earlgrey

  1. Malwarebytes' Anti-Malware 1.45
     www.malwarebytes.org

     Database version: 4011

     Windows 5.1.2600 Service Pack 2
     Internet Explorer 7.0.5730.11

     20/04/2010 2:18:57 AM
     mbam-log-2010-04-20 (02-18-57).txt

     Scan type: Quick scan
     Objects scanned: 109091
     Time elapsed: 9 minute(s), 39 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  2. Everything seems to be working fine. But before, Spyware Doctor was kind of suppressing the effects of Antispyware Soft. It seemed to be gone and then when I uninstalled Spyware Doctor, it reappeared immediately. Should I delete Spyware Doctor to check?
  4. ESETSmartInstaller@High as CAB hook log:
     OnlineScanner.ocx - registred OK
     # version=7
     # iexplore.exe=7.00.6000.17023 (vista_gdr.100222-0012)
     # OnlineScanner.ocx=1.0.0.6211
     # api_version=3.0.2
     # EOSSerial=155ac8da214ad14a8aab9c96da4140d7
     # end=finished
     # remove_checked=true
     # archives_checked=true
     # unwanted_checked=true
     # unsafe_checked=true
     # antistealth_checked=true
     # utc_time=2010-04-17 11:40:56
     # local_time=2010-04-17 07:40:56 (-0500, Eastern Daylight Time)
     # country="Canada"
     # lang=1033
     # osver=5.1.2600 NT Service Pack 2
     # compatibility_mode=1024 16777191 100 0 13089951 13089951 0 0
     # compatibility_mode=2560 16777215 100 0 0 0 0 0
     # compatibility_mode=8192 67108863 100 0 0 0 0 0
     # scanned=79173
     # found=8
     # cleaned=8
     # scan_time=10391
     C:\Documents and Settings\main_user\My Documents\My Music\31 flavours (rare track).wav	a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined)	00000000000000000000000000000000	C
     C:\Documents and Settings\main_user\My Documents\My Music\Louis Prima - Yes, We have No Bananas.mp3	a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined)	00000000000000000000000000000000	C
     C:\Documents and Settings\main_user\My Documents\My Music\other father song [cd rip].mp3	a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined)	00000000000000000000000000000000	C
     C:\Documents and Settings\main_user\My Documents\My Music\ten thousand paces CD quality.mp3	a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined)	00000000000000000000000000000000	C
     C:\Program Files\PopCap Games\TipTop Deluxe\CRACK-TipTopDeluxe.exe	Win32/Tool.TPE.A application (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
     C:\System Volume Information\_restore{E926DFA9-A30F-4C2B-8FE3-DA724F5344EB}\RP584\A0730828.exe	Win32/Adware.OneStep application (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
     C:\System Volume Information\_restore{E926DFA9-A30F-4C2B-8FE3-DA724F5344EB}\RP584\A0730829.exe	Win32/Adware.OneStep application (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
     C:\System Volume Information\_restore{E926DFA9-A30F-4C2B-8FE3-DA724F5344EB}\RP618\A0904960.exe	Win32/Tool.TPE.A application (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
  5. Oh! Nevermind! I found the .txt file.
  6. It's saying press any key, and then after that I'm not sure if it's doing anything. There's nothing open on my screen.
  7. Should I turn off my anti-virus or any other programs while running TDSSKiller?
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\main_user\Application Data\Mozilla\Firefox\Profiles\mpbq3u84.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\rpff.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-17 12:35
Windows 5.1.2600 Service Pack 2 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x82B8AD00]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8799fc3
\Driver\ACPI -> ACPI.sys @ 0xf86c4cb8
\Driver\atapi -> 0x82b8ad00
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a18f6
ParseProcedure -> ntoskrnl.exe @ 0x8056f26d
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a18f6
ParseProcedure -> ntoskrnl.exe @ 0x8056f26d
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1390067357-1935655697-1343024091-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3072)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\pctgmhk.dll
c:\windows\system32\tabhook.dll
c:\windows\system32\ctagent.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\WS2HELP.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------ . c:\program files\AVG\AVG9\avgchsvx.exe c:\program files\AVG\AVG9\avgrsx.exe c:\program files\AVG\AVG9\avgcsrvx.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Common Files\Motive\McciCMService.exe c:\windows\system32\nvsvc32.exe c:\program files\CyberLink\Shared files\RichVideo.exe c:\program files\Spyware Doctor\pctsSvc.exe c:\program files\AVG\AVG9\avgnsx.exe c:\windows\system32\Tablet.exe c:\windows\system32\MsPMSPSv.exe c:\windows\system32\CTHELPER.EXE c:\windows\system32\lxcgcoms.exe c:\program files\iPod\bin\iPodService.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Completion time: 2010-04-17 12:46:55 - machine was rebooted ComboFix-quarantined-files.txt 2010-04-17 16:46 ComboFix2.txt 2010-04-16 20:41 ComboFix3.txt 2010-04-16 18:22 Pre-Run: 33,570,000,896 bytes free Post-Run: 33,541,095,424 bytes free - - End Of File - - 75AB9B6ABED122239F3C552F8A26C2DA
  9. ComboFix 10-04-15.05 - main_user 16/04/2010 16:11:08.2.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.234 [GMT -4:00] Running from: c:\documents and settings\main_user\Desktop\Combo-Fix.exe Command switches used :: c:\documents and settings\main_user\Desktop\CFScript.txt AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 ))))))))))))))))))))))))))))))) . 2010-04-15 23:04 . 2010-04-15 23:04 -------- d-----w- c:\documents and settings\main_user\Local Settings\Application Data\Threat Expert 2010-04-15 22:51 . 2010-02-05 13:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys 2010-04-15 22:51 . 2010-04-15 22:51 -------- d-----w- c:\documents and settings\main_user\Application Data\PC Tools 2010-04-15 22:51 . 2010-04-15 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools 2010-04-15 16:17 . 2010-04-15 16:17 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy) 2010-04-15 14:31 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll 2010-04-15 14:31 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll 2010-04-15 14:31 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip 2010-04-15 14:31 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll 2010-04-15 14:31 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll 2010-04-15 14:31 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip 2010-04-15 14:27 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys 2010-04-15 14:26 . 2010-03-10 15:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys 2010-04-15 14:26 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys 2010-04-15 14:26 . 2010-04-16 20:25 -------- d-----w- c:\program files\Spyware Doctor 2010-04-15 14:26 . 
2010-04-15 23:00 -------- d-----w- c:\program files\Common Files\PC Tools 2010-04-15 01:41 . 2010-04-15 01:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes 2010-04-15 01:28 . 2010-04-15 23:47 -------- d-----w- c:\documents and settings\main_user\Local Settings\Application Data\jtmojytql . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-04-16 20:31 . 2008-10-14 04:19 -------- d-----w- c:\documents and settings\main_user\Application Data\uTorrent 2010-04-16 20:25 . 2009-04-14 19:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2010-04-16 20:24 . 2007-07-14 03:59 12494 ----a-w- c:\windows\system32\tablet.dat 2010-04-16 20:23 . 2008-02-18 01:26 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000000-00000000-0000000B-00001102-00000002-80651102}.dat 2010-04-16 20:23 . 2008-02-18 01:26 24 ----a-w- c:\windows\system32\DVCState-{00000000-00000000-0000000B-00001102-00000002-80651102}.dat 2010-04-16 19:01 . 2009-11-13 04:39 0 ----a-w- c:\documents and settings\main_user\Local Settings\Application Data\prvlcl.dat 2010-04-16 17:20 . 2006-12-03 04:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-04-16 16:48 . 2009-09-22 15:33 -------- d-----w- c:\program files\BellCanada 2010-04-16 16:12 . 2008-01-25 05:22 -------- d-----w- c:\program files\LimeWire 2010-04-15 13:20 . 2010-03-01 06:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-04-15 00:36 . 2008-01-20 22:02 -------- d-----w- c:\program files\Lx_cats 2010-04-14 03:24 . 2008-01-25 05:23 -------- d-----w- c:\documents and settings\main_user\Application Data\LimeWire 2010-03-30 04:46 . 2010-03-01 06:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-03-30 04:45 . 2010-03-01 06:30 20824 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-03-18 03:42 . 
2009-03-26 05:35 -------- d-----w- c:\program files\uTorrent 2010-03-15 17:15 . 2009-10-25 20:48 62752 ---ha-w- c:\windows\system32\mlfcache.dat 2010-03-15 15:28 . 2009-03-29 19:46 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2010-03-15 15:28 . 2010-03-15 15:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll 2010-03-15 15:28 . 2009-03-29 19:46 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2010-03-15 15:28 . 2009-03-29 19:46 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2010-03-11 12:38 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll 2010-03-11 12:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll 2010-03-11 12:38 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll 2010-03-11 00:17 . 2008-06-30 23:22 -------- d-----w- c:\program files\Celtx 2010-03-09 11:09 . 2004-08-04 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll 2010-03-01 06:31 . 2010-03-01 06:31 -------- d-----w- c:\documents and settings\main_user\Application Data\Malwarebytes 2010-03-01 06:30 . 2010-03-01 06:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-02-26 03:50 . 2008-05-04 15:57 -------- d-----w- c:\documents and settings\main_user\Application Data\Apple Computer 2010-02-25 18:27 . 2006-12-03 02:01 89664 ----a-w- c:\documents and settings\main_user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-02-25 00:24 . 2010-02-25 00:24 -------- d-----w- c:\program files\MSECache 2010-02-24 12:31 . 2004-08-04 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2010-02-16 13:19 . 2004-08-04 12:00 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-02-16 12:39 . 2004-08-03 22:59 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe 2010-02-12 04:47 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll 2010-02-11 12:01 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys 2009-10-05 23:34 . 
2009-09-14 18:29 210944 ----a-w- c:\program files\mozilla firefox\components\rpff.dll . (((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ---- Directory of c:\documents and settings\main_user\Local Settings\Application Data\jtmojytql ---- ------- Sigcheck ------- [-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys [7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\atapi.sys [-] 2004-08-04 12:00 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-03-18 319792] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IW Controlcenter"="c:\progra~1\INSTAN~1\INSTAN~1\IWCTRL.EXE" [2002-09-26 751104] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-08 30208] "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152] "D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2004-07-09 1249280] "ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-04-14 45056] "LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728] "lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 200704] "EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 49152] "WINDVDPatch"="CTHELPER.EXE" [2002-07-02 24576] "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 
90112] "Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672] "CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480] "nwiz"="nwiz.exe" [2006-10-22 1622016] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016] "BellCanada_McciTrayApp"="c:\program files\BellCanada\McciTrayApp.exe" [2008-12-07 1471488] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608] "ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [bU] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-16 113664] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-9-24 282624] TabUserW.exe.lnk - c:\windows\system32\Wtablet\TabUserW.exe [2003-12-4 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2010-03-15 15:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\WINDOWS\\system32\\lxcgcoms.exe"= "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcgpswx.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"= "c:\\Program 
Files\\AVG\\AVG9\\avgnsx.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [02/12/2006 11:50 PM 160640] R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [02/12/2006 11:50 PM 5248] R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [15/04/2010 10:26 AM 217032] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [29/03/2009 3:46 PM 216200] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [29/03/2009 3:46 PM 242696] R1 cdrdrv;cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [02/12/2006 11:03 PM 61952] R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [02/12/2006 11:03 PM 9728] R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [02/12/2006 11:03 PM 178688] R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [15/03/2010 11:28 AM 308064] R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [15/04/2010 10:31 AM 112592] R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [15/04/2010 6:51 PM 366840] S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [16/08/2008 8:50 PM 31872] S3 V90drv;v90drv;c:\windows\system32\drivers\v90drv.sys [29/11/2001 4:10 AM 1432836] --- Other Services/Drivers In Memory --- *Deregistered* - PCTSDInjDriver32 . Contents of the 'Scheduled Tasks' folder 2009-10-15 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34] . . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\main_user\Application Data\Mozilla\Firefox\Profiles\mpbq3u84.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\rpff.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-16 16:30
Windows 5.1.2600 Service Pack 2 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x82B77340]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8799fc3
\Driver\ACPI -> ACPI.sys @ 0xf86c4cb8
\Driver\atapi -> 0x82b77340
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a18f6
ParseProcedure -> ntoskrnl.exe @ 0x8056f26d
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a18f6
ParseProcedure -> ntoskrnl.exe @ 0x8056f26d
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1390067357-1935655697-1343024091-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3612)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\pctgmhk.dll
c:\windows\system32\tabhook.dll
c:\windows\system32\ctagent.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\WS2HELP.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------ . c:\program files\AVG\AVG9\avgchsvx.exe c:\program files\AVG\AVG9\avgrsx.exe c:\program files\AVG\AVG9\avgcsrvx.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Common Files\Motive\McciCMService.exe c:\windows\system32\nvsvc32.exe c:\program files\CyberLink\Shared files\RichVideo.exe c:\program files\Spyware Doctor\pctsSvc.exe c:\program files\AVG\AVG9\avgnsx.exe c:\windows\system32\Tablet.exe c:\windows\system32\MsPMSPSv.exe c:\windows\system32\CTHELPER.EXE c:\windows\system32\wscntfy.exe c:\windows\system32\lxcgcoms.exe c:\program files\iPod\bin\iPodService.exe . ************************************************************************** . Completion time: 2010-04-16 16:41:51 - machine was rebooted ComboFix-quarantined-files.txt 2010-04-16 20:41 ComboFix2.txt 2010-04-16 18:22 Pre-Run: 33,639,919,616 bytes free Post-Run: 33,591,144,448 bytes free - - End Of File - - 327FC9BEB79F07B55A7D7348CD4830C4
10. JavaRa 1.15 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Fri Apr 16 12:45:20 2010
Found and removed: C:\Program Files\Java\jre1.5.0_09
Found and removed: C:\Documents and Settings\main_user\Application Data\Sun\Java\jre1.6.0_12
Found and removed: C:\Documents and Settings\main_user\Application Data\Sun\Java\jre1.6.0_13
Found and removed: C:\Documents and Settings\main_user\Application Data\Sun\Java\jre1.6.0_14
Found and removed: C:\Documents and Settings\main_user\Application Data\Sun\Java\jre1.6.0_15
Found and removed: C:\Windows\System32\jpicpl32.cpl
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_09\
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core1.zip
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core2.zip
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\core3.zip
JavaRa 1.15 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Fri Apr 16 12:46:42 2010
------------------------------------
Finished reporting.
____
ComboFix 10-04-15.05 - main_user 16/04/2010 13:59:49.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.106 [GMT -4:00]
Running from: c:\documents and settings\main_user\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\main_user\Recent\Thumbs.db c:\program files\INSTALL.LOG c:\windows\system32\Thumbs.db . ((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 ))))))))))))))))))))))))))))))) . 2010-04-15 23:04 . 2010-04-15 23:04 -------- d-----w- c:\documents and settings\main_user\Local Settings\Application Data\Threat Expert 2010-04-15 22:51 . 2010-02-05 13:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys 2010-04-15 22:51 . 2010-04-15 22:51 -------- d-----w- c:\documents and settings\main_user\Application Data\PC Tools 2010-04-15 22:51 . 2010-04-15 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools 2010-04-15 16:17 . 2010-04-15 16:17 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy) 2010-04-15 14:31 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll 2010-04-15 14:31 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll 2010-04-15 14:31 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip 2010-04-15 14:31 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll 2010-04-15 14:31 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll 2010-04-15 14:31 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip 2010-04-15 14:27 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys 2010-04-15 14:26 . 2010-03-10 15:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys 2010-04-15 14:26 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys 2010-04-15 14:26 . 2010-04-16 18:15 -------- d-----w- c:\program files\Spyware Doctor 2010-04-15 14:26 . 2010-04-15 23:00 -------- d-----w- c:\program files\Common Files\PC Tools 2010-04-15 01:41 . 2010-04-15 01:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes 2010-04-15 01:28 . 2010-04-15 23:47 -------- d-----w- c:\documents and settings\main_user\Local Settings\Application Data\jtmojytql 2010-04-07 16:17 . 
2010-04-07 16:17 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-01 16:12 . 2010-04-01 16:12 4076824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-04-01 16:12 . 2010-04-01 16:12 2059544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-04-01 16:12 . 2010-04-01 16:12 1598744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-04-01 16:12 . 2010-04-01 16:12 1515224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll
2010-04-01 16:12 . 2010-04-01 16:12 1274136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-04-01 16:12 . 2010-04-01 16:12 598296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-04-01 16:12 . 2010-04-01 16:12 341272 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxch32.dll
2010-04-01 16:12 . 2010-04-01 16:12 313112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll
2010-04-01 16:12 . 2010-04-01 16:12 459544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll
2010-04-01 16:12 . 2010-04-01 16:12 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe
2010-04-01 16:12 . 2010-04-01 16:12 556824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2010-04-01 16:12 . 2010-04-01 16:12 301336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-04-01 16:10 . 2010-04-01 16:10 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-01 16:10 . 2010-04-01 16:10 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-16 18:12 . 2009-04-14 19:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-16 17:49 . 2007-07-14 03:59 12494 ----a-w- c:\windows\system32\tablet.dat
2010-04-16 17:47 . 2008-02-18 01:26 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000000-00000000-0000000B-00001102-00000002-80651102}.dat
2010-04-16 17:47 . 2008-02-18 01:26 24 ----a-w- c:\windows\system32\DVCState-{00000000-00000000-0000000B-00001102-00000002-80651102}.dat
2010-04-16 17:46 . 2008-10-14 04:19 -------- d-----w- c:\documents and settings\main_user\Application Data\uTorrent
2010-04-16 17:20 . 2006-12-03 04:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-16 17:01 . 2009-11-13 04:39 0 ----a-w- c:\documents and settings\main_user\Local Settings\Application Data\prvlcl.dat
2010-04-16 16:48 . 2009-09-22 15:33 -------- d-----w- c:\program files\BellCanada
2010-04-16 16:12 . 2008-01-25 05:22 -------- d-----w- c:\program files\LimeWire
2010-04-15 13:20 . 2010-03-01 06:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-15 13:20 . 2010-03-01 06:31 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-15 00:36 . 2008-01-20 22:02 -------- d-----w- c:\program files\Lx_cats
2010-04-14 03:24 . 2008-01-25 05:23 -------- d-----w- c:\documents and settings\main_user\Application Data\LimeWire
2010-03-30 04:46 . 2010-03-01 06:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2010-03-01 06:30 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-18 03:42 . 2009-03-26 05:35 -------- d-----w- c:\program files\uTorrent
2010-03-15 17:15 . 2009-10-25 20:48 62752 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-15 15:28 . 2009-03-29 19:46 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-15 15:28 . 2010-03-15 15:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-15 15:28 . 2009-03-29 19:46 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-15 15:28 . 2009-03-29 19:46 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-11 12:38 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2010-03-11 00:17 . 2008-06-30 23:22 -------- d-----w- c:\program files\Celtx
2010-03-09 11:09 . 2004-08-04 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-01 06:31 . 2010-03-01 06:31 -------- d-----w- c:\documents and settings\main_user\Application Data\Malwarebytes
2010-03-01 06:30 . 2010-03-01 06:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-26 03:50 . 2008-05-04 15:57 -------- d-----w- c:\documents and settings\main_user\Application Data\Apple Computer
2010-02-25 18:27 . 2006-12-03 02:01 89664 ----a-w- c:\documents and settings\main_user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-25 00:24 . 2010-02-25 00:24 -------- d-----w- c:\program files\MSECache
2010-02-24 12:31 . 2004-08-04 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 13:19 . 2004-08-04 12:00 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2004-08-03 22:59 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-02 23:20 . 2010-02-02 23:20 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-17 19:01 . 2010-01-17 19:01 290816 ----a-w- c:\documents and settings\main_user\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2010-01-17 19:01 . 2010-01-17 19:01 290816 ----a-w- c:\documents and settings\main_user\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2010-01-17 19:01 . 2010-01-17 19:01 290816 ----a-w- c:\documents and settings\main_user\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2010-01-17 19:01 . 2010-01-17 19:01 290816 ----a-w- c:\documents and settings\main_user\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-10-05 23:34 . 2009-09-14 18:29 210944 ----a-w- c:\program files\mozilla firefox\components\rpff.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-03-18 319792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IW Controlcenter"="c:\progra~1\INSTAN~1\INSTAN~1\IWCTRL.EXE" [2002-09-26 751104]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-08 30208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]
"D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2004-07-09 1249280]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-04-14 45056]
"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 200704]
"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 49152]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 24576]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"BellCanada_McciTrayApp"="c:\program files\BellCanada\McciTrayApp.exe" [2008-12-07 1471488]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-15 15:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.sys

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxcgcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcgpswx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [02/12/2006 11:50 PM 5248]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [15/04/2010 10:26 AM 217032]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [29/03/2009 3:46 PM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [29/03/2009 3:46 PM 242696]
R1 cdrdrv;cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [02/12/2006 11:03 PM 61952]
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [02/12/2006 11:03 PM 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [02/12/2006 11:03 PM 178688]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [15/03/2010 11:28 AM 308064]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [15/04/2010 10:31 AM 112592]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [15/04/2010 6:51 PM 366840]
S0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [02/12/2006 11:50 PM 160640]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [16/08/2008 8:50 PM 31872]
S3 V90drv;v90drv;c:\windows\system32\drivers\v90drv.sys [29/11/2001 4:10 AM 1432836]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32
.
Contents of the 'Scheduled Tasks' folder

2009-10-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\main_user\Application Data\Mozilla\Firefox\Profiles\mpbq3u84.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\rpff.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ISTray - c:\program files\Spyware Doctor\pctsTray.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_09\bin\jusched.exe
AddRemove-DealAssistant - c:\documents and settings\main_user\Application Data\DealAssistant\DAUninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-16 14:14
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????&2???A~??A~????????\???\???????????U?A~??A~\???\???????@xa??????C@?\???\??????s????\??????s\????&2?A??s?&2??C@?x???`|?w\?????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-1935655697-1343024091-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2010-04-16 14:22:48
ComboFix-quarantined-files.txt 2010-04-16 18:22

Pre-Run: 25,034,256,384 bytes free
Post-Run: 33,597,816,832 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 6A2E47C83BFA6D95BFF4F700E088F4B5
11. Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3993

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

15/04/2010 7:47:00 PM
mbam-log-2010-04-15 (19-47-00).txt

Scan type: Quick scan
Objects scanned: 122183
Time elapsed: 26 minute(s), 13 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\Documents and Settings\main_user\Local Settings\Application Data\jtmojytql\djpalljtssd.exe (Trojan.FakeAlert.Gen) -> Unloaded process successfully.
C:\Documents and Settings\main_user\Local Settings\Application Data\jtmojytql\djpalljtssd.exe (Trojan.FakeAlert.Gen) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ggqootdl (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ggqootdl (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\main_user\Local Settings\Application Data\jtmojytql\djpalljtssd.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\main_user\Local Settings\Temporary Internet Files\Content.IE5\MKD8NP3I\80a5ad[1].exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

____

DDS (Ver_09-09-29.01) - NTFSx86
Run by main_user at 20:30:50.12 on 15/04/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.101 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\BellCanada\McciTrayApp.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\main_user\Desktop\dds.com
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: DA Bar: {59c40940-073e-11de-8c30-0800200c9a66} - %SystemRoot%\system32\shdocvw.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
mRun: [iW Controlcenter] c:\progra~1\instan~1\instan~1\IWCTRL.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [D-Link AirPlus G] c:\program files\d-link\airplus g\AirGCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16
mRun: [lxcgmon.exe] "c:\program files\lexmark 2300 series\lxcgmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 2300 series\ezprint.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [WINDVDPatch] CTHELPER.EXE
mRun: [updReg] c:\windows\UpdReg.EXE
mRun: [Jet Detection] "c:\program files\creative\sblive\program\ADGJDet.exe"
mRun: [CTStartup] c:\program files\creative\splash screen\CTEaxSpl.EXE /run
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [bellCanada_McciTrayApp] c:\program files\bellcanada\McciTrayApp.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [iSTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
mPolicies-explorer: <NO NAME> =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165110948911
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\main_u~1\applic~1\mozilla\firefox\profiles\mpbq3u84.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\components\rpff.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-4-15 217032]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-29 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-29 29512]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-29 242696]
R1 cdrdrv;cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [2006-12-2 61952]
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [2006-12-2 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [2006-12-2 178688]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-15 308064]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-4-15 112592]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-4-15 366840]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-4-15 1142224]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2008-8-16 31872]
S3 V90drv;v90drv;c:\windows\system32\drivers\v90drv.sys [2001-11-29 1432836]

=============== Created Last 30 ================

2010-04-15 18:51 70,408 a------- c:\windows\system32\drivers\pctplsg.sys
2010-04-15 18:51 7,383 a------- c:\windows\system32\drivers\pctplsg.cat
2010-04-15 18:51 <DIR> --d----- c:\docume~1\main_u~1\applic~1\PC Tools
2010-04-15 18:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2010-04-15 12:17 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-04-15 10:31 767,952 a------- c:\windows\BDTSupport.dll
2010-04-15 10:31 149,456 a------- c:\windows\SGDetectionTool.dll
2010-04-15 10:31 882 a------- c:\windows\RegSDImport.xml
2010-04-15 10:31 879 a------- c:\windows\RegISSImport.xml
2010-04-15 10:31 131 a------- c:\windows\IDB.zip
2010-04-15 10:31 1,652,688 a------- c:\windows\PCTBDCore.dll
2010-04-15 10:31 1,152,444 a------- c:\windows\UDB.zip
2010-04-15 10:31 165,840 a------- c:\windows\PCTBDRes.dll
2010-04-15 10:27 233,136 a------- c:\windows\system32\drivers\pctgntdi.sys
2010-04-15 10:27 7,387 a------- c:\windows\system32\drivers\pctgntdi.cat
2010-04-15 10:26 217,032 a------- c:\windows\system32\drivers\PCTCore.sys
2010-04-15 10:26 88,040 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-15 10:26 7,412 a------- c:\windows\system32\drivers\PCTAppEvent.cat
2010-04-15 10:26 7,383 a------- c:\windows\system32\drivers\pctcore.cat
2010-04-15 10:26 <DIR> --d----- c:\program files\Spyware Doctor
2010-04-15 10:26 <DIR> --d----- c:\program files\common files\PC Tools
2010-03-21 20:29 3,247 a------- c:\windows\system32\wbem\Outlook_01cac956aac1d540.mof

==================== Find3M ====================

2010-04-15 19:51 12,494 a------- c:\windows\system32\tablet.dat
2010-03-30 00:46 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 00:45 20,824 a------- c:\windows\system32\drivers\mbam.sys
2010-03-15 13:15 62,752 a---h--- c:\windows\system32\mlfcache.dat
2010-03-15 11:28 242,696 a------- c:\windows\system32\drivers\avgtdix.sys
2010-03-15 11:28 12,464 a------- c:\windows\system32\avgrsstx.dll
2010-03-15 11:28 216,200 a------- c:\windows\system32\drivers\avgldx86.sys
2010-03-11 08:38 832,512 a------- c:\windows\system32\wininet.dll
2010-03-11 08:38 78,336 a------- c:\windows\system32\ieencode.dll
2010-03-11 08:38 17,408 -------- c:\windows\system32\corpol.dll
2010-03-09 07:09 430,080 a------- c:\windows\system32\vbscript.dll
2010-02-24 08:31 454,016 a------- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 09:19 2,181,376 a------- c:\windows\system32\ntoskrnl.exe
2010-02-16 08:39 2,058,368 a------- c:\windows\system32\ntkrnlpa.exe
2010-02-12 00:47 100,864 a------- c:\windows\system32\6to4svc.dll
2009-09-22 11:35 1,083 a------- c:\program files\INSTALL.LOG
2009-08-30 11:12 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2009-08-30 11:12 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2009-08-30 11:12 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 20:33:40.77 ===============

___

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 02/12/2006 3:06:29 AM
System Uptime: 15/04/2010 7:49:44 PM (1 hours ago)

Motherboard: ECS | | P4VXASD2+
Processor: Intel® Pentium® 4 CPU 2.40GHz | FC-478 | 2400/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 76 GiB total, 22.318 GiB free.
D: is CDROM ()
E: is CDROM ()
G: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:
Description: Multimedia Audio Controller
Device ID: PCI\VEN_1106&DEV_3059&SUBSYS_0A831019&REV_50\3&61AAA01&0&8D
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_1106&DEV_3059&SUBSYS_0A831019&REV_50\3&61AAA01&0&8D
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VIA Rhine II Fast Ethernet Adapter
Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_01021106&REV_74\3&61AAA01&0&90
Manufacturer: VIA Technologies, Inc.
Name: VIA Rhine II Fast Ethernet Adapter
PNP Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_01021106&REV_74\3&61AAA01&0&90
Service: FETND5BV

==== System Restore Points ===================

RP568: 16/01/2010 3:33:01 PM - System Checkpoint
RP569: 18/01/2010 2:21:20 PM - Avg8 Update
RP570: 22/01/2010 1:49:44 PM - System Checkpoint
RP571: 23/01/2010 3:00:43 AM - Software Distribution Service 3.0
RP572: 23/01/2010 2:12:02 PM - Software Distribution Service 3.0
RP573: 24/01/2010 2:46:04 PM - System Checkpoint
RP574: 25/01/2010 8:41:54 PM - System Checkpoint
RP575: 26/01/2010 11:57:23 AM - Avg8 Update
RP576: 27/01/2010 9:16:02 PM - System Checkpoint
RP577: 30/01/2010 4:32:37 PM - System Checkpoint
RP578: 01/02/2010 10:27:57 AM - System Checkpoint
RP579: 02/02/2010 10:36:33 AM - System Checkpoint
RP580: 04/02/2010 6:08:17 PM - Installed Java 6 Update 17
RP581: 11/02/2010 12:12:54 PM - Software Distribution Service 3.0
RP582: 13/02/2010 1:20:26 AM - Software Distribution Service 3.0
RP583: 24/02/2010 7:24:45 PM - Installed Compatibility Pack for the 2007 Office system
RP584: 25/02/2010 2:27:34 AM - Software Distribution Service 3.0
RP585: 11/03/2010 12:58:31 AM - Software Distribution Service 3.0
RP586: 12/03/2010 12:07:38 PM - System Checkpoint
RP587: 13/03/2010 12:18:33 PM - System Checkpoint
RP588: 14/03/2010 4:32:24 PM - System Checkpoint
RP589: 15/03/2010 11:22:53 AM - Avg8 Update
RP590: 15/03/2010 11:29:29 AM - Avg Update
RP591: 16/03/2010 1:13:08 PM - Avg Update
RP592: 17/03/2010 4:43:23 PM - System Checkpoint
RP593: 18/03/2010 7:09:03 PM - System Checkpoint
RP594: 19/03/2010 7:11:36 PM - System Checkpoint
RP595: 20/03/2010 9:48:55 PM - System Checkpoint
RP596: 25/03/2010 7:09:14 PM - System Checkpoint
RP597: 27/03/2010 6:35:07 PM - System Checkpoint
RP598: 28/03/2010 6:55:10 PM - System Checkpoint
RP599: 01/04/2010 11:58:52 AM - Software Distribution Service 3.0
RP600: 01/04/2010 12:10:38 PM - Avg Update
RP601: 01/04/2010 12:12:18 PM - Avg Update
RP602: 02/04/2010 4:51:20 PM - System Checkpoint
RP603: 03/04/2010 3:00:17 AM - Software Distribution Service 3.0
RP604: 04/04/2010 4:47:35 PM - System Checkpoint
RP605: 05/04/2010 10:56:55 PM - System Checkpoint
RP606: 07/04/2010 12:17:23 PM - Avg Update
RP607: 08/04/2010 6:34:33 PM - System Checkpoint
RP608: 10/04/2010 10:19:35 AM - System Checkpoint
RP609: 11/04/2010 11:55:37 AM - System Checkpoint
RP610: 12/04/2010 12:43:08 PM - System Checkpoint
RP611: 13/04/2010 2:49:28 PM - System Checkpoint
RP612: 15/04/2010 9:14:32 AM - Software Distribution Service 3.0
RP613: 15/04/2010 10:11:58 AM - Software Distribution Service 3.0
RP614: 15/04/2010 1:20:48 PM - Software Distribution Service 3.0
RP615: 15/04/2010 4:07:54 PM - Software Distribution Service 3.0

==== Installed Programs ======================
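Added triage example for the logs in the post above; it is not part of the original post and is not code from DDS, ComboFix or Malwarebytes. It reads log lines in the DDS "Pseudo HJT Report", ComboFix REGEDIT4 and MBAM formats and flags the three indicators the posted logs show for this rogue: the Internet Explorer proxy forced to 127.0.0.1:5555, an autorun entry launched from the per-user Local Settings\Application Data folder under a random-looking name, and scanner detection lines. The sample input copies indicator lines from the DDS and MBAM output above; the single `uRun: [ggqootdl]` line is constructed (an assumption about how the value MBAM quarantined would have appeared before removal), and the `looks_random` thresholds are a heuristic tuned on the names in these logs, not a general classifier.

```python
"""Indicator triage for DDS / ComboFix / MBAM-style Windows XP logs (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Sample input: indicator lines copied from the DDS "Pseudo HJT Report" and the
# MBAM log above, one CONSTRUCTED "uRun:" line (assumption) showing how the
# quarantined ggqootdl value would have looked before MBAM removed it, and a few
# benign entries for contrast.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
uRun: [ggqootdl] c:\docume~1\main_u~1\locals~1\applic~1\jtmojytql\djpalljtssd.exe
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-03-18 319792]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ggqootdl (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\main_user\Local Settings\Application Data\jtmojytql\djpalljtssd.exe (Trojan.FakeAlert.Gen) -> Unloaded process successfully.
"""

PROXY_RE = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(?:127\.0\.0\.1|localhost):(\d+)", re.I)
# DDS/HJT style:  uRun: [name] command      ComboFix style:  "name"="command" [...]
HJT_RUN_RE = re.compile(r"^[umd]Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$", re.I)
CF_RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"')
DETECTION_RE = re.compile(
    r"\((?P<family>(?:Trojan|Rogue|Malware|PUP|Adware|Backdoor|Spyware)\.[\w.]+)\)\s*->")
# Long and 8.3 short forms of the per-user local application-data folder on XP.
USER_LOCAL_APPDATA_RE = re.compile(
    r"\\(?:local settings\\application data|locals~1\\applic~1)\\", re.I)
VOWELS = set("aeiou")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    reason: str
    line: str


def looks_random(token: str) -> bool:
    """Heuristic for generated names: letters only, few vowels, long consonant runs.

    Thresholds were picked so that the names in the posted logs (jtmojytql,
    djpalljtssd, ggqootdl) pass and ordinary product names (utorrent, avgtray)
    do not; it is a triage hint, not a classifier.
    """
    t = token.lower()
    if len(t) < 6 or not t.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in t) / len(t)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiou]+", t))
    return vowel_ratio <= 0.25 and longest_consonant_run >= 3


def parent_folder(cmd: str) -> str:
    """Name of the directory that contains the executable in a Run command."""
    parts = cmd.strip('" ').split("\\")
    return parts[-2] if len(parts) >= 2 else ""


def triage(log_text: str) -> List[Finding]:
    """Scan log lines and return findings in input order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        proxy = PROXY_RE.search(line)
        if proxy:
            findings.append(Finding(
                "high",
                f"IE forced through a loopback proxy on port {proxy.group(1)}; "
                "rogue AV families use this to intercept and block browsing",
                line))
            continue
        run = HJT_RUN_RE.match(line) or CF_RUN_RE.match(line)
        if run:
            name, cmd = run.group("name"), run.group("cmd")
            if USER_LOCAL_APPDATA_RE.search(cmd):
                # Nothing legitimate on XP autostarts from this folder; a random
                # value or folder name on top of that is the rogue's install pattern.
                odd_name = looks_random(name) or looks_random(parent_folder(cmd))
                findings.append(Finding(
                    "high" if odd_name else "medium",
                    "autorun executes from per-user Local Settings\\Application Data"
                    + (" under a random-looking name" if odd_name else ""),
                    line))
            continue
        hit = DETECTION_RE.search(line)
        if hit:
            findings.append(Finding("info", f"scanner detection: {hit.group('family')}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the sample it reports the proxy line and the constructed ggqootdl autorun as high, the two MBAM lines as informational, and stays silent on uTorrent and AVG. The proxy check is the one worth keeping even after the files are gone: the rogue's executable can be quarantined while the `127.0.0.1:5555` setting survives in the user's Internet Settings and keeps Internet Explorer from connecting.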
12. Last night I got the Antispyware Soft ... thing. (Sorry, I'm not very computer literate when it comes to viruses/spyware/malware.) I've had Antivirus Soft before and I got rid of it using Malwarebytes. But this time it's not working. So far I have run:
Malwarebytes 1.45, with latest updates, 3 times.
Spyware Doctor, once, but couldn't buy the full product at the end.
Spybot, but my computer froze half way through.
Every time I run Malwarebytes it finds something and removes it. But then when I run in normal mode, Antispyware Soft is still there! I just don't know what else I can do. Any help would be extremely appreciated.