
Same Trojan that refuses to be removed.


23 replies to this topic

#1
decox

    New Member

  • Members
  • 11 posts
Hi all, thanks for any help. Here is the mbam log.
Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 2

6/17/2009 3:15:01 PM
mbam-log-2009-06-17 (15-14-58).txt

Scan type: Quick Scan
Objects scanned: 116694
Time elapsed: 7 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.


Hijackthis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:14:53 PM, on 6/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Malwarebytes' Anti-Malware\29sdfjsdofijsdk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.mywebsearch.com/mywebsearch/...Bu_5zusCcaJOYLg
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RelevantKnowledge] C:\Program Files\RelevantKnowledge\rlvknlg.exe -boot
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\NaturallySpeaking9\Ereg.ini
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10512 bytes


Any help would be greatly appreciated. Thanks in advance.

#2
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
Hi and Welcome to the Malwarebytes' Malware Removal Forum!

Uninstall the following via the Add/Remove Programs feature of the Control Panel:
  • Relevant Knowledge (Adware)
  • Viewpoint Manager (Foistware)
  • Malwarebytes 1.37 (a new version was released today and your scan log shows an outdated database)
  • You have two antiviruses, AVG and McAfee, so remove the one that is either not updated or the one you are not currently using.
Close the Control Panel.

Please disable Ad-Aware 2007 for the duration of the cleanup or it may reverse any fixes we make:
On the Real-time protection status screen --> Go to Settings --> Uncheck "Load Ad-Watch at startup"

Next, clean the clutter:
Download ATF Cleaner by Atribune
  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Follow the instructions to install and scan with the Malicious Software Removal Tool:
http://www.pchell.com/virus/malicioussoftw...movaltool.shtml

Since a new Malicious Software Removal Tool was recently released, it would be better if you can download that new version to portable media (ie USB flash) from here:
http://www.microsoft.com/downloads/details...;displaylang=en

Allow the tool to extract, and then rename the extracted EXE from mrt.exe -> begone.exe
Transfer begone.exe to the infected PC and run a complete scan by double-clicking begone.exe.

The MSRT log will open automatically, but should you need to open it again, follow the instructions below to open the MSRT log, and post it in your next reply:

1) Click on Start, Run
2) Type the following and Press Enter

notepad c:\windows\debug\mrt.log
-----------------
Please download Malwarebytes' Anti-Malware (MBAM) to your desktop from:

BestTechie.net
http://www.besttechi.../mbam-setup.exe
or
MajorGeeks.com:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

Rename the installer as you download it from mbam-setup.exe to aurina-setup.exe.

Double-click aurina-setup.exe and follow the prompts to install the program. At the end of the install, UNcheck the following two options:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Click Finish.
  • Close MBAM and rename "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" -> "C:\Program Files\Malwarebytes' Anti-Malware\aurina.exe"
  • Now relaunch MBAM by double-clicking aurina.exe in the MBAM folder.
  • Select the Update tab -> Check for Updates
  • After MBAM updates, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK -> Show Results to view the scan results.
  • Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
  • When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

-----------------

Download DDS and save it to your desktop from here or here


Disable any script blocking programs you may have installed (such as Norton script blocking), and then double-click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop
  • Please copy and paste both logs into your next reply.

===============================================================

Please post the MSRT log, an updated MBAM v 1.38 log, the DDS scan reports, and a new HJT log.
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog
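A small log triage helper, added here as an example and not part of this thread or of Malwarebytes' or Microsoft's own tooling. It parses MBAM detection lines and MSRT "->Scan ERROR" lines in the formats quoted in this thread, lists detections that were left at "No action taken" (the reason the same two items keep reappearing in the MBAM logs), and marks MSRT read errors on globalroot\systemroot paths named UAC*, which line up with the Rootkit.Trace entry MBAM reported. The sample logs are constructed from the posted entries and the "suspicious" heuristic is my own assumption.

```python
"""Triage helper for MBAM and MSRT logs (added example, not forum or vendor code).
Sample logs below are constructed from the entries quoted in the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the detection part of the MBAM log posted in the thread.
SAMPLE_MBAM_LOG = """\
Malwarebytes' Anti-Malware 1.38
Database version: 2301

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\\WINDOWS\\system32\\uacinit.dll (Trojan.Agent) -> No action taken.
"""

# Constructed sample: the extended-scan section of the MSRT log posted in the thread.
SAMPLE_MSRT_LOG = """\
Extended Scan Results
----------------
->Scan ERROR: resource file://globalroot\\systemroot\\system32\\UACamtffipdwlcxsox.dll (code 0x00000021 (33))
->Scan ERROR: resource file://C:\\pagefile.sys (code 0x00000020 (32))
No infection found as part of the extended scan
"""


@dataclass(frozen=True)
class Detection:
    section: str  # e.g. "Registry Keys Infected"
    item: str     # registry key or file path
    threat: str   # MBAM classification, e.g. "Rootkit.Trace"
    action: str   # e.g. "No action taken", "Quarantined and deleted successfully"


# One detection line has the shape "<item> (<threat>) -> <action>."
_DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# Section headers end in "Infected:" with nothing after the colon (the summary
# block at the top of the log has counts after the colon and is skipped).
_SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")


def parse_mbam_log(text: str) -> list[Detection]:
    """Return every detection in an MBAM log with the action MBAM recorded for it."""
    detections: list[Detection] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if not section or line.startswith("("):  # "(No malicious items detected)"
            continue
        m = _DETECTION_RE.match(line)
        if m:
            detections.append(Detection(section, m.group("item"), m.group("threat"), m.group("action")))
    return detections


def unresolved_detections(text: str) -> list[Detection]:
    """Detections the scan reported but did not remove. These come back on the
    next scan, which is the pattern in this thread: both logs say 'No action taken'."""
    return [d for d in parse_mbam_log(text) if d.action.lower().startswith("no action")]


_MSRT_ERROR_RE = re.compile(
    r"^->Scan ERROR: resource (?P<scheme>\w+)://(?P<path>.+?) \(code (?P<hex>0x[0-9A-Fa-f]+) \((?P<dec>\d+)\)\)$"
)


def msrt_scan_errors(text: str) -> list[dict]:
    """Parse '->Scan ERROR' lines from an MSRT log. The 'suspicious' flag is a
    heuristic (my assumption): a file under globalroot\\systemroot that MSRT could
    not read and whose name starts with 'UAC' matches the UAC key MBAM flagged."""
    errors = []
    for line in text.splitlines():
        m = _MSRT_ERROR_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        name = path.rsplit("\\", 1)[-1]
        errors.append({
            "scheme": m.group("scheme"),
            "path": path,
            "code": int(m.group("dec")),
            "suspicious": path.lower().startswith("globalroot\\") and name.upper().startswith("UAC"),
        })
    return errors


if __name__ == "__main__":
    for d in unresolved_detections(SAMPLE_MBAM_LOG):
        print(f"UNRESOLVED [{d.section}] {d.item} ({d.threat})")
    for e in msrt_scan_errors(SAMPLE_MSRT_LOG):
        print(f"MSRT error {e['code']:>4} {'SUSPICIOUS' if e['suspicious'] else 'ignore'} {e['path']}")
```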

#3
decox

    New Member

  • Members
  • 11 posts
OK, I followed it step by step and here are the 4 logs you requested.

---mrt----


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.19, August 2006
Started On Mon Aug 21 08:41:56 2006

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Mon Aug 21 08:42:11 2006


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.20, September 2006
Started On Fri Sep 15 03:00:26 2006

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Fri Sep 15 03:00:52 2006


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.21, October 2006
Started On Fri Oct 13 03:00:27 2006

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Fri Oct 13 03:00:45 2006


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.22, November 2006
Started On Thu Nov 16 03:02:23 2006

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu Nov 16 03:02:53 2006


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.23, December 2006
Started On Sun Dec 17 03:00:31 2006

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Sun Dec 17 03:00:54 2006


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.24, January 2007
Started On Wed Jan 10 10:20:19 2007

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Jan 10 10:20:41 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.25, February 2007
Started On Fri Feb 16 03:01:42 2007

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Fri Feb 16 03:02:16 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.27, March 2007
Started On Thu Mar 15 10:36:20 2007
->Sysclean WARNING: MemScanGetImagePathFromPid(5040) (Win32 Error Code: 0x00000057 (87):The parameter is incorrect.) [708]

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu Mar 15 10:36:58 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.28, April 2007
Started On Fri Apr 13 03:00:30 2007

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Fri Apr 13 03:01:10 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.29, May 2007
Started On Thu May 10 11:49:17 2007
->Scan ERROR: resource process://pid:2908 (code 0x0000054F (1359))
->Scan ERROR: resource process://pid:3672 (code 0x0000054F (1359))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu May 10 11:52:30 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.30, June 2007
Started On Thu Jun 14 07:33:24 2007
->Scan ERROR: resource file://C:\Program Files\My Lockbox\flockbox.exe (code 0x0000000B (11))
->Scan ERROR: resource process://pid:124 (code 0x00000005 (5))
->Scan ERROR: resource file://C:\Program Files\My Lockbox\flockbox.exe (code 0x0000000B (11))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu Jun 14 07:36:20 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.31, July 2007
Started On Thu Jul 12 08:04:38 2007
->Scan ERROR: resource file://C:\Program Files\My Lockbox\flockbox.exe (code 0x0000000B (11))
->Scan ERROR: resource file://C:\Program Files\My Lockbox\flockbox.exe (code 0x0000000B (11))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu Jul 12 08:06:31 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.32, August 2007
Started On Thu Aug 16 10:55:23 2007
->Scan ERROR: resource file://C:\Program Files\My Lockbox\flockbox.exe (code 0x0000000B (11))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu Aug 16 11:03:20 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.33, September 2007
Started On Thu Sep 13 10:22:16 2007
->Scan ERROR: resource file://C:\Program Files\My Lockbox\flockbox.exe (code 0x0000000B (11))
->Scan ERROR: resource file://C:\Program Files\My Lockbox\flockbox.exe (code 0x0000000B (11))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu Sep 13 10:23:41 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.34, October 2007
Started On Fri Oct 12 10:02:38 2007
->Scan ERROR: resource file://C:\Program Files\My Lockbox\flockbox.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Program Files\My Lockbox\flockbox.exe (code 0x0000000D (13))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Fri Oct 12 10:04:59 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.35, November 2007
Started On Wed Nov 14 09:11:19 2007
->Scan ERROR: resource file://C:\Program Files\My Lockbox\flockbox.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Program Files\My Lockbox\flockbox.exe (code 0x0000000D (13))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Nov 14 09:12:52 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.36, December 2007
Started On Wed Dec 12 09:40:12 2007
->Scan ERROR: resource process://pid:2908 (code 0x00000057 (87))
->Scan ERROR: resource process://pid:2908 (code 0x0000054F (1359))
->Scan ERROR: resource file://C:\Program Files\My Lockbox\flockbox.exe (code 0x0000000D (13))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Dec 12 09:41:25 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.37, January 2008
Started On Wed Jan 09 03:01:20 2008
->Scan ERROR: resource file://C:\Program Files\My Lockbox\flockbox.exe (code 0x0000000D (13))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Jan 09 03:02:26 2008


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.38, February 2008
Started On Wed Feb 13 03:01:34 2008
->Scan ERROR: resource process://pid:4200 (code 0x00000057 (87))
->Scan ERROR: resource process://pid:4200 (code 0x0000054F (1359))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Feb 13 03:03:05 2008


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.39, March 2008
Started On Wed Mar 12 03:00:29 2008

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Mar 12 03:02:02 2008


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.40, April 2008
Started On Wed Apr 09 03:01:27 2008
->Scan ERROR: resource process://pid:3888 (code 0x00000057 (87))
->Scan ERROR: resource process://pid:3888 (code 0x0000054F (1359))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Apr 09 03:02:59 2008


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.41, May 2008
Started On Sat May 17 03:00:35 2008

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Sat May 17 03:02:00 2008


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.42, June 2008
Started On Wed Jun 11 09:45:15 2008

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Jun 11 09:53:50 2008


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.11, June 2009
Started On Wed Jun 17 20:38:10 2009

Extended Scan Results
----------------
->Scan ERROR: resource file://globalroot\systemroot\system32\UACamtffipdwlcxsox.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACamtffipdwlcxsox.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACamtffipdwlcxsox.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACamtffipdwlcxsox.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACamtffipdwlcxsox.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACamtffipdwlcxsox.dll (code 0x00000021 (33))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))
No infection found as part of the extended scan

Results Summary:
----------------
No infection found.


---mbam---

Malwarebytes' Anti-Malware 1.38
Database version: 2301
Windows 5.1.2600 Service Pack 2

6/17/2009 10:54:09 PM
mbam-log-2009-06-17 (22-54-01).txt

Scan type: Quick Scan
Objects scanned: 114637
Time elapsed: 4 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.

---dss----


DDS (Ver_09-05-14.01) - NTFSx86
Run by game at 22:58:23.71 on Wed 06/17/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1015.452 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\game\Desktop\Comm\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJfox000&ptb=SrsG0xBBu_5zusCcaJOYLg
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.1.4.29.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\tbmon.exe"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [RelevantKnowledge] c:\program files\relevantknowledge\rlvknlg.exe -boot
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking9\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking9\Ereg.ini
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Search
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
Notify: MCPClient - c:\program files\common files\stardock\mcpstub.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - c:\program files\common files\stardock\MCPCore.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\game\applic~1\mozilla\firefox\profiles\i26r89sd.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJfox000&fl=0&ptb=SrsG0xBBu_5zusCcaJOYLg&st=kwd&o=kwd&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&searchfor=
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\game\application data\mozilla\firefox\profiles\i26r89sd.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npWebLaunch.dll
FF - plugin: c:\program files\thrixxx\weblaunch\binaries\npWebLaunch.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 MPRIFL;MPRIFL;c:\windows\system32\drivers\mprifl.sys [2007-6-1 17264]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-6-25 58464]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-6-17 353680]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-10-29 587096]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-6-25 106559]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\vstskmgr.exe [2005-8-22 29184]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-6-3 92008]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
RUnknown pzdpa;pzdpa; [x]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
S3 McShield;Network Associates McShield;c:\program files\network associates\virusscan\mcshield.exe [2005-8-22 221191]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-6-25 114624]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\drivers\V0250Dev.sys [2007-5-28 163840]
S3 XDva064;XDva064;\??\c:\windows\system32\xdva064.sys --> c:\windows\system32\XDva064.sys [?]
S4 Algaecrtq;Algaecrtq;c:\windows\system32\drivers\null.sys [2004-8-10 2944]

=============== Created Last 30 ================

2009-06-17 22:47 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 22:47 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-17 22:47 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-17 15:14 <DIR> --d----- c:\program files\Trend Micro
2009-06-17 14:17 <DIR> --d----- c:\docume~1\game\applic~1\Malwarebytes
2009-06-17 12:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-17 11:36 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-06-17 11:36 1,221,008 a------- c:\windows\system32\zpeng25.dll
2009-06-17 11:36 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-06-17 11:36 <DIR> --d----- c:\program files\Zone Labs
2009-06-17 11:36 348,371 a------- c:\windows\system32\vsconfig.xml
2009-06-17 11:35 <DIR> --d----- c:\windows\Internet Logs
2009-06-17 09:55 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-06-17 09:54 <DIR> --d----- c:\documents and settings\game\.housecall6.6
2009-06-17 09:01 <DIR> --d----- c:\docume~1\game\applic~1\Nuance
2009-06-17 08:57 <DIR> --d----- c:\program files\common files\ScanSoft Shared
2009-06-17 08:57 <DIR> --d----- c:\program files\common files\Nuance
2009-06-17 08:56 <DIR> --d----- c:\program files\Nuance
2009-06-17 08:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nuance
2009-06-17 08:19 <DIR> --d----- c:\program files\PowerISO
2009-06-11 18:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TomTom
2009-06-11 18:00 <DIR> --d----- c:\docume~1\game\applic~1\TomTom
2009-06-11 18:00 <DIR> --d----- c:\program files\TomTom International B.V
2009-06-11 17:58 <DIR> --d----- c:\program files\TomTom HOME 2
2009-06-11 17:53 <DIR> --d----- c:\program files\TomTom DesktopSuite
2009-06-02 19:07 <DIR> --d----- c:\program files\Palo Alto Software
2009-06-02 19:07 <DIR> --d----- c:\program files\common files\Palo Alto Software
2009-06-02 19:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Palo Alto Software
2009-06-02 12:43 <DIR> --d----- c:\docume~1\game\applic~1\Palo Alto Software
2009-06-02 12:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PAS
2009-05-22 22:49 <DIR> --ds---- c:\documents and settings\game\UserData
2009-05-22 16:18 <DIR> --d----- c:\program files\oDesk

==================== Find3M ====================

2009-05-21 19:54 5,486 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-23 01:37 249,856 -------- c:\windows\Setup1.exe
2009-03-23 01:37 73,216 a------- c:\windows\ST6UNST.EXE
2009-03-22 18:04 35,224 a------- c:\windows\DIIUnin.dat
2009-03-22 18:03 21,840 a------t c:\windows\system32\SIntfNT.dll
2009-03-22 18:03 17,212 a------t c:\windows\system32\SIntf32.dll
2009-03-22 18:03 12,067 a------t c:\windows\system32\SIntf16.dll
2009-03-22 17:48 94,208 a------- c:\windows\DIIUnin.exe
2009-03-22 17:48 2,829 a------- c:\windows\DIIUnin.pif
2009-03-20 10:45 77,988 a------- c:\windows\War3Unin.dat
2002-07-31 19:55 212 ---sh--- c:\windows\WSYS049.SYS
2005-07-14 12:31 27,648 a--shr-- c:\windows\system32\AVSredirect.dll
2005-06-26 15:32 616,448 a--shr-- c:\windows\system32\cygwin1.dll
2005-06-21 22:37 45,568 a--shr-- c:\windows\system32\cygz.dll
2006-05-27 18:52 88 ---shr-- c:\windows\system32\EF5610EF21.sys
2006-05-03 05:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2004-01-25 01:00 70,656 a--shr-- c:\windows\system32\i420vfw.dll
2007-02-21 06:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-03-16 08:30 216,064 ---shr-- c:\windows\system32\nbDX.dll
2006-04-27 10:24 2,945,024 a--shr-- c:\windows\system32\Smab.dll
2005-02-28 13:16 240,128 a--shr-- c:\windows\system32\x.264.exe
2004-01-25 01:00 70,656 a--shr-- c:\windows\system32\yv12vfw.dll

============= FINISH: 22:58:58.29 ===============


---HJT---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:05 PM, on 6/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.mywebsearch.com/mywebsearch/...Bu_5zusCcaJOYLg
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RelevantKnowledge] C:\Program Files\RelevantKnowledge\rlvknlg.exe -boot
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\NaturallySpeaking9\Ereg.ini
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9526 bytes

#4
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
Good job!

Actually, the MSRT identified your rootkit but it didn't realize it - reporting no infections found:

Quote

Extended Scan Results
----------------
->Scan ERROR: resource file://globalroot\systemroot\system32\UACamtffipdwlcxsox.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACamtffipdwlcxsox.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACamtffipdwlcxsox.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACamtffipdwlcxsox.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACamtffipdwlcxsox.dll (code 0x00000021 (33))
->Scan ERROR: resource file://globalroot\systemroot\system32\UACamtffipdwlcxsox.dll (code 0x00000021 (33))

Results Summary:
----------------
No infection found.

OK, let's zap this bugger.

Please rerun ATF Cleaner then immediately reboot.

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus by following the directions that apply here:
http://www.bleepingc...opic114351.html

Next, please perform a rootkit scan:
  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the "quick scan" is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.
Note: If you have trouble completing a complete Rootkit/Malware scan with the ARK program then just copy/paste the "quick scan" results into your reply. Often that alone provides enough information.

Please download Combofix from one of these locations:
HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as fixit.exe

Notes:
  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.

    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
  • For Firefox
    • Open Firefox and click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • When downloading, choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console if you have not done that already:
http://www.bleepingc...to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:
http://www.bleepingc...opic114351.html

Also, disable your firewall!
You can enable the Windows firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
1. Double click on the renamed combofix.exe (fixit.exe) & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt
3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Please post back ARK.txt and C:\Combofix.txt
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog
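A defender-side check for the false negative negster22 points out above. This is an added example, not code from the thread or from Microsoft's MSRT: it parses MSRT-style "Scan ERROR" lines and flags a log when the errors reference a file reached through \globalroot or carrying the UAC-style random name seen in this thread, even though the summary says "No infection found." The sample and control log lines are constructed to mirror the quoted output; the flagging rules, the `Finding`/`Assessment` types and the control log's path are my own assumptions.

```python
"""Flag rootkit indicators hidden inside a scanner log that reports "clean"."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample mirroring the MSRT output quoted in the thread above.
SAMPLE_LOG_LINES = [
    "Extended Scan Results",
    "----------------",
    r"->Scan ERROR: resource file://globalroot\systemroot\system32\UACamtffipdwlcxsox.dll (code 0x00000021 (33))",
    r"->Scan ERROR: resource file://globalroot\systemroot\system32\UACamtffipdwlcxsox.dll (code 0x00000021 (33))",
    r"->Scan ERROR: resource file://globalroot\systemroot\system32\UACamtffipdwlcxsox.dll (code 0x00000021 (33))",
    "",
    "Results Summary:",
    "----------------",
    "No infection found.",
]

# Constructed control log (hypothetical path): an ordinary locked file, same clean summary.
CONTROL_LOG_LINES = [
    "Extended Scan Results",
    "----------------",
    r"->Scan ERROR: resource file://c:\pagefile.sys (code 0x00000021 (33))",
    "",
    "Results Summary:",
    "----------------",
    "No infection found.",
]

# One "->Scan ERROR" line: the path is everything up to the " (code" suffix.
SCAN_ERROR_RE = re.compile(
    r"^->Scan ERROR: resource file://(?P<path>.+?) \(code (?P<code>0x[0-9A-Fa-f]+) \((?P<dec>\d+)\)\)\s*$"
)
# Naming pattern of the hidden files in this thread: "UAC" + random letters under system32.
UAC_NAME_RE = re.compile(
    r"\\system32\\(drivers\\)?uac[a-z]*\.(dll|sys|dat|log|db)$", re.IGNORECASE
)


@dataclass
class Finding:
    path: str
    code: str
    hits: int             # how many times the same error repeated
    via_globalroot: bool  # reached through \globalroot, a path normal tools do not show
    uac_named: bool       # matches the UAC* naming seen in this thread

    @property
    def suspicious(self) -> bool:
        return self.via_globalroot or self.uac_named


@dataclass
class Assessment:
    summary_clean: bool
    findings: List[Finding] = field(default_factory=list)

    @property
    def suspicious(self) -> List[Finding]:
        return [f for f in self.findings if f.suspicious]

    @property
    def false_negative(self) -> bool:
        """The scanner said clean, but its own errors point at a hidden object."""
        return self.summary_clean and bool(self.suspicious)


def assess_log(lines) -> Assessment:
    """Collapse repeated errors per (path, code) and read the summary verdict."""
    counts: Dict[Tuple[str, str], int] = {}
    summary_clean = False
    for raw in lines:
        line = raw.strip()
        m = SCAN_ERROR_RE.match(line)
        if m:
            key = (m.group("path"), m.group("code"))
            counts[key] = counts.get(key, 0) + 1
        elif line.lower() == "no infection found.":
            summary_clean = True
    findings = [
        Finding(path=path, code=code, hits=n,
                via_globalroot=path.lower().startswith("globalroot\\"),
                uac_named=bool(UAC_NAME_RE.search(path)))
        for (path, code), n in counts.items()
    ]
    return Assessment(summary_clean=summary_clean, findings=findings)


def report(assessment: Assessment) -> List[str]:
    """Human-readable verdict lines; empty list means nothing worth noting."""
    out = []
    for f in assessment.suspicious:
        why = []
        if f.via_globalroot:
            why.append("path only reachable via \\globalroot")
        if f.uac_named:
            why.append("UAC* random name")
        out.append(f"SUSPICIOUS x{f.hits}: {f.path} [{', '.join(why)}]")
    if assessment.false_negative:
        out.append("Summary said clean, but the errors above point at a hidden "
                   "rootkit component; follow up with an anti-rootkit scan.")
    return out


if __name__ == "__main__":
    for name, lines in (("sample", SAMPLE_LOG_LINES), ("control", CONTROL_LOG_LINES)):
        print(f"== {name} ==")
        for row in report(assess_log(lines)) or ["nothing flagged"]:
            print(row)
```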

#5
decox

    New Member

  • Members
  • 11 posts
OK, did those steps as well.

----Ark Text----

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-18 08:33:27
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code 869C9BC8 ZwEnumerateKey
Code 86C2D648 ZwFlushInstructionCache
Code 86D4EE56 IofCallDriver
Code 86A15B9E IofCompleteRequest

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86F80290

AttachedDevice \FileSystem\Ntfs \Ntfs MPRIFL.SYS (My Private Folder driver/FSPro Labs)

Device \FileSystem\Fastfat \Fat 86B4B148

AttachedDevice \FileSystem\Fastfat \Fat MPRIFL.SYS (My Private Folder driver/FSPro Labs)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Modules - GMER 1.0.15 ----

Module _________ F72EA000-F7302000 (98304 bytes)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACgcbxluevotmbvpf.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----


---combofix----

ComboFix 09-06-17.04 - game 06/18/2009 8:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1015.707 [GMT -4:00]
Running from: c:\documents and settings\game\Desktop\fexit.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Victor Voong\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\qmdispatch.dll
c:\windows\system32\bszip.dll
c:\windows\system32\drivers\UACgcbxluevotmbvpf.sys
c:\windows\system32\UACamtffipdwlcxsox.dll
c:\windows\system32\UACfxyysxynweodmii.dat
c:\windows\system32\UACgarrehvitittvxl.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UACohoaokhuutkjvka.db
c:\windows\system32\UACpybhbwbudqodgof.dll
c:\windows\system32\UACqokxgktkjuhwwxw.log
c:\windows\system32\uactmp.db
c:\windows\system32\UACujiebscppofmegm.dll
c:\windows\system32\UACvblonghnbqhwuts.dll
c:\windows\system32\UACwchmwfybhxwbldq.dll
c:\windows\system32\UACxndcmxjvpdctswt.log
c:\windows\system32\UACytxfvqlgfgyabnd.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 )))))))))))))))))))))))))))))))
.

2009-06-18 11:33 . 2009-06-18 11:33 -------- d-----w- C:\Ark
2009-06-18 02:47 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-18 02:47 . 2009-06-18 02:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-18 02:47 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-18 00:31 . 2009-06-18 00:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg7
2009-06-17 19:14 . 2009-06-17 19:14 -------- d-----w- c:\program files\Trend Micro
2009-06-17 18:17 . 2009-06-17 18:17 -------- d-----w- c:\documents and settings\game\Application Data\Malwarebytes
2009-06-17 18:12 . 2009-06-17 18:12 -------- d-----w- c:\documents and settings\Administrator.VICTOR\Local Settings\Application Data\Mozilla
2009-06-17 17:09 . 2009-06-17 17:09 -------- d-----w- c:\documents and settings\Administrator.VICTOR\Application Data\Malwarebytes
2009-06-17 16:59 . 2009-06-17 16:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-17 16:54 . 2009-06-17 16:54 -------- d-----w- c:\documents and settings\Victor Voong\Local Settings\Application Data\Scansoft
2009-06-17 15:36 . 2009-06-17 15:36 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-06-17 15:36 . 2008-11-13 19:18 69008 ----a-w- c:\windows\system32\zlcomm.dll
2009-06-17 15:36 . 2008-11-13 19:18 106384 ----a-w- c:\windows\system32\zlcommdb.dll
2009-06-17 15:36 . 2009-06-17 15:36 -------- d-----w- c:\windows\system32\ZoneLabs
2009-06-17 15:36 . 2009-06-17 15:36 -------- d-----w- c:\program files\Zone Labs
2009-06-17 15:36 . 2008-11-13 19:18 1221008 ----a-w- c:\windows\system32\zpeng25.dll
2009-06-17 15:35 . 2009-06-18 12:41 -------- d-----w- c:\windows\Internet Logs
2009-06-17 13:55 . 2009-06-17 13:54 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-06-17 13:54 . 2009-06-17 14:03 -------- d-----w- c:\documents and settings\game\.housecall6.6
2009-06-17 13:25 . 2009-06-17 13:25 -------- d-----w- c:\documents and settings\game\Local Settings\Application Data\Scansoft
2009-06-17 13:01 . 2009-06-17 13:01 -------- d-----w- c:\documents and settings\game\Application Data\Nuance
2009-06-17 12:57 . 2009-06-17 12:57 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2009-06-17 12:57 . 2009-06-17 12:57 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2009-06-17 12:57 . 2009-06-17 12:57 -------- d-----w- c:\program files\Common Files\Nuance
2009-06-17 12:56 . 2009-06-17 12:56 -------- d-----w- c:\program files\Nuance
2009-06-17 12:56 . 2009-06-17 12:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance
2009-06-17 12:19 . 2009-06-17 12:19 -------- d-----w- c:\program files\PowerISO
2009-06-12 04:42 . 2009-06-12 04:42 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\oDesk
2009-06-11 22:01 . 2009-06-11 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\TomTom
2009-06-11 22:00 . 2009-06-11 22:00 -------- d-----w- c:\documents and settings\game\Local Settings\Application Data\TomTom
2009-06-11 22:00 . 2009-06-11 22:00 -------- d-----w- c:\documents and settings\game\Application Data\TomTom
2009-06-11 22:00 . 2009-06-11 22:00 -------- d-----w- c:\program files\TomTom International B.V
2009-06-11 21:58 . 2009-06-11 22:00 -------- d-----w- c:\program files\TomTom HOME 2
2009-06-11 21:53 . 2009-06-11 21:53 -------- d-----w- c:\program files\TomTom DesktopSuite
2009-06-02 23:07 . 2009-06-02 23:07 -------- d-----w- c:\program files\Palo Alto Software
2009-06-02 23:07 . 2009-06-02 23:07 -------- d-----w- c:\program files\Common Files\Palo Alto Software
2009-06-02 23:07 . 2009-06-02 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Palo Alto Software
2009-06-02 22:23 . 2009-06-02 22:23 -------- d-----w- c:\documents and settings\Victor Voong\Local Settings\Application Data\oDesk
2009-06-02 16:43 . 2009-06-02 16:43 -------- d-----w- c:\documents and settings\game\Application Data\Palo Alto Software
2009-06-02 16:41 . 2009-06-02 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\PAS
2009-05-23 02:49 . 2009-05-23 02:49 -------- d-s---w- c:\documents and settings\game\UserData
2009-05-22 20:18 . 2009-05-22 20:18 -------- d-----w- c:\documents and settings\game\Local Settings\Application Data\oDesk
2009-05-22 20:18 . 2009-06-02 22:23 -------- d-----w- c:\program files\oDesk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-17 23:48 . 2007-11-18 04:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-17 23:22 . 2009-03-22 21:46 -------- d-----w- c:\program files\Diablo II
2009-06-17 19:21 . 2008-08-26 00:50 -------- d-----w- c:\program files\Warcraft III
2009-06-17 16:54 . 2007-10-06 18:28 -------- d-----w- c:\documents and settings\Victor Voong\Application Data\OpenOffice.org2
2009-06-17 16:29 . 2007-11-18 03:51 -------- d-----w- c:\program files\Rapid-Emailer
2009-06-17 15:28 . 2006-04-25 06:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-17 15:21 . 2007-04-04 20:59 -------- d-----w- c:\program files\QMacro
2009-06-17 12:49 . 2008-02-16 01:19 -------- d-----w- c:\program files\Downloads Manager
2009-06-17 12:45 . 2008-08-29 01:57 69760 ----a-w- c:\documents and settings\game\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-17 12:14 . 2008-10-26 05:08 -------- d-----w- c:\documents and settings\game\Application Data\OpenOffice.org2
2009-06-10 02:35 . 2008-12-06 15:50 1 ----a-w- c:\documents and settings\game\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-06-02 22:23 . 2008-12-28 04:47 7 ----a-w- c:\windows\sbacknt.bin
2009-05-31 15:01 . 2007-05-16 05:20 -------- d-----w- c:\program files\Dl_cats
2009-05-27 20:43 . 2009-01-18 19:17 -------- d-----w- c:\documents and settings\game\Application Data\dvdcss
2009-05-21 23:54 . 2006-09-19 00:21 56 --sh--r- c:\windows\system32\21EF1056EF.sys
2009-05-21 23:54 . 2006-05-27 22:52 5486 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-05-11 15:01 . 2006-06-25 06:05 -------- d-----w- c:\program files\Winamp
2009-05-11 15:01 . 2006-04-25 06:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-06 18:37 . 2009-05-06 18:37 -------- d-----w- c:\program files\Windows Media Connect 2
2009-04-20 18:44 . 2009-04-20 04:59 -------- d-----w- c:\program files\CoffeeCup Software
2009-04-20 05:53 . 2009-04-20 05:53 -------- d-----w- c:\program files\Common Files\Namo
2009-04-20 05:52 . 2009-04-20 05:52 -------- d-----w- c:\program files\Namo
2009-04-20 05:52 . 2009-04-20 05:52 -------- d-----w- c:\documents and settings\game\Application Data\InstallShield
2009-03-23 05:37 . 2007-02-07 19:33 249856 ------w- c:\windows\Setup1.exe
2009-03-23 05:37 . 2007-02-07 19:33 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-03-22 22:04 . 2009-03-22 21:48 35224 ----a-w- c:\windows\DIIUnin.dat
2009-03-22 22:03 . 2009-03-22 22:00 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-03-22 22:03 . 2009-03-22 22:00 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-03-22 22:03 . 2009-03-22 22:00 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-03-22 21:48 . 2009-03-22 21:48 94208 ----a-w- c:\windows\DIIUnin.exe
2009-03-22 21:48 . 2009-03-22 21:48 2829 ----a-w- c:\windows\DIIUnin.pif
2009-03-20 14:45 . 2008-08-26 00:56 77988 ----a-w- c:\windows\War3Unin.dat
2002-07-31 23:55 . 2009-04-20 05:00 212 --sh--w- c:\windows\WSYS049.SYS
2005-07-14 16:31 . 2005-07-14 16:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 19:32 . 2005-06-26 19:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 02:37 . 2005-06-22 02:37 45568 --sha-r- c:\windows\system32\cygz.dll
2006-05-27 22:52 . 2006-05-27 22:52 88 --sh--r- c:\windows\system32\EF5610EF21.sys
2006-05-03 09:06 . 2008-12-24 02:42 163328 --sh--r- c:\windows\system32\flvDX.dll
2004-01-25 05:00 . 2004-01-25 05:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2007-02-21 10:47 . 2008-12-24 02:42 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2008-12-24 02:42 216064 --sh--r- c:\windows\system32\nbDX.dll
2006-04-27 14:24 . 2006-04-27 14:24 2945024 --sha-r- c:\windows\system32\Smab.dll
2005-02-28 17:16 . 2005-02-28 17:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 05:00 . 2004-01-25 05:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-01 136600]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-03-26 135224]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-23 94208]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-08 185872]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" [2007-03-19 259624]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-09-10 393216]

c:\documents and settings\Victor Voong\Start Menu\Programs\Startup\
DesktopVideoPlayer.LNK - c:\program files\vghd\vghd.exe [2008-2-22 357712]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-1-16 575488]
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-6-9 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2003-08-25 16:25 139264 ----a-w- c:\program files\Common Files\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Palo Alto Software Update Manager 9.0.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Palo Alto Software Update Manager 9.0.lnk
backup=c:\windows\pss\Palo Alto Software Update Manager 9.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^game^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\game\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"SerialNumber"="A109A-K13-3ZXD-BAP5-TE"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8081:TCP"= 8081:TCP:*:Disabled:RADS Agent Wake Up
"12857:TCP"= 12857:TCP:BitComet 12857 TCP
"12857:UDP"= 12857:UDP:BitComet 12857 UDP

R0 MPRIFL;MPRIFL;c:\windows\system32\drivers\mprifl.sys [6/1/2007 7:07 PM 17264]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [6/25/2006 1:24 AM 58464]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [6/3/2009 8:46 AM 92008]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 6:06 AM 21632]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 4:22 PM 34064]
S3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\drivers\V0250Dev.sys [5/28/2007 3:31 PM 163840]
S3 XDva064;XDva064;\??\c:\windows\system32\XDva064.sys --> c:\windows\system32\XDva064.sys [?]
S4 Algaecrtq;Algaecrtq;c:\windows\system32\drivers\null.sys [8/10/2004 1:51 PM 2944]
.
Contents of the 'Scheduled Tasks' folder

2006-05-11 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 10:00]

2007-06-24 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 19:52]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ModemOnHold - c:\program files\NetWaiting\netWaiting.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJfox000&ptb=SrsG0xBBu_5zusCcaJOYLg
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Search
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-18 08:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\program files\Common Files\Stardock\mcpstub.dll
.
Completion time: 2009-06-18 8:49
ComboFix-quarantined-files.txt 2009-06-18 12:49

Pre-Run: 3,773,718,528 bytes free
Post-Run: 3,764,002,816 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

273 --- E O F --- 2008-12-19 08:01


So far it seems like it's fixed. I don't see that process running anymore.

#6
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
Good job!

Make sure you can view hidden files and folders


Upload the following files to the Virus Total Scanner by browsing to each file's folder location:

c:\windows\system32\XDva064.sys <== this one may not be there
c:\windows\system32\drivers\null.sys

Virus Total Scanner will employ several scanners to test each file for its threat potential. Please post
the link to scan results back here, only if threats were detected.

Next, please perform a scan with the ESET online virus scanner. You can expect some detections in Combofix's quarantine (Qoobox) and system volume information. They will not represent active malware so don't worry:
http://www.eset.com/...escan/index.php

  • ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs. Please disable your antivirus's Guard and any antispyware or HIPS programs you are running.
  • Use Internet Explorer to navigate to the scanner website because you must approve the installation of an ActiveX add-on to complete the scan.
  • Check the "Yes, I accept the terms of use" box.
  • Click "Start"
  • Check the following two boxes:
    • enable "Remove found threats"
    • Scan unwanted applications
  • Click the Scan button to begin scanning.
  • When the scan is done the log is automatically saved. To retrieve it
    • Close the ESET scan Window.
    • Now open a run line by clicking Start >> Run...
    • Copy/paste "C:\Program Files\EsetOnlineScanner\log.txt" into the Open box:
    • The Scan results will now display in Notepad
  • Please copy and paste the ESET scan report that can be found in this location
    C:\Program Files\EsetOnlineScanner\log.txt into your next reply
Note to Vista users and anyone with restrictive IE security settings: Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then uncheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE7 Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog

#7
decox

    New Member

  • Members
  • 11 posts
a-squared 4.5.0.18 2009.06.18 -
AhnLab-V3 5.0.0.2 2009.06.18 -
AntiVir 7.9.0.191 2009.06.18 -
Antiy-AVL 2.0.3.1 2009.06.18 -
Authentium 5.1.2.4 2009.06.18 -
Avast 4.8.1335.0 2009.06.17 -
AVG 8.5.0.339 2009.06.18 -
BitDefender 7.2 2009.06.18 -
CAT-QuickHeal 10.00 2009.06.18 -
ClamAV 0.94.1 2009.06.18 -
Comodo 1340 2009.06.18 -
DrWeb 5.0.0.12182 2009.06.18 -
eSafe 7.0.17.0 2009.06.18 Win32.Banker
eTrust-Vet 31.6.6567 2009.06.18 -
F-Prot 4.4.4.56 2009.06.17 -
F-Secure 8.0.14470.0 2009.06.18 -
Fortinet 3.117.0.0 2009.06.18 -
GData 19 2009.06.18 -
Ikarus T3.1.1.59.0 2009.06.18 -
Jiangmin 11.0.706 2009.06.18 -
K7AntiVirus 7.10.766 2009.06.17 -
Kaspersky 7.0.0.125 2009.06.18 -
McAfee 5649 2009.06.17 -
McAfee+Artemis 5649 2009.06.17 -
McAfee-GW-Edition 6.7.6 2009.06.18 -
Microsoft 1.4701 2009.06.18 -
NOD32 4167 2009.06.18 -
Norman 2009.06.17 -
nProtect 2009.1.8.0 2009.06.18 -
Panda 10.0.0.14 2009.06.17 -
PCTools 4.4.2.0 2009.06.17 -
Prevx 3.0 2009.06.18 -
Rising 21.34.34.00 2009.06.18 -
Sophos 4.42.0 2009.06.18 -
Sunbelt 3.2.1858.2 2009.06.18 -
Symantec 1.4.4.12 2009.06.18 -
TheHacker 6.3.4.3.348 2009.06.17 -
TrendMicro 8.950.0.1094 2009.06.18 -
VBA32 3.12.10.7 2009.06.18 -
ViRobot 2009.6.18.1794 2009.06.18 -
VirusBuster 4.6.5.0 2009.06.17 -

----ESET LOG----

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# IEXPLORE.EXE=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=884b66d0e1d53041b12ba2491e48c0bf
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-06-18 05:17:31
# local_time=2009-06-18 01:17:31 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# scanned=106409
# found=5
# cleaned=5
# scan_time=2933
C:\Documents and Settings\game\Desktop\vcs1600.exe Win32/Adware.Agent.NMA application (deleted - quarantined) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACamtffipdwlcxsox.dll.vir Win32/Olmarik.IA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACujiebscppofmegm.dll.vir a variant of Win32/Kryptik.PS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACytxfvqlgfgyabnd.dll.vir Win32/Olmarik.HZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACgcbxluevotmbvpf.sys.vir a variant of Win32/Olmarik.ID trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000

#8
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
Your ESET scan is OK.

Which file was that VT scan report for?

S3 XDva064;XDva064;\??\c:\windows\system32\XDva064.sys

OR

S4 Algaecrtq;Algaecrtq;c:\windows\system32\drivers\null.sys [8/10/2004 1:51 PM 2944]

Can I see the top of the Virus Total report with the file size, MD5 and hash info please?

Can you please visit this submission webpage

In the "Link to topic where this file was requested: " box, copy and paste the url to this topic as follows:
http://www.malwarebytes.org/forums/index.php?act=post&do=reply_post&f=7&t=17696

Next, "Browse to the file you want to submit:" using the browse feature and upload the file which produced the Virus Total scan report ( which I believe is c:\windows\system32\drivers\null.sys)

In the "Leave any comments, further information about this file, or contact information:"
just input your user name

Then click 'Send File'

Thanks!
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog

#9
decox

    New Member

  • Members
  • 11 posts
File 7047032880e19d2b0b4300f23a496700b79bcd14.EXE received on 2009.06.18 13:11:46 (UTC)
Current status: finished
Result: 1/41 (2.44%)
Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.06.18 -
AhnLab-V3 5.0.0.2 2009.06.18 -
AntiVir 7.9.0.191 2009.06.18 -
Antiy-AVL 2.0.3.1 2009.06.18 -
Authentium 5.1.2.4 2009.06.18 -
Avast 4.8.1335.0 2009.06.17 -
AVG 8.5.0.339 2009.06.18 -
BitDefender 7.2 2009.06.18 -
CAT-QuickHeal 10.00 2009.06.18 -
ClamAV 0.94.1 2009.06.18 -
Comodo 1340 2009.06.18 -
DrWeb 5.0.0.12182 2009.06.18 -
eSafe 7.0.17.0 2009.06.18 Win32.Banker
eTrust-Vet 31.6.6567 2009.06.18 -
F-Prot 4.4.4.56 2009.06.17 -
F-Secure 8.0.14470.0 2009.06.18 -
Fortinet 3.117.0.0 2009.06.18 -
GData 19 2009.06.18 -
Ikarus T3.1.1.59.0 2009.06.18 -
Jiangmin 11.0.706 2009.06.18 -
K7AntiVirus 7.10.766 2009.06.17 -
Kaspersky 7.0.0.125 2009.06.18 -
McAfee 5649 2009.06.17 -
McAfee+Artemis 5649 2009.06.17 -
McAfee-GW-Edition 6.7.6 2009.06.18 -
Microsoft 1.4701 2009.06.18 -
NOD32 4167 2009.06.18 -
Norman 2009.06.17 -
nProtect 2009.1.8.0 2009.06.18 -
Panda 10.0.0.14 2009.06.17 -
PCTools 4.4.2.0 2009.06.17 -
Prevx 3.0 2009.06.18 -
Rising 21.34.34.00 2009.06.18 -
Sophos 4.42.0 2009.06.18 -
Sunbelt 3.2.1858.2 2009.06.18 -
Symantec 1.4.4.12 2009.06.18 -
TheHacker 6.3.4.3.348 2009.06.17 -
TrendMicro 8.950.0.1094 2009.06.18 -
VBA32 3.12.10.7 2009.06.18 -
ViRobot 2009.6.18.1794 2009.06.18 -
VirusBuster 4.6.5.0 2009.06.17 -
Additional information
File size: 2944 bytes
MD5 : 73c1e1f395918bc2c6dd67af7591a3ad
SHA1 : 80eb8a76e5579b0136281e4dd4e2d4e56b249e4c
SHA256: b21133a75253ec15e2dff66d3b480ab1a7e1a2360476c810e7aa55d0f0eb08d4
PEInfo: PE Structure information

#10
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
Download Sigcheck and unzip it to your C:\Windows\system32 directory:
http://www.microsoft.com/technet/sysintern...k/Sigcheck.mspx

1. Open Notepad (make sure wordwrap is UNchecked under format)
2. Paste the following text in the code box below into the Notepad window:
sc config CryptSvc start= auto
sc start CryptSvc
If exist "%userprofile%\My Documents\UnsignedFiles.txt" del "%userprofile%\My Documents\UnsignedFiles.txt"
sigcheck C:\WINDOWS\SYSTEM32\DRIVERS\null.sys  > "%userprofile%\My Documents\UnsignedFiles.txt"
cd\
dir /a /s null.sys >> "%userprofile%\My Documents\UnsignedFiles.txt" 
notepad.exe "%userprofile%\My Documents\UnsignedFiles.txt"
Exit

Save the file to your desktop as UnsignedFiles.bat, by setting the "Save as Type" to "All Files".

Double-click the UnsignedFiles.bat gear icon on your desktop to execute the batch file (allow the script to run, but be sure to disable any script blocking programs that are active first).

Note: You must grant sigcheck.exe permission to access the internet via your firewall.

A Notepad file called UnsignedFiles.txt located in your documents folder should open when the batch file has completed processing. Please copy and paste the contents of that file in your next reply.

Also do this for me please:

Open a command prompt (start -> run -> cmd)
Copy/paste the following single line command at the command prompt:

REG query HKLM\SYSTEM\CurrentControlSet\Services\Algaecrtq /s > "%userprofile%\my documents\nullsvc.txt" && notepad "%userprofile%\my documents\nullsvc.txt"

A file called nullsvc.txt located in your documents folder will open.

Please copy and paste the contents of that file in your next reply.
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog

#11
decox

    New Member

  • Members
  • 11 posts
Thanks for your help again,

here's the log:

c:\windows\system32\drivers\null.sys:
Verified: Signed
Signing date: 4:58 AM 8/4/2004
Strong Name: Unsigned
Publisher: Microsoft Corporation
Description: NULL Driver
Product: Microsoft® Windows® Operating System
Version: 5.1.2600.0
File version: 5.1.2600.0 (XPClient.010817-1148)
Volume in drive C has no label.
Volume Serial Number is EC11-0E4B

#12
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
That's not what I got on your file.

I just tacked on a set of instructions for you to export the svc reg key for that driver in my previous reply.

Can you perform those instructions and post back the file that opens.
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog

#13
decox

    New Member

  • Members
  • 11 posts
When I do the sigcheck thing it gave the same information in the text. Here is the nullsvc one.


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Algaecrtq
ErrorControl REG_DWORD 0x0
Type REG_DWORD 0x2
Group REG_SZ FSFilter Copy Protection
Tag REG_DWORD 0x1
ImagePath REG_SZ C:\WINDOWS\system32\drivers\null.sys
Start REG_DWORD 0x4

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Algaecrtq\Security
Security REG_BINARY 01001480900000009C000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020060000400000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D01020001010000000000050B00000000001800FD0102000102000000000005D800AF00F600740000009A000000EF00000A0A0000000000AE00B300A500E800

#14
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
Well, we will pick this up tomorrow, but I do want to let you know that your null.sys driver is authentic so there is no need to worry. :)

The malware service "Algaecrtq" references your null.sys driver for some reason, but that service is not running anyway.

The real null service registry key looks like this:

Quote

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Null]
"ErrorControl"=dword:00000001
"Group"="Base"
"Start"=dword:00000001
"Tag"=dword:00000001
"Type"=dword:00000001

I am sure you have that legit one also so there is no need to worry and we'll resume the cleanup (which is just about done, BTW) later.
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog
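
An added example (not code from this thread, from REG.EXE or from sigcheck) that automates the two checks negster22 asks for in #10 and the comparison he makes in #14: it parses the `reg query /s` output and the sigcheck output exactly as posted, diffs the Algaecrtq key against the real Null key quoted above, and reports why a service key can still be the artifact even when the file it points at is a signed Microsoft driver. The sample inputs are embedded inline; the Algaecrtq dump and sigcheck block are copied from the posts, and the genuine Null key is a constructed reg-query rendering of the REGEDIT4 export in #14.

```python
"""Cross-check a suspicious service key against the file it points at.

Added example, not code from this thread or from REG.EXE / sigcheck.
Inputs are the outputs posted above, embedded inline as constructed samples.
"""
import re

# Constructed sample: `REG query HKLM\...\Services\Algaecrtq /s` output as posted in #13.
REG_OUTPUT = """! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Algaecrtq
ErrorControl REG_DWORD 0x0
Type REG_DWORD 0x2
Group REG_SZ FSFilter Copy Protection
Tag REG_DWORD 0x1
ImagePath REG_SZ C:\\WINDOWS\\system32\\drivers\\null.sys
Start REG_DWORD 0x4
"""

# Constructed sample: the real Null key quoted in #14, rewritten in reg-query style.
REAL_NULL_OUTPUT = """! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Null
ErrorControl REG_DWORD 0x1
Group REG_SZ Base
Start REG_DWORD 0x1
Tag REG_DWORD 0x1
Type REG_DWORD 0x1
"""

# Constructed sample: sigcheck output for the referenced driver, as posted in #11.
SIGCHECK_OUTPUT = """c:\\windows\\system32\\drivers\\null.sys:
Verified: Signed
Signing date: 4:58 AM 8/4/2004
Strong Name: Unsigned
Publisher: Microsoft Corporation
Description: NULL Driver
Product: Microsoft Windows Operating System
Version: 5.1.2600.0
File version: 5.1.2600.0 (XPClient.010817-1148)
"""

# Reference values of the genuine Null service (from the REGEDIT4 export in #14).
KNOWN_GOOD_NULL = {"ErrorControl": 1, "Group": "Base", "Start": 1, "Tag": 1, "Type": 1}
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
VALUE_RE = re.compile(r"^(\w+)\s+(REG_\w+)\s+(.*)$")


def parse_reg_query(text):
    """Parse REG.EXE 3.0 `query /s` output into {key_path: {value_name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue                      # banner or blank line
        if line.upper().startswith("HKEY_"):
            current = line                # a new key header
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, kind, raw = m.groups()
            keys[current][name] = int(raw, 16) if kind == "REG_DWORD" else raw
    return keys


def parse_sigcheck(text):
    """Parse sigcheck's 'Field: value' block; the first line is the file path."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    info = {"Path": lines[0].rstrip(":")}
    for ln in lines[1:]:
        field, _, value = ln.partition(":")
        info[field.strip()] = value.strip()
    return info


def assess_service(key_path, values, sig):
    """List why a service may be suspect even though its image is a signed Microsoft file."""
    findings = []
    name = key_path.rsplit("\\", 1)[-1]
    image = values.get("ImagePath", "")
    if image.lower().endswith("\\null.sys") and name.lower() != "null":
        findings.append(f"service '{name}' borrows the Null driver image {image}")
    for field, good in KNOWN_GOOD_NULL.items():
        if field in values and values[field] != good:
            shown = values[field]
            if field == "Start":
                shown = f"{shown} ({START_NAMES.get(shown, '?')})"
            findings.append(f"{field}={shown} differs from the real Null key ({good})")
    authentic = sig.get("Verified") == "Signed" and sig.get("Publisher") == "Microsoft Corporation"
    if authentic and findings:
        findings.append("image file is authentic: the registry key, not null.sys, is the artifact")
    return findings


def classify(reg_text, sig_text):
    """Map every service key in a reg dump to its findings (empty list means nothing odd)."""
    sig = parse_sigcheck(sig_text)
    return {k: assess_service(k, v, sig) for k, v in parse_reg_query(reg_text).items()}


if __name__ == "__main__":
    for dump in (REG_OUTPUT, REAL_NULL_OUTPUT):
        for key, notes in classify(dump, SIGCHECK_OUTPUT).items():
            print(key, "->", notes or "matches the genuine Null key")
```

The Start=4 finding is the same fact negster22 draws from the dump: the key is disabled, so nothing loads from it, and removing the key (as in #15) rather than the signed driver is the right cleanup.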

#15
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
Open a command prompt.
Copy/paste the following command at the command prompt, and then hit Enter
sc delete Algaecrtq
Copy/paste the following command at the command prompt, and then hit Enter
sc delete "Viewpoint Manager Service"
Copy/paste the following command at the command prompt, and then hit Enter
sc delete XDva064
Exit the command window and tell me if you encountered any error messages

Upload these two files to http://www.Virustotal.com

c:\windows\WSYS049.SYS
c:\windows\system32\EF5610EF21.sys


Post back the results or a link to the results if threats were detected by any of the scanners.

Next, post back a new DDS.txt and a new HJT log.
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog

#16
decox

    New Member

  • Members
  • 11 posts
The first 3 command prompt instructions went fine, no error, everything was deleted.

I can't seem to find the 2 files to scan for virus total. I have view hidden files on.

Here are the logs you requested.

-------DDS----


DDS (Ver_09-05-14.01) - NTFSx86
Run by game at 13:51:39.10 on Sat 06/20/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1015.418 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\game\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJfox000&ptb=SrsG0xBBu_5zusCcaJOYLg
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.1.4.29.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\tbmon.exe"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking9\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking9\Ereg.ini
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Search
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
Notify: MCPClient - c:\program files\common files\stardock\mcpstub.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - c:\program files\common files\stardock\MCPCore.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\game\applic~1\mozilla\firefox\profiles\i26r89sd.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJfox000&fl=0&ptb=SrsG0xBBu_5zusCcaJOYLg&st=kwd&o=kwd&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&searchfor=
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\game\application data\mozilla\firefox\profiles\i26r89sd.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npWebLaunch.dll
FF - plugin: c:\program files\thrixxx\weblaunch\binaries\npWebLaunch.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 MPRIFL;MPRIFL;c:\windows\system32\drivers\mprifl.sys [2007-6-1 17264]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-6-25 58464]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-6-17 353680]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-10-29 587096]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-6-25 106559]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\vstskmgr.exe [2005-8-22 29184]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-6-3 92008]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
R3 McShield;Network Associates McShield;c:\program files\network associates\virusscan\mcshield.exe [2005-8-22 221191]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-6-25 114624]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\drivers\V0250Dev.sys [2007-5-28 163840]

=============== Created Last 30 ================

2009-06-18 22:54 220,560 a------- c:\windows\system32\sigcheck.exe
2009-06-18 08:36 <DIR> a-dshr-- C:\cmdcons
2009-06-18 08:34 161,792 a------- c:\windows\SWREG.exe
2009-06-18 08:34 155,136 a------- c:\windows\PEV.exe
2009-06-18 08:34 98,816 a------- c:\windows\sed.exe
2009-06-18 07:33 <DIR> --d----- C:\Ark
2009-06-17 22:47 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 22:47 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-17 22:47 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-17 15:14 <DIR> --d----- c:\program files\Trend Micro
2009-06-17 14:17 <DIR> --d----- c:\docume~1\game\applic~1\Malwarebytes
2009-06-17 12:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-17 11:36 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-06-17 11:36 1,221,008 a------- c:\windows\system32\zpeng25.dll
2009-06-17 11:36 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-06-17 11:36 <DIR> --d----- c:\program files\Zone Labs
2009-06-17 11:36 348,371 a------- c:\windows\system32\vsconfig.xml
2009-06-17 11:35 <DIR> --d----- c:\windows\Internet Logs
2009-06-17 09:55 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-06-17 09:54 <DIR> --d----- c:\documents and settings\game\.housecall6.6
2009-06-17 09:01 <DIR> --d----- c:\docume~1\game\applic~1\Nuance
2009-06-17 08:57 <DIR> --d----- c:\program files\common files\ScanSoft Shared
2009-06-17 08:57 <DIR> --d----- c:\program files\common files\Nuance
2009-06-17 08:56 <DIR> --d----- c:\program files\Nuance
2009-06-17 08:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nuance
2009-06-17 08:19 <DIR> --d----- c:\program files\PowerISO
2009-06-11 18:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TomTom
2009-06-11 18:00 <DIR> --d----- c:\docume~1\game\applic~1\TomTom
2009-06-11 18:00 <DIR> --d----- c:\program files\TomTom International B.V
2009-06-11 17:58 <DIR> --d----- c:\program files\TomTom HOME 2
2009-06-11 17:53 <DIR> --d----- c:\program files\TomTom DesktopSuite
2009-06-02 19:07 <DIR> --d----- c:\program files\Palo Alto Software
2009-06-02 19:07 <DIR> --d----- c:\program files\common files\Palo Alto Software
2009-06-02 19:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Palo Alto Software
2009-06-02 12:43 <DIR> --d----- c:\docume~1\game\applic~1\Palo Alto Software
2009-06-02 12:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PAS
2009-05-22 22:49 <DIR> --ds---- c:\documents and settings\game\UserData
2009-05-22 16:18 <DIR> --d----- c:\program files\oDesk

==================== Find3M ====================

2009-05-21 19:54 5,486 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-23 01:37 249,856 -------- c:\windows\Setup1.exe
2009-03-23 01:37 73,216 a------- c:\windows\ST6UNST.EXE
2009-03-22 18:04 35,224 a------- c:\windows\DIIUnin.dat
2009-03-22 18:03 21,840 a------t c:\windows\system32\SIntfNT.dll
2009-03-22 18:03 17,212 a------t c:\windows\system32\SIntf32.dll
2009-03-22 18:03 12,067 a------t c:\windows\system32\SIntf16.dll
2009-03-22 17:48 94,208 a------- c:\windows\DIIUnin.exe
2009-03-22 17:48 2,829 a------- c:\windows\DIIUnin.pif
2002-07-31 19:55 212 ---sh--- c:\windows\WSYS049.SYS
2005-07-14 12:31 27,648 a--shr-- c:\windows\system32\AVSredirect.dll
2005-06-26 15:32 616,448 a--shr-- c:\windows\system32\cygwin1.dll
2005-06-21 22:37 45,568 a--shr-- c:\windows\system32\cygz.dll
2006-05-27 18:52 88 ---shr-- c:\windows\system32\EF5610EF21.sys
2006-05-03 05:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2004-01-25 01:00 70,656 a--shr-- c:\windows\system32\i420vfw.dll
2007-02-21 06:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-03-16 08:30 216,064 ---shr-- c:\windows\system32\nbDX.dll
2006-04-27 10:24 2,945,024 a--shr-- c:\windows\system32\Smab.dll
2005-02-28 13:16 240,128 a--shr-- c:\windows\system32\x.264.exe
2004-01-25 01:00 70,656 a--shr-- c:\windows\system32\yv12vfw.dll

============= FINISH: 13:52:37.82 ===============


----HJT------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:53:40 PM, on 6/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.mywebsearch.com/mywebsearch/...Bu_5zusCcaJOYLg
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\NaturallySpeaking9\Ereg.ini
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset...lineScanner.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9593 bytes

#17
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
Your current DDS.txt is still listing those drivers so let's check their presence with the antirootkit program.

Open the antirootkit program again by double-clicking the randomly named EXE file within the C:\ARK folder
1) Click the ">>>" tab, and then click the Files tab, which opens a file system browser
2) Click the + sign next to C:\Windows in the left pane, and the right pane will update to display files in that folder arranged alphabetically
3) Navigate to c:\windows\WSYS049.SYS and see if that file is there. If found - is it listed in red?
4) Next, navigate to c:\windows\system32\EF5610EF21.sys, and see if the file is there. If found - is it listed in red?
5) Now click the "Services" tab, and tell me whether either of the above are listed under the file name column
6) Exit the ARK
7) Report back to me

I would reset your Firefox search preferences as it is showing MyWebSearch redirects:

"DDS.txt" said:

uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJfox000&ptb=SrsG0xBBu_5zusCcaJOYLg

Also in HJT:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.mywebs...Bu_5zusCcaJOYLg
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog
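
The MyWebSearch entries negster22 points at live in the Firefox profile's prefs.js (the DDS log gives the profile path as c:\docume~1\game\applic~1\mozilla\firefox\profiles\i26r89sd.default\). Below is an added example, not part of negster22's post or of any Malwarebytes tooling, showing how to pick those entries out of prefs.js and strip them so Firefox rebuilds its defaults on the next start. The sample prefs.js is constructed here from the three prefs.js lines in the DDS output above (URLs left defanged as hxxp, as the log shows them); the list of watched preference names and the single "mywebsearch" indicator are assumptions that cover only what this thread shows. Firefox must be closed before the real file is edited, or it will overwrite the change on exit.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample modelled on the "FF - prefs.js:" lines in the DDS log above.
SAMPLE_PREFS_JS = '''# Mozilla User Preferences
user_pref("browser.search.selectedEngine", "MyWebSearch");
user_pref("browser.startup.homepage", "about:blank");
user_pref("keyword.URL", "hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJfox000&fl=0&ptb=SrsG0xBBu_5zusCcaJOYLg&st=kwd&o=kwd&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&searchfor=");
user_pref("network.cookie.cookieBehavior", 0);
user_pref("browser.search.update", false);
'''

# Preferences that decide where the address bar and search box send the user
# (assumption: this set is enough for the hijack seen in this thread).
SEARCH_PREFS = {
    "browser.startup.homepage",
    "browser.search.selectedEngine",
    "browser.search.defaultenginename",
    "keyword.URL",
}

# Indicator strings matched case-insensitively against the pref value; only the
# one this thread shows is listed, extend as needed.
HIJACK_INDICATORS = ("mywebsearch",)

# user_pref("name", value);  -- value keeps its own quotes so strings, ints and
# booleans all come through as their literal text.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')


def parse_prefs(text: str) -> Dict[str, str]:
    """Return {name: raw_value} for every user_pref line in a prefs.js body."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def find_hijacked(prefs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Search-related prefs whose value names a known hijacker."""
    hits = []
    for name, raw in prefs.items():
        if name in SEARCH_PREFS and any(ind in raw.lower() for ind in HIJACK_INDICATORS):
            hits.append((name, raw))
    return hits


def reset_prefs(text: str, names: Iterable[str]) -> str:
    """Drop the user_pref lines for `names`; Firefox recreates the defaults on next start."""
    drop = set(names)
    kept = []
    for line in text.splitlines(keepends=True):
        m = PREF_RE.match(line)
        if m and m.group(1) in drop:
            continue
        kept.append(line)
    return "".join(kept)


if __name__ == "__main__":
    hits = find_hijacked(parse_prefs(SAMPLE_PREFS_JS))
    for name, raw in hits:
        print(f"hijacked: {name} = {raw}")
    cleaned = reset_prefs(SAMPLE_PREFS_JS, (n for n, _ in hits))
    print("--- cleaned prefs.js ---")
    print(cleaned, end="")
```

Run against the real file, the script only reports; writing the cleaned text back over prefs.js is a deliberate extra step, and the IE Start Page in the HJT R0 line is a separate HKCU registry value that this does not touch.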

#18
decox

    New Member

  • Members
  • 11 posts
The 2 files didn't show up as red, and under the name list they didn't show up at all.

I did reset my firefox preferences too.

#19
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
Copy the suspect files to desktop and scan at virustotal:

Open the antirootkit program again by double-clicking the randomly named EXE file within the C:\ARK folder
1) Click the ">>>" tab, and then click the Files tab, which opens a file system browser
2) Click the + sign next to C:\Windows in the left pane, and the right pane will update to display files in that folder arranged alphabetically
3) Navigate to c:\windows\WSYS049.SYS and double-click that file.
  • Click the "Copy" button that appears on the right hand side of the page
  • Save the file to your desktop as WSYS049.SYS
4) Next, navigate to c:\windows\system32\EF5610EF21.sys
  • Click the "Copy" button that appears on the right hand side of the page
  • Save the file to your desktop as EF5610EF21.sys
5) Exit the ARK
6) Scan both files at http://www.virustotal.com/ by browsing to the files you just copied to your desktop, and post back the link to the scan reports, if threats were detected by any of the scanners.

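Posts #17 and #19 together are one triage procedure for the two Find3M entries: confirm the files are really there, note their attributes (DDS printed WSYS049.SYS as a--sh--- and EF5610EF21.sys as ---shr--, i.e. system/hidden and read-only), take a copy, and get a verdict from VirusTotal. The script below is an added example, not part of negster22's instructions or of the ARK, that does the same checks from the command line on Python 3 and hashes the files so they can be looked up on VirusTotal by SHA-256 instead of being uploaded. It goes through the ordinary Windows file API, so it only sees what Windows itself reports, which is exactly why negster22 makes the first check inside the ARK rather than in Explorer. The two sample files are constructed stand-ins with made-up contents at the sizes the log shows (212 and 88 bytes); the VirusTotal report URL is the current /gui/file/<sha256> form, an assumption relative to the 2009 site in the thread.

```python
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Win32 attribute bits; os.stat() exposes them as st_file_attributes on Windows only.
FILE_ATTRIBUTE_READONLY = 0x1
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4

# Constructed stand-ins for the two suspect files, sized as the DDS Find3M
# section reports them. The bytes are made up; only names and sizes match.
SAMPLE_FILES: Dict[str, bytes] = {
    "WSYS049.SYS": b"\x00" * 212,
    "EF5610EF21.sys": b"\xff" * 88,
}


@dataclass
class Triage:
    path: str
    present: bool
    size: Optional[int] = None
    attrs: str = ""              # DDS-style letters: s=system, h=hidden, r=read-only
    sha256: Optional[str] = None
    md5: Optional[str] = None


def hash_file(path: str, chunk: int = 65536) -> Tuple[str, str]:
    """SHA-256 and MD5 of a file, streamed so large files never sit in memory."""
    h256, hmd5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h256.update(block)
            hmd5.update(block)
    return h256.hexdigest(), hmd5.hexdigest()


def attr_flags(st: os.stat_result) -> str:
    """Render the attribute letters DDS prints; system/hidden exist only on Windows."""
    bits = getattr(st, "st_file_attributes", 0)   # 0 on non-Windows platforms
    flags = ""
    if bits & FILE_ATTRIBUTE_SYSTEM:
        flags += "s"
    if bits & FILE_ATTRIBUTE_HIDDEN:
        flags += "h"
    if bits & FILE_ATTRIBUTE_READONLY or not (st.st_mode & stat.S_IWUSR):
        flags += "r"
    return flags


def triage(path: str) -> Triage:
    """Presence, size, attributes and hashes for one suspect path via the normal file API."""
    if not os.path.isfile(path):
        return Triage(path=path, present=False)
    st = os.stat(path)
    sha256, md5 = hash_file(path)
    return Triage(path, True, st.st_size, attr_flags(st), sha256, md5)


def triage_all(paths: List[str]) -> List[Triage]:
    return [triage(p) for p in paths]


def vt_lookup_url(sha256: str) -> str:
    """VirusTotal report page for a hash; nothing is uploaded by looking this up."""
    return f"https://www.virustotal.com/gui/file/{sha256}"


def make_sample_dir() -> str:
    """Write the constructed sample files into a temp dir and return its path."""
    d = tempfile.mkdtemp(prefix="ark-triage-")
    for name, data in SAMPLE_FILES.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    os.chmod(os.path.join(d, "EF5610EF21.sys"), 0o444)  # mimic the 'r' DDS showed
    return d


def sample_paths(d: str) -> List[str]:
    return [os.path.join(d, n) for n in SAMPLE_FILES]


if __name__ == "__main__":
    d = make_sample_dir()
    for t in triage_all(sample_paths(d) + [os.path.join(d, "not-there.sys")]):
        if not t.present:
            print(f"MISSING  {t.path}")
            continue
        print(f"{t.size:>8} {t.attrs:<3} {t.path}")
        print(f"         sha256={t.sha256}  md5={t.md5}")
        print(f"         {vt_lookup_url(t.sha256)}")
```

On the real machine, replace sample_paths() with the two paths from the log. If the hash is already known to VirusTotal the report answers the question without the file leaving the box; only an unknown hash needs the copy-to-desktop-and-upload step negster22 describes.
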
#20
decox

    New Member

  • Members
  • 11 posts
http://www.virustotal.com/analisis/b95ac7c...5f78-1245550085

http://www.virustotal.com/analisis/6421fea...b3bc-1245550056
