
Solved computer infected

Discussion in 'Malware and Virus Removal Archive' started by bracklapiper, 2010/09/08.

  1. 2010/09/08
    bracklapiper

    bracklapiper Inactive Thread Starter

    Joined:
    2010/01/16
    Messages:
    149
    Likes Received:
    1
    [Resolved] computer infected

    Hi, my main computer has been infected with some virus. My AVG gave warnings and I thought it had stopped them. I had gone out of the house for a couple of hours and when I came back in there were multiple warnings on Resident Shield. I have done a Spybot scan which found some and got rid of them. I managed to open another user and ran the AVG scan, which found more and put them in the virus vault, but the computer is slow and the desktop is not as it was before the infection. I have even tried a system restore but that does not work.

    Here are the files from DDS.


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by stewart family at 7:56:03.85 on 27/08/2010
    Internet Explorer: 8.0.6001.18702

    ============== Running Processes ===============

    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Kontiki\KService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\PROGRA~1\AVG\AVG8\avgam.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\Explorer.EXE
    c:\APPS\Powercinema\Kernel\TV\CLSched.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\msfeedssync.exe
    D:\Documents and Settings\stewart family\Desktop\dds.pif
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\System32\svchost.exe -k eapsvcs
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\System32\svchost.exe -k dot3svc
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter

    ============== Pseudo HJT Report ===============

    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
    mRun: [PCMService] "c:\apps\powercinema\PCMService.exe "
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [USB2Check] RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll ",CheckUSBController
    mRun: [USBToolTip] "c:\program files\pinnacle\shared files\programs\usbtip\USBTip.exe "
    mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg
    mRun: [PCLEUSBTip] c:\program files\pinnacle\shared files\programs\usbtip\USBTip.exe
    mRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
    mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
    mRun: [kdx] "c:\program files\kontiki\KHost.exe" -all
    mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe "
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe "
    mRun: [Svcthost] d:\documents and settings\stewart family\contacts\internal\svchost.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [combofix] c:\combofix\cf5147.cfxxe /c c:\combofix\Combobatch.bat
    mRunOnce: [*Restore] c:\windows\system32\restore\rstrui.exe -i
    mRunOnce: [combofix] c:\combofix\cf5147.cfxxe /c c:\ComboFixCombobatch.bat
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    TCP: {141D128E-2A01-40BB-975E-7792B5B83C40} = 208.67.220.220,208.67.222.222
    TCP: {91F1BEF2-1BDF-497A-AD58-8E01B4E21FCF} = 208.67.220.220,208.67.222.222
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

    ============= SERVICES / DRIVERS ===============

    R? jbridgep;jbridgep
    R? s916bus;Sony Ericsson Device 916 driver (WDM)
    R? s916mdfl;Sony Ericsson Device 916 USB WMC Modem Filter
    R? s916mdm;Sony Ericsson Device 916 USB WMC Modem Driver
    R? USRWGU(USR);USRobotics Wireless USB Adapter(USR)
    S? ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service
    S? avg8wd;AVG8 WatchDog
    S? AvgLdx86;AVG AVI Loader Driver x86
    S? AvgMfx86;AVG On-access Scanner Minifilter Driver x86
    S? AvgRkx86;avgrkx86.sys
    S? AvgTdiX;AVG8 Network Redirector
    S? GenPort;GenPort
    S? GenPort2;GenPort2

    ============== File Associations ===============

    inifile=%SystemRoot%\System32\NOTEPAD.EXE %1 "

    =============== Created Last 30 ================

    2010-08-26 22:09:23 98816 ----a-w- c:\windows\sed.exe
    2010-08-26 22:09:23 77312 ----a-w- c:\windows\MBR.exe
    2010-08-26 22:09:23 256512 ----a-w- c:\windows\PEV.exe
    2010-08-26 22:09:23 161792 ----a-w- c:\windows\SWREG.exe
    2010-08-26 22:09:09 0 d-s---w- C:\ComboFix
    2010-08-26 20:38:34 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-08-26 11:31:09 0 d-----w- d:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-08-26 11:31:09 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-26 11:05:49 0 d-----w- c:\windows\system32\wbem\Repository

    ==================== Find3M ====================

    2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
    2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
    2010-06-24 16:51:58 11077120 ----a-w- c:\windows\system32\dllcache\ieframe.dll
    2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll
    2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2010-06-24 12:22:02 1210368 ----a-w- c:\windows\system32\dllcache\urlmon.dll
    2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll
    2010-06-24 12:22:01 5951488 ----a-w- c:\windows\system32\dllcache\mshtml.dll
    2010-06-24 12:22:01 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
    2010-06-24 12:21:59 599040 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
    2010-06-24 12:21:59 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
    2010-06-24 12:21:59 25600 ----a-w- c:\windows\system32\dllcache\jsproxy.dll
    2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
    2010-06-24 12:21:58 1986560 ----a-w- c:\windows\system32\dllcache\iertutil.dll
    2010-06-24 12:21:58 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
    2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
    2010-06-24 12:21:55 387584 ----a-w- c:\windows\system32\dllcache\iedkcs32.dll
    2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
    2010-06-23 12:08:09 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
    2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys
    2010-06-18 13:36:12 3558912 ----a-w- c:\windows\system32\dllcache\moviemk.exe
    2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-14 07:41:45 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
    2007-06-17 13:51:46 4212 -c--a-w- c:\program files\ReadMe.txt
    2009-08-26 09:56:50 16384 -csha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
    2009-08-26 19:45:56 81920 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009082620090827\index.dat
    2009-08-27 20:06:08 81920 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009082720090828\index.dat
    2009-08-26 09:56:50 49152 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009082820090829\index.dat
    2009-08-28 10:55:22 32768 -csha-w- c:\windows\system32\config\systemprofile\privacie\index.dat

    ============= FINISH: 7:56:54.14 ===============
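    An added triage example (editor's code, not from the thread or from DDS) for reading the Pseudo HJT Report above: it parses the mRun/mRunOnce/dRun autorun lines, extracts the first absolute path from each command, and flags the patterns a malware analyst looks for first, such as a Windows system binary name (svchost.exe) running from a user profile folder, as the [Svcthost] entry in the log does, or a bare executable name that is resolved via PATH at logon. The sample lines are constructed in DDS format from entries visible above; the thresholds, marker lists and function names are the example's own assumptions.

```python
"""Triage of DDS autorun lines (mRun / mRunOnce / dRun). Added example, not DDS code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the style of the DDS "Pseudo HJT Report" above.
SAMPLE_LINES = r"""
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Svcthost] d:\documents and settings\stewart family\contacts\internal\svchost.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [combofix] c:\combofix\cf5147.cfxxe /c c:\combofix\Combobatch.bat
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
"""

# Names of core Windows binaries that legitimately live only under the Windows directory.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "explorer.exe", "services.exe", "smss.exe"}
# Path fragments that mark a user profile or a temp location (assumption: XP/Vista+ layouts).
PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\", "\\users\\")
TEMP_MARKERS = ("\\temp\\", "\\local settings\\temp")

LINE_RE = re.compile(r"^(?P<hive>[mdu]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Either a double-quoted path, or an unquoted drive-rooted path ending in an executable
# extension and followed by whitespace, a comma (rundll32 syntax), a quote, or end of line.
PATH_RE = re.compile(
    r'(?i)"([^"]+)"|([a-z]:\\.+?\.(?:exe|dll|bat|cmd|pif|scr|cfxxe))(?=[\s,"]|$)')


@dataclass
class AutorunEntry:
    hive: str                 # mRun, mRunOnce, dRun, ...
    name: str                 # registry value name shown in [brackets]
    command: str              # raw command line as DDS printed it
    path: Optional[str]       # first absolute path found, lowercased; None for a bare name
    reasons: List[str] = field(default_factory=list)


def first_path(command: str) -> Optional[str]:
    """Return the first absolute executable path in a command line, or None."""
    m = PATH_RE.search(command)
    if not m:
        return None
    return (m.group(1) or m.group(2)).strip().lower()


def classify(entry: AutorunEntry) -> List[str]:
    """Return human-readable reasons an entry deserves a closer look (empty if none)."""
    reasons = []
    if entry.path is None:
        reasons.append("no absolute path: resolved via PATH at logon, verify which file runs")
        return reasons
    base = entry.path.rsplit("\\", 1)[-1]
    in_windows = re.match(r"[a-z]:\\windows\\", entry.path) is not None
    if base in SYSTEM_NAMES and not in_windows:
        reasons.append(f"{base} is a Windows system binary name but runs from outside the Windows directory")
    if any(marker in entry.path for marker in PROFILE_MARKERS):
        reasons.append("executable lives under a user profile directory")
    if any(marker in entry.path for marker in TEMP_MARKERS):
        reasons.append("executable lives in a temp directory")
    return reasons


def triage(report_text: str) -> List[AutorunEntry]:
    """Parse every autorun line in a DDS report and attach triage reasons to each."""
    entries = []
    for line in report_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an autorun line (process list, BHO, DPF, ...)
        entry = AutorunEntry(m["hive"], m["name"], m["cmd"], first_path(m["cmd"]))
        entry.reasons = classify(entry)
        entries.append(entry)
    return entries


def flagged(report_text: str) -> dict:
    """Map value name -> reasons, for flagged entries only."""
    return {e.name: e.reasons for e in triage(report_text) if e.reasons}


if __name__ == "__main__":
    for name, reasons in flagged(SAMPLE_LINES).items():
        print(f"[{name}]")
        for r in reasons:
            print("   -", r)
```

Run it on a full DDS log by passing the file contents to `flagged()`; a hit is a reason to look closer, not proof of infection, since legitimate per-user software also starts from profile folders. A system binary name outside the Windows directory is the strong signal here.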
     
  2. 2010/09/08
    bracklapiper

    bracklapiper Inactive Thread Starter

    Joined:
    2010/01/16
    Messages:
    149
    Likes Received:
    1
    Here is the Attach file.


    ==== Installed Programs ======================

    3D Groove Playback Engine
    3DVIA player 5.0
    ABBYY FineReader 9.0 Professional Edition
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.1.3
    Adobe Shockwave Player 11
    Advanced SystemCare 3
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AVG 8.5
    Bagpipe Player
    Bonjour
    CardRecovery
    Catz (remove only)
    CCleaner (remove only)
    Ceol Mor eMusic Book (A Gilles Vol 1)
    CloneDVD2
    Combined Community Codec Pack 2008-01-24
    ConvertXtoDVD 3.5.1.135
    Create Your Own Greeting Cards
    Critical Update for Windows Media Player 11 (KB959772)
    dBpoweramp m4a Codec
    DivxToDVD 0.5.2
    Dogz (remove only)
    Dogz 5
    DVD Shrink 3.2
    Epson Easy Photo Print 2
    Epson Event Manager
    Epson Print CD
    EPSON PX700W Series Printer Uninstall
    EPSON Scan
    EPSON Stylus Photo PX700W_PX800FW_TX700W_TX800FW Manual
    EPSON Stylus SX200 Series Printer Uninstall
    EPSON Web-To-Page
    EpsonNet Print
    Focus 165,000 Images
    Free Audio Converter CS
    Google Earth
    GraphicView 32
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Image Expert
    IsoBuster 2.3
    iTunes
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 17
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 7
    LEGO My World First Steps
    Logitech Desktop Messenger
    Logitech SetPoint
    Macromedia Shockwave Player
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Live Add-in 1.3
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Office XP Professional with FrontPage
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    MobileMe Control Panel
    MSN
    MSVCRT
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nero Suite
    NVIDIA Drivers
    OpenMG Limited Patch 4.1-05-13-31-01
    OpenMG Secure Module 4.1.00
    PiobMaster
    PowerDirector Express
    PowerDVD
    PowerProducer
    QuickTime
    RealPlayer
    Realtek High Definition Audio Driver
    SAGEM F@st 800-840
    Samsung Samples Installer
    Security Update for 2007 Microsoft Office System (KB2277947)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for 2007 Microsoft Office System (KB982312)
    Security Update for 2007 Microsoft Office System (KB982331)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB982308)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office Outlook 2007 (KB980376)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office Publisher 2007 (KB982124)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2251419)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Encoder (KB954156)
    Security Update for Windows Media Encoder (KB979332)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Segoe UI
    Sky Anytime
    Sonic MyDVD
    Sonic RecordNow!
    SonicStage 3.0
    Sony Ericsson PC Suite
    Spybot - Search & Destroy
    Theme Park World
    Tiscali Music Downloads
    Ulead COOL 360 1.0
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Outlook 2007 Junk Email Filter (kb2279264)
    Update for Windows Internet Explorer 8 (KB969497)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    USRobotics Wireless USB Adapter
    VideoEgg Publisher
    Virtools 3D Life Player
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Live Writer
    Windows Media Encoder 9 Series
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Search 4.0
    Windows XP Service Pack 3
    WinRAR archiver

    ==== End Of File ===========================


    I did these files last week and did have a thread up. I forgot to say then that I was away on holiday.
    I did try to run DDS on the computer again but it would not fully run.
    And thank you in advance for any help on this subject.
     


  4. 2010/09/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Any reason you left this thread a couple of weeks ago?
    http://www.windowsbbs.com/malware-virus-removal/94791-inactive-computer-slow.html
    If it happens again, you'll never be able to receive any more help in the malware forum.

    ===================================================================

    I can see you have downloaded ComboFix, which shouldn't be run by yourself. It's a very powerful program.

    ===============================================================

    STEP 1. Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes.)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.


    STEP 3. Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.



    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. 2010/09/09
    bracklapiper

    bracklapiper Inactive Thread Starter

    Joined:
    2010/01/16
    Messages:
    149
    Likes Received:
    1
    Hi, thank you for the reply. I am sorry for starting this new thread, but I went to try to post in it and the option for posting had been replaced by a closed button.
    Here is the log from the Malwarebytes scan:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4578

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    09/09/2010 11:36:31
    mbam-log-2010-09-09 (11-36-31).txt

    Scan type: Quick scan
    Objects scanned: 217696
    Time elapsed: 9 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 21
    Files Infected: 40

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svcthost (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svcthost (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    D:\Documents and Settings\stewart family\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
    D:\Documents and Settings\stewart family\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343 (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\BrowserSearch (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Configurator (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\ErrorSearch (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Games (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Layouts (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Manager (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Maps (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Movies (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Reference (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\RelatedSearch (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\ScreensaversMarketingSitePager (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\SearchAssistPlus (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\SearchMatch (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Toolbar (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\ToolbarLogo (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\ToolbarSearch (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\TravelSearch (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Weather (Adware.Starware) -> Quarantined and deleted successfully.

    Files Infected:
    D:\Documents and Settings\stewart family\Application Data\RegistrySmart\Errors.stg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
    D:\Documents and Settings\stewart family\Application Data\RegistrySmart\Results.stg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\BrowserSearch\BrowserSearch.xml (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\BrowserSearch\BrowserSearch.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Configurator\Configurator.xml (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Configurator\Configurator.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\ErrorSearch\ErrorSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\ErrorSearch\ErrorSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Games\GamesOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Games\GamesOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Layouts\ToolbarLayout.xml (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Layouts\ToolbarLayout.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Manager\ManagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Manager\ManagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Maps\MapsOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Maps\MapsOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Movies\MoviesOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Movies\MoviesOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Reference\ReferenceOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Reference\ReferenceOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\RelatedSearch\RelatedSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\RelatedSearch\RelatedSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\SearchAssistPlus\SearchAssistPlusOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\SearchAssistPlus\SearchAssistPlusOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\SearchMatch\SearchMatchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\SearchMatch\SearchMatchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Toolbar\TBProductsOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Toolbar\TBProductsOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\ToolbarLogo\ToolbarLogoOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\ToolbarLogo\ToolbarLogoOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\ToolbarSearch\ToolbarSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\ToolbarSearch\ToolbarSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\TravelSearch\TravelSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\TravelSearch\TravelSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Weather\AlertArchive.xml (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Weather\WeatherOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\amie\Application Data\Starware343\Weather\WeatherOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    D:\Documents and Settings\stewart family\Contacts\Internal\svchost.exe (Trojan.Agent) -> Delete on reboot.
     
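An added example, not part of this thread and not Malwarebytes' own code: the Python script below parses the detection lines of an MBAM 1.x log in the format posted above and flags the items a responder would still want to check after the clean-up run. The first is `svchost.exe` quarantined from a user's Contacts folder; the real binary lives only in `\WINDOWS\system32`, so a copy anywhere else is a file masquerading as a system process. The second is the `Delete on reboot` action on that same file, which means the file was in use and is still on disk until the machine restarts. The `Run\svcthost` values are compared against system-binary names with difflib so that near-miss spellings are caught. The log embedded in the script is a constructed excerpt of the one above; the table of expected locations and the 0.85 similarity cutoff are my assumptions.

```python
"""Triage an MBAM 1.x log: autorun values, masquerading file names, pending deletions.

Added example for this thread; not Malwarebytes' code. The embedded log is a
constructed excerpt of the one posted above.
"""
import difflib
import ntpath
import re
from dataclasses import dataclass

# Constructed excerpt of the MBAM 1.46 log from the post above (not the full log).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svcthost (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svcthost (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
D:\Documents and Settings\stewart family\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Files Infected:
D:\Documents and Settings\stewart family\Application Data\RegistrySmart\Errors.stg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
D:\Documents and Settings\stewart family\Contacts\Internal\svchost.exe (Trojan.Agent) -> Delete on reboot.
"""

# "Files Infected:" style section headers and "<item> (<label>) -> <action>." lines.
SECTION_RE = re.compile(r"^([A-Za-z ]+) Infected:$")
ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<label>[^()]+)\) -> (?P<action>.+?)\.?$")

# Assumption: on a stock Windows XP install these binaries only live in the
# directory given (compared case-insensitively against the end of the path).
SYSTEM_BINARIES = {
    "svchost.exe": "\\windows\\system32",
    "lsass.exe": "\\windows\\system32",
    "csrss.exe": "\\windows\\system32",
    "winlogon.exe": "\\windows\\system32",
    "services.exe": "\\windows\\system32",
    "smss.exe": "\\windows\\system32",
    "explorer.exe": "\\windows",
}
AUTORUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


@dataclass
class Detection:
    section: str   # e.g. "Registry Values", "Files"
    item: str      # registry value or file/folder path
    label: str     # MBAM detection name, e.g. Trojan.Agent
    action: str    # what MBAM did, e.g. "Delete on reboot"


def parse_mbam_log(text):
    """Return every detection line in the log as a Detection, tagged with its section."""
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if section and m:
            detections.append(Detection(section, m["item"], m["label"], m["action"]))
    return detections


def triage(text):
    """Flag what still needs attention after an MBAM clean-up run."""
    findings = {"autoruns": [], "masquerades": [], "pending_reboot": []}
    stems = [ntpath.splitext(name)[0] for name in SYSTEM_BINARIES]   # "svchost", ...
    for d in parse_mbam_log(text):
        low = d.item.lower()
        # Run/RunOnce values: record them and note whether the value name
        # imitates a system binary (svcthost ~ svchost).
        if d.section == "Registry Values" and any(k in low for k in AUTORUN_KEYS):
            value_name = low.rsplit("\\", 1)[-1]
            near = difflib.get_close_matches(value_name, stems, n=1, cutoff=0.85)
            findings["autoruns"].append((d.item, near[0] if near else None))
        # A system-binary name outside its home directory is a masquerade.
        if d.section == "Files":
            expected_dir = SYSTEM_BINARIES.get(ntpath.basename(low))
            if expected_dir and not ntpath.dirname(low).endswith(expected_dir):
                findings["masquerades"].append(d.item)
        # "Delete on reboot" means the file is still present until a restart.
        if d.action.lower().startswith("delete on reboot"):
            findings["pending_reboot"].append(d.item)
    return findings


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(f"{kind}:")
        for item in items:
            print("   ", item)
```

Run against the excerpt, the script reports both `Run\svcthost` values as look-alikes of `svchost`, the Contacts-folder `svchost.exe` as a masquerade, and the same file as pending deletion, which is the reason a responder asks for a reboot before the next scan.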
  6. 2010/09/09
    bracklapiper

    bracklapiper Inactive Thread Starter

    Joined:
    2010/01/16
    Messages:
    149
    Likes Received:
    1
    Here is the log from GMER:

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-09-09 14:34:50
    Windows 5.1.2600 Service Pack 3
    Running: gmer.exe; Driver: C:\WINDOWS\TEMP\ufrdypob.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    ? wcljq.sys The system cannot find the file specified. !
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6C6D360, 0x32DEFD, 0xE8000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\SearchIndexer.exe[256] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Cdfs \Cdfs B9BE9400

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

    ---- EOF - GMER 1.0.15 ----
     
  7. 2010/09/09
    bracklapiper

    bracklapiper Inactive Thread Starter

    Joined:
    2010/01/16
    Messages:
    149
    Likes Received:
    1
    And here is the log from MBRCheck:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000003c

    Kernel Drivers (total 131):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806D0000 \WINDOWS\system32\hal.dll
    0xF7B5B000 \WINDOWS\system32\KDCOM.DLL
    0xF7A6B000 \WINDOWS\system32\BOOTVID.dll
    0xF765B000 wcljq.sys
    0xF752C000 ACPI.sys
    0xF7B5D000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF751B000 pci.sys
    0xF766B000 isapnp.sys
    0xF7C23000 pciide.sys
    0xF78DB000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF767B000 MountMgr.sys
    0xF74FC000 ftdisk.sys
    0xF78E3000 PartMgr.sys
    0xF768B000 VolSnap.sys
    0xF74E4000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
    0xF74CC000 atapi.sys
    0xF771B000 disk.sys
    0xF772B000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF7467000 fltmgr.sys
    0xF7455000 sr.sys
    0xF773B000 PxHelp20.sys
    0xF743E000 KSecDD.sys
    0xF742B000 WudfPf.sys
    0xF739E000 Ntfs.sys
    0xF7371000 NDIS.sys
    0xF776B000 ohci1394.sys
    0xF777B000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xF7357000 Mup.sys
    0xF7B6D000 avgrkx86.sys
    0xF77EB000 \SystemRoot\system32\DRIVERS\nic1394.sys
    0xF72E7000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF6C6D000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xF6C59000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF6C31000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF7A1B000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF6C0D000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7A23000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF6BB9000 \SystemRoot\system32\DRIVERS\slntamr.sys
    0xF7A2B000 \SystemRoot\system32\DRIVERS\SlWdmSup.sys
    0xF6B9B000 \SystemRoot\system32\DRIVERS\Mtlmnt5.sys
    0xF7A33000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF6B8A000 \SystemRoot\system32\DRIVERS\Rtlnic51.sys
    0xF72D7000 \SystemRoot\system32\DRIVERS\serial.sys
    0xF7293000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xF6B76000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF72C7000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF72B7000 \SystemRoot\system32\DRIVERS\L8042mou.Sys
    0xF769B000 \SystemRoot\system32\DRIVERS\LMouKE.Sys
    0xF7A3B000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7A43000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF76AB000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF7B79000 \SystemRoot\System32\Drivers\ElbyDelay.sys
    0xF7A4B000 \SystemRoot\System32\Drivers\ElbyCDFL.sys
    0xF7A53000 \SystemRoot\system32\drivers\ASAPIW2k.sys
    0xF76BB000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF76CB000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF6B42000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF7A5B000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    0xF7D18000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF76DB000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF728B000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF6B2B000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF76EB000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF76FB000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF7A63000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF6B1A000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF770B000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF795B000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7963000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF796B000 \SystemRoot\system32\DRIVERS\wanatw4.sys
    0xF774B000 \SystemRoot\System32\Drivers\pcouffin.sys
    0xF778B000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7B7B000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF6ABC000 \SystemRoot\system32\DRIVERS\update.sys
    0xF7283000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF6A8E000 \SystemRoot\system32\DRIVERS\MarvinBus.sys
    0xF779B000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF4368000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xF4286000 \SystemRoot\system32\drivers\portcls.sys
    0xF782B000 \SystemRoot\system32\drivers\drmk.sys
    0xF786B000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7BA3000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF7B37000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xF7BAD000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7D5D000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7BAF000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF78FB000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF7903000 \SystemRoot\System32\drivers\vga.sys
    0xF7BB1000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7BB3000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF790B000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF7913000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF7B3F000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xF422B000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xF41D2000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xF41B9000 \SystemRoot\System32\Drivers\avgtdix.sys
    0xF4191000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xF416F000 \SystemRoot\System32\drivers\afd.sys
    0xF787B000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xF4144000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xF40D4000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF789B000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF40AE000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF78AB000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xF78BB000 \SystemRoot\system32\DRIVERS\arp1394.sys
    0xF791B000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
    0xF7923000 \SystemRoot\System32\Drivers\avgmfx86.sys
    0xF4035000 \SystemRoot\System32\Drivers\avgldx86.sys
    0xF3FD1000 \SystemRoot\system32\DRIVERS\USRWGU.sys
    0xF7943000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xF3FAD000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF4272000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF79A3000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7C76000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\nv4_disp.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xBA6EC000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xBA43B000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xF7CFD000 \SystemRoot\System32\Drivers\GenPort.SYS
    0xF7CFE000 \SystemRoot\System32\Drivers\GenPort2.SYS
    0xBA40B000 \SystemRoot\System32\Drivers\Aspi32.SYS
    0xBA0EC000 \SystemRoot\system32\DRIVERS\srv.sys
    0xB9F47000 \SystemRoot\system32\drivers\wdmaud.sys
    0xBA4C8000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB98A0000 \SystemRoot\System32\Drivers\HTTP.sys
    0xB9749000 \??\C:\WINDOWS\TEMP\ufrdypob.sys
    0xB9BE9000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 44):
    0 System Idle Process
    4 System
    620 C:\WINDOWS\system32\smss.exe
    684 csrss.exe
    708 C:\WINDOWS\system32\winlogon.exe
    752 C:\WINDOWS\system32\services.exe
    764 C:\WINDOWS\system32\lsass.exe
    916 C:\WINDOWS\system32\svchost.exe
    972 svchost.exe
    1012 C:\WINDOWS\system32\svchost.exe
    1048 C:\WINDOWS\system32\svchost.exe
    1164 svchost.exe
    1196 C:\WINDOWS\system32\svchost.exe
    1260 svchost.exe
    1276 C:\WINDOWS\system32\svchost.exe
    1596 C:\WINDOWS\system32\spoolsv.exe
    1676 svchost.exe
    1708 C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
    1860 C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
    1884 C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    2008 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    2024 C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    176 C:\Program Files\Bonjour\mDNSResponder.exe
    304 C:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
    392 C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    424 C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
    376 C:\Program Files\Java\jre6\bin\jqs.exe
    596 C:\Program Files\Kontiki\KService.exe
    1408 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    1492 C:\WINDOWS\system32\nvsvc32.exe
    1536 C:\WINDOWS\system32\slserv.exe
    1636 C:\WINDOWS\system32\svchost.exe
    1952 C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    1892 C:\PROGRA~1\AVG\AVG8\avgam.exe
    252 C:\Program Files\AVG\AVG8\avgrsx.exe
    256 C:\WINDOWS\system32\searchindexer.exe
    484 C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    2388 C:\APPS\Powercinema\Kernel\TV\CLSched.exe
    3136 alg.exe
    3956 C:\WINDOWS\system32\wscntfy.exe
    4000 C:\WINDOWS\explorer.exe
    3336 C:\WINDOWS\system32\wuauclt.exe
    1192 C:\WINDOWS\system32\svchost.exe
    2236 F:\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`f3947600 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000009`73750e00 (NTFS)

    PhysicalDrive0 Model Number: ST3160023AS, Rev: 3.00

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!

    And once again, thank you for the help, and sorry for the new thread I started.
     
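An added example that is not part of the thread and not GMER's or MBRCheck's code: the Python script below correlates the GMER "Kernel code sections" lines with the MBRCheck "Kernel Drivers" list from the two posts above. MBRCheck prints many legitimate drivers without a path (ACPI.sys, pci.sys, atapi.sys and so on), so a bare file name is not an indicator on its own. What is worth a closer look is a driver that MBRCheck shows as loaded while GMER reports that it cannot open the file on disk, which is the case here for `wcljq.sys`, fifth in a list that begins with the kernel, the HAL and the boot-time modules. The script also reports drivers loaded out of a temp directory, but first reads the scanner's own driver name from the GMER header (`C:\WINDOWS\TEMP\ufrdypob.sys`) so that GMER is not flagged for its own temporary driver. Both excerpts are constructed from the logs above, the MBRCheck list cut to 13 of its 131 entries; the temp-directory list is an assumption.

```python
"""Correlate a GMER rootkit scan with MBRCheck's loaded-driver list.

Added example for this thread; not GMER's or MBRCheck's code. The embedded
excerpts are constructed from the two logs posted above.
"""
import re

GMER_EXCERPT = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-09 14:34:50
Running: gmer.exe; Driver: C:\WINDOWS\TEMP\ufrdypob.sys

---- Kernel code sections - GMER 1.0.15 ----

? wcljq.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6C6D360, 0x32DEFD, 0xE8000020]
"""

# 13 of the 131 entries from the MBRCheck log above, in the order printed.
MBRCHECK_EXCERPT = r"""
Kernel Drivers (total 131):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xF7B5B000 \WINDOWS\system32\KDCOM.DLL
0xF7A6B000 \WINDOWS\system32\BOOTVID.dll
0xF765B000 wcljq.sys
0xF752C000 ACPI.sys
0xF7B5D000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF751B000 pci.sys
0xF7B6D000 avgrkx86.sys
0xF6C6D000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB9749000 \??\C:\WINDOWS\TEMP\ufrdypob.sys
0xB9BE9000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 44):
0 System Idle Process
"""

GMER_DRIVER_RE = re.compile(r"^Running: .*; Driver: (?P<path>.+)$")
GMER_MISSING_RE = re.compile(r"^\? (?P<name>\S+) The system cannot find the file specified\. !$")
MBR_DRIVER_RE = re.compile(r"^0x[0-9A-Fa-f]{8} (?P<path>\S.*)$")
TEMP_DIRS = ("\\temp\\", "\\tmp\\")   # assumption: no driver should be loaded from here


def basename(path):
    """Last component of a Windows path, lower-cased (also handles the \\??\\ form)."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Return (name of GMER's own driver, {driver names GMER could not open on disk})."""
    scanner, missing = None, set()
    for raw in text.splitlines():
        line = raw.strip()
        m = GMER_DRIVER_RE.match(line)
        if m:
            scanner = basename(m["path"])
        m = GMER_MISSING_RE.match(line)
        if m:
            missing.add(m["name"].lower())
    return scanner, missing


def parse_mbrcheck_drivers(text):
    """Return MBRCheck's 'Kernel Drivers' list as [(position, path)] in printed order."""
    drivers, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Kernel Drivers"):
            in_section = True
            continue
        if not in_section:
            continue
        m = MBR_DRIVER_RE.match(line)
        if not m:
            break            # a blank line or the next section ends the list
        drivers.append((len(drivers), m["path"]))
    return drivers


def correlate(gmer_text, mbr_text):
    """Drivers in MBRCheck's list that deserve a closer look, with the reason for each."""
    scanner, missing = parse_gmer(gmer_text)
    hits = []
    for position, path in parse_mbrcheck_drivers(mbr_text):
        name = basename(path)
        if name == scanner:
            continue         # GMER's own temporary driver, named in its log header
        reasons = []
        if name in missing:
            reasons.append("loaded in memory, but GMER cannot open the file on disk")
        if any(t in path.lower() for t in TEMP_DIRS):
            reasons.append("loaded from a temp directory")
        if reasons:
            hits.append({"name": name, "position": position, "path": path, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in correlate(GMER_EXCERPT, MBRCHECK_EXCERPT):
        print(f"#{hit['position']:<3} {hit['name']:<16} {'; '.join(hit['reasons'])}")
```

On the excerpt the only hit is `wcljq.sys` at position 4 (zero-based) with the "cannot open the file on disk" reason; drop the `Driver:` line from the GMER header and `ufrdypob.sys` is reported as well, which is why the scanner's own driver has to be read from the log rather than hard-coded.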
  8. 2010/09/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Delete your Combofix file and....


    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.**
    1. Please never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
      • If there is no Internet connection after running Combofix, then restart your computer to restore your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  9. 2010/09/09
    bracklapiper

    bracklapiper Inactive Thread Starter

    Joined:
    2010/01/16
    Messages:
    149
    Likes Received:
    1
    Here is the log from ComboFix:

    ComboFix 10-09-09.03 - stewart family 10/09/2010 0:48.2.1 - x86
    Running from: d:\documents and settings\stewart family\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2010-08-09 to 2010-09-09 )))))))))))))))))))))))))))))))
    .

    2010-08-26 20:38 . 2010-08-26 20:41 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-08-26 11:31 . 2010-09-08 08:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-26 11:31 . 2010-08-26 12:47 -------- d-----w- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-08-26 11:29 . 2010-08-26 11:29 -------- d-sh--w- d:\documents and settings\LocalService.NT AUTHORITY.002\IETldCache
    2010-08-26 11:28 . 2010-08-26 20:25 -------- d-----w- d:\documents and settings\LocalService.NT AUTHORITY.002\Local Settings\Application Data\Adobe
    2010-08-26 11:05 . 2010-08-26 11:05 -------- d-----w- c:\windows\system32\wbem\Repository

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-09 23:55 . 2008-02-03 13:36 -------- d-----w- d:\documents and settings\All Users\Application Data\Kontiki
    2010-09-09 22:19 . 2005-11-03 15:47 -------- d-----w- c:\program files\AOL 9.0
    2010-09-09 07:58 . 2010-09-09 07:58 -------- d-----w- d:\documents and settings\stewart family\Application Data\Malwarebytes
    2010-09-09 07:56 . 2010-09-09 07:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-09 07:56 . 2010-09-09 07:56 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-08 08:56 . 2008-11-26 21:06 -------- d-----w- c:\program files\ABBYY FineReader 9.0
    2010-08-27 12:00 . 2009-03-08 16:26 -------- d-----w- d:\documents and settings\stewart family\Application Data\Vso
    2010-08-27 06:33 . 2007-04-03 10:11 -------- d-----w- d:\documents and settings\stewart family\Application Data\BitTorrent
    2010-08-26 23:35 . 2009-02-24 17:35 -------- d-----w- c:\program files\AVG
    2010-08-26 23:34 . 2009-02-24 17:35 -------- d-----w- d:\documents and settings\All Users\Application Data\avg8
    2010-08-26 10:53 . 2010-04-07 13:43 -------- d-----w- c:\program files\QuickTime
    2010-08-26 09:00 . 2009-09-17 19:22 -------- d-----w- c:\program files\Microsoft
    2010-08-13 11:10 . 2009-10-18 20:51 -------- d-----w- d:\documents and settings\All Users\Application Data\Microsoft Help
    2010-07-14 14:01 . 2010-07-14 13:22 -------- d-----w- c:\program files\Ubisoft
    2010-07-14 13:26 . 2009-02-05 14:04 -------- d-----w- d:\documents and settings\All Users\Application Data\Ubisoft
    2010-06-30 12:31 . 2004-08-10 16:38 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22 . 2004-08-10 16:38 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44 . 2004-08-10 16:38 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 2004-08-10 16:38 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 2004-08-10 16:37 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2004-08-10 16:56 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-06-14 07:41 . 2004-08-10 16:38 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2007-06-17 13:51 . 2007-06-17 13:51 4212 -c--a-w- c:\program files\ReadMe.txt
    2010-02-12 17:44 . 2007-09-01 19:48 72 -csh--w- c:\windows\SAE6629A6.tmp
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2009-06-02 12:38 1004800 -c--a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"="c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-02 1004800]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
    "nwiz"="nwiz.exe" [2008-09-17 1657376]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
    "AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-08 57344]
    "PCMService"="c:\apps\Powercinema\PCMService.exe" [2005-05-11 127118]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "USBToolTip"="c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2006-01-23 196608]
    "PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-11-10 406016]
    "PCLEUSBTip"="c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2006-01-23 196608]
    "SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 81920]
    "CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
    "Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-03-28 593920]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-06-28 32768]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-09 2048352]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
    "RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-04 198160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-16 47392]
    "EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-05-07 591696]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoPopUpsOnBoot"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"="c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-08-01 08:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%ProgramFiles%\\AOL 9.0\\aol.exe"=
    "%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
    "%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "c:\\Program Files\\AOL 9.0\\waol.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\APPS\\skype\\phone\\Skype.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Kontiki\\KService.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R3 jbridgep;jbridgep;d:\docume~1\STEWAR~1\LOCALS~1\Temp\jbridgep.sys [x]
    R3 s916bus;Sony Ericsson Device 916 driver (WDM);c:\windows\system32\DRIVERS\s916bus.sys [2007-11-02 83496]
    R3 s916mdfl;Sony Ericsson Device 916 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s916mdfl.sys [2007-11-02 15016]
    R3 s916mdm;Sony Ericsson Device 916 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s916mdm.sys [2007-11-02 109992]
    S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2009-04-30 12552]
    S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-01 335240]
    S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-30 108552]
    S2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2007-12-06 660768]
    S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-01 297752]
    S2 GenPort;GenPort; [x]
    S2 GenPort2;GenPort2; [x]
    S3 USRWGU(USR);USRobotics Wireless USB Adapter(USR);c:\windows\system32\DRIVERS\USRWGU.sys [2005-12-29 408064]


    --- Other Services/Drivers In Memory ---

    *Deregistered* - ufrdypob
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-09 c:\windows\Tasks\User_Feed_Synchronization-{55094903-34AB-420C-9B96-58E3342C8920}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
    .
    .
    ------- Supplementary Scan -------
    .
    TCP: {141D128E-2A01-40BB-975E-7792B5B83C40} = 208.67.220.220,208.67.222.222
    TCP: {91F1BEF2-1BDF-497A-AD58-8E01B4E21FCF} = 208.67.220.220,208.67.222.222
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    .
    .
    ------- File Associations -------
    .
    inifile=%SystemRoot%\System32\NOTEPAD.EXE %1
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-10 00:56
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(672)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-09-10 00:59:10
    ComboFix-quarantined-files.txt 2010-09-09 23:59
    ComboFix2.txt 2010-08-27 12:29

    Pre-Run: 9,609,723,904 bytes free
    Post-Run: 9,582,653,440 bytes free

    - - End Of File - - 3CD865A14E1D0C3FFBF5FC81DC76FCC7
     
  10. 2010/09/09
    broni

    broni Moderator Malware Analyst

    Unless you willingly installed Kontiki Player....
    Go Start > Control Panel > Add\Remove ("Programs and Features" in Vista), and uninstall Sky Anytime (if present).
    Download, and run KClean.exe: http://static.sky.com/kclean/KClean.exe to remove Kontiki from your computer.
    NOTE: Kontiki is a known resource hog.

    ===============================================================

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\SAE6629A6.tmp
    d:\docume~1\STEWAR~1\LOCALS~1\Temp\jbridgep.sys
    
    
    Driver::
    jbridgep
    
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation not reproduced]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
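    The triage the moderator did by eye across the log in post 9 and the script in post 10 (a hidden+system .tmp in the Windows folder, a driver whose binary sits in a per-user Temp folder, the Security Center "DisableMonitoring" flag on the root Monitoring key, then File::/Driver::/Registry:: lines for each) can be written down so it is repeatable. What follows is an added example; it is not part of this thread, of ComboFix or of the moderator's toolkit. The regexes and the three rules are my own encoding of that reasoning, the sample lines are copied from the log above with the quoting normalised to ComboFix's usual "name"=data form, and the output matches the format of the CFScript posted. A CFScript deletes what is listed in it, so the draft is for a person to review, not to feed to ComboFix unread.

```python
"""Triage a ComboFix log excerpt and draft a CFScript for the flagged items.

Added example, not part of the thread or of ComboFix. The three heuristics
encode what the moderator flagged by eye above: a hidden+system file in the
Windows folder, a driver whose binary lives in a Temp folder, and the Security
Center "DisableMonitoring" flag on the root Monitoring key.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log posted above
# (quoting normalised to ComboFix's usual "name"=data form).
SAMPLE_LOG = r"""
2010-02-12 17:44 . 2007-09-01 19:48 72 -csh--w- c:\windows\SAE6629A6.tmp
2007-06-17 13:51 . 2007-06-17 13:51 4212 -c--a-w- c:\program files\ReadMe.txt
2010-08-26 11:29 . 2010-08-26 11:29 -------- d-sh--w- d:\documents and settings\LocalService.NT AUTHORITY.002\IETldCache
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
R3 jbridgep;jbridgep;d:\docume~1\STEWAR~1\LOCALS~1\Temp\jbridgep.sys [x]
R3 s916bus;Sony Ericsson Device 916 driver (WDM);c:\windows\system32\DRIVERS\s916bus.sys [2007-11-02 83496]
S2 GenPort;GenPort; [x]
"""

# File line: mtime . ctime size attrs path (size is "--------" for directories).
FILE_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<ctime>\d{4}-\d\d-\d\d \d\d:\d\d) +"
    r"(?P<size>\d+|-+) +(?P<attrs>[a-z-]{8}) +(?P<path>.+)$")
# Service/driver line: R3 name;display;path [date size], or [x] when the file is missing.
SERVICE_RE = re.compile(
    r"^(?P<kind>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?) ?\[(?P<info>[^\]]*)\]$")
KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


@dataclass
class Finding:
    kind: str        # "file", "driver", "registry" or "review" (report only)
    target: str      # file path, service name or registry key
    reason: str
    value: str = ""  # registry value name, for "registry" findings


def parse_log(text):
    """Pull file, service/driver and registry entries out of a ComboFix log."""
    files, services, registry = [], [], []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            current_key = m["key"]
        elif (m := VALUE_RE.match(line)) and current_key:
            registry.append((current_key, m["name"], m["data"]))
        elif m := SERVICE_RE.match(line):
            services.append(m.groupdict())
        elif m := FILE_RE.match(line):
            files.append(m.groupdict())
    return {"files": files, "services": services, "registry": registry}


def triage(parsed):
    """Apply the thread's triage rules; findings come out in log order per section."""
    findings = []
    for f in parsed["files"]:
        attrs = f["attrs"]
        # hidden+system on a plain file (not a directory) is unusual outside boot files
        if attrs[0] != "d" and "s" in attrs and "h" in attrs:
            findings.append(Finding("file", f["path"], "hidden+system file, attrs " + attrs))
    for s in parsed["services"]:
        if re.search(r"\\temp\\|\\local settings\\", s["path"], re.IGNORECASE):
            # a kernel driver loading from a per-user Temp folder is a strong signal
            findings.append(Finding("driver", s["name"], "driver loads from Temp: " + s["path"]))
            findings.append(Finding("file", s["path"], "binary of flagged driver " + s["name"]))
        elif s["info"] == "x":
            # [x] alone only means "file not found at scan time": report, do not script
            findings.append(Finding("review", s["name"], "binary not found at scan time"))
    for key, name, data in parsed["registry"]:
        # only the root Monitoring key; the vendor subkeys are product leftovers
        if (key.lower().endswith("security center\\monitoring")
                and name.lower() == "disablemonitoring" and data == "dword:00000001"):
            findings.append(Finding("registry", key, "Security Center monitoring disabled", name))
    return findings


def build_cfscript(findings):
    """Render findings in the File::/Driver::/Registry:: layout ComboFix accepts."""
    files = [f.target for f in findings if f.kind == "file"]
    drivers = [f.target for f in findings if f.kind == "driver"]
    keys = [f for f in findings if f.kind == "registry"]
    out = []
    if files:
        out += ["File::"] + files + [""]
    if drivers:
        out += ["Driver::"] + drivers + [""]
    if keys:
        out.append("Registry::")
        for f in keys:
            out += ["[%s]" % f.target, '"%s"=-' % f.value, ""]  # "name"=- deletes the value
    return "\n".join(out).rstrip("\n") + "\n" if out else ""


if __name__ == "__main__":
    found = triage(parse_log(SAMPLE_LOG))
    for f in found:
        print("%-8s %-60s %s" % (f.kind, f.target, f.reason))
    print("\n--- draft CFScript.txt (review before use) ---")
    print(build_cfscript(found))
```

    GenPort and GenPort2 show `[x]` in the first log but resolve to `c:\windows\system32\drivers\genport.sys` and `genport2.sys` in the later one, which is why a bare `[x]` is only reported here and never scripted; the moderator's own script likewise left them alone.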
     
  11. 2010/09/10
    bracklapiper

    bracklapiper Inactive Thread Starter

    Here is the KClean log.

    Delete Reg Key: OK HKEY_CLASSES_ROOT\TypeLib\{7A59F47C-63FE-4C17-A8C8-DE3BF7FE6A35}
    Delete Reg Val: OK HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager - PendingFileRenameOperations
    Remove File : OK D:\Documents and Settings\All Users\Application Data\Kontiki\error.log
    Remove File : OK D:\Documents and Settings\All Users\Application Data\Kontiki\error2.log
    Remove File : OK D:\Documents and Settings\All Users\Application Data\Kontiki\kservice.mdmp
    Remove File : OK D:\Documents and Settings\All Users\Application Data\Kontiki\zdata.db
    Remove Dir : OK D:\Documents and Settings\All Users\Application Data\Kontiki\
     
  12. 2010/09/10
    bracklapiper

    bracklapiper Inactive Thread Starter

    And this is the log from ComboFix. I did notice that when it was running I was getting lots of warnings from the Resident Shield in AVG.

    ComboFix 10-09-09.03 - stewart family 10/09/2010 23:03:52.3.1 - x86
    Running from: D:\Documents and Settings\stewart family\Desktop\ComboFix.exe
    Command switches used :: D:\Documents and Settings\stewart family\Desktop\CFScript.txt

    FILE ::
    "c:\windows\SAE6629A6.tmp"
    "d:\docume~1\STEWAR~1\LOCALS~1\Temp\jbridgep.sys"
    .
     
  13. 2010/09/10
    broni

    broni Moderator Malware Analyst

    AVG should be disabled when running ComboFix.

    Combofix log is incomplete.
     
  14. 2010/09/10
    bracklapiper

    bracklapiper Inactive Thread Starter

    Hi, I ran it again with AVG disabled. Here is the log.

    ComboFix 10-09-09.03 - stewart family 11/09/2010 0:07:53.4.1 - x86
    Running from: D:\Documents and Settings\stewart family\Desktop\ComboFix.exe
    Command switches used :: D:\Documents and Settings\stewart family\Desktop\CFScript.txt

    FILE ::
    "c:\windows\SAE6629A6.tmp"
    "d:\docume~1\STEWAR~1\LOCALS~1\Temp\jbridgep.sys"
     
  15. 2010/09/10
    broni

    broni Moderator Malware Analyst

    That's incomplete too.

    Delete your Combofix file, download a fresh one and run my script again.
    If you receive same, very short log, run Combofix from Safe Mode.
     
  16. 2010/09/11
    bracklapiper

    bracklapiper Inactive Thread Starter

    Hi, I have tried to run ComboFix in Safe Mode and it still has the same outcome. I did notice when it was starting that it says CScript failed.
    I have copied and pasted it into Notepad and copied and pasted what to name it.
    Is there anything I'm doing wrong, or anything else to try?
    I did download a new ComboFix and try.
    Thanks for the help.
     
  17. 2010/09/11
    broni

    broni Moderator Malware Analyst

    Delete your Combofix file, download a fresh one, but rename combofix.exe to broni.exe BEFORE saving it to your desktop.
    Now, try to run it again (normal, or safe mode).
     
  18. 2010/09/11
    bracklapiper

    bracklapiper Inactive Thread Starter

    Hi, here is the log now.

    ComboFix 10-09-11.01 - stewart family 11/09/2010 19:17:37.9.1 - x86
    Running from: d:\documents and settings\stewart family\Desktop\broni.exe
    Command switches used :: d:\documents and settings\stewart family\Desktop\CFScript.txt

    FILE ::
    "c:\windows\SAE6629A6.tmp"
    "d:\docume~1\STEWAR~1\LOCALS~1\Temp\jbridgep.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\SAE6629A6.tmp . . . .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_JBRIDGEP
    -------\Service_jbridgep


    ((((((((((((((((((((((((( Files Created from 2010-08-11 to 2010-09-11 )))))))))))))))))))))))))))))))
    .

    2010-09-11 18:07 . 2010-09-11 18:08 -------- d-----w- C:\broni
    2010-09-11 02:00 . 2010-09-11 02:00 -------- d-sh--w- d:\documents and settings\Default User\IETldCache
    2010-09-09 07:58 . 2010-09-09 07:58 -------- d-----w- d:\documents and settings\stewart family\Application Data\Malwarebytes
    2010-09-09 07:56 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-09 07:56 . 2010-09-09 07:56 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-09 07:53 . 2010-09-09 07:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-09 07:53 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-26 20:38 . 2010-08-26 20:41 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-08-26 11:31 . 2010-09-08 08:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-26 11:31 . 2010-08-26 12:47 -------- d-----w- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-08-26 11:29 . 2010-08-26 11:29 -------- d-sh--w- d:\documents and settings\LocalService.NT AUTHORITY.002\IETldCache
    2010-08-26 11:28 . 2010-08-26 20:25 -------- d-----w- d:\documents and settings\LocalService.NT AUTHORITY.002\Local Settings\Application Data\Adobe
    2010-08-26 11:05 . 2010-08-26 11:05 -------- d-----w- c:\windows\system32\wbem\Repository

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-11 18:24 . 2010-09-11 18:24 0 ----a-w- c:\windows\SAE6629A6.tmp
    2010-09-11 07:46 . 2009-09-17 19:27 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-09-10 18:57 . 2008-10-27 11:41 -------- d-----w- d:\documents and settings\stewart family\Application Data\Teleca
    2010-09-10 18:56 . 2008-10-27 11:31 -------- d-----w- c:\program files\Common Files\Teleca Shared
    2010-09-10 18:12 . 2005-11-03 15:39 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-09-09 22:19 . 2005-11-03 15:47 -------- d-----w- c:\program files\AOL 9.0
    2010-09-08 08:56 . 2008-11-26 21:06 -------- d-----w- c:\program files\ABBYY FineReader 9.0
    2010-08-27 12:00 . 2009-03-08 16:26 -------- d-----w- d:\documents and settings\stewart family\Application Data\Vso
    2010-08-27 06:33 . 2007-04-03 10:11 -------- d-----w- d:\documents and settings\stewart family\Application Data\BitTorrent
    2010-08-26 23:35 . 2009-02-24 17:35 -------- d-----w- c:\program files\AVG
    2010-08-26 23:34 . 2009-02-24 17:35 -------- d-----w- d:\documents and settings\All Users\Application Data\avg8
    2010-08-26 10:53 . 2010-04-07 13:43 -------- d-----w- c:\program files\QuickTime
    2010-08-26 09:00 . 2009-09-17 19:22 -------- d-----w- c:\program files\Microsoft
    2010-08-13 11:10 . 2009-10-18 20:51 -------- d-----w- d:\documents and settings\All Users\Application Data\Microsoft Help
    2010-07-14 14:01 . 2010-07-14 13:22 -------- d-----w- c:\program files\Ubisoft
    2010-07-14 13:26 . 2009-02-05 14:04 -------- d-----w- d:\documents and settings\All Users\Application Data\Ubisoft
    2010-06-30 12:31 . 2004-08-10 16:38 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22 . 2004-08-10 16:38 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44 . 2004-08-10 16:38 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-22 05:03 . 2010-06-22 05:03 72504 ----a-w- d:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
    2010-06-21 15:27 . 2004-08-10 16:38 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 2004-08-10 16:37 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2004-08-10 16:56 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-06-14 07:41 . 2004-08-10 16:38 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2007-06-17 13:51 . 2007-06-17 13:51 4212 -c--a-w- c:\program files\ReadMe.txt
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"="c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-02 1004800]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2009-06-02 12:38 1004800 -c--a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"="c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-02 1004800]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"="c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-02 1004800]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
    "nwiz"="nwiz.exe" [2008-09-17 1657376]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
    "AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-08 57344]
    "PCMService"="c:\apps\Powercinema\PCMService.exe" [2005-05-11 127118]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "USBToolTip"="c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2006-01-23 196608]
    "PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-11-10 406016]
    "PCLEUSBTip"="c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2006-01-23 196608]
    "SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 81920]
    "CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-06-28 32768]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-09 2048352]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
    "RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-04 198160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-16 47392]
    "EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-05-07 591696]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    d:\documents and settings\stewart family\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

    d:\documents and settings\All Users\Start Menu\Programs\Startup\
    USRobotics Wireless USB Adapter.lnk - c:\program files\USRobotics\Wireless USB Manager\USR54G.exe [2006-4-14 663552]
    Camio Viewer.lnk - d:\documents and settings\stewart family\Start Menu\Programs\Image Expert\IXApplet.exe [2006-2-12 103936]
    DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2006-2-13 962661]
    Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-2-21 67128]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2006-10-10 573440]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoPopUpsOnBoot"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"="c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-08-01 08:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%ProgramFiles%\\AOL 9.0\\aol.exe"=
    "%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
    "%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "c:\\Program Files\\AOL 9.0\\waol.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\APPS\\skype\\phone\\Skype.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [24/02/2009 18:35 12552]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [24/02/2009 18:35 335240]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [24/02/2009 18:35 108552]
    R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [06/12/2007 22:03 660768]
    R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [25/02/2009 11:11 297752]
    R2 GenPort;GenPort;c:\windows\system32\drivers\genport.sys [23/02/2006 21:23 6112]
    R2 GenPort2;GenPort2;c:\windows\system32\drivers\genport2.sys [23/02/2006 21:23 6112]
    S3 s916bus;Sony Ericsson Device 916 driver (WDM);c:\windows\system32\drivers\s916bus.sys [02/11/2007 11:47 83496]
    S3 s916mdfl;Sony Ericsson Device 916 USB WMC Modem Filter;c:\windows\system32\drivers\s916mdfl.sys [02/11/2007 11:47 15016]
    S3 s916mdm;Sony Ericsson Device 916 USB WMC Modem Driver;c:\windows\system32\drivers\s916mdm.sys [02/11/2007 11:47 109992]
    S3 USRWGU(USR);USRobotics Wireless USB Adapter(USR);c:\windows\system32\drivers\USRWGU.sys [29/12/2005 10:00 408064]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-11 c:\windows\Tasks\User_Feed_Synchronization-{55094903-34AB-420C-9B96-58E3342C8920}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
    TCP: {141D128E-2A01-40BB-975E-7792B5B83C40} = 208.67.220.220,208.67.222.222
    TCP: {91F1BEF2-1BDF-497A-AD58-8E01B4E21FCF} = 208.67.220.220,208.67.222.222
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-kdx - c:\program files\Kontiki\KHost.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-11 19:27
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @= "FlashBroker "
    "LocalizedString "= "@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101 "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @= "c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @= "IFlashBroker4 "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @= "{00020424-0000-0000-C000-000000000046} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3212)
    c:\windows\system32\WININET.dll
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
    c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
    c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\windows\system32\SearchIndexer.exe
    c:\progra~1\AVG\AVG8\avgam.exe
    c:\progra~1\AVG\AVG8\avgrsx.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\apps\Powercinema\Kernel\TV\CLSched.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\RTHDCPL.EXE
    c:\program files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    c:\program files\Logitech\SetPoint\KHALMNPR.EXE
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-09-11 19:32:00 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-09-11 18:31
    ComboFix2.txt 2010-09-09 23:59
    ComboFix3.txt 2010-08-27 12:29

    Pre-Run: 9,483,059,200 bytes free
    Post-Run: 9,466,281,984 bytes free

    - - End Of File - - 0448A385C2DC87D8E7CB4807D20B664E
     
  19. 2010/09/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\SAE6629A6.tmp
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  20. 2010/09/11
    bracklapiper

    bracklapiper Inactive Thread Starter

    Joined:
    2010/01/16
    Messages:
    149
    Likes Received:
    1
    Here is the log. It was not working in my user, so I had to use admin in safe mode.


    ComboFix 10-09-11.01 - Administrator 11/09/2010 21:05:31.10.1 - x86 MINIMAL
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.764 [GMT 1:00]
    Running from: d:\documents and settings\stewart family\Desktop\broni.exe
    Command switches used :: d:\documents and settings\stewart family\Desktop\CFScript.txt
    AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    FILE ::
    "c:\windows\SAE6629A6.tmp "
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\SAE6629A6.tmp
    d:\documents and settings\amie\Application Data\64dlls.exe
    d:\documents and settings\amie\Application Data\intel64.exe
    d:\documents and settings\amie\Application Data\Kernel32.exe
    d:\documents and settings\amie\Application Data\localsys64.exe
    d:\documents and settings\amie\Application Data\ntos.exe
    d:\documents and settings\amie\Application Data\oembios.exe
    d:\documents and settings\amie\Application Data\sdra64.exe
    d:\documents and settings\amie\Application Data\sdra73.exe
    d:\documents and settings\amie\Application Data\swin32.exe
    d:\documents and settings\amie\Application Data\twex.exe
    d:\documents and settings\amie\Application Data\twext.exe
    d:\documents and settings\amie\Application Data\wsnpoema.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-08-11 to 2010-09-11 )))))))))))))))))))))))))))))))
    .

    2010-09-11 18:07 . 2010-09-11 18:08 -------- d-----w- C:\broni
    2010-09-11 02:00 . 2010-09-11 02:00 -------- d-sh--w- d:\documents and settings\Default User\IETldCache
    2010-09-09 07:58 . 2010-09-09 07:58 -------- d-----w- d:\documents and settings\stewart family\Application Data\Malwarebytes
    2010-09-09 07:56 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-09 07:56 . 2010-09-09 07:56 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-09 07:53 . 2010-09-09 07:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-09 07:53 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-26 20:38 . 2010-08-26 20:41 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-08-26 11:31 . 2010-09-08 08:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-26 11:31 . 2010-08-26 12:47 -------- d-----w- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-08-26 11:29 . 2010-08-26 11:29 -------- d-sh--w- d:\documents and settings\LocalService.NT AUTHORITY.002\IETldCache
    2010-08-26 11:28 . 2010-08-26 20:25 -------- d-----w- d:\documents and settings\LocalService.NT AUTHORITY.002\Local Settings\Application Data\Adobe
    2010-08-26 11:05 . 2010-08-26 11:05 -------- d-----w- c:\windows\system32\wbem\Repository

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-11 07:46 . 2009-09-17 19:27 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-09-10 18:57 . 2008-10-27 11:41 -------- d-----w- d:\documents and settings\stewart family\Application Data\Teleca
    2010-09-10 18:56 . 2008-10-27 11:31 -------- d-----w- c:\program files\Common Files\Teleca Shared
    2010-09-10 18:12 . 2005-11-03 15:39 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-09-09 22:19 . 2005-11-03 15:47 -------- d-----w- c:\program files\AOL 9.0
    2010-09-08 08:56 . 2008-11-26 21:06 -------- d-----w- c:\program files\ABBYY FineReader 9.0
    2010-08-27 12:00 . 2009-03-08 16:26 -------- d-----w- d:\documents and settings\stewart family\Application Data\Vso
    2010-08-27 06:33 . 2007-04-03 10:11 -------- d-----w- d:\documents and settings\stewart family\Application Data\BitTorrent
    2010-08-26 23:35 . 2009-02-24 17:35 -------- d-----w- c:\program files\AVG
    2010-08-26 23:34 . 2009-02-24 17:35 -------- d-----w- d:\documents and settings\All Users\Application Data\avg8
    2010-08-26 10:53 . 2010-04-07 13:43 -------- d-----w- c:\program files\QuickTime
    2010-08-26 09:00 . 2009-09-17 19:22 -------- d-----w- c:\program files\Microsoft
    2010-08-13 11:10 . 2009-10-18 20:51 -------- d-----w- d:\documents and settings\All Users\Application Data\Microsoft Help
    2010-07-14 14:01 . 2010-07-14 13:22 -------- d-----w- c:\program files\Ubisoft
    2010-07-14 13:26 . 2009-02-05 14:04 -------- d-----w- d:\documents and settings\All Users\Application Data\Ubisoft
    2010-06-30 12:31 . 2004-08-10 16:38 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22 . 2004-08-10 16:38 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44 . 2004-08-10 16:38 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-22 05:03 . 2010-06-22 05:03 72504 ----a-w- d:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
    2010-06-21 15:27 . 2004-08-10 16:38 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 2004-08-10 16:37 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2004-08-10 16:56 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-06-14 07:41 . 2004-08-10 16:38 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2007-06-17 13:51 . 2007-06-17 13:51 4212 -c--a-w- c:\program files\ReadMe.txt
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-09-09_23.56.17 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-06-05 02:02 . 2010-09-11 02:01 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
    - 2010-06-05 02:02 . 2010-06-05 02:02 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
    + 2010-09-11 02:00 . 2010-09-11 02:00 20303872 c:\windows\Installer\498cf5.msp
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2009-06-02 12:38 1004800 -c--a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829} "= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-02 1004800]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1 "= "c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002ASync "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
    "nwiz "= "nwiz.exe" [2008-09-17 1657376]
    "High Definition Audio Property Page Shortcut "= "HDAShCut.exe" [2005-01-07 61952]
    "AzMixerSel "= "c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-08 57344]
    "PCMService "= "c:\apps\Powercinema\PCMService.exe" [2005-05-11 127118]
    "NeroFilterCheck "= "c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "USBToolTip "= "c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2006-01-23 196608]
    "PinnacleDriverCheck "= "c:\windows\system32\PSDrvCheck.exe" [2003-11-10 406016]
    "PCLEUSBTip "= "c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2006-01-23 196608]
    "SsAAD.exe "= "c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 81920]
    "CloneCDTray "= "c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
    "RemoteControl "= "c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-06-28 32768]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-09 2048352]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
    "RTHDCPL "= "RTHDCPL.EXE" [2005-09-22 14854144]
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-04 198160]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "AppleSyncNotifier "= "c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-16 47392]
    "EEventManager "= "c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-05-07 591696]
    "GrooveMonitor "= "c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    d:\documents and settings\stewart family\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

    d:\documents and settings\All Users\Start Menu\Programs\Startup\
    USRobotics Wireless USB Adapter.lnk - c:\program files\USRobotics\Wireless USB Manager\USR54G.exe [2006-4-14 663552]
    Camio Viewer.lnk - d:\documents and settings\stewart family\Start Menu\Programs\Image Expert\IXApplet.exe [2006-2-12 103936]
    DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2006-2-13 962661]
    Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-2-21 67128]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2006-10-10 573440]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoPopUpsOnBoot "= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5} "= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-08-01 08:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%ProgramFiles%\\AOL 9.0\\aol.exe "=
    "%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe "=
    "%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe "=
    "c:\\Program Files\\AOL 9.0\\waol.exe "=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe "=
    "c:\\APPS\\skype\\phone\\Skype.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgam.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=

    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [24/02/2009 18:35 12552]
    S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [24/02/2009 18:35 335240]
    S1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [24/02/2009 18:35 108552]
    S2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [06/12/2007 22:03 660768]
    S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [25/02/2009 11:11 297752]
    S2 GenPort;GenPort;c:\windows\system32\drivers\genport.sys [23/02/2006 21:23 6112]
    S2 GenPort2;GenPort2;c:\windows\system32\drivers\genport2.sys [23/02/2006 21:23 6112]
    S3 s916bus;Sony Ericsson Device 916 driver (WDM);c:\windows\system32\drivers\s916bus.sys [02/11/2007 11:47 83496]
    S3 s916mdfl;Sony Ericsson Device 916 USB WMC Modem Filter;c:\windows\system32\drivers\s916mdfl.sys [02/11/2007 11:47 15016]
    S3 s916mdm;Sony Ericsson Device 916 USB WMC Modem Driver;c:\windows\system32\drivers\s916mdm.sys [02/11/2007 11:47 109992]
    S3 USRWGU(USR);USRobotics Wireless USB Adapter(USR);c:\windows\system32\drivers\USRWGU.sys [29/12/2005 10:00 408064]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-11 c:\windows\Tasks\User_Feed_Synchronization-{55094903-34AB-420C-9B96-58E3342C8920}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
    .
    .
    ------- Supplementary Scan -------
    .
    TCP: {141D128E-2A01-40BB-975E-7792B5B83C40} = 208.67.220.220,208.67.222.222
    TCP: {91F1BEF2-1BDF-497A-AD58-8E01B4E21FCF} = 208.67.220.220,208.67.222.222
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-11 21:11
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @= "FlashBroker "
    "LocalizedString "= "@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101 "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @= "c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @= "IFlashBroker4 "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @= "{00020424-0000-0000-C000-000000000046} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "
    .
    Completion time: 2010-09-11 21:15:12
    ComboFix-quarantined-files.txt 2010-09-11 20:15
    ComboFix2.txt 2010-09-11 18:32
    ComboFix3.txt 2010-09-09 23:59
    ComboFix4.txt 2010-08-27 12:29

    Pre-Run: 10,559,025,152 bytes free
    Post-Run: 10,534,486,016 bytes free

    - - End Of File - - F7879609CADFDAE8F699FEEAB7F02951
     
  21. 2010/09/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Looks pretty good :)

    How is the computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
