Sorry for the delay in getting to you, I'm K27 and I will be reviewing your log for you.
Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.
Please DO NOT use this system for anything apart from visiting this forum and other sites I direct you to, as this will only make the cleanup process all the more difficult.
The most important thing I will ask of you is that you let me know if you are not going to be able to reply within three (3) days. The reason I ask this is that the spare time us volunteers give up is in short supply and could be used to help others or to do real life things. Failure to reply within three (3) days will result in this thread being closed and I will stop checking it for replies. If you are going to be unable to reply, that's fine, but please let me know.
I need to see some additional information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
A small box will open, with an explanation about the tool.
When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
Save both reports to your desktop.
The instructions here ask you to attach the Attach.txt.
Instead of attaching, please copy/paste both logs into your next reply.
Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control here
YOU MUST DISABLE ALL REAL TIME PROTECTION BEFORE RUNNING THE NEXT TOOL.
Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.
Please Disable all Anti-virus/Anti-Spyware/FireWall on your machine (instructions via links below).
Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to launch it.
When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
When the "quick" scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
Leave your system completely idle while this longer scan is in progress.
When the scan is done, save the scan log to the Windows clipboard
Open Notepad or a similar text editor
Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V.
Exit the Program
Save the Scan log as ARK.txt and post it in your next reply.
Now, re-enable the active protection component of any antivirus/antimalware programs you disabled before performing the scan.
If the ARK tool crashes your machine or causes a Blue Screen error, please post the log results from the first initial quick scan; this can be saved in the same way as the full scan in the above instructions.
Please COPY/PASTE BOTH DDS logs and the ARK log back to this thread. Thanks, K27
Thanks for the reply. Before I got your post I uninstalled Norton, loaded AVG, tried an AVIRA Rescue Disc Scan, and loaded Microsoft Security Essentials. Security Essentials is telling me I have Alureon.H. Now that we are active here I will stop tinkering and follow your instructions.
DDS (Ver_10-03-17.01) - NTFSx86 Run by Dan at 22:07:13.59 on 04/07/2010 Internet Explorer: 7.0.6000.16982 Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.2.1033.18.3069.1519 [GMT -6:00]
AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF} SP: Microsoft Security Essentials *enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDE} SP: AVG Internet Security *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} SP: AntiVir Desktop *enabled* (Updated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE} FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
DDS (Ver_10-03-17.01) - NTFSx86 Run by Dan at 22:07:13.59 on 04/07/2010 Internet Explorer: 7.0.6000.16982 Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.2.1033.18.3069.1519 [GMT -6:00]
AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF} SP: Microsoft Security Essentials *enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDE} SP: AVG Internet Security *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} SP: AntiVir Desktop *enabled* (Updated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE} FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
ARK does the quick scan, then when I try the larger scan per instructions it freezes part way through and I get the message "Windows Explorer has stopped working", computer frozen. Quick scan data:
You have posted the DDS log twice, please copy/paste the attach log for me.
Also, we do not want more than one Anti-Virus program running on the system; not only will this cause the system to become unstable, it will also leave you vulnerable to infection. Please remove the AntiVir Desktop program and one of either AVG or MSE via "Programs and Features" in Control Panel.
Please let me know which Anti-Virus you decided to keep and please post the attach.txt that DDS created.
I have uninstalled MSE, and I am assuming the AntiVir Desktop was a MalwareBytes application, which I have uninstalled as well. I am now only running AVG.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft® Windows Vista™ Home Premium Boot Device: \Device\HarddiskVolume1 Install Date: 30/08/2009 7:11:55 PM System Uptime: 07/04/2010 9:57:53 PM (2113 hours ago)
Motherboard: Dell Inc. | | 0UY253 Processor: Intel(R) Core(TM)2 CPU 6700 @ 2.66GHz | Microprocessor | 2660/1066mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 466 GiB total, 184.73 GiB free. D: is CDROM () E: is CDROM () F: is CDROM () H: is Removable I: is Removable J: is Removable K: is Removable
==== Disabled Device Manager Items =============
Class GUID: Description: Bluetooth Peripheral Device Device ID: BTHENUM\{426C6163-6B42-6572-7279-427970617373}_LOCALMFG&000F\8&C2376B&0&000F86D42D54_C00000000 Manufacturer: Name: Bluetooth Peripheral Device PNP Device ID: BTHENUM\{426C6163-6B42-6572-7279-427970617373}_LOCALMFG&000F\8&C2376B&0&000F86D42D54_C00000000 Service:
Class GUID: Description: Bluetooth Peripheral Device Device ID: BTHENUM\{426C6163-6B42-6572-7279-44736B746F70}_LOCALMFG&000F\8&C2376B&0&000F86D42D54_C00000000 Manufacturer: Name: Bluetooth Peripheral Device PNP Device ID: BTHENUM\{426C6163-6B42-6572-7279-44736B746F70}_LOCALMFG&000F\8&C2376B&0&000F86D42D54_C00000000 Service:
==== System Restore Points ===================
==== Installed Programs ======================
Sansa Media Converter 2007 Microsoft Office system 3100_3200_3300_Help 3100_3200_3300trb 3132-W-I32-R SATARAID5 32 Bit HP CIO Components Installer 3200 Acrobat.com Adobe AIR Adobe Common File Installer Adobe Flash Player 10 ActiveX Adobe Flash Player 10 Plugin Adobe Photoshop Elements 6.0 Adobe Premiere Elements 4.0 Adobe Premiere Elements 4.0 Templates Adobe Reader 9.3.2 Adobe SVG Viewer 6.0 Advanced Diary v2.1 AIO_CDB_ProductContext AIO_CDB_Software AIO_Scan µTorrent AutoBackup AVG 9.0 Beyond Compare Version 3.1.6 BlackBerry Desktop Software 5.0.1 BufferChm CDDRV_Installer CDisplay 1.8 ComicRack v0.9.117 Copy Dell Driver Download Manager Dell Driver Download Manager - 1 Destination Component DeviceDiscovery DeviceManagementQFolder DocProc DocProcQFolder DVDFab 7.0.6.5 Beta (26/05/2010) eSupportQFolder Fax FreeAgent Pro Tools Garmin Communicator Plugin Garmin USB Drivers Google Chrome HiJackThis Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) HP Imaging Device Functions 8.0 HP OCR Software 8.0 HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B HP Solution Center 8.0 HPProductAssistant IKEA Home Planner J2SE Runtime Environment 5.0 Update 5 KhalSetup Kidizoom Plus(TM) Malwarebytes' Anti-Malware Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Security Update (KB953297) Microsoft .NET Framework 3.5 SP1 Microsoft Antimalware Microsoft Office 2007 Service Pack 2 (SP2) Microsoft Office Access MUI (English) 2007 Microsoft Office Access Setup Metadata MUI (English) 2007 Microsoft Office Excel MUI (English) 2007 Microsoft Office Outlook MUI (English) 2007 Microsoft Office PowerPoint MUI (English) 2007 Microsoft Office Professional Hybrid 2007 Microsoft Office Proof (English) 2007 Microsoft Office Proof (French) 2007 Microsoft Office Proof (Spanish) 2007 Microsoft Office Proofing (English) 2007 Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) Microsoft Office Publisher 
MUI (English) 2007 Microsoft Office Shared MUI (English) 2007 Microsoft Office Shared Setup Metadata MUI (English) 2007 Microsoft Office Word MUI (English) 2007 Microsoft Security Essentials Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 Microsoft Visual C++ 2005 Redistributable Mozilla Firefox (3.5.10) MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 (KB973688) Nero 8 neroxml NVIDIA Drivers NVIDIA PhysX NVIDIA Stereoscopic 3D Driver office Convert Pdf to Jpg Jpeg Tiff Free 4.9 OmniFormat Pdf995 Polar Precision Performance SW PrimoPDF -- by Nitro PDF Software Quicken 2007 QuickTax 2009 Sansa Updater Scan Security Update for 2007 Microsoft Office System (KB969559) Security Update for 2007 Microsoft Office System (KB978380) Security Update for Microsoft Office Excel 2007 (KB978382) Security Update for Microsoft Office Outlook 2007 (KB972363) Security Update for Microsoft Office PowerPoint 2007 (KB957789) Security Update for Microsoft Office Publisher 2007 (KB969693) Security Update for Microsoft Office system 2007 (972581) Security Update for Microsoft Office system 2007 (KB969613) Security Update for Microsoft Office system 2007 (KB974234) Security Update for Microsoft Office Visio Viewer 2007 (KB973709) SetPoint Skype Toolbars Skype™ 4.1 SmartGlobe(TM) Deluxe V3.07 SolutionCenter Status Suunto Activity Manager update 2.3.4 with language support Toolbox TrayApp UnloadSupport Update for 2007 Microsoft Office System (KB967642) Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Update for Microsoft Office 2007 Help for Common Features (KB963673) Update for Microsoft Office Access 2007 Help (KB963663) Update for Microsoft Office Excel 2007 Help (KB963678) Update for Microsoft Office InfoPath 2007 (KB976416) Update for Microsoft Office Outlook 2007 Help (KB963677) Update for Microsoft Office Powerpoint 2007 Help (KB963669) Update for Microsoft Office Publisher 2007 Help (KB963667) Update for Microsoft Office Script Editor Help (KB963671) Update for 
Microsoft Office Word 2007 (KB974561) Update for Microsoft Office Word 2007 Help (KB963665) Update for Outlook 2007 Junk Email Filter (kb979895) VCRedistSetup VLC media player 1.0.1 WebReg Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0) WinRAR archiver WinZip 14.0 Ziepod version 1.0
Before we continue can I ask you to please read all the information in the link below as it contains information for Peer2Peer programs. Not only is it illegal to download from P2P and torrent sites, it is also a breeding ground for malware and more than likely the reason you were infected. It would be futile to try and remove any infection on your system all the while P2P programs are installed.
PLEASE BE SURE TO DISABLE ALL PROTECTIVE SOFTWARE THAT IS RUNNING ON YOUR MACHINE BEFORE RUNNING COMBO-FIX, SO THAT COMBO-FIX IS NOT HINDERED IN ITS REMOVAL PROCESS.
Please Disable all Anti-virus/Anti-Spyware/FireWall on your machine (instructions via links below).
Please download ComboFix.exe. Please visit THIS webpage for download links, and instructions for running the tool:
Combo-fix MUST be saved to your desktop before running the tool.
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
When prompted to install the recovery console please make sure to do so, as this is a VERY IMPORTANT backup for Combo-fix (XP only).
You will need to be connected to the net to install the recovery console. If you can not install it DO NOT run Combo-Fix; post back and we will install it manually.
DO NOT mouse click when Combo-Fix is running as this will cause Combo-Fix to stall and it will not work as it should.
Please include the C:\ComboFix.txt in your next reply for further review.
Even though I properly disabled Resident Shield & Firewall in AVG I was getting a prompt about them, so I uninstalled AVG for now. I then ran ComboFix. I was getting AntiVir warnings as well. I do not think that is a legitimate program. Nothing to uninstall with a name like that, and Bleeping Computer identifies it as a Trojan that MalwareBytes can handle.
ComboFix 10-07-06.02 - Dan 06/07/2010 17:53:47.2.2 - x86 Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.2.1033.18.3069.2206 [GMT -6:00] Running from: c:\users\Dan\Desktop\ComboFix.exe SP: AntiVir Desktop *enabled* (Updated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE} SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} .
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) .
Sorry to be the bearer of bad news, but it looks like the lure of free copyrighted material has bitten back.
Your logs are showing a very nasty infection called a "Backdoor Trojan". This basically means that someone has total access to your machine, so much access in fact that they would have been able to see what you were doing on it as if they were sitting in front of it themselves. If they had wanted, they had enough control to have even programmed your disc drive to pop out every time you pushed it in for, say, 3 hours; that's how bad it is.
In situations like this it is considered by most if not all security experts that the best form of cleanup now is a reformat and reinstall, as this machine can never really be trusted again.
If you would like to go ahead with a clean up then that is fine, but the full extent of the damage can never really be found, and neither I nor anyone else can ever guarantee that this machine can ever be trusted again.
You need to DISCONNECT THE INFECTED MACHINE FROM THE INTERNET and by this I mean pull the ethernet cable out or if you are wireless then KILL THE WIRELESS CONNECTION and DO NOT USE THIS MACHINE FOR ANYTHING TO DO WITH CHANGING YOUR PASSWORDS OR VIA THE INTERNET.
The first thing I advise you to do is to call ALL financial institutions whose sites you have used on this machine and get a watch put on EVERY bank card, credit card, and any other card, whether they be yours, friends' or family's. If they were used on this machine then phone the relevant bank and tell them that you may be the victim of identity fraud. Then you need to get to a machine that is 100% clean and change every password you have. I would start with changing your email password, as if the hacker has your email details then every password you change he will then have access to. After that you must change every other password you have, and this includes:
Banks
Paypal
Social networking sites (facebook, twitter, etc.)
ebay
Forums
And every thing else that you have ever entered a password for.
Please read THIS very good article on how to play safe with passwords, but I can't stress enough that this MUST be done from a clean computer.
However, if you do not have the resources to reformat your computer and reinstall your operating system and programs and would like me to attempt to clean it, I will be happy to do so, but again, there is now no guarantee that this machine can ever be fully trusted again.
Should you have any questions, please feel free to ask.
I have read some of the material and I will keep reading. I have a few questions.
After waiting a few days for a reply after my initial call for help a few weeks ago I did remove the hard drive that had my C: drive, installed a brand new hard drive and started the process of re-installing the operating system. When I got a reply from you I loaded the infected drive back in, detached the other 3 hard drives in the computer and kept the infected drive in so that we could troubleshoot what happened. Glad now I did that and answers are coming. I have now removed that infected drive again and I am using the fresh install on the new drive to communicate with you. That old drive I will hold until I am confident that I did not miss anything (documents, media, etc.) when getting the new system going. My question is about the other 3 drives. I have assumed that the data on those other 3 drives (mostly media: music, movies, etc.) is clean and not an issue. Is there some way I can confirm this? I have AVG running on this new system, and only that for Anti-Virus, Firewall, etc. I used to use Norton but now might switch to AVG. Are we able to run scans on this new operating system, with the 3 'extra' drives now powered up, to confirm that I did not bring over malware/trojan with me on those 3 drives that has now made its way back into the operating system? I have been seeing my 3 'data' drives as independent from any infections on the operating system drive. I am worried that this is not guaranteed... Anyway, are we able to scan the new system? I only have AVG running and I will be certain to uninstall UTorrent prior to running the first scans that you may ask of me....
Also, are you able to recommend certain Security Software over others? I am guessing no, but thought I would ask. I have always assumed that Norton would protect me, even with P2P use (UTorrent). In fact, Norton was consistently notifying me of intrusion attempts and blocks in the weeks leading up to me realizing there was a problem and seeking help here.... so it appeared to be doing its job. I am now using AVG and not getting a lot of notifications from it, although when I look at the Firewall log there seems to be more activity there than there should be.
Thanks very much for your help. Really, really valuable and much appreciated.
I will try to answer all the questions you have asked; if there is anything I miss, please ask again.
As for the fresh install being clean, well that depends on how clean the fresh install actually is, and how much data you transferred from the infected drive to the new drive. Did you scan everything you moved from the infected drive to the new drive? I'm guessing no, which is not a problem; we can run some tests on the new drive to make sure it is clean.
Now we get to the other drives. As above, these can just as easily be infected with the same backdoors as your main old C:\ drive was. The reason for this is that:
A) I'm guessing this is where you have been storing all your downloaded content, and as it was this that more than likely infected you in the first place, it would not surprise me if the infected files were there on those three drives somewhere waiting to infect you again. There are ways to scan these drives, but I'm afraid that I'm not in the habit of helping to clean downloaded copyrighted material, for the simple fact that it is illegal and not worth risking my place in the Security Community; I hope you understand. That being said, if there is other data on the drives and you have deleted all the copyrighted material then I will be happy to help in checking them.
B) You had a backdoor infection and that is a nasty infection to have. There are very few cases where I feel the need to suggest that a reformat and reinstall should be carried out, but due to the nature of the infection it really is the best option. That leads me to my next point: someone has had total access to the system, and as such they could very well and very easily have hidden any little file anywhere on any drive, just waiting for you to reinstall C:\, then bring over that infected film/music file and reinfect you again. As I said above, if you are happy to delete any/all copyrighted material, or would like it removed in the clean up, then I will be happy to help try and clean the other drives.
As for Security Programs, there is no right or wrong Security setup; the best one is the one that works for you and the one that you can understand and use. There is no point having a Security Program that is always switched off or never opened and used to scan the system because you can't work out how to use it. I personally use Avast on one of my systems, Avira on another and Microsoft Security Essentials on my third. Please note that these are all installed on three separate systems and there are not two AVs running on a single system.
A good Security setup is made up of more than just an Anti-Virus program; you may want to have a look at the three links below to give you some ideas on how to best secure your system. That being said, you could have your system secured to the hilt and have the National Guard protecting it, but all the while you use torrent sites you run the risk of getting infected. There will always be some new zero day infection that will eventually slip through the net and infect you.
I hope I have covered all your questions; if there is something I have missed then please let me know and I will try to answer it to the best of my knowledge. If you have more, please fire away and I will try to answer anything else you need to know.
Let me know when you have the new drive installed, the other three drives are connected and all the copyrighted material is deleted, and we will run some scans to see if they are indeed infected.
The new install is Vista on fresh drive, did not bring over much data. Manually carried over bookmarks, Outlook files, etc.
At this point I guess the thing to do is scan this new drive with the fresh install on it. No copyrighted material. If we can do that I can move on from here. I suspect there is nothing there but I am obviously curious.
Please run DDS and post me both the logs for the new Vista install and then please run the ARK tool for me and post that log also. (NOTE: Please remember to disable all active protection before running the ARK tool)
DDS (Ver_10-03-17.01) - NTFSx86 Run by Dan at 20:32:05.73 on Fri 07/09/2010 Internet Explorer: 7.0.6002.18005 Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3068.1859 [GMT -6:00]
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft® Windows Vista™ Home Premium Boot Device: \Device\HarddiskVolume1 Install Date: 6/25/2010 6:28:26 PM System Uptime: 7/9/2010 11:42:18 AM (9 hours ago)
Motherboard: Dell Inc. | | 0UY253 Processor: Intel(R) Core(TM)2 CPU 6700 @ 2.66GHz | Microprocessor | 2660/1066mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 98 GiB total, 48.293 GiB free. D: is CDROM () E: is CDROM (CDFS) F: is CDROM () G: is Removable H: is Removable I: is Removable J: is Removable K: is FIXED (NTFS) - 368 GiB total, 243.893 GiB free. R: is FIXED (NTFS) - 932 GiB total, 122.906 GiB free. S: is FIXED (NTFS) - 932 GiB total, 148.42 GiB free.
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP69: 7/4/2010 10:05:52 AM - Scheduled Checkpoint RP70: 7/5/2010 7:26:31 AM - Scheduled Checkpoint RP71: 7/7/2010 4:45:50 PM - Windows Update RP72: 7/7/2010 7:24:31 PM - Windows Update RP73: 7/8/2010 8:54:49 AM - Scheduled Checkpoint RP74: 7/9/2010 8:12:02 AM - Scheduled Checkpoint
==== Installed Programs ======================
2007 Microsoft Office system 3100_3200_3300_Help 3100_3200_3300trb 32 Bit HP CIO Components Installer 3200 Adobe Flash Player 10 Plugin Adobe Photoshop Elements 6.0 Adobe Reader 9.3.3 AIO_CDB_ProductContext AIO_CDB_Software AIO_Scan AnswerWorks 5.0 English Runtime AVG 9.0 Beyond Compare Version 3.1.11 BufferChm CDDRV_Installer CDisplay 1.8 Copy Dell Driver Download Manager Destinations DeviceManagementQFolder DocProc DocProcQFolder eSupportQFolder Fax Google Chrome Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) HP Imaging Device Functions 8.0 HP OCR Software 8.0 HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B HP Solution Center 8.0 HPProductAssistant KhalSetup Microsoft .NET Framework 3.5 SP1 Microsoft Office 2007 Service Pack 2 (SP2) Microsoft Office Access MUI (English) 2007 Microsoft Office Access Setup Metadata MUI (English) 2007 Microsoft Office Excel MUI (English) 2007 Microsoft Office Outlook MUI (English) 2007 Microsoft Office PowerPoint MUI (English) 2007 Microsoft Office Professional Hybrid 2007 Microsoft Office Proof (English) 2007 Microsoft Office Proof (French) 2007 Microsoft Office Proof (Spanish) 2007 Microsoft Office Proofing (English) 2007 Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) Microsoft Office Publisher MUI (English) 2007 Microsoft Office Shared MUI (English) 2007 Microsoft Office Shared Setup Metadata MUI (English) 2007 Microsoft Office Word MUI (English) 2007 Microsoft Visual C++ 2005 Redistributable Mozilla Firefox (3.6.6) MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 (KB973688) Nero 8 neroxml NVIDIA Display Control Panel NVIDIA Drivers OpenAL PrimoPDF -- by Nitro PDF Software PVSonyDll Quicken 2010 Scan Security Update for 2007 Microsoft Office System (KB969559) Security Update for 2007 Microsoft Office System (KB976321) Security Update for 2007 Microsoft Office System (KB982312) Security Update for 2007 Microsoft 
Office System (KB982331) Security Update for Microsoft Office Excel 2007 (KB982308) Security Update for Microsoft Office InfoPath 2007 (KB979441) Security Update for Microsoft Office Outlook 2007 (KB972363) Security Update for Microsoft Office PowerPoint 2007 (KB982158) Security Update for Microsoft Office Publisher 2007 (KB982124) Security Update for Microsoft Office system 2007 (972581) Security Update for Microsoft Office system 2007 (KB969613) Security Update for Microsoft Office system 2007 (KB974234) Security Update for Microsoft Office Visio Viewer 2007 (KB973709) Security Update for Microsoft Office Word 2007 (KB982135) SetPoint SolutionCenter Status Toolbox TrayApp UnloadSupport Update for 2007 Microsoft Office System (KB967642) Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Update for Microsoft Office 2007 Help for Common Features (KB963673) Update for Microsoft Office Access 2007 Help (KB963663) Update for Microsoft Office Excel 2007 Help (KB963678) Update for Microsoft Office Outlook 2007 Help (KB963677) Update for Microsoft Office Powerpoint 2007 Help (KB963669) Update for Microsoft Office Publisher 2007 Help (KB963667) Update for Microsoft Office Script Editor Help (KB963671) Update for Microsoft Office Word 2007 Help (KB963665) Update for Outlook 2007 Junk Email Filter (kb983486) VLC media player 1.1.0 WebReg WinRAR archiver
==== Event Viewer Messages From Past Week ========
7/9/2010 12:50:55 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service. 7/8/2010 11:02:31 AM, Error: EventLog [6008] - The previous system shutdown at 10:14:57 AM on 7/8/2010 was unexpected. 7/7/2010 7:25:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x8024200d: Security Update for Windows Vista (KB979683). 7/7/2010 7:24:41 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package KB979683 (Security Update) into Staging(Staging) state 7/7/2010 7:24:41 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package KB979683 (Security Update) into Resolved(Resolved) state 7/7/2010 7:24:41 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package KB979683 (Security Update) into Installed(Installed) state 7/7/2010 7:24:38 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 979683-23_neutral_GDR from package KB979683(Security Update) into Staging(Staging) state 7/7/2010 7:24:38 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 979683-22_neutral_LDR from package KB979683(Security Update) into Staging(Staging) state 7/7/2010 7:24:38 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 979683-14_neutral_GDR from package KB979683(Security Update) into Staging(Staging) state 7/7/2010 7:24:38 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 979683-13_neutral_LDR from package KB979683(Security Update) into Staging(Staging) state 7/7/2010 4:00:55 PM, Error: BTHUSB [19] 
- Windows detected an error while storing the Bluetooth link key for adapter address (00:07:61:63:df:eb) on the local adapter. The event contains the vendor-specific error code. 7/4/2010 1:48:43 PM, Error: disk [15] - The device, \Device\Harddisk9\DR9, is not ready for access yet. 7/4/2010 1:48:43 PM, Error: disk [15] - The device, \Device\Harddisk8\DR8, is not ready for access yet. 7/4/2010 1:48:43 PM, Error: disk [15] - The device, \Device\Harddisk11\DR11, is not ready for access yet. 7/4/2010 1:48:43 PM, Error: disk [15] - The device, \Device\Harddisk10\DR10, is not ready for access yet. 7/2/2010 11:13:43 PM, Error: PlugPlayManager [12] - The device 'ST350063 0AS SCSI Disk Device' (SCSI\Disk&Ven_ST350063&Prod_0AS&Rev_3.AA\5&392c0851&0&010000) disappeared from the system without first being prepared for removal.
==== End Of File ===========================
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-09 20:47:12
Windows 6.0.6002 Service Pack 2
Running: oq1t160g.exe; Driver: C:\Users\Dan\AppData\Local\Temp\pxldipod.sys
Please tell me, have you been having any trouble with this system, like Blue Screen Errors or anything else? I only ask as there are a lot of errors regarding updates and a memory.dmp file, which normally indicates a recent BSOD.
Apart from that the logs look in pretty good shape, but I would like to double check due to the nature of the recent infection.
I'd like us to scan your machine with ESET OnlineScan
Hold down Control and click on the following link to open ESET OnlineScan in a new window. ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on to download the ESET Smart Installer. Save it to your desktop.
Double click on the icon on your desktop.
Check
Click the button.
Accept any security warnings from your browser.
Check
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push
Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
kevin27_b3d29f (2 Intern, 1.5K Posts), July 4th, 2010 15:00
Hi djwalk,
Welcome to Dell Community Malware Removal Forums,
Sorry for the delay in getting to you, I'm K27 and i will be reviewing your log for you.
Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.
Please DO NOT use this system for anything apart from visiting this forum and other sites I direct you to, as this will only make the cleanup process all the more difficult.
The most important thing I will ask of you is that you let me know if you are not going to be able to reply within three (3) days. The reason I ask this is that the spare time we volunteers give up is in short supply and could be used to help others or to do real-life things. Failure to reply within three (3) days will result in this thread being closed and I will stop checking it for replies. If you are going to be unable to reply, that's fine, but please let me know.
I need to see some additional information about what is happening in your machine.
Please perform the following scan:
1. DDS.txt
2. Attach.txt
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control here
YOU MUST DISABLE ALL REAL TIME PROTECTION BEFORE RUNNING THE NEXT TOOL,
Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.
Please Disable all Anti-virus/Anti-Spyware/FireWall on your machine(instructions via links below)
Next, please perform a rootkit scan:
If the ARK tool crashes your machine or causes a Blue Screen error, please post the log results from the first initial quick scan; this can be saved in the same way as the full scan in the above instructions.
Please COPY/PASTE BOTH DDS logs and the ARK log back to this thread,
Thanks
K27
djwalk
11 Posts
July 4th, 2010 23:00
Thanks for the reply. Before I got your post I uninstalled Norton, loaded AVG, tried an AVIRA Rescue Disc scan, and loaded Microsoft Security Essentials. Security Essentials is telling me I have Alureon.H. Now that we are active here I will stop tinkering and follow your instructions.
DDS (Ver_10-03-17.01) - NTFSx86
Run by Dan at 22:07:13.59 on 04/07/2010
Internet Explorer: 7.0.6000.16982
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.2.1033.18.3069.1519 [GMT -6:00]
AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
SP: Microsoft Security Essentials *enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDE}
SP: AVG Internet Security *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: AntiVir Desktop *enabled* (Updated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\IoctlSvc.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Silicon Image\3132-W-I32-R SATARAID5\SATARaid5ConfigService.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\CtHelper.exe
C:\Windows\System32\CTXFIHLP.EXE
C:\Program Files\SetPoint\LBTWiz.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\CTXFISPI.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Users\Dan\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Users\Dan\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Windows\System32\mobsync.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\ehsched.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Seagate\AutoBackup\MemeoBackup.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Dan\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.ask.com/?o=13920&l=dis
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Ziepod One-Click Helper: {57a30d1e-08b9-4ef4-b273-aaea1c234a5b} - c:\windows\system32\ZiepodOneClicker.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [Polar Sync]
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SansaDispatch] c:\users\dan\appdata\roaming\sandisk\sansa updater\SansaDispatch.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [Google Update] "c:\users\dan\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [CtxfiReg] CTXFIREG.EXE
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Logitech BT Wizard] LBTWiz.exe -silent
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [StxTrayMenu] c:\program files\seagate\systemtray\freeagentlauncher.exe c:\program files\seagate\systemtray\StxMenuMgr.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ ]
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
StartupFolder: c:\users\dan\appdata\roaming\micros~1\windows\startm~1\programs\startup\autoba~1.lnk - c:\program files\seagate\autobackup\MemeoLauncher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\satara~1.lnk - c:\windows\installer\{f98bf160-2b31-4613-ba35-66958f51b97c}\_95273811175B2CA0FC7A47.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\setpoint.lnk - c:\program files\setpoint\SetPoint.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: intu-qt2009 - {03947252-2355-4e9b-B446-8CCC75C43370} - c:\program files\quicktax 2009\ic2009pp.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: avgrsstx.dll
================= FIREFOX ===================
FF - ProfilePath - c:\users\dan\appdata\roaming\mozilla\firefox\profiles\ml7plq15.default\
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSVG6.dll
FF - plugin: c:\users\dan\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
============= SERVICES / DRIVERS ===============
R0 AVGIDSErHrvtx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSvx.sys [2010-6-24 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-6-24 52872]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2010-6-24 24856]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-6-24 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-6-24 29584]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-6-24 243024]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 MpKsl809a4610;MpKsl809a4610;c:\programdata\microsoft\microsoft antimalware\definition updates\{2e1d6423-d8ed-4773-b91b-d792425e684b}\MpKsl809a4610.sys [2010-7-4 28752]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-24 308136]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-6-24 2331032]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-6-24 5897808]
R2 SATARaid5 Config Service;SATARaid5 Configuration Service;c:\program files\silicon image\3132-w-i32-r sataraid5\SATARaid5ConfigService.exe [2005-10-5 131072]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-8-17 239648]
R3 AVGIDSDrivervtx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_vista\AVGIDSDriver.sys [2010-6-24 122448]
R3 AVGIDSFiltervtx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_vista\AVGIDSFilter.sys [2010-6-24 30288]
R3 AVGIDSShimvtx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_vista\AVGIDSShim.sys [2010-6-24 27216]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2006-11-2 167936]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-6-24 430152]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2008-7-25 42280]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-22 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-22 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 42368]
S3 SNL320XP;SONIX MULTIMEDIA USB DEVICE DRIVER;c:\windows\system32\drivers\9kdUSBXP.sys [2010-4-7 16000]
S3 stusb2ir;USB 2.0 IrDA Bridge;c:\windows\system32\drivers\stusb2ir.sys [2006-11-2 41728]
=============== Created Last 30 ================
2010-07-03 03:39:02 0 d-----w- c:\program files\Microsoft Security Essentials
2010-06-26 22:50:18 0 d-----w- c:\users\dan\appdata\roaming\AVG9
2010-06-25 02:23:19 162906 ----a-w- c:\users\dan\bookmarks-2010-06-24.json
2010-06-25 00:02:03 0 d--h--w- C:\$AVG
2010-06-24 22:02:35 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-24 21:54:06 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-24 21:54:04 0 d-----w- c:\windows\system32\drivers\Avg
2010-06-24 21:54:00 0 d-----w- c:\programdata\AVG Security Toolbar
2010-06-24 21:52:45 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-06-24 21:52:45 25168 ----a-w- c:\windows\system32\drivers\AVGIDSvx.sys
2010-06-24 21:52:43 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-24 21:52:18 24856 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2010-06-24 21:51:17 0 d-----w- c:\program files\AVG
2010-06-24 21:50:57 0 d-----w- c:\programdata\avg9
2010-06-24 03:53:03 0 d-----w- c:\programdata\Avira
2010-06-24 01:55:59 184320 ----a-w- c:\windows\system32\drivers\qumpvwdw.sys
2010-06-23 03:16:20 0 d-----w- c:\program files\Trend Micro
2010-06-23 02:24:09 0 d-----w- c:\users\dan\appdata\roaming\Malwarebytes
2010-06-23 02:23:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-23 02:23:53 0 d-----w- c:\programdata\Malwarebytes
2010-06-23 02:23:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-23 02:23:52 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-22 13:39:16 0 d-----w- c:\windows\system32\catroot2
2010-06-17 14:16:47 28 ----a-w- c:\windows\pdf995.ini
==================== Find3M ====================
2010-07-03 03:58:42 4404 ----a-w- c:\windows\bthservsdp.dat
2010-06-24 21:52:23 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-06-24 21:52:23 51200 ----a-w- c:\windows\inf\infpub.dat
2010-06-24 21:52:22 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-29 03:32:44 87608 ----a-w- c:\users\dan\appdata\roaming\inst.exe
2010-05-29 03:32:44 47360 ----a-w- c:\users\dan\appdata\roaming\pcouffin.sys
2010-05-13 02:06:38 116842 ----a-w- c:\windows\hpqins00.dat
2010-04-15 23:35:18 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2010-04-15 23:35:18 249856 ----a-w- c:\windows\system32\pdfmona.dll
2009-08-31 04:22:33 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-08-31 03:25:08 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-12-19 14:26:24 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-12-19 14:26:24 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-12-19 14:26:24 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2007-01-05 20:20:59 8192 --sha-w- c:\windows\users\default\NTUSER.DAT
============= FINISH: 22:08:41.30 ===============
R3 AVGIDSShimvtx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_vista\AVGIDSShim.sys [2010-6-24 27216]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2006-11-2 167936]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-6-24 430152]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2008-7-25 42280]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-22 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-22 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 42368]
S3 SNL320XP;SONIX MULTIMEDIA USB DEVICE DRIVER;c:\windows\system32\drivers\9kdUSBXP.sys [2010-4-7 16000]
S3 stusb2ir;USB 2.0 IrDA Bridge;c:\windows\system32\drivers\stusb2ir.sys [2006-11-2 41728]
=============== Created Last 30 ================
2010-07-03 03:39:02 0 d-----w- c:\program files\Microsoft Security Essentials
2010-06-26 22:50:18 0 d-----w- c:\users\dan\appdata\roaming\AVG9
2010-06-25 02:23:19 162906 ----a-w- c:\users\dan\bookmarks-2010-06-24.json
2010-06-25 00:02:03 0 d--h--w- C:\$AVG
2010-06-24 22:02:35 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-24 21:54:06 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-24 21:54:04 0 d-----w- c:\windows\system32\drivers\Avg
2010-06-24 21:54:00 0 d-----w- c:\programdata\AVG Security Toolbar
2010-06-24 21:52:45 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-06-24 21:52:45 25168 ----a-w- c:\windows\system32\drivers\AVGIDSvx.sys
2010-06-24 21:52:43 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-24 21:52:18 24856 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2010-06-24 21:51:17 0 d-----w- c:\program files\AVG
2010-06-24 21:50:57 0 d-----w- c:\programdata\avg9
2010-06-24 03:53:03 0 d-----w- c:\programdata\Avira
2010-06-24 01:55:59 184320 ----a-w- c:\windows\system32\drivers\qumpvwdw.sys
2010-06-23 03:16:20 0 d-----w- c:\program files\Trend Micro
2010-06-23 02:24:09 0 d-----w- c:\users\dan\appdata\roaming\Malwarebytes
2010-06-23 02:23:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-23 02:23:53 0 d-----w- c:\programdata\Malwarebytes
2010-06-23 02:23:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-23 02:23:52 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-22 13:39:16 0 d-----w- c:\windows\system32\catroot2
2010-06-17 14:16:47 28 ----a-w- c:\windows\pdf995.ini
==================== Find3M ====================
2010-07-03 03:58:42 4404 ----a-w- c:\windows\bthservsdp.dat
2010-06-24 21:52:23 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-06-24 21:52:23 51200 ----a-w- c:\windows\inf\infpub.dat
2010-06-24 21:52:22 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-29 03:32:44 87608 ----a-w- c:\users\dan\appdata\roaming\inst.exe
2010-05-29 03:32:44 47360 ----a-w- c:\users\dan\appdata\roaming\pcouffin.sys
2010-05-13 02:06:38 116842 ----a-w- c:\windows\hpqins00.dat
2010-04-15 23:35:18 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2010-04-15 23:35:18 249856 ----a-w- c:\windows\system32\pdfmona.dll
2009-08-31 04:22:33 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-08-31 03:25:08 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-12-19 14:26:24 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-12-19 14:26:24 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-12-19 14:26:24 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2007-01-05 20:20:59 8192 --sha-w- c:\windows\users\default\NTUSER.DAT
============= FINISH: 22:08:41.30 ===============
ARK does a quick scan, but when I try the larger scan per the instructions it freezes part way through and I get the message "Windows Explorer has stopped working"; the computer is frozen. Quick scan data:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-07-04 22:55:44
Windows 6.0.6000
Running: dvqhk6wm.exe; Driver: C:\Users\Dan\AppData\Local\Temp\pxrdipod.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys
AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- EOF - GMER 1.0.15 ----
This week I will only be able to reply after 20:00 or 21:00 EST for the next few days. Thanks again.
kevin27_b3d29f (2 Intern, 1.5K Posts) - July 5th, 2010 11:00
Hi djwalk,
You have posted the DDS log twice, please copy/paste the attach log for me.
Also, we do not want more than one anti-virus program running on the system: not only will this cause the system to become unstable, it will also leave you vulnerable to infection. Please remove the AntiVir Desktop program and one of either AVG or MSE via "Programs and Features" in Control Panel.
Please let me know which Anti-Virus you decided to keep and please post the attach.txt that DDS created.
Thanks,
K27.
djwalk (11 Posts) - July 5th, 2010 15:00
Sorry about that for the attach.txt....
I have uninstalled MSE, and I am assuming the AntiVir Desktop was a MalwareBytes application, which I have uninstalled as well. I am now only running AVG.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 30/08/2009 7:11:55 PM
System Uptime: 07/04/2010 9:57:53 PM (2113 hours ago)
Motherboard: Dell Inc. | | 0UY253
Processor: Intel(R) Core(TM)2 CPU 6700 @ 2.66GHz | Microprocessor | 2660/1066mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 466 GiB total, 184.73 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is CDROM ()
H: is Removable
I: is Removable
J: is Removable
K: is Removable
==== Disabled Device Manager Items =============
Class GUID:
Description: Bluetooth Peripheral Device
Device ID: BTHENUM\{426C6163-6B42-6572-7279-427970617373}_LOCALMFG&000F\8&C2376B&0&000F86D42D54_C00000000
Manufacturer:
Name: Bluetooth Peripheral Device
PNP Device ID: BTHENUM\{426C6163-6B42-6572-7279-427970617373}_LOCALMFG&000F\8&C2376B&0&000F86D42D54_C00000000
Service:
Class GUID:
Description: Bluetooth Peripheral Device
Device ID: BTHENUM\{426C6163-6B42-6572-7279-44736B746F70}_LOCALMFG&000F\8&C2376B&0&000F86D42D54_C00000000
Manufacturer:
Name: Bluetooth Peripheral Device
PNP Device ID: BTHENUM\{426C6163-6B42-6572-7279-44736B746F70}_LOCALMFG&000F\8&C2376B&0&000F86D42D54_C00000000
Service:
==== System Restore Points ===================
==== Installed Programs ======================
Sansa Media Converter
2007 Microsoft Office system
3100_3200_3300_Help
3100_3200_3300trb
3132-W-I32-R SATARAID5
32 Bit HP CIO Components Installer
3200
Acrobat.com
Adobe AIR
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Elements 6.0
Adobe Premiere Elements 4.0
Adobe Premiere Elements 4.0 Templates
Adobe Reader 9.3.2
Adobe SVG Viewer 6.0
Advanced Diary v2.1
AIO_CDB_ProductContext
AIO_CDB_Software
AIO_Scan
µTorrent
AutoBackup
AVG 9.0
Beyond Compare Version 3.1.6
BlackBerry Desktop Software 5.0.1
BufferChm
CDDRV_Installer
CDisplay 1.8
ComicRack v0.9.117
Copy
Dell Driver Download Manager
Dell Driver Download Manager - 1
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DocProc
DocProcQFolder
DVDFab 7.0.6.5 Beta (26/05/2010)
eSupportQFolder
Fax
FreeAgent Pro Tools
Garmin Communicator Plugin
Garmin USB Drivers
Google Chrome
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Imaging Device Functions 8.0
HP OCR Software 8.0
HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B
HP Solution Center 8.0
HPProductAssistant
IKEA Home Planner
J2SE Runtime Environment 5.0 Update 5
KhalSetup
Kidizoom Plus(TM)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Essentials
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.10)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 8
neroxml
NVIDIA Drivers
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
office Convert Pdf to Jpg Jpeg Tiff Free 4.9
OmniFormat
Pdf995
Polar Precision Performance SW
PrimoPDF -- by Nitro PDF Software
Quicken 2007
QuickTax 2009
Sansa Updater
Scan
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
SetPoint
Skype Toolbars
Skype™ 4.1
SmartGlobe(TM) Deluxe V3.07
SolutionCenter
Status
Suunto Activity Manager update 2.3.4 with language support
Toolbox
TrayApp
UnloadSupport
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb979895)
VCRedistSetup
VLC media player 1.0.1
WebReg
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
WinRAR archiver
WinZip 14.0
Ziepod version 1.0
==== End Of File ===========================
kevin27_b3d29f (2 Intern, 1.5K Posts) - July 6th, 2010 14:00
Hi,
Before we continue, can I ask you to please read all the information in the link below, as it contains information on Peer2Peer programs.
Not only is it illegal to download from P2P and torrent sites, it is also a breeding ground for malware and more than likely the reason you were infected.
It would be futile to try and remove any infection on your system while P2P programs are installed.
Perils of P2P File Sharing
Then I need you to go to:
uTorrent
Then please uninstall anything else running on the machine that may relate to P2P file sharing or cracked software.
Please post back once you have removed all P2P programs so we may continue.
Thanks,
K27
djwalk (11 Posts) - July 6th, 2010 15:00
Done. uTorrent is uninstalled. No other P2P, no cracked software.
kevin27_b3d29f (2 Intern, 1.5K Posts) - July 6th, 2010 16:00
PLEASE BE SURE TO DISABLE ALL PROTECTIVE SOFTWARE THAT IS RUNNING ON YOUR MACHINE BEFORE RUNNING COMBO-FIX, SO THAT COMBO-FIX IS NOT HINDERED IN ITS REMOVAL PROCESS
Please disable all Anti-virus/Anti-Spyware/Firewall software on your machine (instructions via the links below).
Please download ComboFix.exe. Please visit THIS webpage for download links and instructions for running the tool:
Combo-fix MUST be saved to your desktop before running the tool.
* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
When prompted to install the Recovery Console, please make sure to do so, as this is a VERY IMPORTANT backup for Combo-fix (XP only).
You will need to be connected to the net to install the Recovery Console; if you cannot install it, DO NOT run Combo-Fix.
Post back and we will install it manually.
DO NOT mouse click when Combo-Fix is running, as this will cause Combo-Fix to stall and it will not work as it should.
Please include the C:\ComboFix.txt in your next reply for further review.
Thanks.
djwalk (11 Posts) - July 6th, 2010 18:00
Even though I properly disabled Resident Shield & Firewall in AVG, I was getting a prompt about them, so I uninstalled AVG for now. I then ran ComboFix. I was getting AntiVir warnings as well. I do not think that is a legitimate program. There is nothing to uninstall with a name like that, and Bleeping Computer identifies it as a Trojan that MalwareBytes can handle.
ComboFix 10-07-06.02 - Dan 06/07/2010 17:53:47.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.2.1033.18.3069.2206 [GMT -6:00]
Running from: c:\users\Dan\Desktop\ComboFix.exe
SP: AntiVir Desktop *enabled* (Updated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\Dan\AppData\Roaming\inst.exe
c:\users\Dan\R149559.exe
c:\windows\system32\office.exe
.
((((((((((((((((((((((((( Files Created from 2010-06-07 to 2010-07-07 )))))))))))))))))))))))))))))))
.
2010-07-07 00:00 . 2010-07-07 00:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-07 00:00 . 2010-07-07 00:00 -------- d-----w- c:\users\Janna\AppData\Local\temp
2010-07-06 23:52 . 2010-07-06 23:53 -------- d-----w- C:\32788R22FWJFW
2010-07-05 21:12 . 2010-07-05 21:12 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2010-07-05 04:11 . 2010-07-05 04:11 184320 ----a-w- c:\windows\system32\drivers\nbvbavqk.sys
2010-06-26 22:50 . 2010-06-26 22:50 -------- d-----w- c:\users\Dan\AppData\Roaming\AVG9
2010-06-26 19:03 . 2010-06-26 19:03 -------- d-----w- c:\users\Janna\AppData\Local\AVG Security Toolbar
2010-06-25 00:02 . 2010-06-25 00:02 -------- d-----w- C:\$AVG
2010-06-24 21:51 . 2010-06-24 21:51 -------- d-----w- c:\program files\AVG
2010-06-24 01:55 . 2010-06-24 01:55 184320 ----a-w- c:\windows\system32\drivers\qumpvwdw.sys
2010-06-23 03:16 . 2010-06-23 03:16 -------- d-----w- c:\program files\Trend Micro
2010-06-23 02:24 . 2010-06-23 02:24 -------- d-----w- c:\users\Dan\AppData\Roaming\Malwarebytes
2010-06-22 13:39 . 2010-07-06 23:53 -------- d-----w- c:\windows\system32\catroot2
2010-06-17 14:16 . 2010-06-17 14:16 -------- d-----w- c:\users\Janna\AppData\Roaming\pdf995
2010-06-14 16:12 . 2006-12-07 16:45 110592 ----a-w- c:\users\Dan\AppData\Roaming\U3\temp\cleanup.exe
2010-06-14 16:10 . 2006-12-07 16:45 3096576 ---ha-w- c:\users\Dan\AppData\Roaming\U3\temp\Launchpad Removal.exe
2010-06-14 16:10 . 2010-06-14 16:12 -------- d-----w- c:\users\Dan\AppData\Roaming\U3
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-06 23:49 . 2009-08-31 16:47 3308 ----a-w- c:\windows\bthservsdp.dat
2010-07-06 23:15 . 2010-05-28 21:04 -------- d-----w- c:\program files\DVDFab 7
2010-07-06 23:15 . 2009-10-07 00:31 47360 ----a-w- c:\users\Dan\AppData\Roaming\pcouffin.sys
2010-07-06 23:15 . 2009-10-07 00:31 47360 ----a-w- c:\users\Dan\AppData\Roaming\pcouffin.sys
2010-07-06 23:15 . 2009-10-07 00:31 -------- d-----w- c:\users\Dan\AppData\Roaming\Vso
2010-07-06 21:08 . 2009-08-31 14:58 -------- d-----w- c:\program files\uTorrent
2010-07-06 21:08 . 2009-08-31 13:41 -------- d-----w- c:\users\Dan\AppData\Roaming\uTorrent
2010-07-05 04:04 . 2010-04-15 23:01 -------- d-----w- c:\users\Dan\AppData\Roaming\PrimoPDF
2010-06-24 19:23 . 2009-11-02 05:23 -------- d-----w- c:\users\Janna\AppData\Roaming\vlc
2010-06-24 03:36 . 2009-09-01 22:43 -------- d-----w- c:\users\Dan\AppData\Roaming\vlc
2010-06-22 04:18 . 2009-08-31 16:38 -------- d-----w- c:\program files\SetPoint
2010-06-22 04:18 . 2009-12-22 23:58 -------- d-----w- c:\users\Dan\AppData\Roaming\dvdcss
2010-06-17 14:22 . 2010-04-15 23:35 59 ----a-w- c:\windows\wpd99.drv
2010-05-26 04:22 . 2010-02-21 02:18 -------- d-----w- c:\users\Dan\AppData\Roaming\Skype
2010-05-25 22:37 . 2010-02-21 02:42 -------- d-----w- c:\documents and settings\releaseengineer\Application Data\skypePM
2010-05-17 13:48 . 2010-05-17 13:48 10134 ----a-r- c:\users\Dan\AppData\Roaming\Microsoft\Installer\{8CC990CD-87C8-475C-AC32-8A7984E2FCFA}\ARPPRODUCTICON.exe
2010-05-17 13:47 . 2010-05-17 13:47 10134 ----a-r- c:\users\Dan\AppData\Roaming\Microsoft\Installer\{9060B698-2B29-4A1F-B876-BEAC4C0A25D5}\ARPPRODUCTICON.exe
2010-05-16 21:45 . 2009-10-13 03:35 -------- d-----w- c:\program files\Ziepod
2010-05-16 20:11 . 2010-05-16 18:09 -------- d-----w- c:\program files\Burrrn
2010-05-13 02:06 . 2010-05-13 02:04 116842 ----a-w- c:\windows\hpqins00.dat
2010-04-15 23:35 . 2010-04-15 23:35 249856 ----a-w- c:\windows\system32\pdfmona.dll
2010-04-15 23:35 . 2010-04-15 23:35 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2010-04-09 04:09 . 2010-04-09 03:55 256 ----a-w- c:\windows\system32\pool.bin
2007-01-05 20:20 . 2007-01-05 20:20 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-08-31 1232896]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2008-12-12 132392]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"SansaDispatch"="c:\users\Dan\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-12-23 79872]
"Google Update"="c:\users\Dan\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-05-17 136176]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech BT Wizard"="LBTWiz.exe -silent"
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2009-08-31 1006264]
"CTHelper"="CTHELPER.EXE" [2006-12-13 19456]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-12-13 20480]
"CtxfiReg"="CTXFIREG.EXE" [2006-12-13 44032]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-01-12 101136]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-12 101136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-12-02 2221352]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\FreeAgentLauncher.exe" [2007-01-18 79416]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-14 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-14 92704]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
c:\users\Dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
AutoBackup Launcher.lnk - c:\program files\Seagate\AutoBackup\MemeoLauncher.exe [2008-1-14 95456]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
SATARaid5Manager.lnk - c:\windows\Installer\{F98BF160-2B31-4613-BA35-66958F51B97C}\_95273811175B2CA0FC7A47.exe [2009-8-30 1206]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2010-5-17 679936]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-796391387-3436633186-3327069907-1000]
"EnableNotificationsRef"=dword:00000001
R2 SATARaid5 Config Service;SATARaid5 Configuration Service;c:\program files\Silicon Image\3132-W-I32-R SATARAID5\SATARaid5ConfigService.exe [2005-10-06 131072]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2008-07-26 42280]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-08-22 18688]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2008-08-22 8320]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-19 23680]
R3 SNL320XP;SONIX MULTIMEDIA USB DEVICE DRIVER;c:\windows\system32\DRIVERS\9kdUSBXP.sys [2006-12-28 16000]
R3 stusb2ir;USB 2.0 IrDA Bridge;c:\windows\system32\DRIVERS\stusb2ir.sys [2006-11-02 41728]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-08-17 239648]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
2010-06-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796391387-3436633186-3327069907-1000Core.job
- c:\users\Dan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-17 18:37]
2010-07-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796391387-3436633186-3327069907-1000UA.job
- c:\users\Dan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-17 18:37]
2010-07-06 c:\windows\Tasks\User_Feed_Synchronization-{A6278F47-AC02-4CBD-A5F0-8023F5B8F970}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=13920&l=dis
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-Polar Sync - (no file)
HKCU-Run-uTorrent - c:\program files\uTorrent\uTorrent.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-06 18:01
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Polar Sync = ?:\program files\polar\polar sync\?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
SansaDispatch = c:\users\Dan\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe??k?\?S?a?n?s?a? ?U?p?d?a?t?e?r???r?u?e?)?;?????y???H?:?H?:?????P?:??
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-07-06 18:03:26
ComboFix-quarantined-files.txt 2010-07-07 00:03
Pre-Run: 201,953,595,392 bytes free
Post-Run: 218,284,883,968 bytes free
- - End Of File - - 6EB66CADC39AB09C0782224FCC37917F
kevin27_b3d29f (2 Intern, 1.5K Posts) - July 7th, 2010 06:00
djwalk,
Sorry to be the bearer of bad news, but it looks like the lure of free copyrighted material has bitten back.
Your logs are showing a very nasty infection called a "Backdoor Trojan". This basically means that someone has total access to your machine, so much access in fact that they would have been able to see what you were doing on it as if they were sitting in front of it themselves.
If they had wanted, they had enough control to have even programmed your disc drive to pop out every time you pushed it in for, say, 3 hours. That's how bad it is.
In situations like this it is considered by most if not all security experts that the best form of cleanup now is a reformat and reinstall, as this machine can never really be trusted again.
If you would like to go ahead with a clean-up then that is fine, but the full extent of the damage can never really be found, and neither I nor anyone else can ever guarantee that this machine can ever be trusted again.
You need to DISCONNECT THE INFECTED MACHINE FROM THE INTERNET. By this I mean pull the ethernet cable out, or if you are wireless then KILL THE WIRELESS CONNECTION, and DO NOT USE THIS MACHINE FOR ANYTHING TO DO WITH CHANGING YOUR PASSWORDS OR VIA THE INTERNET.
The first thing I advise you to do is to call ALL financial institutions whose sites you have used on this machine and get a watch put on EVERY bank card, credit card, and any other card, whether they be yours, friends' or family's.
If they were used on this machine then phone the relevant bank and tell them that you may be the victim of identity fraud.
Then you need to get to a machine that is 100% clean and change every password you have.
I would start with changing your email password, as if the hacker has your email details then he will have access to every password you change.
After that you must change every other password you have, and this includes:
And everything else that you have ever entered a password for.
Please read THIS very good article on how to play safe with passwords.
But I can't stress enough that this MUST be done from a clean computer.
After that please read these links:
What Is A Backdoor Trojan?
Danger: Remote Access Trojans
Consumers – Identity Theft
When should I re-format? How should I reinstall?
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
Rootkits: The Obscure Hacker Attack
Help: I Got Hacked. Now What Do I Do?
Help: I Got Hacked. Now What Do I Do? Part II
Microsoft Says Recovery from Malware Becoming Impossible
However, if you do not have the resources to reformat your computer and reinstall your operating system and programs, and would like me to attempt to clean it, I will be happy to do so, but again, there is now no guarantee that this machine can ever be fully trusted again.
Should you have any questions, please feel free to ask.
K27
djwalk, July 7th, 2010 16:00
Wow, that is some bad news.
I have read some of the material and I will keep reading. I have a few questions.
After waiting a few days for a reply after my initial call for help a few weeks ago, I did remove the hard drive that had my C: drive, installed a brand new hard drive and started the process of re-installing the operating system. When I got a reply from you I loaded the infected drive back in, detached the other 3 hard drives in the computer and kept the infected drive in so that we could troubleshoot what happened. Glad now I did that and answers are coming. I have now removed that infected drive again and I am using the fresh install on the new drive to communicate with you. That old drive I will hold until I am confident that I did not miss anything (documents, media, etc.) when getting the new system going. My question is about the other 3 drives. I have assumed that the data on those other 3 drives (mostly media: music, movies, etc.) is clean and not an issue. Is there some way I can confirm this? I have AVG running on this new system, and only that for Anti-Virus, Firewall, etc. I used to use Norton but now might switch to AVG. Are we able to run scans on this new operating system, with the 3 'extra' drives now powered up, to confirm that I did not bring over malware/trojans with me on those 3 drives that have now made their way back into the operating system? I have been seeing my 3 'data' drives as independent from any infections on the operating system drive. I am worried that this is not guaranteed... Anyway, are we able to scan the new system? I only have AVG running and I will be certain to uninstall uTorrent prior to running the first scans that you may ask of me....
Also, are you able to recommend certain Security Software over others? I am guessing no, but thought I would ask. I have always assumed that Norton would protect me, even with P2P use (uTorrent). In fact, Norton was consistently notifying me of intrusion attempts and blocks in the weeks leading up to me realizing there was a problem and seeking help here.... so it appeared to be doing its job. I am now using AVG and not getting a lot of notifications from it, although when I look at the Firewall log there seems to be more activity there than there should be.
Thanks very much for your help. Really, really valuable and much appreciated.
kevin27_b3d29f, July 7th, 2010 23:00
djwalk,
You're welcome.
I will try to answer all the questions you have asked; if there is anything I miss, please ask again.
As for the fresh install being clean, well, that depends on how clean the fresh install actually is and how much data you transferred from the infected drive to the new drive. Did you scan everything you moved from the infected drive to the new drive? I'm guessing no, which is not a problem; we can run some tests on the new drive to make sure it is clean.
Now we get to the other drives. As above, these can just as easily be infected with the same backdoors as your main old C:\ drive was. The reason for this is that:
A) I'm guessing this is where you have been storing all your downloaded content, and as it was this that more than likely infected you in the first place, it would not surprise me if the infected files were there on those three drives somewhere, waiting to infect you again. There are ways to scan these drives, but I'm afraid that I'm not in the habit of helping to clean downloaded copyrighted material, for the simple fact that it is illegal and not worth risking my place in the Security Community; I hope you understand. That being said, if there is other data on the drives and you have deleted all the copyrighted material then I will be happy to help in checking them.
B) You had a backdoor infection and that is a nasty infection to have. There are very few cases where I feel the need to suggest that a reformat and reinstall should be carried out, but due to the nature of the infection it really is the best option. That leads me to my next point: someone has had total access to the system, and as such they could very well and very easily have hidden any little file anywhere on any drive, just waiting for you to reinstall C:\, then bring over that infected film/music file and then reinfect you again. As I said above, if you are happy to delete any/all copyrighted material, or would like it removed in the clean-up, then I will be happy to help try and clean the other drives.
As for Security Programs, there is no right or wrong Security setup; the best one is the one that works for you and the one that you can understand and use. There is no point having a Security Program that is always switched off or never opened and used to scan the system because you can't work out how to use it. I personally use Avast on one of my systems, Avira on another and Microsoft Security Essentials on my third. Please note that these are all installed on three separate systems and there are not two AVs running on a single system.
A good Security setup is made up of more than just an Anti-Virus program; you may want to have a look at the three links below to give you some ideas on how to best secure your system. That being said, you could have your system secured to the hilt and have the National Guard protecting it, but all the while you use torrent sites you run the risk of getting infected. There will always be some new zero-day infection that will eventually slip through the net and infect you.
Do's and Don'ts of Security Programs
Anti-Virus Programs Explained.
Free Security Software
I hope I have covered all your questions; if there is something I have missed then please let me know and I will try to answer it to the best of my knowledge. If you have more, please fire away and I will try to answer anything else you need to know.
Let me know when you have the new drive installed, the other three drives are connected and all the copyrighted material is deleted, and we will run some scans to see if they are indeed infected.
Thanks,
K27.
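On the point K27 makes about the three data drives, that an intruder with full control could have left a file on any of them waiting to be copied back over: as an added example, not code from the thread or from either poster, here is a Python sweep that walks a drive and flags what a reviewer would look at first before any AV or antirootkit pass: loose executables on a media drive, double extensions such as film.avi.exe, files whose bytes begin with a PE header even though their extension claims to be video or audio, and an autorun.inf at the root. The sample tree it builds in a temporary directory is constructed for the example; the extension lists are this example's assumption about what a music/film drive should and should not hold, so tune them to the drive being checked. It is a quick first pass, not a replacement for the scans K27 asks for.

```python
import os
import tempfile
from pathlib import Path

# Extensions that have no business sitting loose on a music/film drive
# (assumption for this example; tune the lists to what the drive should hold).
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".hta", ".lnk", ".dll", ".cpl", ".msi",
}
MEDIA_EXTS = {".avi", ".mkv", ".mp4", ".wmv", ".mov", ".mp3", ".flac",
              ".wma", ".jpg", ".png"}


def classify(path):
    """Return a reason the file deserves a look, or None if nothing stands out."""
    ext = path.suffix.lower()
    with path.open("rb") as fh:
        head = fh.read(2)
    if path.name.lower() == "autorun.inf":
        return "autorun.inf present (auto-execution hook when the drive is mounted)"
    if ext in EXECUTABLE_EXTS:
        inner = Path(path.stem).suffix.lower()
        if inner in MEDIA_EXTS:
            return "executable hiding behind a media double extension (%s%s)" % (inner, ext)
        return "executable on a data drive (%s)" % ext
    if head == b"MZ":
        # A file that claims to be media but starts with the DOS/PE stub.
        return "PE header (MZ) under non-executable extension %s" % (ext or "(none)")
    return None


def scan_drive(root):
    """Walk root and return sorted (relative path, reason) pairs."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                reason = classify(p)
            except OSError:
                continue  # unreadable file: note it by hand, do not abort the sweep
            if reason:
                findings.append((p.relative_to(root).as_posix(), reason))
    return sorted(findings)


def build_sample_drive():
    """Constructed sample tree for the example (not real data from the thread)."""
    root = Path(tempfile.mkdtemp(prefix="datadrive_"))
    samples = {
        "Movies/film.avi": b"RIFF\x00\x00\x00\x00AVI LIST",  # genuine AVI header
        "Music/track.mp3": b"ID3\x03\x00\x00\x00",            # genuine MP3 (ID3 tag)
        "Movies/film.avi.exe": b"MZ\x90\x00",                  # double extension
        "Music/codec_pack.scr": b"MZ\x90\x00",                 # screensaver = executable
        "Movies/trailer.wmv": b"MZ\x90\x00",                   # PE disguised as video
        "autorun.inf": b"[autorun]\r\nopen=setup.exe\r\n",
    }
    for rel, content in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return root


if __name__ == "__main__":
    for rel, reason in scan_drive(build_sample_drive()):
        print("%-24s %s" % (rel, reason))
```

Run it against the mounted data drive (scan_drive("E:\\") on Windows) from the clean install, with the drive attached read-only if the controller allows it, and treat every hit as something to hash and look up rather than something to delete on the spot.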
djwalk, July 8th, 2010 17:00
First, thanks again.
The new install is Vista on fresh drive, did not bring over much data. Manually carried over bookmarks, Outlook files, etc.
At this point I guess the thing to do is scan this new drive with the fresh install on it. No copyrighted material. If we can do that I can move on from here. I suspect there is nothing there but I am obviously curious.
kevin27_b3d29f, July 8th, 2010 23:00
Hi, let's continue with the new Vista install.
Please run DDS and post me both the logs for the new Vista install and then please run the ARK tool for me and post that log also. (NOTE: Please remember to disable all active protection before running the ARK tool)
Thanks,
K27.
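The DDS log asked for above has a fixed line layout: AV/SP/FW status lines, a "Pseudo HJT Report" of uRun/mRun autostart entries, mPolicies lines and AppInit_DLLs. As an added example, not part of the thread and not part of the DDS tool, here is a Python triage pass over that layout that pulls out what a reviewer checks first: protection reported disabled, Run entries with an empty name or command, Run entries that give only a bare filename (Windows then locates it by its search path, so where the file really lives has to be verified), EnableLUA = 0 (User Account Control switched off) and anything in AppInit_DLLs (loaded into every process that maps user32.dll). The sample log is constructed for the example in the DDS format; the set of checks is this example's choice, not DDS's.

```python
import re

# Constructed sample in the DDS line layout (not the log posted in the thread).
SAMPLE_DDS = r"""DDS (Ver_10-03-17.01) - NTFSx86
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: Example Firewall *enabled* {00000000-0000-0000-0000-000000000001}
============== Pseudo HJT Report ===============
BHO: Example PDF Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\example\helper.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [CTHelper] CTHELPER.EXE
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ ]
mPolicies-system: EnableLUA = 0 (0x0)
AppInit_DLLs: avgrsstx.dll
================= FIREFOX ===================
"""

PROT_RE = re.compile(r"^(AV|SP|FW): (.+?) \*(enabled|disabled)\*")
RUN_RE = re.compile(r"^([um]Run): \[(.*?)\] ?(.*)$")
POLICY_RE = re.compile(r"^(mPolicies-\w+): (\w+) = (\d+)")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (.+)$")
FULL_PATH_RE = re.compile(r"^(?:[a-zA-Z]:\\|%)")   # drive letter or %ENV% prefix


def command_path(cmd):
    """Executable part of a Run value: the quoted string, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(text):
    """Return (log line, reason) pairs for the entries a reviewer checks first."""
    findings = []
    for line in text.splitlines():
        m = PROT_RE.match(line)
        if m:
            _kind, name, state = m.groups()
            if state == "disabled":
                findings.append((line, "%s reported disabled; confirm that was deliberate" % name))
            continue
        m = RUN_RE.match(line)
        if m:
            _hive, name, cmd = m.groups()
            path = command_path(cmd)
            if not name.strip() or not path:
                findings.append((line, "Run entry with an empty name or empty command"))
            elif not FULL_PATH_RE.match(path):
                findings.append((line, "Run entry %r names %s without a full path; Windows finds it "
                                       "by search path, so verify where it really lives" % (name, path)))
            continue
        m = POLICY_RE.match(line)
        if m and m.group(2) == "EnableLUA" and m.group(3) == "0":
            findings.append((line, "EnableLUA = 0: User Account Control is switched off"))
            continue
        m = APPINIT_RE.match(line)
        if m:
            findings.append((line, "AppInit_DLLs loads %s into every process that maps user32.dll; "
                                   "verify the DLL's owner" % m.group(1).strip()))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_DDS):
        print("%-55s -> %s" % (line[:55], reason))
```

Feed it the saved DDS.txt (triage(open("DDS.txt", encoding="utf-8", errors="replace").read())); a hit is a prompt to look, not a verdict. Bare-filename Run entries and AppInit_DLLs values are often legitimate (sound-card and AV vendors both ship them), so each one is resolved by locating the file on disk and checking its publisher.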
djwalk, July 9th, 2010 20:00
DDS (Ver_10-03-17.01) - NTFSx86
Run by Dan at 20:32:05.73 on Fri 07/09/2010
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3068.1859 [GMT -6:00]
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgam.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Windows\System32\CtHelper.exe
C:\Windows\System32\CTXFIHLP.EXE
C:\Program Files\SetPoint\LBTWiz.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Dan\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\System32\CTXFISPI.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Dan\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\dan\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [CtxfiReg] CTXFIREG.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Logitech BT Wizard] LBTWiz.exe -silent
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [ ]
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\setpoint.lnk - c:\program files\setpoint\SetPoint.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
AppInit_DLLs: avgrsstx.dll
================= FIREFOX ===================
FF - ProfilePath - c:\users\dan\appdata\roaming\mozilla\firefox\profiles\t4k4xlpn.default\
FF - plugin: c:\users\dan\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R0 AVGIDSErHrvtx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSvx.sys [2010-6-25 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-6-25 52872]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2010-6-25 24856]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-6-25 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-6-25 29584]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-6-25 243024]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-6-25 921440]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-25 308136]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-6-25 2331032]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-6-25 5897808]
R3 AVGIDSDrivervtx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_vista\AVGIDSDriver.sys [2010-6-25 122448]
R3 AVGIDSFiltervtx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_vista\AVGIDSFilter.sys [2010-6-25 30288]
R3 AVGIDSShimvtx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_vista\AVGIDSShim.sys [2010-6-25 27216]
R3 b57nd60x;%SvcDispName%;c:\windows\system32\drivers\b57nd60x.sys [2010-6-26 179712]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-6-25 430152]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2008-7-25 42280]
=============== Created Last 30 ================
2010-07-07 21:46:02 0 d--h--w- C:\$AVG
2010-07-04 21:44:21 0 d-----w- c:\users\dan\appdata\roaming\Scooter Software
2010-07-03 04:56:32 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-03 04:46:27 0 d-----w- c:\program files\Beyond Compare 3
2010-07-01 13:26:17 69632 ----a-w- c:\windows\system32\KemXML.dll
2010-07-01 13:26:17 163840 ----a-w- c:\windows\system32\kemutb.dll
2010-07-01 13:26:17 131072 ----a-w- c:\windows\system32\KemUtil.dll
2010-07-01 13:26:17 110592 ----a-w- c:\windows\system32\KemWnd.dll
2010-07-01 13:03:08 0 d-----w- c:\program files\MSXML 4.0
2010-06-29 13:25:02 388955897 ----a-w- c:\windows\MEMORY.DMP
2010-06-28 03:44:13 1024 ----a-w- c:\users\dan\.rnd
2010-06-28 03:43:00 0 d-----w- c:\programdata\Nero
2010-06-28 03:43:00 0 d-----w- c:\program files\Nero
2010-06-28 03:39:46 0 d-----w- c:\users\dan\appdata\roaming\AVG9
2010-06-28 01:35:27 69 ----a-w- c:\windows\NeroDigital.ini
2010-06-27 13:35:19 0 d-----w- c:\programdata\FLEXnet
2010-06-27 04:20:40 0 d-----w- c:\program files\common files\Macrovision Shared
2010-06-27 04:17:38 209 ----a-w- c:\windows\ODBCINST.INI
2010-06-27 04:12:16 0 d-----w- c:\programdata\WEBREG
2010-06-27 04:10:10 0 d-----w- c:\program files\common files\Hewlett-Packard
2010-06-27 04:06:58 0 d-----w- c:\program files\common files\HP
2010-06-27 04:03:16 0 d-----w- c:\program files\HP
2010-06-27 04:02:12 148931 ----a-w- c:\windows\hpoins19.dat
2010-06-27 04:02:07 0 d-----w- c:\programdata\HP
2010-06-27 04:02:06 258048 ----a-w- c:\windows\system32\hpzids01.dll
2010-06-27 04:02:05 897024 ----a-w- c:\windows\system32\hpotiop1.dll
2010-06-27 04:02:05 675840 ----a-w- c:\windows\system32\hpowiav1.dll
2010-06-27 04:02:05 303104 ----a-w- c:\windows\system32\hpovst01.dll
2010-06-27 04:02:04 26952 ----a-w- c:\windows\hpomdl19.dat
2010-06-27 01:04:58 0 d-----w- c:\program files\Advanced Diary
2010-06-27 01:04:30 293888 ----a-w- c:\windows\system32\midas.dll
2010-06-26 20:49:30 0 d-----w- c:\program files\common files\AnswerWorks 5.0
2010-06-26 20:49:25 4199784 ----a-w- c:\windows\system32\cdintf400.dll
2010-06-26 20:49:01 0 d-----w- c:\program files\common files\Intuit
2010-06-26 20:48:58 0 d-----w- c:\users\dan\appdata\roaming\Intuit
2010-06-26 20:48:58 0 d-----w- c:\program files\Quicken
2010-06-26 20:48:44 143 ----a-w- c:\windows\QUICKEN.INI
2010-06-26 20:48:33 0 d-----w- c:\programdata\Intuit
2010-06-26 20:15:48 632 --sha-r- c:\users\dan\ntuser.pol
2010-06-26 20:10:35 0 d-----w- c:\users\dan\appdata\roaming\PrimoPDF
2010-06-26 18:21:35 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-26 18:21:35 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-26 18:21:35 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-26 18:21:35 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-26 18:21:35 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-26 18:17:05 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-06-26 18:17:03 834048 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 18:17:01 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-26 18:17:00 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-26 18:17:00 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-06-26 18:16:55 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-26 18:15:50 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-06-26 15:36:37 0 d-----w- c:\windows\system32\eu-ES
2010-06-26 15:36:37 0 d-----w- c:\windows\system32\ca-ES
2010-06-26 15:36:36 0 d-----w- c:\windows\system32\vi-VN
2010-06-26 15:36:09 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-06-26 15:34:23 0 d-----w- c:\windows\system32\SPReview
2010-06-26 15:27:03 928768 ----a-w- c:\windows\system32\scavenge.dll
2010-06-26 15:27:01 57856 ----a-w- c:\windows\system32\compcln.exe
2010-06-26 15:25:59 92918 ----a-w- c:\windows\system32\slmgr.vbs
2010-06-26 15:20:04 0 d-----w- c:\windows\system32\EventProviders
2010-06-26 14:52:48 0 d-----w- C:\PerfLogs
2010-06-26 14:27:59 17408 ----a-w- c:\windows\system32\drivers\smclib.sys
2010-06-26 14:20:53 196608 ----a-w- c:\windows\SPInstall.etl
2010-06-26 13:47:14 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2010-06-26 13:47:12 72704 ----a-w- c:\windows\system32\admparse.dll
2010-06-26 13:47:09 48128 ----a-w- c:\windows\system32\mshtmler.dll
2010-06-26 13:45:37 98816 ----a-w- c:\windows\system32\mfps.dll
2010-06-26 13:45:37 53248 ----a-w- c:\windows\system32\rrinstaller.exe
2010-06-26 13:45:37 2868224 ----a-w- c:\windows\system32\mf.dll
2010-06-26 13:45:37 24576 ----a-w- c:\windows\system32\mfpmp.exe
2010-06-26 13:45:37 2048 ----a-w- c:\windows\system32\mferror.dll
2010-06-26 13:45:08 377344 ----a-w- c:\windows\system32\winhttp.dll
2010-06-26 13:39:18 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2010-06-26 13:22:05 2140 ----a-w- c:\windows\bthservsdp.dat
2010-06-26 13:18:41 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2010-06-26 13:14:31 0 d-----w- c:\users\dan\{be0c2a04-16d3-41a3-b115-5f010e3db827}
2010-06-26 13:12:11 0 d-----w- c:\programdata\Logitech
2010-06-26 13:12:09 0 d-----w- c:\program files\SetPoint
2010-06-26 13:12:07 0 d-----w- c:\program files\common files\Logitech
2010-06-26 13:11:34 0 d-----w- c:\users\dan\appdata\roaming\Dell
2010-06-26 13:07:48 356352 ----a-w- c:\windows\system32\nvusmb.exe
2010-06-26 13:07:47 1864 ----a-w- c:\windows\system32\nvsmb.nvu
2010-06-26 13:06:42 356352 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-06-26 13:06:31 0 d-----w- C:\NVIDIA
2010-06-26 12:58:59 0 d-----w- c:\windows\PCHEALTH
2010-06-26 04:45:12 0 d-----w- c:\programdata\Microsoft Help
2010-06-26 04:30:52 0 d-----w- c:\program files\CDisplay
2010-06-26 04:27:19 0 d-----w- c:\programdata\Adobe
2010-06-26 04:25:48 176235 ----a-w- c:\windows\system32\Primomonnt.dll
2010-06-26 04:25:46 0 d-----w- c:\program files\Nitro PDF
2010-06-26 04:19:36 65536 ----a-w- c:\windows\ocsetup_cbs_install_NetFx3.dpx
2010-06-26 04:19:36 28901376 ----a-w- c:\windows\ocsetup_install_NetFx3.etl
2010-06-26 04:19:36 196608 ----a-w- c:\windows\ocsetup_cbs_install_NetFx3.perf
2010-06-26 04:01:23 84480 ----a-w- c:\windows\system32\INETRES.dll
2010-06-26 04:00:26 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2010-06-26 03:14:30 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-06-26 03:14:29 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-06-26 03:14:29 23552 ----a-w- c:\windows\system32\lpk.dll
2010-06-26 03:14:29 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-06-26 03:13:49 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-06-26 03:13:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-06-26 03:13:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-06-26 03:13:49 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-06-26 03:13:49 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-06-26 03:13:49 17920 ----a-w- c:\windows\system32\netevent.dll
2010-06-26 03:13:49 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-06-26 03:13:49 105984 ----a-w- c:\windows\system32\netiohlp.dll
2010-06-26 03:13:49 10240 ----a-w- c:\windows\system32\finger.exe
2010-06-26 03:12:06 68096 ----a-w- c:\windows\system32\wlanhlp.dll
2010-06-26 03:12:06 65024 ----a-w- c:\windows\system32\wlanapi.dll
2010-06-26 03:12:06 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2010-06-26 03:12:06 2501921 ----a-w- c:\windows\system32\wlan.tmf
2010-06-26 03:12:06 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2010-06-26 03:12:05 513536 ----a-w- c:\windows\system32\wlansvc.dll
2010-06-26 03:12:05 302592 ----a-w- c:\windows\system32\wlansec.dll
2010-06-26 03:12:04 2334 ----a-w- c:\windows\system32\wbem\L2SecHC.mof
2010-06-26 03:12:04 15181 ----a-w- c:\windows\system32\gatherWirelessInfo.vbs
2010-06-26 03:12:04 12880 ----a-w- c:\windows\system32\wbem\wlan.mof
2010-06-26 03:11:41 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-06-26 03:11:40 2048 ----a-w- c:\windows\system32\msxml3r.dll
2010-06-26 03:11:40 1401856 ----a-w- c:\windows\system32\msxml6.dll
2010-06-26 03:11:39 2048 ----a-w- c:\windows\system32\msxml6r.dll
2010-06-26 03:10:54 71680 ----a-w- c:\windows\system32\atl.dll
2010-06-26 03:10:24 160256 ----a-w- c:\windows\system32\wkssvc.dll
2010-06-26 03:09:56 2048 ----a-w- c:\windows\system32\tzres.dll
2010-06-26 03:09:29 623616 ----a-w- c:\windows\system32\localspl.dll
2010-06-26 03:08:58 499712 ----a-w- c:\windows\system32\kerberos.dll
2010-06-26 03:08:57 270848 ----a-w- c:\windows\system32\schannel.dll
2010-06-26 03:06:09 6656 ----a-w- c:\windows\system32\kbd106n.dll
2010-06-26 03:05:16 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-06-26 03:05:16 43520 ----a-w- c:\windows\system32\msdxm.tlb
2010-06-26 03:05:16 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2010-06-26 03:05:16 18432 ----a-w- c:\windows\system32\amcompat.tlb
2010-06-26 03:05:15 7680 ----a-w- c:\windows\system32\spwmp.dll
2010-06-26 03:05:15 4096 ----a-w- c:\windows\system32\msdxm.ocx
2010-06-26 03:05:15 4096 ----a-w- c:\windows\system32\dxmasf.dll
2010-06-26 03:04:23 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2010-06-26 03:03:42 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-06-26 03:03:41 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-06-26 03:03:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-06-26 03:01:56 355328 ----a-w- c:\windows\system32\WSDApi.dll
2010-06-26 02:51:31 0 d-----w- c:\program files\VideoLAN
2010-06-26 02:50:08 0 d-----w- c:\users\dan\appdata\roaming\uTorrent
2010-06-26 02:47:10 0 d-----w- c:\programdata\Creative
2010-06-26 02:45:27 64756 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000004-00001102-00000005-10031102}.rfx
2010-06-26 02:45:27 54724 ----a-w- c:\windows\system32\BMXStateBkp-{00000004-00000000-00000004-00001102-00000005-10031102}.rfx
2010-06-26 02:45:27 54724 ----a-w- c:\windows\system32\BMXState-{00000004-00000000-00000004-00001102-00000005-10031102}.rfx
2010-06-26 02:45:27 1080 ----a-w- c:\windows\system32\settingsbkup.sfm
2010-06-26 02:45:27 1080 ----a-w- c:\windows\system32\settings.sfm
2010-06-26 02:45:00 9728 ----a-w- c:\windows\system32\lsass.exe
2010-06-26 02:45:00 72704 ----a-w- c:\windows\system32\secur32.dll
2010-06-26 02:45:00 439864 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2010-06-26 02:45:00 218624 ----a-w- c:\windows\system32\msv1_0.dll
2010-06-26 02:45:00 175104 ----a-w- c:\windows\system32\wdigest.dll
2010-06-26 02:45:00 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2010-06-26 02:44:59 13780 ----a-w- c:\windows\system32\wbem\lsasrv.mof
2010-06-26 02:44:42 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-06-26 02:44:42 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-06-26 02:44:42 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-06-26 02:44:12 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-06-26 02:43:56 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-06-26 02:43:56 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-06-26 02:43:35 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-06-26 02:43:35 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-06-26 02:43:35 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-06-26 02:43:35 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-06-26 02:43:34 814 ----a-w- c:\windows\system32\wbem\WFP.MOF
2010-06-26 02:43:34 15360 ----a-w- c:\windows\system32\drivers\TUNMP.SYS
2010-06-26 02:43:13 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-06-26 02:42:57 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-06-26 02:42:42 243712 ----a-w- c:\windows\system32\rastls.dll
2010-06-26 02:41:02 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-06-26 02:41:02 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-06-26 02:41:02 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-06-26 02:41:02 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-06-26 02:41:02 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-06-26 02:41:01 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-06-26 02:41:01 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-06-26 02:41:00 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-06-26 02:41:00 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-06-26 02:41:00 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-06-26 02:39:13 4174814 ------w- c:\windows\system32\CT4MGM.SF2
2010-06-26 02:38:15 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2010-06-26 02:38:15 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2010-06-26 02:38:15 0 d-----w- c:\program files\OpenAL
2010-06-26 02:20:09 61440 ----a-w- c:\windows\system32\winipsec.dll
2010-06-26 02:20:08 272896 ----a-w- c:\windows\system32\polstore.dll
2010-06-26 02:19:58 0 d-----w- c:\windows\Panther
2010-06-26 02:19:46 8192 --s-a-r- C:\BOOTSECT.BAK
2010-06-26 02:19:45 333257 --sha-r- C:\bootmgr
2010-06-26 02:19:45 0 d-sh--w- C:\Boot
2010-06-26 02:19:33 53248 ----a-w- c:\windows\system32\tsgqec.dll
2010-06-26 02:19:33 2066432 ----a-w- c:\windows\system32\mstscax.dll
2010-06-26 02:19:33 136192 ----a-w- c:\windows\system32\aaclient.dll
2010-06-26 02:16:11 37888 ----a-w- c:\windows\system32\printcom.dll
2010-06-26 02:04:00 14848 ----a-w- c:\windows\system32\wshrm.dll
2010-06-26 01:52:33 52501 ----a-w- c:\programdata\nvModes.dat
2010-06-26 01:52:20 0 d-----w- c:\programdata\NVIDIA
2010-06-26 01:49:33 0 d-----w- c:\program files\NVIDIA Corporation
2010-06-26 01:28:37 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-06-26 01:28:37 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-26 01:18:32 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-26 00:49:57 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-06-26 00:49:55 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-26 00:49:51 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-26 00:49:49 0 d-----w- c:\windows\system32\drivers\Avg
2010-06-26 00:49:47 0 d-----w- c:\programdata\AVG Security Toolbar
2010-06-26 00:48:51 25168 ----a-w- c:\windows\system32\drivers\AVGIDSvx.sys
2010-06-26 00:48:24 24856 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2010-06-26 00:47:32 0 d-----w- c:\program files\AVG
2010-06-26 00:47:14 0 d-----w- c:\programdata\avg9
2010-06-25 23:41:29 0 d-sh--w- c:\windows\Installer
2010-06-25 23:40:34 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-06-25 23:40:16 98304 ----a-w- c:\windows\system32\cabview.dll
2010-06-25 23:35:42 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-06-25 23:34:42 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-06-25 23:34:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-06-25 23:34:12 171608 ----a-w- c:\windows\system32\wuwebv.dll
==================== Find3M ====================
2010-07-01 14:09:14 86016 ----a-w- c:\windows\inf\infstor.dat
2010-07-01 14:09:14 51200 ----a-w- c:\windows\inf\infpub.dat
2010-07-01 14:09:14 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-06-27 04:17:50 129784 ------w- c:\windows\system32\pxafs.dll
2010-06-27 04:17:49 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2010-06-27 04:17:49 118520 ------w- c:\windows\system32\pxinsi64.exe
2010-06-27 04:17:49 116472 ------w- c:\windows\system32\pxcpyi64.exe
2010-06-26 15:36:30 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-06-26 15:33:34 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-06-26 14:59:00 174 --sha-w- c:\program files\desktop.ini
2010-06-26 14:43:36 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-06-26 14:43:29 82432 ----a-w- c:\windows\system32\axaltocm.dll
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2007-01-05 20:20:59 8192 --sha-w- c:\windows\users\default\NTUSER.DAT
============= FINISH: 20:32:53.77 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 6/25/2010 6:28:26 PM
System Uptime: 7/9/2010 11:42:18 AM (9 hours ago)
Motherboard: Dell Inc. | | 0UY253
Processor: Intel(R) Core(TM)2 CPU 6700 @ 2.66GHz | Microprocessor | 2660/1066mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 98 GiB total, 48.293 GiB free.
D: is CDROM ()
E: is CDROM (CDFS)
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
K: is FIXED (NTFS) - 368 GiB total, 243.893 GiB free.
R: is FIXED (NTFS) - 932 GiB total, 122.906 GiB free.
S: is FIXED (NTFS) - 932 GiB total, 148.42 GiB free.
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP69: 7/4/2010 10:05:52 AM - Scheduled Checkpoint
RP70: 7/5/2010 7:26:31 AM - Scheduled Checkpoint
RP71: 7/7/2010 4:45:50 PM - Windows Update
RP72: 7/7/2010 7:24:31 PM - Windows Update
RP73: 7/8/2010 8:54:49 AM - Scheduled Checkpoint
RP74: 7/9/2010 8:12:02 AM - Scheduled Checkpoint
==== Installed Programs ======================
2007 Microsoft Office system
3100_3200_3300_Help
3100_3200_3300trb
32 Bit HP CIO Components Installer
3200
Adobe Flash Player 10 Plugin
Adobe Photoshop Elements 6.0
Adobe Reader 9.3.3
AIO_CDB_ProductContext
AIO_CDB_Software
AIO_Scan
AnswerWorks 5.0 English Runtime
AVG 9.0
Beyond Compare Version 3.1.11
BufferChm
CDDRV_Installer
CDisplay 1.8
Copy
Dell Driver Download Manager
Destinations
DeviceManagementQFolder
DocProc
DocProcQFolder
eSupportQFolder
Fax
Google Chrome
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Imaging Device Functions 8.0
HP OCR Software 8.0
HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B
HP Solution Center 8.0
HPProductAssistant
KhalSetup
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.6.6)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 8
neroxml
NVIDIA Display Control Panel
NVIDIA Drivers
OpenAL
PrimoPDF -- by Nitro PDF Software
PVSonyDll
Quicken 2010
Scan
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB982135)
SetPoint
SolutionCenter
Status
Toolbox
TrayApp
UnloadSupport
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb983486)
VLC media player 1.1.0
WebReg
WinRAR archiver
==== Event Viewer Messages From Past Week ========
7/9/2010 12:50:55 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
7/8/2010 11:02:31 AM, Error: EventLog [6008] - The previous system shutdown at 10:14:57 AM on 7/8/2010 was unexpected.
7/7/2010 7:25:05 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x8024200d: Security Update for Windows Vista (KB979683).
7/7/2010 7:24:41 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package KB979683 (Security Update) into Staging(Staging) state
7/7/2010 7:24:41 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package KB979683 (Security Update) into Resolved(Resolved) state
7/7/2010 7:24:41 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package KB979683 (Security Update) into Installed(Installed) state
7/7/2010 7:24:38 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 979683-23_neutral_GDR from package KB979683(Security Update) into Staging(Staging) state
7/7/2010 7:24:38 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 979683-22_neutral_LDR from package KB979683(Security Update) into Staging(Staging) state
7/7/2010 7:24:38 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 979683-14_neutral_GDR from package KB979683(Security Update) into Staging(Staging) state
7/7/2010 7:24:38 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 979683-13_neutral_LDR from package KB979683(Security Update) into Staging(Staging) state
7/7/2010 4:00:55 PM, Error: BTHUSB [19] - Windows detected an error while storing the Bluetooth link key for adapter address (00:07:61:63:df:eb) on the local adapter. The event contains the vendor-specific error code.
7/4/2010 1:48:43 PM, Error: disk [15] - The device, \Device\Harddisk9\DR9, is not ready for access yet.
7/4/2010 1:48:43 PM, Error: disk [15] - The device, \Device\Harddisk8\DR8, is not ready for access yet.
7/4/2010 1:48:43 PM, Error: disk [15] - The device, \Device\Harddisk11\DR11, is not ready for access yet.
7/4/2010 1:48:43 PM, Error: disk [15] - The device, \Device\Harddisk10\DR10, is not ready for access yet.
7/2/2010 11:13:43 PM, Error: PlugPlayManager [12] - The device 'ST350063 0AS SCSI Disk Device' (SCSI\Disk&Ven_ST350063&Prod_0AS&Rev_3.AA\5&392c0851&0&010000) disappeared from the system without first being prepared for removal.
==== End Of File ===========================
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-09 20:47:12
Windows 6.0.6002 Service Pack 2
Running: oq1t160g.exe; Driver: C:\Users\Dan\AppData\Local\Temp\pxldipod.sys
---- System - GMER 1.0.15 ----
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista\AVGIDSShim.sys ZwOpenProcess [0x94592730]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista\AVGIDSShim.sys ZwTerminateProcess [0x945927E0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista\AVGIDSShim.sys ZwTerminateThread [0x94592880]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista\AVGIDSShim.sys ZwWriteVirtualMemory [0x94592920]
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetEvent + 3F1 81EE1B34 4 Bytes [30, 27, 59, 94] {XOR [EDI], AH; POP ECX; XCHG ESP, EAX}
.text ntkrnlpa.exe!KeSetEvent + 621 81EE1D64 8 Bytes [E0, 27, 59, 94, 80, 28, 59, ...] {LOOPNZ 0x29; POP ECX; XCHG ESP, EAX; SUB BYTE [EAX], 0x59; XCHG ESP, EAX}
.text ntkrnlpa.exe!KeSetEvent + 681 81EE1DC4 4 Bytes [20, 29, 59, 94] {AND [ECX], CH; POP ECX; XCHG ESP, EAX}
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Windows\Explorer.EXE[2908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74487817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [744DA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7448BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7447F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [744875E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7447E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [744B8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7448DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7447FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7447FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [744771CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7450CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [744AC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7447D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74476853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7447687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2908] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74482AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\BTHUSB \Device\0000007b bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\0000007d bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00076153a8ff
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00076153a8ff@00076163dfeb 0x05 0xFC 0x9C 0xA4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00076153a8ff (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00076153a8ff@00076163dfeb 0x05 0xFC 0x9C 0xA4 ...
---- EOF - GMER 1.0.15 ----
kevin27_b3d29f (2 Intern, 1.5K Posts), July 10th, 2010 14:00
Hi djwalk,
Please tell me, have you been having any trouble with this system, like Blue Screen Errors or anything else? I only ask as there are a lot of errors regarding updates and a memory.dmp file, which normally indicates a recent BSOD.
Apart from that, the logs look in pretty good shape, but I would like to double check due to the nature of the recent infection.
I'd like us to scan your machine with ESET OnlineScan.
Then please Download CKScanner from here
Important: Save it to your desktop.
Please post back the ESET report and the CKScanner Report.
Thanks,
K27.