : 0

Found PUPs : 0

Healed infections : 0

Healed PUPs : 0

Warnings : 1

------------------------------------------------------------

Link to post
Share on other sites

Here is the response I received, followed by the previous report. Shall I ask virustotal to reanalyze it?

File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:

MD5: 8ab0842b08b314bacddb47a1f5a74bed

Date first seen: 2011-03-25 17:27:13 (UTC)

Date last seen: 2011-04-06 06:57:14 (UTC)

Detection ratio: 5/40

What do you wish to do? I CHOSE SHOW REPORT

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name:

8ab0842b08b314bacddb47a1f5a74bed

Submission date:

2011-04-06 06:57:14 (UTC)

Current status:

finished

Result:

5 /40 (12.5%)

VT Community

not reviewed

Safety score: -

Compact

Print results

Antivirus Version Last Update Result

AhnLab-V3 2011.04.06.02 2011.04.06 -

AntiVir 7.11.5.203 2011.04.06 -

Antiy-AVL 2.0.3.7 2011.04.06 -

Avast 4.8.1351.0 2011.04.05 -

Avast5 5.0.677.0 2011.04.05 -

AVG 10.0.0.1190 2011.04.05 -

BitDefender 7.2 2011.04.06 -

CAT-QuickHeal 11.00 2011.04.06 -

ClamAV 0.97.0.0 2011.04.06 -

Commtouch 5.2.11.5 2011.04.06 -

Comodo 8239 2011.04.06 Heur.Suspicious

DrWeb 5.0.2.03300 2011.04.06 -

eSafe 7.0.17.0 2011.04.05 -

eTrust-Vet 36.1.8255 2011.04.05 -

F-Prot 4.6.2.117 2011.04.05 -

Fortinet 4.2.254.0 2011.04.06 W32/VB.WL!tr

GData 22 2011.04.06 -

Ikarus T3.1.1.103.0 2011.04.06 -

Jiangmin 13.0.900 2011.04.06 -

K7AntiVirus 9.96.4303 2011.04.05 -

Kaspersky 7.0.0.125 2011.04.06 -

McAfee 5.400.0.1158 2011.04.06 -

McAfee-GW-Edition 2010.1C 2011.04.05 -

Microsoft 1.6702 2011.04.06 -

NOD32 6017 2011.04.06 -

Norman 6.07.07 2011.04.05 -

Panda 10.0.3.5 2011.04.05 Suspicious file

PCTools 7.0.3.5 2011.04.06 Trojan.Generic

Prevx 3.0 2011.04.06 -

Rising 23.51.05.05 2011.04.02 -

Sophos 4.64.0 2011.04.06 -

SUPERAntiSpyware 4.40.0.1006 2011.04.06 -

Symantec 20101.3.2.89 2011.04.06 Trojan Horse

TheHacker 6.7.0.1.168 2011.04.06 -

TrendMicro 9.200.0.1012 2011.04.06 -

TrendMicro-HouseCall 9.200.0.1012 2011.04.06 -

VBA32 3.12.14.3 2011.04.05 -

VIPRE 8933 2011.04.06 -

ViRobot 2011.4.6.4395 2011.04.06 -

VirusBuster 13.6.288.0 2011.04.05 -

Additional information

Show all

MD5 : 8ab0842b08b314bacddb47a1f5a74bed

SHA1 : fd2bc52b9013f6519521c7b660881de6099bcaf2

SHA256: 3eafdc8d6d9addc5bc9971750b3d355df4d08733ad553c3b802f310c8b3afb01

ssdeep: 3072:3WmnC+qVGNBLsoUdcu6nNxdMy+P1F7fW3VSbRpvnqwCmi8/7GAsNxRKauU+Ll43D:3WgQM

bgPWFSJHi8zKRKfdlO8n4csL

File size : 339968 bytes

First seen: 2011-03-25 17:27:13

Last seen : 2011-04-06 06:57:14

Magic: MS-DOS executable, MZ for MS-DOS

TrID:

Win32 Executable Generic (68.0%)

Generic Win/DOS Executable (15.9%)

DOS Executable Generic (15.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

sigcheck:

publisher....: MediaChance

copyright....: Copyright www.photobrush.com © 2001

product......: PhotoBRUSH Application

description..: Photo-Brush Application

original name: PhotoBrush.EXE

internal name: Photo-Brush

file version.: 3.02

comments.....:

signers......: -

signing date.: -

verified.....: Unsigned

PEiD: -

PEInfo: PE structure information

[[ basic data ]]

entrypointaddress: 0x1220

timedatestamp....: 0x4D8AA744 (Thu Mar 24 02:07:00 2011)

machinetype......: 0x14C (Intel I386)

[[ 3 section(s) ]]

name, viradd, virsiz, rawdsiz, ntropy, md5

.text, 0x1000, 0x20488, 0x21000, 5.3, 259510f893bc9d545744464d29a9ab1c

.data, 0x22000, 0x185C, 0x0, 0.0, d41d8cd98f00b204e9800998ecf8427e

.rsrc, 0x24000, 0x30BB0, 0x31000, 5.6, 377c5fce3f20db8572f8f0fab2207334

[[ 1 import(s) ]]

msvbvm60.dll: -, -, -, MethCallEngine, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, EVENT_SINK_AddRef, -, -, -, DllFunctionCall, -, -, EVENT_SINK_Release, -, EVENT_SINK_QueryInterface, __vbaExceptHandler, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -

ExifTool:

file metadata

FileSize: 332 kB

FileType: DOS EXE

MIMEType: application/octet-stream

Symantec reputation:Suspicious.Insight

VT Community

0

This file has never been reviewed by any VT Community member. Be the first one to comment on it!

VirusTotal Team

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.