
Solved Malware Taking Over

Discussion in 'Malware and Virus Removal Archive' started by wealthymike, 2010/04/11.

  1. 2010/04/17 - wealthymike (Inactive, Thread Starter; joined 2010/04/09, 112 messages, 0 likes received)
    Sorry I overlooked that part - I'm doing it now.
     
  2. 2010/04/17 - wealthymike (Inactive, Thread Starter; joined 2010/04/09, 112 messages, 0 likes received)
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Saturday, April 17, 2010
    Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Saturday, April 17, 2010 03:03:26
    Records in database: 3949730
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\

    Scan statistics:
    Objects scanned: 51821
    Threats found: 5
    Infected objects found: 8
    Suspicious objects found: 0
    Scan duration: 02:26:30


    File name / Threat / Threats count
    C:\Documents and Settings\Sampson\Application Data\Sun\Java\Deployment\cache\6.0\22\647a8416-77e807de Infected: Exploit.Java.CVE-2009-3867.c 1
    C:\Documents and Settings\Sampson\Application Data\Sun\Java\Deployment\cache\6.0\4\25677bc4-4b11f33e Infected: Exploit.Java.CVE-2009-3867.c 1
    C:\Documents and Settings\Sampson\Application Data\Sun\Java\Deployment\cache\6.0\62\11715efe-4baf4e83 Infected: Exploit.Java.CVE-2009-3867.c 1
    C:\Program Files\AKProg\AKProg.exe Infected: not-a-virus:Monitor.Win32.ActualSpy.2301 1
    C:\Program Files\AKProg\hkdll.dll Infected: not-a-virus:Monitor.Win32.ActualSpy.27 1
    C:\Program Files\AKProg\hprog.dll Infected: not-a-virus:Monitor.Win32.ActualSpy.252 1
    C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe.vir Infected: Packed.Win32.Katusha.j 1
    C:\System Volume Information\_restore{67C4541F-D3F2-450D-8BA3-DE79D55388CD}\RP262\A0059302.exe Infected: Packed.Win32.Katusha.j 1

    Selected area has been scanned.
     


  4. 2010/04/17 - crunchie (Inactive; joined 2010/01/12, 982 messages, 5 likes received)
    Did you install the keylogger on your PC?

    Can you go to the Control Panel and open the Java applet? Once in there, on the General tab, go to the "Temporary Internet Files" bit at the bottom and select 'Settings'.
    Select 'Delete Files' and then OK out.

    How is the PC at the moment?
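Added example (not part of the thread, and not code from Kaspersky or ComboFix): a small Python triage script for the scanner report format posted above. It reads result lines of the form "<path> Infected: <detection> <count>" and sorts each finding into the buckets a helper works through in a thread like this one: cached Java applets (cleared by deleting the Java temporary files, as in the post above), "not-a-virus:Monitor" detections (commercial monitoring software, so the question is whether the user installed it), items already sitting in the ComboFix quarantine (Qoobox) or in a System Restore point, and everything else, which is treated as a live detection. The sample report lines are constructed for the example and only modelled on the report above; the category names and recommended actions are this example's own choices.

```python
import re
from dataclasses import dataclass

# One result line of a Kaspersky Online Scanner 7.0 report looks like:
#   <path> Infected: <detection name> <threats count>
LINE_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")

# Constructed sample, modelled on the report format above (not the real scan output).
SAMPLE_REPORT = r"""
Scan statistics:
Objects scanned: 51821
Threats found: 5

File name / Threat / Threats count
C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\22\aaaa0001-bbbb0001 Infected: Exploit.Java.CVE-2009-3867.c 1
C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\4\aaaa0002-bbbb0002 Infected: Exploit.Java.CVE-2009-3867.c 1
C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\62\aaaa0003-bbbb0003 Infected: Exploit.Java.CVE-2009-3867.c 1
C:\Program Files\AKProg\AKProg.exe Infected: not-a-virus:Monitor.Win32.ActualSpy.2301 1
C:\Program Files\AKProg\hkdll.dll Infected: not-a-virus:Monitor.Win32.ActualSpy.27 1
C:\Program Files\AKProg\hprog.dll Infected: not-a-virus:Monitor.Win32.ActualSpy.252 1
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe.vir Infected: Packed.Win32.Katusha.j 1
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP262\A0059302.exe Infected: Packed.Win32.Katusha.j 1

Selected area has been scanned.
"""


@dataclass
class Finding:
    path: str
    threat: str
    count: int
    category: str
    action: str


def classify(path: str, threat: str) -> tuple[str, str]:
    """Map one finding to a triage bucket and the follow-up a helper would ask for.

    Order matters: quarantine and restore-point copies are checked first so a
    quarantined Java exploit is not mistaken for a live cache entry.
    """
    p = path.lower()
    t = threat.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantined", "already quarantined by ComboFix; not a live threat"
    if "\\system volume information\\_restore" in p:
        return "restore-point", "dormant copy inside a System Restore point; purge restore points once the machine is clean"
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java-cache", "cached applet; clear the Java temporary files (Java Control Panel > General > Settings > Delete Files)"
    if t.startswith("not-a-virus:monitor."):
        return "monitoring-tool", "commercial monitoring software; confirm with the user whether it was installed on purpose"
    return "active", "live detection outside quarantine; remove it and rescan"


def parse_report(text: str) -> list[Finding]:
    """Extract every result line from a report; header and summary lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        category, action = classify(m["path"], m["threat"])
        findings.append(Finding(m["path"], m["threat"], int(m["count"]), category, action))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per triage bucket."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    results = parse_report(SAMPLE_REPORT)
    for f in results:
        print(f"[{f.category:15}] {f.threat}\n    {f.path}\n    -> {f.action}")
    print(summarize(results))
```

Run it on a saved report and the summary shows at a glance whether anything is left that is neither already contained nor cleared by routine cache cleanup.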
     
  5. 2010/04/17 - wealthymike (Inactive, Thread Starter; joined 2010/04/09, 112 messages, 0 likes received)
    OK, did it.

    Clicks from Google still redirect to other pages, and no, I did not install a keylogger.
     
  6. 2010/04/17 - crunchie (Inactive; joined 2010/01/12, 982 messages, 5 likes received)
    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.
    2. Now copy/paste the entire content of the code box below into the Notepad window:
    Code:
    KillAll::
    
    Folder::
    C:\Program Files\AKProg
    
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Physically disconnect from the internet.

    5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: CFScript.gif]


    7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
    • Combofix.txt
    Please take note:

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
    Last edited: 2010/04/17
  7. 2010/04/17 - wealthymike (Inactive, Thread Starter; joined 2010/04/09, 112 messages, 0 likes received)
    ComboFix 10-04-17.02 - Sampson 04/17/2010 18:59:26.5.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.599 [GMT -4:00]
    Running from: c:\documents and settings\Sampson\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Sampson\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\AKProg
    c:\program files\AKProg\AK.chm
    c:\program files\AKProg\AKProg.exe
    c:\program files\AKProg\AKProg.exe.manifest
    c:\program files\AKProg\hkdll.dll
    c:\program files\AKProg\hprog.dll
    c:\program files\AKProg\license.txt
    c:\program files\AKProg\logs\key.dat
    c:\program files\AKProg\readme.txt
    c:\program files\AKProg\unins000.dat
    c:\program files\AKProg\unins000.exe

    Infected copy of c:\windows\system32\drivers\mouclass.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-03-17 to 2010-04-17 )))))))))))))))))))))))))))))))
    .

    2010-04-17 01:57 . 2010-04-17 01:57 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
    2010-04-16 14:40 . 2010-04-16 14:40 3911239 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{43B820EB-C7E1-BA8A-A752-341526E9D0AE}-ComboFix.exe
    2010-04-16 14:40 . 2010-04-16 14:40 3911239 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{683ED95A-ABBF-EE9D-10B5-281651854DD4}-ComboFix.exe
    2010-04-14 07:04 . 2008-04-14 20:00 221184 ----a-w- c:\windows\system32\wmpns.dll
    2010-04-13 03:44 . 2010-04-13 03:44 41476 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{FA92E1DB-5140-3ED3-BE0B-7E7EA9361750}-qttask .exe
    2010-04-12 20:35 . 2010-04-12 20:35 41476 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{25AAC0DA-1079-78DA-00F3-F8B1FE2B74CD}-dwtrig20.exe
    2010-04-12 20:30 . 2010-04-12 20:30 41476 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{7A6E8AB2-D246-4461-DC43-B8466BFD85FA}-dwtrig20.exe
    2010-04-09 23:30 . 2010-04-12 07:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-04-09 16:17 . 2010-04-09 16:17 53088 ----a-w- c:\windows\system32\drivers\pxrts.sys
    2010-04-09 16:17 . 2010-04-09 16:17 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys
    2010-04-09 16:17 . 2010-04-09 16:17 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys
    2010-04-08 17:36 . 2010-04-13 03:00 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2010-04-08 17:30 . 2010-04-17 19:42 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-04-08 17:30 . 2010-04-08 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2010-04-08 17:30 . 2010-04-16 21:03 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-04-08 15:47 . 2010-04-09 15:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-04-08 15:43 . 2010-04-08 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-04-08 12:17 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-08 12:16 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-07 21:01 . 2010-04-07 21:01 552 ----a-w- c:\windows\system32\d3d8caps.dat
    2010-04-05 07:58 . 2010-04-05 07:58 -------- d-----w- c:\documents and settings\Sampson\Local Settings\Application Data\PCHealth
    2010-03-27 18:17 . 2010-03-27 18:25 -------- d-----w- c:\documents and settings\Sampson\Local Settings\Application Data\ctrxmt
    2010-03-27 01:45 . 2010-03-27 01:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
    2010-03-22 20:04 . 2010-03-22 20:04 255472 ----a-w- c:\documents and settings\Sampson\Application Data\Mozilla\plugins\npgoogletalk.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-17 00:29 . 2009-12-26 02:42 -------- d-----w- c:\program files\QuickTime
    2010-04-16 21:03 . 2010-01-09 20:41 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-04-16 21:03 . 2009-01-20 18:43 -------- d-----w- c:\program files\Launch Manager
    2010-04-16 04:05 . 2008-04-14 20:00 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
    2010-04-16 04:03 . 2009-08-02 07:15 -------- d-----w- c:\documents and settings\Sampson\Application Data\uTorrent
    2010-04-14 07:06 . 2009-01-20 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-04-09 15:44 . 2010-04-09 15:44 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys4E5EA5B4
    2010-04-08 15:43 . 2009-01-20 19:22 -------- d-----w- c:\program files\Google
    2010-04-08 12:17 . 2010-01-09 19:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-07 21:01 . 2009-08-24 16:06 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-03-11 12:38 . 2008-10-16 20:38 832512 ------w- c:\windows\system32\wininet.dll
    2010-03-11 12:38 . 2008-04-14 20:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38 . 2008-04-14 20:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-03-09 11:09 . 2008-05-09 10:53 430080 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-08 03:58 . 2010-03-08 03:58 -------- d-----w- c:\program files\Common Files\Roxio Shared
    2010-03-06 05:18 . 2010-03-05 20:50 256 ----a-w- c:\windows\system32\pool.bin
    2010-03-05 20:56 . 2010-03-05 20:56 -------- d-----w- c:\documents and settings\Sampson\Application Data\Blackberry Desktop
    2010-03-05 20:49 . 2010-03-05 20:49 -------- d-----w- c:\documents and settings\Sampson\Application Data\Research In Motion
    2010-03-05 20:47 . 2010-03-05 20:47 -------- d-----w- c:\program files\Common Files\Research In Motion
    2010-03-05 20:47 . 2010-03-05 20:47 -------- d-----w- c:\program files\Research In Motion
    2010-02-24 14:16 . 2010-01-09 20:43 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-24 13:11 . 2008-10-24 11:21 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-22 16:25 . 2010-02-22 16:25 -------- d-----w- c:\documents and settings\Sampson\Application Data\UltraVNC
    2010-02-16 14:08 . 2008-08-14 10:09 2146304 ------w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 13:25 . 2008-08-14 09:33 2024448 ------w- c:\windows\system32\ntkrnlpa.exe
    2010-02-12 04:33 . 2008-04-14 20:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
    2010-02-11 12:02 . 2008-04-14 20:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
    .

    ((((((((((((((((((((((((((((( SnapShot_2010-04-16_15.01.22 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-04-17 23:07 . 2010-04-17 23:07 16384 c:\windows\temp\Perflib_Perfdata_7d8.dat
    + 2009-01-20 20:20 . 2010-04-17 23:03 72134 c:\windows\system32\perfc009.dat
    - 2009-01-20 20:20 . 2010-04-16 14:38 72134 c:\windows\system32\perfc009.dat
    + 2009-01-20 20:20 . 2010-04-17 23:03 443034 c:\windows\system32\perfh009.dat
    - 2009-01-20 20:20 . 2010-04-16 14:38 443034 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-24 68856]
    "Google Update "= "c:\documents and settings\Sampson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-16 133104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
    "BlackBerryAutoUpdate "= "c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
    "HitmanPro35 "= "c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-04-08 5650240]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting "= "c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @= "Service "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
    backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
    Alaunch [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-06-12 10:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2008-06-19 23:20 57344 ----a-w- c:\windows\ALCMTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]
    2008-10-03 19:18 294544 ----a-w- c:\program files\Carbonite\CarbonitePreinstaller.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
    2008-09-04 05:46 425984 ----a-w- c:\acer\Empowering Technology\eRecovery\eRAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    2009-01-20 19:22 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2009-09-16 16:05 133104 ----atw- c:\documents and settings\Sampson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    2008-04-14 20:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2008-12-03 06:41 3882312 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
    2008-04-14 20:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    2008-04-14 20:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    2008-04-14 20:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2008-12-30 21:58 18082304 ----a-w- c:\windows\RTHDCPL.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-12-09 20:50 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2009-07-24 08:14 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2008-04-25 16:32 1044480 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001
    "FirewallOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)
    "DisableNotifications "= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe "=
    "c:\\Program Files\\uTorrent\\uTorrent.exe "=
    "c:\\Documents and Settings\\Sampson\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll "=
    "c:\\Documents and Settings\\Sampson\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Documents and Settings\\Sampson\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5910:TCP "= 5910:TCP:vnc5910

    R2 CrossLoopService;CrossLoop Service;c:\documents and settings\Sampson\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [2/22/2010 10:11 AM 560792]
    R2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\QDLService\QDLService.exe [11/10/2008 2:43 AM 345336]
    S1 adfyiqew;adfyiqew;\??\c:\windows\system32\drivers\adfyiqew.sys --> c:\windows\system32\drivers\adfyiqew.sys [?]
    S1 afiwatfs;afiwatfs;\??\c:\windows\system32\drivers\afiwatfs.sys --> c:\windows\system32\drivers\afiwatfs.sys [?]
    S1 ailgulld;ailgulld;\??\c:\windows\system32\drivers\ailgulld.sys --> c:\windows\system32\drivers\ailgulld.sys [?]
    S1 aisggsig;aisggsig;\??\c:\windows\system32\drivers\aisggsig.sys --> c:\windows\system32\drivers\aisggsig.sys [?]
    S1 alruyfvg;alruyfvg;\??\c:\windows\system32\drivers\alruyfvg.sys --> c:\windows\system32\drivers\alruyfvg.sys [?]
    S1 apkxbpue;apkxbpue;\??\c:\windows\system32\drivers\apkxbpue.sys --> c:\windows\system32\drivers\apkxbpue.sys [?]
    S1 atmmxame;atmmxame;\??\c:\windows\system32\drivers\atmmxame.sys --> c:\windows\system32\drivers\atmmxame.sys [?]
    S1 bumfnder;bumfnder;\??\c:\windows\system32\drivers\bumfnder.sys --> c:\windows\system32\drivers\bumfnder.sys [?]
    S1 busaarbc;busaarbc;\??\c:\windows\system32\drivers\busaarbc.sys --> c:\windows\system32\drivers\busaarbc.sys [?]
    S1 bxydhbzh;bxydhbzh;\??\c:\windows\system32\drivers\bxydhbzh.sys --> c:\windows\system32\drivers\bxydhbzh.sys [?]
    S1 cifivddr;cifivddr;\??\c:\windows\system32\drivers\cifivddr.sys --> c:\windows\system32\drivers\cifivddr.sys [?]
    S1 cpoxzgoh;cpoxzgoh;\??\c:\windows\system32\drivers\cpoxzgoh.sys --> c:\windows\system32\drivers\cpoxzgoh.sys [?]
    S1 cvermjmb;cvermjmb;\??\c:\windows\system32\drivers\cvermjmb.sys --> c:\windows\system32\drivers\cvermjmb.sys [?]
    S1 cxiotagl;cxiotagl;\??\c:\windows\system32\drivers\cxiotagl.sys --> c:\windows\system32\drivers\cxiotagl.sys [?]
    S1 cyyymcxa;cyyymcxa;\??\c:\windows\system32\drivers\cyyymcxa.sys --> c:\windows\system32\drivers\cyyymcxa.sys [?]
    S1 daxohfla;daxohfla;\??\c:\windows\system32\drivers\daxohfla.sys --> c:\windows\system32\drivers\daxohfla.sys [?]
    S1 dwttwlcm;dwttwlcm;\??\c:\windows\system32\drivers\dwttwlcm.sys --> c:\windows\system32\drivers\dwttwlcm.sys [?]
    S1 eluhfmvh;eluhfmvh;\??\c:\windows\system32\drivers\eluhfmvh.sys --> c:\windows\system32\drivers\eluhfmvh.sys [?]
    S1 enrwgrwn;enrwgrwn;\??\c:\windows\system32\drivers\enrwgrwn.sys --> c:\windows\system32\drivers\enrwgrwn.sys [?]
    S1 envjojgn;envjojgn;\??\c:\windows\system32\drivers\envjojgn.sys --> c:\windows\system32\drivers\envjojgn.sys [?]
    S1 eoypwiud;eoypwiud;\??\c:\windows\system32\drivers\eoypwiud.sys --> c:\windows\system32\drivers\eoypwiud.sys [?]
    S1 excptvku;excptvku;\??\c:\windows\system32\drivers\excptvku.sys --> c:\windows\system32\drivers\excptvku.sys [?]
    S1 fneemrct;fneemrct;\??\c:\windows\system32\drivers\fneemrct.sys --> c:\windows\system32\drivers\fneemrct.sys [?]
    S1 fyzzajvd;fyzzajvd;\??\c:\windows\system32\drivers\fyzzajvd.sys --> c:\windows\system32\drivers\fyzzajvd.sys [?]
    S1 gcgtyqnz;gcgtyqnz;\??\c:\windows\system32\drivers\gcgtyqnz.sys --> c:\windows\system32\drivers\gcgtyqnz.sys [?]
    S1 glgrkqgo;glgrkqgo;\??\c:\windows\system32\drivers\glgrkqgo.sys --> c:\windows\system32\drivers\glgrkqgo.sys [?]
    S1 gxkhluqx;gxkhluqx;\??\c:\windows\system32\drivers\gxkhluqx.sys --> c:\windows\system32\drivers\gxkhluqx.sys [?]
    S1 hcmqfbkr;hcmqfbkr;\??\c:\windows\system32\drivers\hcmqfbkr.sys --> c:\windows\system32\drivers\hcmqfbkr.sys [?]
    S1 hemwhtco;hemwhtco;\??\c:\windows\system32\drivers\hemwhtco.sys --> c:\windows\system32\drivers\hemwhtco.sys [?]
    S1 hnflobwb;hnflobwb;\??\c:\windows\system32\drivers\hnflobwb.sys --> c:\windows\system32\drivers\hnflobwb.sys [?]
    S1 hsdzegox;hsdzegox;\??\c:\windows\system32\drivers\hsdzegox.sys --> c:\windows\system32\drivers\hsdzegox.sys [?]
    S1 htiattnr;htiattnr;\??\c:\windows\system32\drivers\htiattnr.sys --> c:\windows\system32\drivers\htiattnr.sys [?]
    S1 htiffrkc;htiffrkc;\??\c:\windows\system32\drivers\htiffrkc.sys --> c:\windows\system32\drivers\htiffrkc.sys [?]
    S1 iemmvdae;iemmvdae;\??\c:\windows\system32\drivers\iemmvdae.sys --> c:\windows\system32\drivers\iemmvdae.sys [?]
    S1 iigpwxuz;iigpwxuz;\??\c:\windows\system32\drivers\iigpwxuz.sys --> c:\windows\system32\drivers\iigpwxuz.sys [?]
    S1 ivmxxizo;ivmxxizo;\??\c:\windows\system32\drivers\ivmxxizo.sys --> c:\windows\system32\drivers\ivmxxizo.sys [?]
    S1 jigqmujs;jigqmujs;\??\c:\windows\system32\drivers\jigqmujs.sys --> c:\windows\system32\drivers\jigqmujs.sys [?]
    S1 jkxixymb;jkxixymb;\??\c:\windows\system32\drivers\jkxixymb.sys --> c:\windows\system32\drivers\jkxixymb.sys [?]
    S1 jodvzvic;jodvzvic;\??\c:\windows\system32\drivers\jodvzvic.sys --> c:\windows\system32\drivers\jodvzvic.sys [?]
    S1 jrsbflhy;jrsbflhy;\??\c:\windows\system32\drivers\jrsbflhy.sys --> c:\windows\system32\drivers\jrsbflhy.sys [?]
    S1 jwjstrcn;jwjstrcn;\??\c:\windows\system32\drivers\jwjstrcn.sys --> c:\windows\system32\drivers\jwjstrcn.sys [?]
    S1 jyaajtlb;jyaajtlb;\??\c:\windows\system32\drivers\jyaajtlb.sys --> c:\windows\system32\drivers\jyaajtlb.sys [?]
    S1 kcknzwpd;kcknzwpd;\??\c:\windows\system32\drivers\kcknzwpd.sys --> c:\windows\system32\drivers\kcknzwpd.sys [?]
    S1 kdhzzjrp;kdhzzjrp;\??\c:\windows\system32\drivers\kdhzzjrp.sys --> c:\windows\system32\drivers\kdhzzjrp.sys [?]
    S1 keagzpqu;keagzpqu;\??\c:\windows\system32\drivers\keagzpqu.sys --> c:\windows\system32\drivers\keagzpqu.sys [?]
    S1 kjzewzjg;kjzewzjg;\??\c:\windows\system32\drivers\kjzewzjg.sys --> c:\windows\system32\drivers\kjzewzjg.sys [?]
    S1 klikbyhe;klikbyhe;\??\c:\windows\system32\drivers\klikbyhe.sys --> c:\windows\system32\drivers\klikbyhe.sys [?]
    S1 kqqjhrxt;kqqjhrxt;\??\c:\windows\system32\drivers\kqqjhrxt.sys --> c:\windows\system32\drivers\kqqjhrxt.sys [?]
    S1 ldmhzbfv;ldmhzbfv;\??\c:\windows\system32\drivers\ldmhzbfv.sys --> c:\windows\system32\drivers\ldmhzbfv.sys [?]
    S1 leuaoesr;leuaoesr;\??\c:\windows\system32\drivers\leuaoesr.sys --> c:\windows\system32\drivers\leuaoesr.sys [?]
    S1 lgpeogpg;lgpeogpg;\??\c:\windows\system32\drivers\lgpeogpg.sys --> c:\windows\system32\drivers\lgpeogpg.sys [?]
    S1 lnbhhpva;lnbhhpva;\??\c:\windows\system32\drivers\lnbhhpva.sys --> c:\windows\system32\drivers\lnbhhpva.sys [?]
    S1 lnemnyam;lnemnyam;\??\c:\windows\system32\drivers\lnemnyam.sys --> c:\windows\system32\drivers\lnemnyam.sys [?]
    S1 lnlshdlv;lnlshdlv;\??\c:\windows\system32\drivers\lnlshdlv.sys --> c:\windows\system32\drivers\lnlshdlv.sys [?]
    S1 lotqaikm;lotqaikm;\??\c:\windows\system32\drivers\lotqaikm.sys --> c:\windows\system32\drivers\lotqaikm.sys [?]
    S1 lsadewkd;lsadewkd;\??\c:\windows\system32\drivers\lsadewkd.sys --> c:\windows\system32\drivers\lsadewkd.sys [?]
    S1 mdosmnaq;mdosmnaq;\??\c:\windows\system32\drivers\mdosmnaq.sys --> c:\windows\system32\drivers\mdosmnaq.sys [?]
    S1 mkbxtgce;mkbxtgce;\??\c:\windows\system32\drivers\mkbxtgce.sys --> c:\windows\system32\drivers\mkbxtgce.sys [?]
    S1 mkjkywdx;mkjkywdx;\??\c:\windows\system32\drivers\mkjkywdx.sys --> c:\windows\system32\drivers\mkjkywdx.sys [?]
    S1 mpbptoxg;mpbptoxg;\??\c:\windows\system32\drivers\mpbptoxg.sys --> c:\windows\system32\drivers\mpbptoxg.sys [?]
    S1 MpKsl99f20418;MpKsl99f20418;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{41DFD1F1-65AD-45EC-8545-DC6EDCAB87F4}\MpKsl99f20418.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{41DFD1F1-65AD-45EC-8545-DC6EDCAB87F4}\MpKsl99f20418.sys [?]
    S1 MpKslf9fd7228;MpKslf9fd7228;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{525AEC6A-FB13-4240-83B4-26F43F814CD5}\MpKslf9fd7228.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{525AEC6A-FB13-4240-83B4-26F43F814CD5}\MpKslf9fd7228.sys [?]
    S1 mxghughy;mxghughy;\??\c:\windows\system32\drivers\mxghughy.sys --> c:\windows\system32\drivers\mxghughy.sys [?]
    S1 nlanccde;nlanccde;\??\c:\windows\system32\drivers\nlanccde.sys --> c:\windows\system32\drivers\nlanccde.sys [?]
    S1 npmyxkah;npmyxkah;\??\c:\windows\system32\drivers\npmyxkah.sys --> c:\windows\system32\drivers\npmyxkah.sys [?]
    S1 octroxqf;octroxqf;\??\c:\windows\system32\drivers\octroxqf.sys --> c:\windows\system32\drivers\octroxqf.sys [?]
    S1 oewprgpm;oewprgpm;\??\c:\windows\system32\drivers\oewprgpm.sys --> c:\windows\system32\drivers\oewprgpm.sys [?]
    S1 ofepepqd;ofepepqd;\??\c:\windows\system32\drivers\ofepepqd.sys --> c:\windows\system32\drivers\ofepepqd.sys [?]
    S1 pioikkst;pioikkst;\??\c:\windows\system32\drivers\pioikkst.sys --> c:\windows\system32\drivers\pioikkst.sys [?]
    S1 pjgooijz;pjgooijz;\??\c:\windows\system32\drivers\pjgooijz.sys --> c:\windows\system32\drivers\pjgooijz.sys [?]
    S1 plucvslj;plucvslj;\??\c:\windows\system32\drivers\plucvslj.sys --> c:\windows\system32\drivers\plucvslj.sys [?]
    S1 ppefzsvk;ppefzsvk;\??\c:\windows\system32\drivers\ppefzsvk.sys --> c:\windows\system32\drivers\ppefzsvk.sys [?]
    S1 ppvopmjx;ppvopmjx;\??\c:\windows\system32\drivers\ppvopmjx.sys --> c:\windows\system32\drivers\ppvopmjx.sys [?]
    S1 pseexmir;pseexmir;\??\c:\windows\system32\drivers\pseexmir.sys --> c:\windows\system32\drivers\pseexmir.sys [?]
    S1 qfohcaif;qfohcaif;\??\c:\windows\system32\drivers\qfohcaif.sys --> c:\windows\system32\drivers\qfohcaif.sys [?]
    S1 qgtuwpbk;qgtuwpbk;\??\c:\windows\system32\drivers\qgtuwpbk.sys --> c:\windows\system32\drivers\qgtuwpbk.sys [?]
    S1 qtfqfaua;qtfqfaua;\??\c:\windows\system32\drivers\qtfqfaua.sys --> c:\windows\system32\drivers\qtfqfaua.sys [?]
    S1 rkxiudjf;rkxiudjf;\??\c:\windows\system32\drivers\rkxiudjf.sys --> c:\windows\system32\drivers\rkxiudjf.sys [?]
    S1 sgpszqvc;sgpszqvc;\??\c:\windows\system32\drivers\sgpszqvc.sys --> c:\windows\system32\drivers\sgpszqvc.sys [?]
    S1 svfexkuk;svfexkuk;\??\c:\windows\system32\drivers\svfexkuk.sys --> c:\windows\system32\drivers\svfexkuk.sys [?]
    S1 tbwvivmo;tbwvivmo;\??\c:\windows\system32\drivers\tbwvivmo.sys --> c:\windows\system32\drivers\tbwvivmo.sys [?]
    S1 tcjsouln;tcjsouln;\??\c:\windows\system32\drivers\tcjsouln.sys --> c:\windows\system32\drivers\tcjsouln.sys [?]
    S1 tcxftcir;tcxftcir;\??\c:\windows\system32\drivers\tcxftcir.sys --> c:\windows\system32\drivers\tcxftcir.sys [?]
    S1 teoblrbl;teoblrbl;\??\c:\windows\system32\drivers\teoblrbl.sys --> c:\windows\system32\drivers\teoblrbl.sys [?]
    S1 tfttfuvx;tfttfuvx;\??\c:\windows\system32\drivers\tfttfuvx.sys --> c:\windows\system32\drivers\tfttfuvx.sys [?]
    S1 tidfpoko;tidfpoko;\??\c:\windows\system32\drivers\tidfpoko.sys --> c:\windows\system32\drivers\tidfpoko.sys [?]
    S1 toqfbdod;toqfbdod;\??\c:\windows\system32\drivers\toqfbdod.sys --> c:\windows\system32\drivers\toqfbdod.sys [?]
    S1 tutpypmd;tutpypmd;\??\c:\windows\system32\drivers\tutpypmd.sys --> c:\windows\system32\drivers\tutpypmd.sys [?]
    S1 uajvtaov;uajvtaov;\??\c:\windows\system32\drivers\uajvtaov.sys --> c:\windows\system32\drivers\uajvtaov.sys [?]
    S1 uqabyyyb;uqabyyyb;\??\c:\windows\system32\drivers\uqabyyyb.sys --> c:\windows\system32\drivers\uqabyyyb.sys [?]
    S1 uxmsljlj;uxmsljlj;\??\c:\windows\system32\drivers\uxmsljlj.sys --> c:\windows\system32\drivers\uxmsljlj.sys [?]
    S1 vbetfiky;vbetfiky;\??\c:\windows\system32\drivers\vbetfiky.sys --> c:\windows\system32\drivers\vbetfiky.sys [?]
    S1 vczqsput;vczqsput;\??\c:\windows\system32\drivers\vczqsput.sys --> c:\windows\system32\drivers\vczqsput.sys [?]
    S1 vdsyuxmu;vdsyuxmu;\??\c:\windows\system32\drivers\vdsyuxmu.sys --> c:\windows\system32\drivers\vdsyuxmu.sys [?]
    S1 vfseajww;vfseajww;\??\c:\windows\system32\drivers\vfseajww.sys --> c:\windows\system32\drivers\vfseajww.sys [?]
    S1 vrmxrfzv;vrmxrfzv;\??\c:\windows\system32\drivers\vrmxrfzv.sys --> c:\windows\system32\drivers\vrmxrfzv.sys [?]
    S1 vrnrdnbt;vrnrdnbt;\??\c:\windows\system32\drivers\vrnrdnbt.sys --> c:\windows\system32\drivers\vrnrdnbt.sys [?]
    S1 vspqeuet;vspqeuet;\??\c:\windows\system32\drivers\vspqeuet.sys --> c:\windows\system32\drivers\vspqeuet.sys [?]
    S1 wbcksbzu;wbcksbzu;\??\c:\windows\system32\drivers\wbcksbzu.sys --> c:\windows\system32\drivers\wbcksbzu.sys [?]
    S1 weeqjijd;weeqjijd;\??\c:\windows\system32\drivers\weeqjijd.sys --> c:\windows\system32\drivers\weeqjijd.sys [?]
    S1 wgppprhv;wgppprhv;\??\c:\windows\system32\drivers\wgppprhv.sys --> c:\windows\system32\drivers\wgppprhv.sys [?]
    S1 wjjinjiw;wjjinjiw;\??\c:\windows\system32\drivers\wjjinjiw.sys --> c:\windows\system32\drivers\wjjinjiw.sys [?]
    S1 wkaoilby;wkaoilby;\??\c:\windows\system32\drivers\wkaoilby.sys --> c:\windows\system32\drivers\wkaoilby.sys [?]
    S1 wvcrotwx;wvcrotwx;\??\c:\windows\system32\drivers\wvcrotwx.sys --> c:\windows\system32\drivers\wvcrotwx.sys [?]
    S1 xdtmlija;xdtmlija;\??\c:\windows\system32\drivers\xdtmlija.sys --> c:\windows\system32\drivers\xdtmlija.sys [?]
    S1 xhlsrnsk;xhlsrnsk;\??\c:\windows\system32\drivers\xhlsrnsk.sys --> c:\windows\system32\drivers\xhlsrnsk.sys [?]
    S1 xkjwarsp;xkjwarsp;\??\c:\windows\system32\drivers\xkjwarsp.sys --> c:\windows\system32\drivers\xkjwarsp.sys [?]
    S1 xmaiqrfy;xmaiqrfy;\??\c:\windows\system32\drivers\xmaiqrfy.sys --> c:\windows\system32\drivers\xmaiqrfy.sys [?]
    S1 xqljlier;xqljlier;\??\c:\windows\system32\drivers\xqljlier.sys --> c:\windows\system32\drivers\xqljlier.sys [?]
    S1 xumzmlmm;xumzmlmm;\??\c:\windows\system32\drivers\xumzmlmm.sys --> c:\windows\system32\drivers\xumzmlmm.sys [?]
    S1 xvrqezgj;xvrqezgj;\??\c:\windows\system32\drivers\xvrqezgj.sys --> c:\windows\system32\drivers\xvrqezgj.sys [?]
    S1 xvtsyrth;xvtsyrth;\??\c:\windows\system32\drivers\xvtsyrth.sys --> c:\windows\system32\drivers\xvtsyrth.sys [?]
    S1 xwcdgmtg;xwcdgmtg;\??\c:\windows\system32\drivers\xwcdgmtg.sys --> c:\windows\system32\drivers\xwcdgmtg.sys [?]
    S1 xxrjdfft;xxrjdfft;\??\c:\windows\system32\drivers\xxrjdfft.sys --> c:\windows\system32\drivers\xxrjdfft.sys [?]
    S1 zazgskap;zazgskap;\??\c:\windows\system32\drivers\zazgskap.sys --> c:\windows\system32\drivers\zazgskap.sys [?]
    S1 zdcxqdaw;zdcxqdaw;\??\c:\windows\system32\drivers\zdcxqdaw.sys --> c:\windows\system32\drivers\zdcxqdaw.sys [?]
    S1 zgunwcaw;zgunwcaw;\??\c:\windows\system32\drivers\zgunwcaw.sys --> c:\windows\system32\drivers\zgunwcaw.sys [?]
    S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/20/2009 3:22 PM 30192]
    S3 QCFilterGAD;Gobi AD USB Composite Device Filter Driver;c:\windows\system32\drivers\qcfilterGAD.sys [7/24/2009 4:08 AM 5248]
    S3 qcusbnetGAD;Gobi AD USB-NDIS miniport;c:\windows\system32\drivers\qcusbnetGAD.sys [7/24/2009 4:08 AM 115200]
    S3 qcusbserGAD;Gobi AD USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbserGAD.sys [2/17/2009 12:42 AM 103680]
    S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
    S3 uvnc_service;uvnc_service;c:\documents and settings\Sampson\Local Settings\Application Data\CrossLoop\winvnc.exe [2/22/2010 10:11 AM 1590216]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-17 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-24 15:43]

    2010-04-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776817393-1407352519-815249355-1006Core.job
    - c:\documents and settings\Sampson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-16 16:05]

    2010-04-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776817393-1407352519-815249355-1006UA.job
    - c:\documents and settings\Sampson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-16 16:05]

    2010-04-17 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 23:02]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=aoa150
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=aoa150
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\Sampson\Application Data\Mozilla\Firefox\Profiles\l85e7cm8.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com
    FF - plugin: c:\documents and settings\Sampson\Application Data\Move Networks\plugins\npqmp071505000010.dll
    FF - plugin: c:\documents and settings\Sampson\Application Data\Move Networks\plugins\npqmp071505000011.dll
    FF - plugin: c:\documents and settings\Sampson\Application Data\Mozilla\Firefox\Profiles\l85e7cm8.default\extensions\justintvpublisher@justin.tv\platform\WINNT_x86-msvc\plugins\npjustintvpublish.dll
    FF - plugin: c:\documents and settings\Sampson\Application Data\Mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\Sampson\Application Data\Mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\Sampson\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1908.5032\npCIDetect14.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-Actual Keylogger_is1 - c:\program files\AKProg\unins000.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-17 19:07
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2640)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft Security Essentials\MsMpEng.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\igfxsrvc.exe
    .
    **************************************************************************
    .
    Completion time: 2010-04-17 19:12:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-04-17 23:12
    ComboFix2.txt 2010-04-17 02:06
    ComboFix3.txt 2010-04-16 21:23
    ComboFix4.txt 2010-04-16 15:07
    ComboFix5.txt 2010-04-17 22:54

    Pre-Run: 135,268,179,968 bytes free
    Post-Run: 135,398,662,144 bytes free

    - - End Of File - - 024BF0D2552069D0203943E6BA75BE61
     
  8. 2010/04/17
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    I have a really big job for you now. I need you to check a heap of files for infection, but mainly to check if they actually exist on the pc.

    Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

    c:\windows\system32\drivers\adfyiqew.sys
    c:\windows\system32\drivers\afiwatfs.sys
    c:\windows\system32\drivers\ailgulld.sys
    c:\windows\system32\drivers\aisggsig.sys
    c:\windows\system32\drivers\alruyfvg.sys
    c:\windows\system32\drivers\apkxbpue.sys
    c:\windows\system32\drivers\atmmxame.sys
    c:\windows\system32\drivers\bumfnder.sys
    c:\windows\system32\drivers\busaarbc.sys
    c:\windows\system32\drivers\bxydhbzh.sys
    c:\windows\system32\drivers\cifivddr.sys
    c:\windows\system32\drivers\cpoxzgoh.sys
    c:\windows\system32\drivers\cvermjmb.sys
    c:\windows\system32\drivers\cxiotagl.sys
    c:\windows\system32\drivers\cyyymcxa.sys
    c:\windows\system32\drivers\daxohfla.sys
    c:\windows\system32\drivers\dwttwlcm.sys
    c:\windows\system32\drivers\eluhfmvh.sys
    c:\windows\system32\drivers\enrwgrwn.sys
    c:\windows\system32\drivers\envjojgn.sys
    c:\windows\system32\drivers\eoypwiud.sys
    c:\windows\system32\drivers\excptvku.sys
    c:\windows\system32\drivers\fneemrct.sys
    c:\windows\system32\drivers\gcgtyqnz.sys
    c:\windows\system32\drivers\glgrkqgo.sys
    c:\windows\system32\drivers\gxkhluqx.sys
    c:\windows\system32\drivers\hcmqfbkr.sys
    c:\windows\system32\drivers\hemwhtco.sys
    c:\windows\system32\drivers\hnflobwb.sys
    c:\windows\system32\drivers\hsdzegox.sys
    c:\windows\system32\drivers\htiattnr.sys
    c:\windows\system32\drivers\htiffrkc.sys
    c:\windows\system32\drivers\iemmvdae.sys
    c:\windows\system32\drivers\iigpwxuz.sys
    c:\windows\system32\drivers\ivmxxizo.sys
    c:\windows\system32\drivers\jigqmujs.sys
    c:\windows\system32\drivers\jkxixymb.sys
    c:\windows\system32\drivers\jodvzvic.sys
    c:\windows\system32\drivers\jrsbflhy.sys
    c:\windows\system32\drivers\jwjstrcn.sys
    c:\windows\system32\drivers\jyaajtlb.sys
    c:\windows\system32\drivers\kcknzwpd.sys
    c:\windows\system32\drivers\kdhzzjrp.sys
    c:\windows\system32\drivers\keagzpqu.sys
    c:\windows\system32\drivers\kjzewzjg.sys
    c:\windows\system32\drivers\klikbyhe.sys
    c:\windows\system32\drivers\kqqjhrxt.sys
    c:\windows\system32\drivers\ldmhzbfv.sys
    c:\windows\system32\drivers\leuaoesr.sys
    c:\windows\system32\drivers\lgpeogpg.sys
    c:\windows\system32\drivers\lnbhhpva.sys
    c:\windows\system32\drivers\lnemnyam.sys
    c:\windows\system32\drivers\lnlshdlv.sys
    c:\windows\system32\drivers\lotqaikm.sys
    c:\windows\system32\drivers\lsadewkd.sys
    c:\windows\system32\drivers\mdosmnaq.sys
    c:\windows\system32\drivers\mkbxtgce.sys
    c:\windows\system32\drivers\mkjkywdx.sys
    c:\windows\system32\drivers\mpbptoxg.sys
    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{41dfd1f1-65ad-45ec-8545-dc6edcab87f4}\MpKsl99f20418.sys
    c:\windows\system32\drivers\mxghughy.sys
    c:\windows\system32\drivers\nlanccde.sys
    c:\windows\system32\drivers\npmyxkah.sys
    c:\windows\system32\drivers\octroxqf.sys
    c:\windows\system32\drivers\oewprgpm.sys
    c:\windows\system32\drivers\ofepepqd.sys
    c:\windows\system32\drivers\pioikkst.sys
    c:\windows\system32\drivers\pjgooijz.sys
    c:\windows\system32\drivers\plucvslj.sys
    c:\windows\system32\drivers\ppefzsvk.sys
    c:\windows\system32\drivers\ppvopmjx.sys
    c:\windows\system32\drivers\pseexmir.sys
    c:\windows\system32\drivers\qfohcaif.sys
    c:\windows\system32\drivers\qgtuwpbk.sys
    c:\windows\system32\drivers\qtfqfaua.sys
    c:\windows\system32\drivers\rkxiudjf.sys
    c:\windows\system32\drivers\sgpszqvc.sys
    c:\windows\system32\drivers\svfexkuk.sys
    c:\windows\system32\drivers\tbwvivmo.sys
    c:\windows\system32\drivers\tcjsouln.sys
    c:\windows\system32\drivers\tcxftcir.sys
    c:\windows\system32\drivers\teoblrbl.sys
    c:\windows\system32\drivers\tfttfuvx.sys
    c:\windows\system32\drivers\tidfpoko.sys
    c:\windows\system32\drivers\toqfbdod.sys
    c:\windows\system32\drivers\tutpypmd.sys
    c:\windows\system32\drivers\uajvtaov.sys
    c:\windows\system32\drivers\uqabyyyb.sys
    c:\windows\system32\drivers\vbetfiky.sys
    c:\windows\system32\drivers\vczqsput.sys
    c:\windows\system32\drivers\vdsyuxmu.sys
    c:\windows\system32\drivers\vfseajww.sys
    c:\windows\system32\drivers\vrmxrfzv.sys
    c:\windows\system32\drivers\vrnrdnbt.sys
    c:\windows\system32\drivers\vspqeuet.sys
    c:\windows\system32\drivers\wbcksbzu.sys
    c:\windows\system32\drivers\weeqjijd.sys
    c:\windows\system32\drivers\wgppprhv.sys
    c:\windows\system32\drivers\wjjinjiw.sys
    c:\windows\system32\drivers\wkaoilby.sys
    c:\windows\system32\drivers\wvcrotwx.sys
    c:\windows\system32\drivers\xdtmlija.sys
    c:\windows\system32\drivers\xhlsrnsk.sys
    c:\windows\system32\drivers\xkjwarsp.sys
    c:\windows\system32\drivers\xmaiqrfy.sys
    c:\windows\system32\drivers\xqljlier.sys
    c:\windows\system32\drivers\xumzmlmm.sys
    c:\windows\system32\drivers\xvrqezgj.sys
    c:\windows\system32\drivers\xvtsyrth.sys
    c:\windows\system32\drivers\xwcdgmtg.sys
    c:\windows\system32\drivers\xxrjdfft.sys
    c:\windows\system32\drivers\zazgskap.sys
    c:\windows\system32\drivers\zdcxqdaw.sys
    c:\windows\system32\drivers\zgunwcaw.sys
     
  9. 2010/04/17
    wealthymike

    wealthymike Inactive Thread Starter

    Joined:
    2010/04/09
    Messages:
    112
    Likes Received:
    0
    None of the files listed are on my computer
     
  10. 2010/04/18
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    Code:
    KillAll::
    
    Domains::
    
    Driver::
    adfyiqew
    afiwatfs
    ailgulld
    aisggsig
    alruyfvg
    apkxbpue
    atmmxame
    bumfnder
    busaarbc
    bxydhbzh
    cifivddr
    cpoxzgoh
    cvermjmb
    cxiotagl
    cyyymcxa
    daxohfla
    dwttwlcm
    eluhfmvh
    enrwgrwn
    envjojgn
    eoypwiud
    excptvku
    fneemrct
    fyzzajvd
    gcgtyqnz
    glgrkqgo
    gxkhluqx
    hcmqfbkr
    hemwhtco
    hnflobwb
    hsdzegox
    htiattnr
    htiffrkc
    iemmvdae
    iigpwxuz
    ivmxxizo
    jigqmujs
    jkxixymb
    jodvzvic
    jrsbflhy
    jwjstrcn
    jyaajtlb
    kcknzwpd
    kdhzzjrp
    keagzpqu
    kjzewzjg
    klikbyhe
    kqqjhrxt
    ldmhzbfv
    leuaoesr
    lgpeogpg
    lnbhhpva
    lnemnyam
    lnlshdlv
    lotqaikm
    lsadewkd
    mdosmnaq
    mkbxtgce
    mkjkywdx
    mpbptoxg
    MpKsl99f20418
    MpKslf9fd7228
    mxghughy
    nlanccde
    npmyxkah
    octroxqf
    oewprgpm
    ofepepqd
    pioikkst
    pjgooijz
    plucvslj
    ppefzsvk
    ppvopmjx
    pseexmir
    qfohcaif
    qgtuwpbk
    qtfqfaua
    rkxiudjf
    sgpszqvc
    svfexkuk
    tbwvivmo
    tcjsouln
    tcxftcir
    teoblrbl
    tfttfuvx
    tidfpoko
    toqfbdod
    tutpypmd
    uajvtaov
    uqabyyyb
    uxmsljlj
    vbetfiky
    vczqsput
    vdsyuxmu
    vfseajww
    vrmxrfzv
    vrnrdnbt
    vspqeuet
    wbcksbzu
    weeqjijd
    wgppprhv
    wjjinjiw
    wkaoilby
    wvcrotwx
    xdtmlija
    xhlsrnsk
    xkjwarsp
    xmaiqrfy
    xqljlier
    xumzmlmm
    xvrqezgj
    xvtsyrth
    xwcdgmtg
    xxrjdfft
    zazgskap
    zdcxqdaw
    zgunwcaw
    RkPavproc1
    
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Physically disconnect from the internet.

    5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
    • Combofix.txt
    Please take note:

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    ==

    Let me know how the PC is now please.
     
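    One way to pull that Driver:: list out of a ComboFix log mechanically, as an added example that is not from this thread or from ComboFix's authors: it parses service entries in the format shown in the log earlier in the thread, keeps those where ComboFix printed `[?]` in place of the file's date and size (the driver file was not on disk, as wealthymike confirmed) and whose name is eight random lowercase letters, and renders them as a CFScript Driver:: section. Orphaned entries with a non-random name (RkPavproc1 in the sample) are set aside for manual review instead of being listed automatically; the sample log lines are constructed from the thread's format.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the ComboFix service-entry format seen in this thread
# (start type, name;display name;image path, then either [date time size]
# or [?] when ComboFix could not read the file on disk).
SAMPLE_LOG = r"""
S1 uxmsljlj;uxmsljlj;\??\c:\windows\system32\drivers\uxmsljlj.sys --> c:\windows\system32\drivers\uxmsljlj.sys [?]
S1 vbetfiky;vbetfiky;\??\c:\windows\system32\drivers\vbetfiky.sys --> c:\windows\system32\drivers\vbetfiky.sys [?]
S3 QCFilterGAD;Gobi AD USB Composite Device Filter Driver;c:\windows\system32\drivers\qcfilterGAD.sys [7/24/2009 4:08 AM 5248]
S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
S3 uvnc_service;uvnc_service;c:\documents and settings\Sampson\Local Settings\Application Data\CrossLoop\winvnc.exe [2/22/2010 10:11 AM 1590216]
"""

SERVICE_LINE = re.compile(
    r"^(?P<start>[RS]\d)\s+"        # start type, e.g. S1 (system) or S3 (manual)
    r"(?P<name>[^;]+);"             # service key name
    r"(?P<display>[^;]*);"          # display name
    r"(?P<path>.+?)\s+"             # image path (may contain ' --> resolved path')
    r"\[(?P<stamp>[^\]]*)\]\s*$"    # [date time size] or [?]
)

# Eight lowercase letters with no meaning: the naming pattern of every
# orphaned driver entry in the log above.
RANDOM_NAME = re.compile(r"^[a-z]{8}$")


@dataclass
class ServiceEntry:
    start: str
    name: str
    display: str
    path: str
    stamp: str

    @property
    def file_missing(self) -> bool:
        # ComboFix prints [?] where it would otherwise print the file's date and size.
        return self.stamp.strip() == "?"

    @property
    def random_named(self) -> bool:
        return RANDOM_NAME.match(self.name) is not None


def parse_services(log: str) -> List[ServiceEntry]:
    """Parse every service/driver line of a ComboFix log; other lines are skipped."""
    entries = []
    for raw in log.splitlines():
        m = SERVICE_LINE.match(raw.strip())
        if m:
            entries.append(ServiceEntry(**m.groupdict()))
    return entries


def orphaned_random_drivers(entries: List[ServiceEntry]) -> List[str]:
    """Names that are both missing on disk and random-named: candidates for Driver::."""
    return [e.name for e in entries if e.file_missing and e.random_named]


def needs_manual_review(entries: List[ServiceEntry]) -> List[str]:
    """Missing on disk but with a non-random name: decide by hand, do not auto-list."""
    return [e.name for e in entries if e.file_missing and not e.random_named]


def build_cfscript(driver_names: List[str]) -> str:
    """Render a minimal CFScript with a Driver:: section, as used in the thread."""
    lines = ["KillAll::", "", "Driver::", *driver_names, ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_services(SAMPLE_LOG)
    print(build_cfscript(orphaned_random_drivers(found)))
    print("manual review:", needs_manual_review(found))
```

Run against the full log, the Driver:: output reproduces the bulk of the list in the post above; RkPavproc1 and the MpKsl entries are the ones a helper adds by hand.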
  11. 2010/04/18
    wealthymike

    wealthymike Inactive Thread Starter

    Joined:
    2010/04/09
    Messages:
    112
    Likes Received:
    0
    ComboFix 10-04-17.05 - Sampson 04/18/2010 9:15.6.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.289 [GMT -4:00]
    Running from: c:\documents and settings\Sampson\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Sampson\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\dbghlp.dll . . . is infected!!

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MPKSL99F20418
    -------\Legacy_MPKSLF9FD7228
    -------\Service_adfyiqew
    -------\Service_afiwatfs
    -------\Service_ailgulld
    -------\Service_aisggsig
    -------\Service_alruyfvg
    -------\Service_apkxbpue
    -------\Service_atmmxame
    -------\Service_bumfnder
    -------\Service_busaarbc
    -------\Service_bxydhbzh
    -------\Service_cifivddr
    -------\Service_cpoxzgoh
    -------\Service_cvermjmb
    -------\Service_cxiotagl
    -------\Service_cyyymcxa
    -------\Service_daxohfla
    -------\Service_dwttwlcm
    -------\Service_eluhfmvh
    -------\Service_enrwgrwn
    -------\Service_envjojgn
    -------\Service_eoypwiud
    -------\Service_excptvku
    -------\Service_fneemrct
    -------\Service_fyzzajvd
    -------\Service_gcgtyqnz
    -------\Service_glgrkqgo
    -------\Service_gxkhluqx
    -------\Service_hcmqfbkr
    -------\Service_hemwhtco
    -------\Service_hnflobwb
    -------\Service_hsdzegox
    -------\Service_htiattnr
    -------\Service_htiffrkc
    -------\Service_iemmvdae
    -------\Service_iigpwxuz
    -------\Service_ivmxxizo
    -------\Service_jigqmujs
    -------\Service_jkxixymb
    -------\Service_jodvzvic
    -------\Service_jrsbflhy
    -------\Service_jwjstrcn
    -------\Service_jyaajtlb
    -------\Service_kcknzwpd
    -------\Service_kdhzzjrp
    -------\Service_keagzpqu
    -------\Service_kjzewzjg
    -------\Service_klikbyhe
    -------\Service_kqqjhrxt
    -------\Service_ldmhzbfv
    -------\Service_leuaoesr
    -------\Service_lgpeogpg
    -------\Service_lnbhhpva
    -------\Service_lnemnyam
    -------\Service_lnlshdlv
    -------\Service_lotqaikm
    -------\Service_lsadewkd
    -------\Service_mdosmnaq
    -------\Service_mkbxtgce
    -------\Service_mkjkywdx
    -------\Service_mpbptoxg
    -------\Service_MpKsl99f20418
    -------\Service_MpKslf9fd7228
    -------\Service_mxghughy
    -------\Service_nlanccde
    -------\Service_npmyxkah
    -------\Service_octroxqf
    -------\Service_oewprgpm
    -------\Service_ofepepqd
    -------\Service_pioikkst
    -------\Service_pjgooijz
    -------\Service_plucvslj
    -------\Service_ppefzsvk
    -------\Service_ppvopmjx
    -------\Service_pseexmir
    -------\Service_qfohcaif
    -------\Service_qgtuwpbk
    -------\Service_qtfqfaua
    -------\Service_RkPavproc1
    -------\Service_rkxiudjf
    -------\Service_sgpszqvc
    -------\Service_svfexkuk
    -------\Service_tbwvivmo
    -------\Service_tcjsouln
    -------\Service_tcxftcir
    -------\Service_teoblrbl
    -------\Service_tfttfuvx
    -------\Service_tidfpoko
    -------\Service_toqfbdod
    -------\Service_tutpypmd
    -------\Service_uajvtaov
    -------\Service_uqabyyyb
    -------\Service_uxmsljlj
    -------\Service_vbetfiky
    -------\Service_vczqsput
    -------\Service_vdsyuxmu
    -------\Service_vfseajww
    -------\Service_vrmxrfzv
    -------\Service_vrnrdnbt
    -------\Service_vspqeuet
    -------\Service_wbcksbzu
    -------\Service_weeqjijd
    -------\Service_wgppprhv
    -------\Service_wjjinjiw
    -------\Service_wkaoilby
    -------\Service_wvcrotwx
    -------\Service_xdtmlija
    -------\Service_xhlsrnsk
    -------\Service_xkjwarsp
    -------\Service_xmaiqrfy
    -------\Service_xqljlier
    -------\Service_xumzmlmm
    -------\Service_xvrqezgj
    -------\Service_xvtsyrth
    -------\Service_xwcdgmtg
    -------\Service_xxrjdfft
    -------\Service_zazgskap
    -------\Service_zdcxqdaw
    -------\Service_zgunwcaw


    ((((((((((((((((((((((((( Files Created from 2010-03-18 to 2010-04-18 )))))))))))))))))))))))))))))))
    .

    2010-04-17 01:57 . 2010-04-17 01:57 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
    2010-04-16 14:40 . 2010-04-16 14:40 3911239 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{43B820EB-C7E1-BA8A-A752-341526E9D0AE}-ComboFix.exe
    2010-04-16 14:40 . 2010-04-16 14:40 3911239 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{683ED95A-ABBF-EE9D-10B5-281651854DD4}-ComboFix.exe
    2010-04-14 07:04 . 2008-04-14 20:00 221184 ----a-w- c:\windows\system32\wmpns.dll
    2010-04-13 03:44 . 2010-04-13 03:44 41476 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{FA92E1DB-5140-3ED3-BE0B-7E7EA9361750}-qttask .exe
    2010-04-12 20:35 . 2010-04-12 20:35 41476 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{25AAC0DA-1079-78DA-00F3-F8B1FE2B74CD}-dwtrig20.exe
    2010-04-12 20:30 . 2010-04-12 20:30 41476 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{7A6E8AB2-D246-4461-DC43-B8466BFD85FA}-dwtrig20.exe
    2010-04-09 23:30 . 2010-04-12 07:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-04-09 16:17 . 2010-04-09 16:17 53088 ----a-w- c:\windows\system32\drivers\pxrts.sys
    2010-04-09 16:17 . 2010-04-09 16:17 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys
    2010-04-09 16:17 . 2010-04-09 16:17 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys
    2010-04-08 17:36 . 2010-04-13 03:00 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2010-04-08 17:30 . 2010-04-17 19:42 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-04-08 17:30 . 2010-04-08 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2010-04-08 17:30 . 2010-04-16 21:03 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-04-08 15:47 . 2010-04-09 15:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-04-08 15:43 . 2010-04-08 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-04-08 12:17 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-08 12:16 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-07 21:01 . 2010-04-07 21:01 552 ----a-w- c:\windows\system32\d3d8caps.dat
    2010-04-05 07:58 . 2010-04-05 07:58 -------- d-----w- c:\documents and settings\Sampson\Local Settings\Application Data\PCHealth
    2010-03-27 18:17 . 2010-03-27 18:25 -------- d-----w- c:\documents and settings\Sampson\Local Settings\Application Data\ctrxmt
    2010-03-27 01:45 . 2010-03-27 01:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
    2010-03-22 20:04 . 2010-03-22 20:04 255472 ----a-w- c:\documents and settings\Sampson\Application Data\Mozilla\plugins\npgoogletalk.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-18 13:14 . 2009-08-02 07:15 -------- d-----w- c:\documents and settings\Sampson\Application Data\uTorrent
    2010-04-17 00:29 . 2009-12-26 02:42 -------- d-----w- c:\program files\QuickTime
    2010-04-16 21:03 . 2010-01-09 20:41 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-04-16 21:03 . 2009-01-20 18:43 -------- d-----w- c:\program files\Launch Manager
    2010-04-16 04:05 . 2008-04-14 20:00 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
    2010-04-14 07:06 . 2009-01-20 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-04-09 15:44 . 2010-04-09 15:44 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys4E5EA5B4
    2010-04-08 15:43 . 2009-01-20 19:22 -------- d-----w- c:\program files\Google
    2010-04-08 12:17 . 2010-01-09 19:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-07 21:01 . 2009-08-24 16:06 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-03-11 12:38 . 2008-10-16 20:38 832512 ------w- c:\windows\system32\wininet.dll
    2010-03-11 12:38 . 2008-04-14 20:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38 . 2008-04-14 20:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-03-09 11:09 . 2008-05-09 10:53 430080 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-08 03:58 . 2010-03-08 03:58 -------- d-----w- c:\program files\Common Files\Roxio Shared
    2010-03-06 05:18 . 2010-03-05 20:50 256 ----a-w- c:\windows\system32\pool.bin
    2010-03-05 20:56 . 2010-03-05 20:56 -------- d-----w- c:\documents and settings\Sampson\Application Data\Blackberry Desktop
    2010-03-05 20:49 . 2010-03-05 20:49 -------- d-----w- c:\documents and settings\Sampson\Application Data\Research In Motion
    2010-03-05 20:47 . 2010-03-05 20:47 -------- d-----w- c:\program files\Common Files\Research In Motion
    2010-03-05 20:47 . 2010-03-05 20:47 -------- d-----w- c:\program files\Research In Motion
    2010-02-24 14:16 . 2010-01-09 20:43 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-24 13:11 . 2008-10-24 11:21 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-22 16:25 . 2010-02-22 16:25 -------- d-----w- c:\documents and settings\Sampson\Application Data\UltraVNC
    2010-02-16 14:08 . 2008-08-14 10:09 2146304 ------w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 13:25 . 2008-08-14 09:33 2024448 ------w- c:\windows\system32\ntkrnlpa.exe
    2010-02-12 04:33 . 2008-04-14 20:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
    2010-02-11 12:02 . 2008-04-14 20:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
    .

    ((((((((((((((((((((((((((((( SnapShot_2010-04-16_15.01.22 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-04-18 13:22 . 2010-04-18 13:22 16384 c:\windows\temp\Perflib_Perfdata_784.dat
    + 2009-01-20 20:20 . 2010-04-17 23:11 72134 c:\windows\system32\perfc009.dat
    - 2009-01-20 20:20 . 2010-04-16 14:38 72134 c:\windows\system32\perfc009.dat
    + 2009-01-20 20:20 . 2010-04-17 23:11 443034 c:\windows\system32\perfh009.dat
    - 2009-01-20 20:20 . 2010-04-16 14:38 443034 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-24 68856]
    "Google Update "= "c:\documents and settings\Sampson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-16 133104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
    "BlackBerryAutoUpdate "= "c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
    "HitmanPro35 "= "c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-04-08 5650240]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting "= "c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @= "Service "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
    backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
    Alaunch [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-06-12 10:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2008-06-19 23:20 57344 ----a-w- c:\windows\ALCMTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]
    2008-10-03 19:18 294544 ----a-w- c:\program files\Carbonite\CarbonitePreinstaller.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
    2008-09-04 05:46 425984 ----a-w- c:\acer\Empowering Technology\eRecovery\eRAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    2009-01-20 19:22 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2009-09-16 16:05 133104 ----atw- c:\documents and settings\Sampson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    2008-04-14 20:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2008-12-03 06:41 3882312 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
    2008-04-14 20:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    2008-04-14 20:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    2008-04-14 20:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2008-12-30 21:58 18082304 ----a-w- c:\windows\RTHDCPL.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-12-09 20:50 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2009-07-24 08:14 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2008-04-25 16:32 1044480 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001
    "FirewallOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)
    "DisableNotifications "= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe "=
    "c:\\Program Files\\uTorrent\\uTorrent.exe "=
    "c:\\Documents and Settings\\Sampson\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll "=
    "c:\\Documents and Settings\\Sampson\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Documents and Settings\\Sampson\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5910:TCP "= 5910:TCP:vnc5910

    R2 CrossLoopService;CrossLoop Service;c:\documents and settings\Sampson\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [2/22/2010 10:11 AM 560792]
    R2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\QDLService\QDLService.exe [11/10/2008 2:43 AM 345336]
    S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/20/2009 3:22 PM 30192]
    S3 QCFilterGAD;Gobi AD USB Composite Device Filter Driver;c:\windows\system32\drivers\qcfilterGAD.sys [7/24/2009 4:08 AM 5248]
    S3 qcusbnetGAD;Gobi AD USB-NDIS miniport;c:\windows\system32\drivers\qcusbnetGAD.sys [7/24/2009 4:08 AM 115200]
    S3 qcusbserGAD;Gobi AD USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbserGAD.sys [2/17/2009 12:42 AM 103680]
    S3 uvnc_service;uvnc_service;c:\documents and settings\Sampson\Local Settings\Application Data\CrossLoop\winvnc.exe [2/22/2010 10:11 AM 1590216]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-18 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-24 15:43]

    2010-04-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776817393-1407352519-815249355-1006Core.job
    - c:\documents and settings\Sampson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-16 16:05]

    2010-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776817393-1407352519-815249355-1006UA.job
    - c:\documents and settings\Sampson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-16 16:05]

    2010-04-18 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 23:02]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=aoa150
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=aoa150
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\Sampson\Application Data\Mozilla\Firefox\Profiles\l85e7cm8.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com
    FF - plugin: c:\documents and settings\Sampson\Application Data\Move Networks\plugins\npqmp071505000010.dll
    FF - plugin: c:\documents and settings\Sampson\Application Data\Move Networks\plugins\npqmp071505000011.dll
    FF - plugin: c:\documents and settings\Sampson\Application Data\Mozilla\Firefox\Profiles\l85e7cm8.default\extensions\justintvpublisher@justin.tv\platform\WINNT_x86-msvc\plugins\npjustintvpublish.dll
    FF - plugin: c:\documents and settings\Sampson\Application Data\Mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\Sampson\Application Data\Mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\Sampson\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1908.5032\npCIDetect14.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);
    .

    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2132)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft Security Essentials\MsMpEng.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\igfxsrvc.exe
    .
    **************************************************************************
    .
    Completion time: 2010-04-18 09:25:57 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-04-18 13:25
    ComboFix2.txt 2010-04-17 23:12
    ComboFix3.txt 2010-04-17 02:06
    ComboFix4.txt 2010-04-16 21:23
    ComboFix5.txt 2010-04-18 13:14

    Pre-Run: 135,184,826,368 bytes free
    Post-Run: 135,094,743,040 bytes free

    - - End Of File - - 066F2686BA76797A7E7AD6FE3B773E79
     
  12. 2010/04/18
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    How are we going now?
     
  13. 2010/04/18
    wealthymike

    wealthymike Inactive Thread Starter

    Joined:
    2010/04/09
    Messages:
    112
    Likes Received:
    0
    Wow... seems like everything is back to normal! Thanks a lot, Crunchie!! Can you tell me what was wrong with it?
     
  14. 2010/04/18
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    Seems you picked up some extra baggage from somewhere. Just make sure that all Windows updates are installed and keep your anti-virus definitions up to date and hopefully that will help prevent a recurrence. Safe surfing habits need to be observed too :).

    ==

    Can you please do one more Kaspersky online scan to see if anything else has popped its head up.
     
  15. 2010/04/19
    wealthymike

    wealthymike Inactive Thread Starter

    Joined:
    2010/04/09
    Messages:
    112
    Likes Received:
    0
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Monday, April 19, 2010
    Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Monday, April 19, 2010 02:44:12
    Records in database: 3947387
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\

    Scan statistics:
    Objects scanned: 44379
    Threats found: 8
    Infected objects found: 10
    Suspicious objects found: 0
    Scan duration: 02:13:43


    File name / Threat / Threats count
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\41\6aa23129-6c5b9259 Infected: Exploit.Java.CVE-2009-3867.a 1
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\56\2d475f78-45d5220f Infected: Trojan-Downloader.Java.Agent.br 3
    C:\Documents and Settings\Sampson\Application Data\Sun\Java\Deployment\cache\6.0\22\647a8416-77e807de Infected: Exploit.Java.CVE-2009-3867.c 1
    C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe.vir Infected: Packed.Win32.Katusha.j 1
    C:\Qoobox\Quarantine\C\Program Files\AKProg\AKProg.exe.vir Infected: not-a-virus:Monitor.Win32.ActualSpy.2301 1
    C:\Qoobox\Quarantine\C\Program Files\AKProg\hkdll.dll.vir Infected: not-a-virus:Monitor.Win32.ActualSpy.27 1
    C:\Qoobox\Quarantine\C\Program Files\AKProg\hprog.dll.vir Infected: not-a-virus:Monitor.Win32.ActualSpy.252 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\mouclass.sys.vir Infected: Rootkit.Win32.TDSS.ap 1

    Selected area has been scanned.
     
  16. 2010/04/19
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    You have some more **** in your Java temp folder. Perhaps you should disable the temp files folder in Java to prevent any infection(s) being passed on to the PC?
    Other than that, it looks OK. The stuff in the quarantine folder we will get rid of now:

    Launch OTL and click on the Cleanup button. Follow the prompts.
     
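The triage crunchie does by eye above (Java deployment-cache hits are live artefacts worth clearing, while everything under C:\Qoobox\Quarantine is a ComboFix .vir copy that is already inert) can be scripted over the scanner's "File name / Threat / Threats count" lines. The following is an added example, not code from Kaspersky, ComboFix or anyone in this thread; the category names, the regex for the report line and the sample report (built from paths quoted in the post above) are assumptions of this example.

```python
"""Triage a Kaspersky Online Scanner 7.0 report by where each flagged file lives.

Added example for this thread, not the scanner's or ComboFix's own code.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: detection lines in the report format quoted in the thread
# (paths copied from the post above; the format itself is what we parse).
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\41\6aa23129-6c5b9259 Infected: Exploit.Java.CVE-2009-3867.a 1
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\56\2d475f78-45d5220f Infected: Trojan-Downloader.Java.Agent.br 3
C:\Documents and Settings\Sampson\Application Data\Sun\Java\Deployment\cache\6.0\22\647a8416-77e807de Infected: Exploit.Java.CVE-2009-3867.c 1
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe.vir Infected: Packed.Win32.Katusha.j 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\mouclass.sys.vir Infected: Rootkit.Win32.TDSS.ap 1

Selected area has been scanned.
"""

# One detection line: <path> Infected: <threat name> <count>
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)\s*$")

# Location markers (assumed for this example): ComboFix keeps its quarantine under
# C:\Qoobox\Quarantine; Java Web Start/applet cache lives under ...\Sun\Java\Deployment\cache.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    count: int

    @property
    def category(self) -> str:
        p = self.path.lower()
        if p.startswith(QUARANTINE_PREFIX):
            return "quarantined"   # .vir copy held by ComboFix; not executable in place
        if JAVA_CACHE_MARKER in p:
            return "java_cache"    # cached applet/JAR; clear the Java temp files
        return "live"              # anything else needs a closer look


def parse_report(text: str) -> list:
    """Return one Detection per line that matches the report's detection format."""
    detections = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            detections.append(Detection(m["path"], m["threat"], int(m["count"])))
    return detections


def triage(detections) -> dict:
    """Group detections by category: live, java_cache, quarantined."""
    buckets = defaultdict(list)
    for d in detections:
        buckets[d.category].append(d)
    return dict(buckets)


def total_threats(detections) -> int:
    """Sum of the per-object 'Threats count' column."""
    return sum(d.count for d in detections)


def report(text: str) -> str:
    """Human-readable triage, most urgent category first."""
    dets = parse_report(text)
    buckets = triage(dets)
    lines = [f"{len(dets)} infected objects, {total_threats(dets)} threats"]
    for cat in ("live", "java_cache", "quarantined"):
        for d in buckets.get(cat, []):
            lines.append(f"[{cat:11}] {d.threat} x{d.count}  {d.path}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_REPORT))
```

Run against the real report by reading the saved scan log into `report()`; anything in the `live` bucket is what a helper would ask about next, `java_cache` entries disappear once the Java temporary files are cleared, and `quarantined` entries are removed when the cleanup tool deletes its quarantine folder.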
  17. 2010/04/19
    wealthymike

    wealthymike Inactive Thread Starter

    Joined:
    2010/04/09
    Messages:
    112
    Likes Received:
    0
    Disable it. Thanks a lot Crunchie - you're the best!
     
  18. 2010/04/19
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    No worries :).
     
