Full Version: [Resolved] Multiple Trojan Infection
Suggest A Fix PC Support Forums > Security > Malicious Code: Viruses, Trojans, Spyware and Browser HiJacking
olavatar
Yesterday, when attempting to install software, my resident AVG Free edition immediately gave three Trojan warnings and, although it then said it was unable to quarantine or delete them, optimistically reported that "your PC is safe". On checking Task Manager, I found two processes that I did not recognise, viz a.exe and msa.exe. After Googling these, I terminated them.

I then ran A-Squared which found only tracking cookies.

Next, I did an online scan with Windows Live OneCare Safety Scanner. This reported "5 issues not able to be cleaned", then listed them and invited me to "Delete detected resources". The issues detected were: Trojan: JS/Agent.FA, Trojan: WIN32/Porlis, Trojan Downloader: WIN32/Renos.JM, Trojan Downloader: WIN32/Renos.JR, and Software Bundler: WIN32/MessengerPlus.B. I left all of these ticked for deletion, clicked Next and received the report: "The Safety Scanner has helped fix your computer today. 6 Issues found, 10 items detected. 5 issues and 7 items already cleaned". However, as it does not report which issues/items were successfully resolved, I am left in the dark as to which remain unresolved.

I then ran a full scan with my "usual" antivirus, AVG Free edition. This reported only three Tracking cookies (Komtrak) which it quarantined/deleted.

Other than the warnings from my antivirus, the only symptoms I have observed were the original ill-advised install failing and the downloaded file from which it ran disappearing and then the two unrecognised processes appearing in Task Manager. What I would really appreciate is an expert eye to look at my current status and determine whether any potential nasties are still lurking.

Before posting this, I have stepped through the procedures detailed in Ironbender's "Before Asking For Help, Please read Carefully". Here is the MBAM Report:-

Malwarebytes' Anti-Malware 1.41
Database version: 2795
Windows 5.1.2600 Service Pack 3

14/09/2009 18:07:13
mbam-log-2009-09-14 (18-07-13).txt

Scan type: Full Scan (C:\|Z:\|)
Objects scanned: 380941
Time elapsed: 1 hour(s), 53 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 200
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{a81a7a14-1ffb-11d1-94c5-00609778ea69} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0dec0e40-eea6-11d1-8989-00a0c9b644e1} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3111bcc0-eac5-11d1-8989-00a0c9b644e1} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{46f56d92-af23-11d1-8010-00600896c25c} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{55d922a1-6a97-11d1-9dd9-006097d2df69} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{612bff71-e37e-11d1-9dec-006097d2df69} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7b712335-509f-11d1-b308-006097c9b3e0} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8cec14d0-a7c3-11d1-b31c-006097c9b3e0} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a81a7a13-1ffb-11d1-94c5-00609778ea69} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a81a7a15-1ffb-11d1-94c5-00609778ea69} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ca12a562-9be7-11d1-9de1-006097d2df69} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ca12a564-9be7-11d1-9de1-006097d2df69} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ca12a565-9be7-11d1-9de1-006097d2df69} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ca12a566-9be7-11d1-9de1-006097d2df69} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d607e200-efaf-11d1-898a-00a0c9b644e1} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{dc91fc21-debe-11d1-88fb-006097d2df52} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e0c765b0-b858-11d1-b31f-006097c9b3e0} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0665311-dbc7-11d1-9dea-006097d2df69} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0665314-dbc7-11d1-9dea-006097d2df69} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0665315-dbc7-11d1-9dea-006097d2df69} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0665316-dbc7-11d1-9dea-006097d2df69} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0665317-dbc7-11d1-9dea-006097d2df69} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0665318-dbc7-11d1-9dea-006097d2df69} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0665319-dbc7-11d1-9dea-006097d2df69} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f066531c-dbc7-11d1-9dea-006097d2df69} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{01c3d4a0-a701-11d1-8324-00a024caa292} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{01c3d4a1-a701-11d1-8324-00a024caa292} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{01c3d4a2-a701-11d1-8324-00a024caa292} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{01c3d4a3-a701-11d1-8324-00a024caa292} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{01c3d4a4-a701-11d1-8324-00a024caa292} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{01c3d4a5-a701-11d1-8324-00a024caa292} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{01c3d4a6-a701-11d1-8324-00a024caa292} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{01c3d4a7-a701-11d1-8324-00a024caa292} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{01c3d4a8-a701-11d1-8324-00a024caa292} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{06e60c54-07cd-11d2-8732-00aa00a42c71} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1ecc7a02-1b96-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1ecc7a03-1b96-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1ecc7a04-1b96-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1ecc7a05-1b96-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1ecc7a06-1b96-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1ecc7a07-1b96-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1ecc7a08-1b96-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1ecc7a09-1b96-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1ecc7a0b-1b96-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1ecc7a0c-1b96-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1ecc7a0d-1b96-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1ecc7a0e-1b96-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a606986-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a606987-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a60698a-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a60698b-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a60698c-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a606990-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a606991-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a606993-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a606994-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a606995-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a606996-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a606997-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a606998-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a606999-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a60699a-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a60699b-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a60699c-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a60699d-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a60699e-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a60699f-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069a1-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069a2-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069a3-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069a4-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069a6-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069a7-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069a8-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069a9-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069aa-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069ab-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069ac-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069ad-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069ae-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069af-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069b0-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069b1-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069b2-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069b3-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069b4-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069b5-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069b6-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069b7-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069b8-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069b9-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069ba-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069bb-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069be-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069bf-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069c1-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a6069c2-1b69-11d2-a099-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3c1a0d02-360a-11d2-89a8-00a0c9b644e1} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3c1a0d03-360a-11d2-89a8-00a0c9b644e1} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{486340f0-eebb-11d1-8989-00a0c9b644e1} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5a5a8281-3e96-11d2-89a9-00a0c9b63d10} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{696c6156-a3ff-11d1-9782-00a0c913820b} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{696c6156-a402-11d1-9782-00a0c913820b} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{696c6156-a412-11d1-9782-00a0c913820b} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{696c6156-a422-11d1-9782-00a0c913820b} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{743d9c91-b465-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{743d9c92-b465-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{743d9c93-b465-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{743d9c94-b465-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{743d9c95-b465-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{743d9c96-b465-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{743d9c97-b465-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{743d9c98-b465-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{743d9c99-b465-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d04-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d05-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d06-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d07-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d08-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d13-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d14-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d15-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d16-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d17-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d18-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d19-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d1a-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d1b-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d1c-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d1d-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d1e-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d1f-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d20-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d22-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d23-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d24-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d25-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d26-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d27-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d28-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d29-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d2a-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d2b-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85980d2c-9851-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8931fac9-a4c7-11d1-a0fd-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8931facb-a4c7-11d1-a0fd-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a04fabd8-98f7-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a04fabd9-98f7-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a04fabda-98f7-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a04fabdb-98f7-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a04fabdc-98f7-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a04fabdd-98f7-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a04fabde-98f7-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a04fabdf-98f7-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a04fabe1-98f7-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a04fabe2-98f7-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a04fabe3-98f7-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a04fabe4-98f7-11d1-a0f4-00c04fb67cf6} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bd8cd1e2-3215-11d2-89a6-00a0c9b63d10} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bd8cd1e3-3215-11d2-89a6-00a0c9b63d10} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3046551-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3046552-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3046553-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3046554-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3046555-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3046556-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3046557-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3046558-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3046559-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f304655a-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f304655b-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f304655c-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f304655d-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f304655e-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f304655f-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3046560-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3046561-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3046562-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3046563-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3046564-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3046565-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3046566-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3046567-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3046568-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3046569-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f304656a-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f304656b-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f304656c-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f304656f-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3046570-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3046571-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3046572-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3046573-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3046574-b3cd-11d1-b59e-00a0c90540d9} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fbbb8184-0bb8-11d2-a095-00a0c9b6359a} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fc8d424f-0246-11d2-8904-006097d2df52} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Microsoft Picture It! 9\piedit.dll (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Microsoft Picture It! 9\piservr5.dll (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Microsoft Picture It! 9\pitask.dll (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Microsoft Picture It! 9\1033\pitres.dll (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Microsoft Shared\Grphflt\fpx32.flt (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Microsoft Shared\Picture It!\pibase.dll (Rogue.Installer) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\bundle\PictureIt\SETUP.EXE (Rogue.Installer) -> Quarantined and deleted successfully.
C:\bundle\PictureIt\PIP\PISETUP.EXE (Rogue.Installer) -> Quarantined and deleted successfully.
C:\bundle\PictureIt\PIP\COMMON\MSSHARED\PI\PIBASE.DLL (Rogue.Installer) -> Quarantined and deleted successfully.
C:\bundle\PictureIt\PIP\PI9\CUTOUT.DLL (Rogue.Installer) -> Quarantined and deleted successfully.
C:\bundle\PictureIt\PIP\PI9\PIBASE.DLL (Rogue.Installer) -> Quarantined and deleted successfully.
C:\bundle\PictureIt\PIP\PI9\PIEDIT.DLL (Rogue.Installer) -> Quarantined and deleted successfully.
C:\bundle\PictureIt\PIP\PI9\PISERVR5.DLL (Rogue.Installer) -> Quarantined and deleted successfully.
C:\bundle\PictureIt\PIP\PI9\PITASK.DLL (Rogue.Installer) -> Quarantined and deleted successfully.
C:\bundle\PictureIt\PIP\PI9\1033\PITRES.DLL (Rogue.Installer) -> Quarantined and deleted successfully.
C:\bundle\Works\COMMON\MSSHARED\GRPHFLT\FPX32.FLT (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chloe\Desktop\WebfettiSetup2.3.50.26.ZKfox000.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Picture It! 9\cutout.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Picture It! 9\pibase.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Picture It! 9\piedit.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Picture It! 9\piservr5.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Picture It! 9\pitask.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Picture It! 9\1033\pitres.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Yahoo!\Yahoo! Desktop Search\textExtractor.exe (Spyware.Banker) -> Delete on reboot.
C:\Program Files\Common Files\Microsoft Shared\Grphflt\fpx32.flt (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Microsoft Shared\Picture It!\pibase.dll (Rogue.Installer) -> Quarantined and deleted successfully.

And here is the HijackThis report:-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:48:04, on 14/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozy\mozybackup.exe
C:\Program Files\Common Files\NMSAccessU.exe
C:\Program Files\Exalead\Exalead Desktop\ExaleadRedirector.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Exalead\Exalead Desktop\ExaleadDesktop.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files\VirginMedia\V Stuff Backup\v_stuff_backup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozy\mozystat.exe
C:\Program Files\KeirNet\K9\K9.exe
C:\Program Files\Yahoo!\Yahoo! Desktop Search\YDSsystray.exe
C:\Program Files\Yahoo!\Yahoo! Desktop Search\YahooDesktopSearch.exe
C:\Program Files\Exalead\Exalead Desktop\ExaleadDesktop.exe
C:\Program Files\Exalead\Exalead Desktop\ExaleadDesktop.exe
C:\Program Files\VirginMedia\V Stuff Backup\AGMailAgent.exe
C:\Program Files\Exalead\Exalead Desktop\ExaleadDesktop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\freeCommander2006\FreeCommander.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\lotus\wordpro\wordpro.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\WINDOWS\system32\javaw.exe
C:\Program Files\Trend Micro\HijackThis\Hcheck.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30f8d2d0-cbea-11da-a94d-0800200c9a66} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MXC Software ProBHO - {9E3FB5AA-F0A3-497A-8FFF-476A1A315A29} - C:\Program Files\MXC Software\iSafeguard Freeware\ProBHO.dll
O2 - BHO: Schmap Local - {AC89BF9C-4296-476C-86BC-6CAA3B398AB5} - C:\Program Files\Schmap\SchmapLocal\SchmapLocalIE.dll
O2 - BHO: (no name) - {CCB3638E-35AB-45B3-A96F-8D45295CA9E2} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ExaleadDesktop] "C:\Program Files\Exalead\Exalead Desktop\ExaleadDesktop.exe" /startup
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences /a favorites
O4 - HKCU\..\Run: [V Stuff Backup] "C:\Program Files\VirginMedia\V Stuff Backup\v_stuff_backup.exe" /delayed
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Launch K9.lnk = C:\Program Files\KeirNet\K9\K9.exe
O4 - Startup: Yahoo! Desktop Search System Tray.lnk = C:\Program Files\Yahoo!\Yahoo! Desktop Search\YDSsystray.exe
O4 - Startup: Yahoo! Desktop Search.lnk = C:\Program Files\Yahoo!\Yahoo! Desktop Search\YahooDesktopSearch.exe
O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\Mozy\mozystat.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: MP: Save and Describe Image - C:\Program Files\MediaPurveyor\ImageDownloadDescribeScript.js
O8 - Extra context menu item: MP: Save and Describe Target - C:\Program Files\MediaPurveyor\LinkDownloadDescribeScript.js
O8 - Extra context menu item: MP: Save Image - C:\Program Files\MediaPurveyor\ImageDownloadScript.js
O8 - Extra context menu item: MP: Save Target - C:\Program Files\MediaPurveyor\LinkDownloadScript.js
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Schmap Local - {f53a1294-34c5-4e48-afbd-5f5d5f081d2a} - C:\Program Files\Schmap\SchmapLocal\SchmapLocalIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6796.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1138356300984
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://esupport.epson-europe.com/selftest/...rg/ESTPTest.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: exalead - {39076C07-7014-41FF-A3CD-841360B1C2EC} - C:\Program Files\Exalead\Exalead Desktop\ExaScheme.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: schmap-help - {2CF664A0-5EA6-47B5-884C-433A60145F78} - C:\Program Files\Schmap\Schmap Player\SchmapDocLib.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: AVGRSSTX.DLL C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MozyHome Backup Service (MozyBackup) - Mozy, Inc. - C:\Program Files\Mozy\mozybackup.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\Common Files\NMSAccessU.exe
O23 - Service: ExaleadDesktop Redirector (Redirector) - Exalead - C:\Program Files\Exalead\Exalead Desktop\ExaleadRedirector.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 13328 bytes

Thanks in advance for any assistance you can offer.
Regards,
Olavatar
Ironbender
Hi olavatar

Fix this one using HJT:

O2 - BHO: (no name) - {CCB3638E-35AB-45B3-A96F-8D45295CA9E2} - (no file)

Click on Fix Checked when finished and exit HijackThis.

Download Combofix to your desktop by clicking here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double click combofix.exe and follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply.
Note:
Disconnect from the internet (unplug the cable), close all windows and any program on your system tray, including your antivirus. Do not mouse-click or type anything while ComboFix is running. That may cause it to stall.

You can safely ignore warnings about not having the Recovery Console installed. Run it only once!

Post the ComboFix report along with a fresh HJT log,

Chris
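A small triage script, added here as an example and not part of the thread, of HijackThis or of any tool mentioned above: it reads HijackThis-format lines and flags the entry classes a helper checks first. Those are O2/O3/O9 registrations whose target is "(no file)" or "(file missing)" (the kind of dangling entry Chris asks to have fixed above), O4 Run values that name a bare filename instead of a full path (like the ShowWnd entry in the log), O20 AppInit_DLLs, and O23 services reported with "Unknown owner". The sample lines are constructed for the example from entries of the same form as the log above; the function and field names are the example's own.

```python
"""Triage a HijackThis 2.x log: flag the entry types a removal helper checks first.

Added example for this thread (not code from HijackThis, the forum or the
poster). SAMPLE_LOG is constructed for the example in HijackThis format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30f8d2d0-cbea-11da-a94d-0800200c9a66} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O20 - AppInit_DLLs: AVGRSSTX.DLL C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\Common Files\NMSAccessU.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""


@dataclass(frozen=True)
class Finding:
    kind: str   # orphan | unqualified_run | appinit_dll | unknown_owner
    line: str
    note: str


# O2 (BHO), O3 (toolbar), O9 (extra button/menu item): "<desc> - {CLSID} - <target>"
COM_ENTRY = re.compile(r"^(O2|O3|O9) - .*? - \{([0-9A-Fa-f-]+)\} - (.*)$")
# O4 Run values: "O4 - HKLM\..\Run: [name] command"
RUN_ENTRY = re.compile(r"^O4 - (HK\S+): \[(.+?)\] (.*)$")
APPINIT = re.compile(r"^O20 - AppInit_DLLs: (.*)$")
UNKNOWN_SVC = re.compile(r"^O23 - Service: (.*?) - Unknown owner - (.*)$")
DRIVE_ROOTED = re.compile(r"^[A-Za-z]:\\")


def is_qualified(cmd: str) -> bool:
    """True when a Run value names an explicit location (quoted, drive-rooted or env-rooted)."""
    return cmd.startswith('"') or cmd.startswith("%") or bool(DRIVE_ROOTED.match(cmd))


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per entry that needs a human look; clean lines produce nothing."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COM_ENTRY.match(line)
        if m:
            target = m.group(3).strip()
            if target == "(no file)" or target.endswith("(file missing)"):
                findings.append(Finding("orphan", line,
                    f"{m.group(1)} entry {{{m.group(2)}}} points at a file that is not on disk; "
                    "a dangling registration, usually a leftover, safe to Fix Checked"))
            continue
        m = RUN_ENTRY.match(line)
        if m:
            cmd = m.group(3).strip()
            if not is_qualified(cmd):
                findings.append(Finding("unqualified_run", line,
                    f"[{m.group(2)}] runs bare '{cmd}', resolved through the search path; "
                    "locate the file actually executed and check its publisher"))
            continue
        m = APPINIT.match(line)
        if m:
            # AppInit_DLLs is space- or comma-separated; each DLL loads into every
            # process that loads user32.dll, so each one is worth a separate check.
            for dll in re.split(r"[ ,]+", m.group(1).strip()):
                if dll:
                    findings.append(Finding("appinit_dll", line,
                        f"{dll} is injected into every user32-linked process; verify it"))
            continue
        m = UNKNOWN_SVC.match(line)
        if m:
            findings.append(Finding("unknown_owner", line,
                f"service '{m.group(1)}' carries no publisher information; "
                f"verify {m.group(2).strip()}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, for a quick first glance at a long log."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.line}\n    -> {f.note}")
    print(summarize(triage(SAMPLE_LOG)))
```

A flag from this script is a prompt to verify, not a verdict: dangling "(no file)" entries are most often uninstall leftovers, a bare filename in a Run value may simply be an old installer's habit, and a service with no vendor string can be legitimate, so each hit still needs the file on disk looked up before anything is fixed.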
olavatar
QUOTE(Ironbender @ Sep 14 2009, 06:57 PM)

Hi olavatar

Fix this one using HJT:

O2 - BHO: (no name) - {CCB3638E-35AB-45B3-A96F-8D45295CA9E2} - (no file)

Click on Fix Checked when finished and exit HijackThis.

Download Combofix to your desktop by clicking here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double click combofix.exe and follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply.
Note:
Disconnect from the internet (unplug the cable), close all windows and any program on your system tray, including your antivirus. Do not mouse-click or type anything while ComboFix is running. That may cause it to stall.

You can safely ignore warnings about not having the Recovery Console installed. Run it only once!

Post the ComboFix report along with a fresh HJT log,

Chris

Hi Chris -

Thanks for the prompt response.

I carried out the first part of this successfully, downloaded ComboFix, quit all running programs and exited those in the System Tray, incl. AVG Free. However, when I attempted to run ComboFix, it warned that AVG was still running and that this could affect results or cause damage. When I examined Task Manager, I found no current Applications but five Processes starting with the letters AVG, shown as owner "System". Attempting to terminate these did not work, as they appeared to be immediately relaunched.
I then used Start/Run/msconfig/Startup to try to prevent automatic launch of AVG by unticking the only AVG component shown under the Startup tab, viz. AVG.tray, which I doubt would stop the actual application launching. I then stopped ComboFix by clicking the X on the warning message box and again on the next blue window as soon as it appeared. I restarted the computer and, while AVG no longer appeared in the System Tray, ComboFix again warned that AVG was running; the same five processes appeared in Task Manager and again they could not be terminated. At this point, given the dire warnings from ComboFix about continuing, I again terminated ComboFix in the same way as above and am now seeking further advice.

Regards,
Olavatar
Ironbender
Ignore the ComboFix warning about AVG. It may be the internet protection toolbar.

Run it and post both logs.

Chris
olavatar
ComboFix Log:-
ComboFix 09-09-14.02 - Main User 15/09/2009 21:34.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1535.999 [GMT 1:00]
Running from: c:\documents and settings\Main User\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-151410248-527893949-2894407518-1003
c:\recycler\S-1-5-21-1982119604-2169939202-907907668-1003
c:\recycler\S-1-5-21-2593487118-3338580547-3721235257-1003
c:\recycler\S-1-5-21-2769272960-1222442457-172917305-1003
c:\recycler\S-1-5-21-3517405786-1589643353-556683598-1003
c:\recycler\S-1-5-21-3730212439-2308373432-2410770087-1003
c:\recycler\S-1-5-21-4252247103-2332851692-2144515827-1003
c:\recycler\S-1-5-21-67331621-58016854-3798957841-1003
c:\windows\Downloaded Program Files\bdcore.dll
c:\windows\Downloaded Program Files\libfn.dll
c:\windows\Installer\34a7600d.msi
c:\windows\Installer\b973f.msi
c:\windows\system32\drivers\npf.sys
c:\windows\system32\FTPx.dll
c:\windows\system32\Packet.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\winhelp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))
.

2009-09-15 16:53 . 2009-09-15 16:53 -------- d-----w- c:\documents and settings\Amy\Local Settings\Application Data\Exalead
2009-09-15 16:53 . 2009-09-15 16:53 -------- d-----w- c:\documents and settings\Amy\Application Data\Malwarebytes
2009-09-15 16:52 . 2009-09-15 16:52 -------- d-sh--w- c:\documents and settings\Amy\IETldCache
2009-09-15 15:36 . 2009-09-15 15:36 -------- d-----w- C:\zee_store
2009-09-15 15:03 . 2009-09-15 15:03 -------- d-----w- c:\documents and settings\Sam\Application Data\Malwarebytes
2009-09-15 14:17 . 2009-09-15 14:17 -------- d-----w- c:\documents and settings\Chloe\Local Settings\Application Data\Exalead
2009-09-15 14:16 . 2009-09-15 14:16 -------- d-----w- c:\documents and settings\Chloe\Application Data\Malwarebytes
2009-09-14 10:58 . 2009-09-14 14:27 -------- d-----w- c:\windows\BDOSCAN8
2009-09-13 23:32 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 23:32 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-13 22:23 . 2009-09-13 22:23 -------- d-----w- c:\program files\Alwil Software
2009-09-13 21:37 . 2009-09-13 21:40 -------- d-----w- c:\program files\Windows Live Safety Center
2009-09-13 10:57 . 2009-09-13 10:57 -------- d-----w- c:\documents and settings\Sam\Local Settings\Application Data\Exalead
2009-09-11 18:43 . 2009-09-11 18:43 -------- d-----w- c:\documents and settings\Main User\Local Settings\Application Data\Exalead
2009-09-11 18:42 . 2009-09-11 18:42 -------- d-----w- c:\program files\Exalead
2009-09-11 18:40 . 2009-09-11 18:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-09 23:36 . 2009-09-09 23:46 -------- d-----w- c:\program files\ABC Amber Lotus 1-2-3 Converter
2009-09-09 09:01 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 11:27 . 2009-09-08 11:27 -------- d-----w- c:\documents and settings\Main User\Application Data\OpenOffice.org
2009-09-08 11:11 . 2009-09-08 11:11 -------- d-----w- c:\program files\JRE
2009-09-08 11:11 . 2009-09-08 11:11 -------- d-----w- c:\program files\OpenOffice.org 3
2009-09-08 11:09 . 2009-09-08 11:09 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-08 09:14 . 2009-09-08 09:14 -------- d-----w- c:\documents and settings\Main User\IBM
2009-09-08 09:14 . 2009-09-08 09:14 -------- d-----w- c:\program files\IBM
2009-08-31 19:04 . 2009-08-31 19:04 287256 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-31 00:55 . 2009-09-13 21:22 -------- d-----w- c:\documents and settings\Main User\Local Settings\Application Data\CutePDF Writer
2009-08-31 00:52 . 2009-08-31 00:52 -------- d-----w- c:\program files\GPLGS
2009-08-31 00:47 . 2007-07-12 21:33 87552 ----a-w- c:\windows\system32\cpwmon2k.dll
2009-08-31 00:47 . 2009-08-31 00:47 -------- d-----w- c:\program files\Acro Software
2009-08-25 16:57 . 2009-08-25 16:57 -------- d-----w- c:\documents and settings\Sam\.jagex_cache_32
2009-08-18 14:18 . 2009-08-18 14:18 -------- d-sh--w- c:\documents and settings\Chloe\PrivacIE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-15 19:44 . 2008-01-31 17:35 -------- d-----w- c:\documents and settings\Main User\Application Data\HPAppData
2009-09-15 19:25 . 2008-05-12 10:23 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-15 16:59 . 2008-06-10 16:57 -------- d-----w- c:\documents and settings\Amy\Application Data\HPAppData
2009-09-15 15:20 . 2008-02-05 15:47 -------- d-----w- c:\documents and settings\Sam\Application Data\HPAppData
2009-09-14 17:07 . 2002-01-01 05:54 -------- d-----w- c:\program files\Microsoft Picture It! 9
2009-09-14 14:52 . 2006-01-27 09:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-14 14:34 . 2006-01-27 09:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-14 14:34 . 2008-04-30 18:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 21:56 . 2006-01-23 00:25 115168 ----a-w- c:\documents and settings\Main User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-13 11:32 . 2006-10-22 23:21 -------- d-----w- c:\program files\a-squared Free
2009-09-13 08:47 . 2008-04-26 08:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-10 10:51 . 2008-09-16 01:54 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-08 14:50 . 2006-10-01 12:50 115168 ----a-w- c:\documents and settings\Sam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-08 11:09 . 2006-02-09 01:29 -------- d-----w- c:\program files\Java
2009-09-04 18:07 . 2006-06-17 19:23 -------- d-----w- c:\program files\ChrisTV Lite
2009-08-31 18:47 . 2006-03-16 00:39 -------- d-----w- c:\documents and settings\Main User\Application Data\Skype
2009-08-25 00:09 . 2006-04-29 11:06 371349 ----a-w- c:\windows\system32\drivers\BT848.sys
2009-08-23 23:37 . 2006-10-28 19:28 -------- d-----w- c:\documents and settings\Main User\Application Data\TrueCrypt
2009-08-23 08:18 . 2008-12-08 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-08-20 08:04 . 2008-05-12 10:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-20 08:04 . 2008-05-12 10:23 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-20 08:04 . 2008-05-12 10:23 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-16 08:31 . 2009-08-16 08:31 -------- d-----w- c:\program files\MSBuild
2009-08-16 08:31 . 2009-08-16 08:31 -------- d-----w- c:\program files\Reference Assemblies
2009-08-15 15:02 . 2007-04-08 13:20 -------- d-----w- c:\program files\Mozy
2009-08-13 15:05 . 2006-01-27 09:20 -------- d-----w- c:\program files\SpywareBlaster
2009-08-11 14:20 . 2009-08-11 14:20 -------- d-----w- c:\program files\Near Reality
2009-08-05 09:01 . 2006-02-20 15:34 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 14:52 . 2006-11-01 22:36 -------- d-----w- c:\program files\freeCommander2006
2009-08-02 00:36 . 2007-02-09 15:46 -------- d-----w- c:\program files\Dan Elwell's Broadband Speed Test
2009-07-24 10:22 . 2009-07-24 10:22 -------- d-----w- c:\program files\WinDjView
2009-07-23 12:29 . 2008-12-09 16:24 -------- d-----w- c:\documents and settings\Daniel.WJHNEWPC\Application Data\HPAppData
2009-07-22 15:47 . 2008-05-12 10:23 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-22 15:42 . 2009-07-22 15:42 -------- d-----w- c:\documents and settings\Main User\Application Data\AVG8
2009-07-17 19:01 . 2004-07-16 21:42 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2004-09-22 18:46 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 10:58 . 2006-11-13 16:37 110992 ----a-w- c:\documents and settings\Chloe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-03 17:09 . 2005-10-21 12:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-01 19:28 . 2009-07-01 19:28 0 ----a-w- c:\windows\ativpsrm.bin
2009-06-25 08:25 . 2005-06-15 17:50 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-07-16 21:42 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-07-16 21:42 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-07-16 21:42 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-07-16 21:42 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-07-16 21:42 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-24 14:03 . 2007-04-08 13:20 54776 ----a-w- c:\windows\system32\drivers\mozy.sys
2009-06-24 11:18 . 2004-07-16 21:42 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2007-01-25 02:52 . 2007-01-25 02:52 65536 ----a-w- c:\program files\Common Files\NMSAccessU.exe
2006-02-28 20:30 . 2006-01-29 19:43 1733 ----a-w- c:\program files\AutoSave.brd
2006-02-27 22:27 . 2006-01-29 19:58 19033 ---ha-w- c:\program files\EasyBridge.GID
2006-01-29 19:39 . 2006-01-29 19:39 3707 ----a-w- c:\program files\DeIsL1.isu
2001-03-21 21:52 . 2006-01-29 19:39 14886 ----a-w- c:\program files\Readme.doc
2001-03-21 21:51 . 2006-01-29 19:39 44702 ----a-w- c:\program files\History.doc
2001-03-21 21:50 . 2006-01-29 19:39 2375680 ----a-w- c:\program files\EasyBridge.exe
2001-03-11 22:07 . 2006-01-29 19:39 811977 ----a-w- c:\program files\EasyBridge.hlp
2001-03-11 21:59 . 2006-01-29 19:39 819200 ----a-w- c:\program files\EasyBWizards.dll
2001-03-11 21:59 . 2006-01-29 19:39 761856 ----a-w- c:\program files\EasyBUtils.dll
1999-03-22 19:05 . 2006-01-29 19:39 241664 ----a-w- c:\program files\CJ60Lib.dll
1998-12-31 11:51 . 2006-01-29 19:39 600 ----a-w- c:\program files\EasyBridge.cnt
2009-05-17 22:38 . 2006-03-29 23:51 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-06-24 14:03 2835256 ----a-w- c:\program files\Mozy\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-06-24 14:03 2835256 ----a-w- c:\program files\Mozy\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueCrypt"="c:\program files\TrueCrypt\TrueCrypt.exe" [2006-07-03 617472]
"V Stuff Backup"="c:\program files\VirginMedia\V Stuff Backup\v_stuff_backup.exe" [2009-08-14 9102608]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-05-17 30192]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-08 149280]
"ExaleadDesktop"="c:\program files\Exalead\Exalead Desktop\ExaleadDesktop.exe" [2009-04-29 2899968]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-20 2007832]
"ShowWnd"="ShowWnd.exe" - c:\windows\ShowWnd.exe [2003-09-19 36864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Sam\Start Menu\Programs\Startup\
LimeWire On Startup.lnk.disabled [2007-1-8 1538]

c:\documents and settings\Amy\Start Menu\Programs\Startup\
LimeWire On Startup.lnk.disabled [2006-9-24 1538]

c:\documents and settings\Caitlin\Start Menu\Programs\Startup\
LimeWire On Startup.lnk.disabled [2006-12-31 1538]

c:\documents and settings\Chloe\Start Menu\Programs\Startup\
LimeWire On Startup.lnk.disabled [2006-9-26 1538]

c:\documents and settings\Main User\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Launch K9.lnk - c:\program files\KeirNet\K9\K9.exe [2004-4-18 82944]
Yahoo! Desktop Search System Tray.lnk - c:\program files\Yahoo!\Yahoo! Desktop Search\YDSsystray.exe [2006-4-13 331264]
Yahoo! Desktop Search.lnk - c:\program files\Yahoo!\Yahoo! Desktop Search\YahooDesktopSearch.exe [2006-4-13 10684144]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MozyHome Status.lnk - c:\program files\Mozy\mozystat.exe [2009-6-24 2876216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSecurityTab"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSecurityTab"= 1 (0x1)
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 08:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^broadband medic.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\broadband medic.lnk
backup=c:\windows\pss\broadband medic.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Mozy Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Mozy Status.lnk
backup=c:\windows\pss\Mozy Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MozyHome Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MozyHome Status.lnk
backup=c:\windows\pss\MozyHome Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Main User^Start Menu^Programs^Startup^Media Manager.lnk]
path=c:\documents and settings\Main User\Start Menu\Programs\Startup\Media Manager.lnk
backup=c:\windows\pss\Media Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Main User^Start Menu^Programs^Startup^Mozy Status.lnk]
path=c:\documents and settings\Main User\Start Menu\Programs\Startup\Mozy Status.lnk
backup=c:\windows\pss\Mozy Status.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Main User^Start Menu^Programs^Startup^Yahoo! Desktop Search System Tray.lnk]
path=c:\documents and settings\Main User\Start Menu\Programs\Startup\Yahoo! Desktop Search System Tray.lnk
backup=c:\windows\pss\Yahoo! Desktop Search System Tray.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Main User^Start Menu^Programs^Startup^Yahoo! Desktop Search.lnk]
path=c:\documents and settings\Main User\Start Menu\Programs\Startup\Yahoo! Desktop Search.lnk
backup=c:\windows\pss\Yahoo! Desktop Search.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"EasyClip"="c:\program files\EasyClip\easyclip.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PCSuiteTrayApplication"=c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
"SunKistEM"=c:\program files\Digital Media Reader\shwiconem.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\PPStream\\PPStream.exe"=
"c:\\Program Files\\PPMate\\PPMate\\ppmate.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\PPMate\\ppmate.exe"=
"c:\\Program Files\\DigiGuide TV Guide\\digiguide.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5414:TCP"= 5414:TCP:ppLive
"8911:UDP"= 8911:UDP:ppLive
"7499:TCP"= 7499:TCP:ppLive
"5233:UDP"= 5233:UDP:ppLive
"6660:TCP"= 6660:TCP:ppLive
"5392:UDP"= 5392:UDP:ppLive

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/05/2008 11:23 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/05/2008 11:23 108552]
R1 MozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [08/04/2007 14:20 54776]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [29/08/2008 11:04 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [29/08/2008 11:04 297752]
R2 Redirector;ExaleadDesktop Redirector;c:\program files\Exalead\Exalead Desktop\ExaleadRedirector.exe [29/04/2009 15:49 98304]
R3 3xHybrid;Pinnacle PCTV 100i-110i-300i-310i-MCE;c:\windows\system32\drivers\3xHybrid.sys [22/11/2004 11:33 1121536]
S2 BT848;Conexant's BtPCI WDM Video Capture;c:\windows\system32\drivers\BT848.sys [29/04/2006 12:06 371349]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [11/06/2009 19:19 20160]
S3 cpuz131;cpuz131;\??\c:\docume~1\LIAMHU~1\LOCALS~1\Temp\cpuz131\cpuz_x32.sys --> c:\docume~1\LIAMHU~1\LOCALS~1\Temp\cpuz131\cpuz_x32.sys [?]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [30/03/2006 00:50 30192]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [03/07/2008 20:30 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [03/07/2008 20:30 8320]
S3 pctvvbi;PCTVVBI;c:\windows\system32\drivers\pctvvbi.sys [26/04/2006 00:20 6400]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
IE: MP: Save and Describe Image - c:\program files\MediaPurveyor\ImageDownloadDescribeScript.js
IE: MP: Save and Describe Target - c:\program files\MediaPurveyor\LinkDownloadDescribeScript.js
IE: MP: Save Image - c:\program files\MediaPurveyor\ImageDownloadScript.js
IE: MP: Save Target - c:\program files\MediaPurveyor\LinkDownloadScript.js
Handler: exalead - {39076C07-7014-41FF-A3CD-841360B1C2EC} - c:\program files\Exalead\Exalead Desktop\ExaScheme.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Main User\Application Data\Mozilla\Firefox\Profiles\dog0wwig.default\
FF - prefs.js: browser.search.selectedEngine - Hyperwords
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{30f8d2d0-cbea-11da-a94d-0800200c9a66} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
ShellIconOverlayIdentifiers-hex(2):7b,38,41,34,32,44,46,42,46,2d,37,38,36,38,2d,34,30,32,39,2d,39,35,38,\ - (no file)
AddRemove-Agfa ScanWise 1.50 - c:\windows\IsUninst.exe -fc:\program files\Agfa\ScanWise 1_50\uninst.isu
AddRemove-AlbumPro 8.1 - c:\windows\unin0407.exe -fc:\program files\Kirchhoff\AlbumPro 8.1\DeIsL1.isu
AddRemove-BigFix - c:\windows\ISUNINST.EXE -fc:\program files\BigFix\Uninst.isu
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe
AddRemove-Readiris - c:\windows\ISUNINST.EXE -fc:\program files\Readiris\Uninst.isu
AddRemove-Test Your IQ - c:\progra~1\THETIM~1\TESTYO~1\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-15 22:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2696)
c:\windows\system32\WININET.dll
c:\program files\Mozy\mozyshell.dll
c:\documents and settings\Main User\application data\ppstream\bin\1.0.0.2\vodrc.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\windows\system32\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Mozy\mozybackup.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\VirginMedia\V Stuff Backup\AGMailAgent.exe
.
**************************************************************************
.
Completion time: 2009-09-15 22:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-15 21:56

Pre-Run: 52,857,057,280 bytes free
Post-Run: 55,608,635,392 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
360 --- E O F --- 2009-09-10 00:15

HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:02:56, on 15/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozy\mozybackup.exe
C:\Program Files\Exalead\Exalead Desktop\ExaleadRedirector.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\VirginMedia\V Stuff Backup\v_stuff_backup.exe
C:\Program Files\Mozy\mozystat.exe
C:\Program Files\VirginMedia\V Stuff Backup\AGMailAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\freeCommander2006\FreeCommander.exe
C:\Program Files\Trend Micro\HijackThis\Hcheck.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MXC Software ProBHO - {9E3FB5AA-F0A3-497A-8FFF-476A1A315A29} - C:\Program Files\MXC Software\iSafeguard Freeware\ProBHO.dll
O2 - BHO: Schmap Local - {AC89BF9C-4296-476C-86BC-6CAA3B398AB5} - C:\Program Files\Schmap\SchmapLocal\SchmapLocalIE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ExaleadDesktop] "C:\Program Files\Exalead\Exalead Desktop\ExaleadDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences /a favorites
O4 - HKCU\..\Run: [V Stuff Backup] "C:\Program Files\VirginMedia\V Stuff Backup\v_stuff_backup.exe" /delayed
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Launch K9.lnk = C:\Program Files\KeirNet\K9\K9.exe
O4 - Startup: Yahoo! Desktop Search System Tray.lnk = C:\Program Files\Yahoo!\Yahoo! Desktop Search\YDSsystray.exe
O4 - Startup: Yahoo! Desktop Search.lnk = C:\Program Files\Yahoo!\Yahoo! Desktop Search\YahooDesktopSearch.exe
O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\Mozy\mozystat.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: MP: Save and Describe Image - C:\Program Files\MediaPurveyor\ImageDownloadDescribeScript.js
O8 - Extra context menu item: MP: Save and Describe Target - C:\Program Files\MediaPurveyor\LinkDownloadDescribeScript.js
O8 - Extra context menu item: MP: Save Image - C:\Program Files\MediaPurveyor\ImageDownloadScript.js
O8 - Extra context menu item: MP: Save Target - C:\Program Files\MediaPurveyor\LinkDownloadScript.js
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Schmap Local - {f53a1294-34c5-4e48-afbd-5f5d5f081d2a} - C:\Program Files\Schmap\SchmapLocal\SchmapLocalIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6796.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1138356300984
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://esupport.epson-europe.com/selftest/...rg/ESTPTest.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: exalead - {39076C07-7014-41FF-A3CD-841360B1C2EC} - C:\Program Files\Exalead\Exalead Desktop\ExaScheme.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: schmap-help - {2CF664A0-5EA6-47B5-884C-433A60145F78} - C:\Program Files\Schmap\Schmap Player\SchmapDocLib.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MozyHome Backup Service (MozyBackup) - Mozy, Inc. - C:\Program Files\Mozy\mozybackup.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\Common Files\NMSAccessU.exe
O23 - Service: ExaleadDesktop Redirector (Redirector) - Exalead - C:\Program Files\Exalead\Exalead Desktop\ExaleadRedirector.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11349 bytes

Regards,
Olavatar
Ironbender
Did you intentionally install PPLive/PPMate? It has left a bunch of open ports...

Apart from this, the logs look clean to me now. Are you still experiencing troubles with this system?

Chris
olavatar
QUOTE(Ironbender @ Sep 15 2009, 04:32 PM)

Did you intentionally install PPLive/PPMate? It has left a bunch of open ports...

Apart from this, the logs look clean to me now. Are you still experiencing troubles with this system?

Chris


Hi Chris -

Yes I did install this intentionally a long time ago and no longer use it. I must admit, I've never really understood the "ports" concept. I take it uninstalling PPLive/PPMate isn't going to close the ports? If not, how should I do so?

No, I am not experiencing trouble - hopefully that is all the horrid little critters gone.

More generally than just the case of the current infection, I tend to be paranoid about the possibility of keyloggers running unobserved. I don't suppose you know of anything which gives more of a guarantee that this isn't occurring than the common, resident antivirus and firewall programs? (AVG Free and ZoneAlarm Free in my case). Or should they really be enough to let me sleep easy?

Regards,
Olavatar

Ironbender
Uninstalling it will remove the registry keys which keep the ports open.

This is what I use, along with my antivirus and ZA Firewall (all freebies):

SpywareBlaster: http://www.javacoolsoftware.com/sbdownload.html (update the definition files on install and once a week after install)

RegProt (warns every time a registry key is changed and allows you to deny the change if it looks suspicious): http://www.diamondcs.com.au/freeutilities/regprot.php

SnoopFree anti-keylogger from http://www.snoopfree.com/ (warns you if any program tries to read your screen or your keyboard). You must allow legit programs to run and will be able to block and even kill any suspicious one.

Crazy Browser from http://www.crazybrowser.com/ instead of IE (although it needs the IE engine to run, it has built-in popup blocker and content filter). You may also consider FireFox.

With safe surfing and mailing habits (never leave the mail preview pane enabled, as new baddies now come embedded in the text or in hidden scripts - delete any suspicious mail without viewing it), this will keep most baddies away.

You can now uninstall ComboFix.
<Start/Run> type in combofix /u (Enter)
This will remove quarantined files and folders, thus avoiding future antivirus alerts about them.

Update Java: Go to http://java.sun.com/javase/downloads/index.jsp
Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 16' or higher and press the 'Download' button.
Reboot when installed.
Uninstall any previous JRE versions from Control Panel, add-remove programs afterward.

Disable/re-enable system restore to avoid future reinfections from restore points: http://www.bleepingcomputer.com/tutorials/tutorial56.html

Don't forget to create a new restore point just after.

Chris.
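An added audit script for the ports question above; it is not from the thread or from any tool mentioned in it. After PPLive/PPMate is uninstalled, it reads the same registry lists ComboFix printed (FirewallPolicy\StandardProfile GloballyOpenPorts and AuthorizedApplications), shows what is still open, flags program exceptions whose executable no longer exists, and previews removal of the leftover ppLive port entries. It assumes an Administrator PowerShell 2.0 prompt on XP SP3 and the value layouts stated in the comments; the "ppLive" match is a constructed example taken from the log.

```powershell
# Added example, not code from the thread or from ComboFix/HijackThis.
# The XP firewall exceptions are plain registry values, so a program whose
# uninstaller forgets them leaves its holes open. Assumed value layouts:
#   GloballyOpenPorts\List       "port:proto" = "port:proto:scope:Enabled:name"
#   AuthorizedApplications\List  "path"       = "path:scope:Enabled:name"
# Written for PowerShell 2.0 (New-Object PSObject instead of [pscustomobject]).

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$portKey = Join-Path $base 'GloballyOpenPorts\List'
$appKey  = Join-Path $base 'AuthorizedApplications\List'

function Get-OpenPortExceptions {
    if (-not (Test-Path $portKey)) { return @() }
    $item = Get-Item $portKey
    foreach ($name in $item.GetValueNames()) {
        $f = ([string]$item.GetValue($name)) -split ':'
        if ($f.Count -lt 5) { continue }   # not in the expected layout, skip
        New-Object PSObject -Property @{
            ValueName = $name
            Port      = $f[0]
            Protocol  = $f[1]
            Scope     = $f[2]           # '*' means any network, not just LocalSubNet
            State     = $f[3]
            Name      = $f[4]
        }
    }
}

function Get-AppExceptions {
    if (-not (Test-Path $appKey)) { return @() }
    $item = Get-Item $appKey
    foreach ($name in $item.GetValueNames()) {
        # The value name is the program path, possibly with %windir% etc.
        $path = [Environment]::ExpandEnvironmentVariables($name)
        New-Object PSObject -Property @{
            ValueName = $name
            Path      = $path
            Installed = (Test-Path -LiteralPath $path)
        }
    }
}

$ports = @(Get-OpenPortExceptions)
$apps  = @(Get-AppExceptions)

"== Globally open ports still registered =="
$ports | Sort-Object Name, Port | Format-Table Name, Port, Protocol, Scope, State -AutoSize

"== Program exceptions whose executable is gone =="
$stale = @($apps | Where-Object { -not $_.Installed })
$stale | Format-Table Path -AutoSize

# Port exceptions carry only a description, so match on the name of the
# program you removed (constructed: the ppLive entries from the log above).
$leftover = @($ports | Where-Object { $_.Name -like 'ppLive*' })

# Preview only: drop -WhatIf once you have reviewed both lists.
# Deleting the value is what closes the hole; the uninstaller does the same.
foreach ($p in $leftover) {
    Remove-ItemProperty -Path $portKey -Name $p.ValueName -WhatIf
}
foreach ($a in $stale) {
    Remove-ItemProperty -Path $appKey -Name $a.ValueName -WhatIf
}
```

Re-run the script after removing the values (or after the uninstall) and the ppLive rows and stale program rows should no longer appear.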

This topic has been closed as the problem has been resolved. If there is a need to reopen this topic, please send a PM to a Moderator.