Help to Remove Virus Patched.CJ [Solved]

#1 SGrysman (Member, 18 posts)
I'm using AVG V9.0 and have somehow caught a virus - Patched.CJ that AVG tells me is white listed & cannot be removed as it's a critical system file. I've searched your removal guides and have run TFC.exe successfully.

However when I go to the next step & run ERUNT I get a blue screen & must reboot.

I'm running Windows XP Pro, SP3.

Any help is appreciated.


#2 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
can you update avg, run a full scan, post that log here

#3 SGrysman (Member, 18 posts)
The log showed one virus as of today (3/8/2010):

"C:\WINDOWS\system32\drivers\atapi.sys";"Virus identified Win32/Patched.CJ";"Object is white-listed (critical/system file that should not be removed)"


FYI: My first virus notification came on 2/22/2010:
"C:\WINDOWS\system32\drivers\atapi.sys";"Trojan horse Rootkit-Agent.EF";"Object is white-listed (critical/system file that should not be removed)"

While searching for a cure, this message stopped and was replaced by the Patched.CJ message on 3/2/2010, which remains until today.

#4 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
hi

Download ComboFix here :

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#5 SGrysman (Member, 18 posts)
See attached.

Attached file: log.txt (24.31KB)

#6 SGrysman (Member, 18 posts)
My AVG did not restart when the machine rebooted. I feel exposed. Can I restart it now?

#7 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
yes

can you post that log not attach it

#8 SGrysman (Member, 18 posts)
ComboFix 10-03-08.02 - Administrator 03/09/2010 8:20.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3710.2380 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\{B167E254-846A-4EF7-9091-74217F8314A9}
c:\documents and settings\Administrator\Local Settings\Application Data\{B167E254-846A-4EF7-9091-74217F8314A9}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{B167E254-846A-4EF7-9091-74217F8314A9}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{B167E254-846A-4EF7-9091-74217F8314A9}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{B167E254-846A-4EF7-9091-74217F8314A9}\install.rdf
C:\Thumbs.db
c:\windows\system32\Thumbs.db
c:\windows\system32\twain_32.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-09 to 2010-03-09 )))))))))))))))))))))))))))))))
.

2010-03-05 13:47 . 2010-03-05 13:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-28 23:43 . 2008-04-13 19:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-02-28 23:43 . 2008-04-13 19:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-02-28 23:43 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-02-28 23:42 . 2008-04-14 01:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-02-26 19:01 . 2010-02-26 19:01 -------- d-----w- c:\program files\Common Files\Skype
2010-02-25 22:51 . 2010-02-25 22:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-22 02:09 . 2010-03-03 12:45 -------- d-----w- C:\DigitalPhotoFrame
2010-02-19 13:58 . 2010-02-19 13:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-02-18 05:29 . 2010-02-18 05:29 -------- d-----w- c:\program files\SyncToy 2.1
2010-02-18 05:28 . 2010-02-18 05:28 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-02-14 15:04 . 2010-02-14 15:04 -------- d-----w- c:\program files\Common Files\Apple
2010-02-14 15:04 . 2010-02-14 15:04 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple
2010-02-14 15:04 . 2010-02-14 15:04 -------- d-----w- c:\program files\Apple Software Update
2010-02-14 15:04 . 2010-02-14 15:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-09 13:33 . 2007-02-13 04:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Azureus
2010-03-09 13:32 . 2009-11-04 14:37 256 ----a-w- c:\windows\system32\pool.bin
2010-03-09 13:28 . 2008-04-03 01:02 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-03-09 13:28 . 2008-05-30 20:14 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-03-09 10:01 . 2009-12-15 02:50 0 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat
2010-03-09 05:34 . 2009-04-26 05:02 -------- d-----w- c:\program files\LogMeIn
2010-03-08 12:05 . 2007-12-03 00:44 -------- d-----w- c:\program files\Common Files\Skyscape
2010-03-05 13:47 . 2008-04-24 00:26 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-05 13:47 . 2007-12-27 20:20 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-05 13:47 . 2008-04-24 00:26 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-05 13:47 . 2008-04-24 00:26 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-02-28 06:55 . 2009-08-13 19:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-02-28 05:03 . 2009-08-13 20:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2010-02-25 22:51 . 2007-02-13 04:13 -------- d-----w- c:\program files\Common Files\Java
2010-02-25 22:50 . 2007-02-13 04:14 -------- d-----w- c:\program files\Java
2010-02-22 00:13 . 2009-11-17 04:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-14 15:06 . 2007-02-12 16:35 -------- d-----w- c:\program files\QuickTime
2010-02-14 15:05 . 2007-02-12 16:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-02-04 00:48 . 2009-08-13 19:50 -------- d-----r- c:\program files\Skype
2010-02-04 00:42 . 2008-04-03 00:59 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-02-04 00:38 . 2008-10-20 01:51 -------- d-----w- c:\program files\Logitech
2010-02-03 13:52 . 2010-01-15 11:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Juniper Networks
2010-02-02 23:22 . 2010-02-02 23:23 81920 ----a-w- c:\windows\system32\emfxp.dll
2010-02-02 23:22 . 2010-02-02 23:23 49152 ----a-w- c:\windows\system32\unpdf.exe
2010-01-24 04:49 . 2008-02-13 03:26 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-15 11:07 . 2010-01-15 11:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Juniper Networks
2010-01-14 05:43 . 2009-12-16 22:52 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-01-14 05:34 . 2007-02-12 16:22 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-14 05:07 . 2010-01-14 05:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-14 05:07 . 2010-01-14 05:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-14 05:07 . 2010-01-14 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-14 05:05 . 2010-01-14 05:05 -------- d-----w- c:\program files\ERUNT
2010-01-13 14:11 . 2010-01-13 14:11 -------- d-----w- c:\program files\TrendMicro
2010-01-13 13:22 . 2010-01-13 03:46 120 ----a-w- c:\windows\Mnemukimupewuku.dat
2010-01-13 05:50 . 2010-01-13 03:46 0 ----a-w- c:\windows\Xyileregucoru.bin
2010-01-07 21:07 . 2010-01-14 05:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2010-01-14 05:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ------w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2007-08-09 17:08 . 2007-05-25 03:27 8784 ------w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-08-09 17:10 . 2007-05-25 03:27 245408 ------w- c:\program files\mozilla firefox\plugins\unicows.dll
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 18:40 . 28277538AE850468806449D9E678E1F5 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 16:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-02-13 65536]
"Adobe Photo Downloader"="c:\program files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [2008-04-01 61440]
"eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-21 61440]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"Acronis True Image Monitor"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2007-02-13 500561]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2009-12-18 624056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-02-06 252704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Azureus.lnk - c:\program files\Azureus\Azureus.exe [2007-1-13 199616]
Eudora.lnk - c:\program files\Qualcomm\Eudora\Eudora.exe [2008-1-8 2658304]
Mozilla Firefox.lnk - c:\program files\Mozilla Firefox\firefox.exe [2007-2-11 910296]
Palm Desktop.lnk - c:\program files\palmOne\Palm.exe [2005-1-5 614400]
Windows Explorer.lnk - c:\windows\explorer.exe [2004-8-4 1033728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-11-12 1447184]
eFax 4.3.lnk - c:\program files\eFax Messenger 4.3\J2GTray.exe [2008-7-25 629248]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-05 13:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-02 00:29 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [4/23/2008 7:26 PM 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/23/2008 7:26 PM 216200]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/23/2008 7:26 PM 242696]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [9/8/2009 11:32 PM 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [9/8/2009 11:32 PM 234888]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/5/2010 8:47 AM 916760]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/5/2010 8:47 AM 308064]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 5:46 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [6/23/2007 11:21 PM 47640]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [6/23/2007 11:21 PM 12192]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-03-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-01 c:\windows\Tasks\Defrag C.job
- c:\windows\system32\defrag.exe [2004-08-04 00:12]

2010-03-09 c:\windows\Tasks\Defrag D.job
- c:\windows\system32\defrag.exe [2004-08-04 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
TCP: {95C06D76-7F4E-4E6C-9037-01CE3572888B} = 208.67.222.222,208.67.220.220
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\amtvz2w4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\amtvz2w4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\amtvz2w4.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\amtvz2w4.default\extensions\genipublisher@geni.com\platform\WINNT_x86-msvc\plugins\npgenipublisher.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\amtvz2w4.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07051001.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
.
------- File Associations -------
.
inifile="c:\program files\Notpad\Notpad.exe" "%1"
txtfile="c:\program files\Notpad\Notpad.exe" "%1"
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-09 08:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1292428093-1788223648-839522115-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(9632)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\AVG\AVG9\avgam.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\LxrJD31s.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\stsystra.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2010-03-09 08:42:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-09 13:42

Pre-Run: 13,070,880,768 bytes free
Post-Run: 13,111,115,776 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 6FC902D25AAB04621DF75FDABFFC2A39

#9 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
hi

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\Mnemukimupewuku.dat
c:\windows\Xyileregucoru.bin

FCopy::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys
KillAll::


Folder::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • c:\windows\system32\unpdf.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

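As an added example, not part of this thread or of ComboFix itself, the Python below parses the Sigcheck block from the log in post #8 and applies the reasoning behind the FCopy:: step in post #9: the live atapi.sys is unverified, has no version resource, and is the same size as the signed ServicePackFiles copy but carries a different MD5, so it is flagged as patched in place and the ServicePackFiles copy is named as the restore source. The meaning of the [7]/[-] flags and the list of reference directories are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Three Sigcheck lines copied from the ComboFix log posted above (embedded so the
# example runs offline). Raw string so the Windows backslashes survive untouched.
SIGCHECK_SAMPLE = r"""
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 18:40 . 28277538AE850468806449D9E678E1F5 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
"""

# One Sigcheck line: [flag] date . MD5 . size . . [version] . . path
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>.+?)\s*$"
)

# Assumed list of places where Windows XP keeps pristine copies of system files;
# the FCopy:: directive in the reply above restores the driver from the first of these.
REFERENCE_DIRS = ("\\servicepackfiles\\", "\\$ntservicepackuninstall$\\", "\\dllcache\\")


@dataclass
class SigcheckEntry:
    flag: str      # assumed meaning: "7" = verified Microsoft signature, "-" = unverified
    date: str
    md5: str
    size: int
    version: str   # "------" when the file carries no version resource at all
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def is_reference(self) -> bool:
        lowered = self.path.lower()
        return any(d in lowered for d in REFERENCE_DIRS)


def parse_sigcheck(text: str) -> List[SigcheckEntry]:
    """Turn the Sigcheck block of a ComboFix log into structured entries."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(SigcheckEntry(m["flag"], m["date"], m["md5"].upper(),
                                         int(m["size"]), m["version"], m["path"]))
    return entries


def assess(entries: List[SigcheckEntry]) -> Dict[str, str]:
    """Give a verdict for every live (non-reference) file in the report.

    The live copy is compared with signed reference copies of the same file name:
      * hash matches a reference copy              -> clean
      * signature verified but hash differs        -> signed update newer than the backups
      * unverified and hash matches no reference   -> patched in place; name the copy to restore
    Same byte size with a different hash is the footprint of an in-place patch rather
    than a version upgrade, which is what the log above shows for atapi.sys.
    """
    refs: Dict[str, List[SigcheckEntry]] = {}
    for e in entries:
        if e.is_reference and e.flag == "7":
            refs.setdefault(e.name, []).append(e)

    verdicts: Dict[str, str] = {}
    for e in entries:
        if e.is_reference:
            continue
        candidates = refs.get(e.name, [])
        if not candidates:
            verdicts[e.path] = "unknown: no signed reference copy to compare against"
        elif any(r.md5 == e.md5 for r in candidates):
            verdicts[e.path] = "clean: matches a signed reference copy"
        elif e.flag == "7":
            verdicts[e.path] = "signed update: newer than the reference copies"
        else:
            # Prefer the reference copy with the same size (most likely the same build).
            same_size = [r for r in candidates if r.size == e.size]
            source = (same_size or candidates)[0]
            detail = "no version resource" if e.version.strip("-") == "" else f"version {e.version}"
            verdicts[e.path] = f"patched ({detail}); restore from {source.path}"
    return verdicts


if __name__ == "__main__":
    for path, verdict in assess(parse_sigcheck(SIGCHECK_SAMPLE)).items():
        print(f"{path}: {verdict}")
```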

#10 SGrysman (Member, 18 posts)
First Scan:

GooredFix by jpshortstuff (08.01.10.1)
Log created at 21:31 on 09/03/2010 (Administrator)
Firefox version 3.6 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [01:58 12/02/2007]
{AB2CE124-6272-4b12-94A9-7303C7397BD1} [19:01 26/02/2010]
{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} [22:51 25/02/2010]

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\amtvz2w4.default\extensions\
genipublisher@geni.com [14:49 02/11/2008]
moveplayer@movenetworks.com [04:16 25/05/2007]
{20a82645-c095-46ed-80e3-08825760534b} [11:40 14/08/2009]
{3112ca9c-de6d-4884-a869-9855de68056c} [04:37 31/12/2009]
{635abd67-4fe9-1b23-4f01-e679fa7484c1} [22:51 25/02/2010]
{a7c6cf7f-112c-4500-a7ea-39801a327e5f} [23:38 02/01/2010]
{AE93811A-5C9A-4d34-8462-F7B864FC4696} [04:30 24/01/2010]
{E9A1DEE0-C623-4439-8932-001E7D17607D} [04:32 09/09/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG9\Firefox" [04:44 17/11/2009]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [05:23 11/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [22:50 25/02/2010]

---------- Old Logs ----------
GooredFix[00.49.28_10-03-2010].txt
GooredFix[02.29.57_10-03-2010].txt

-=E.O.F=-

Second Scan:

ComboFix 10-03-08.02 - Administrator 03/09/2010 20:03:44.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3710.3130 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\Mnemukimupewuku.dat"
"c:\windows\Xyileregucoru.bin"
.
The following files were disabled during the run:
c:\windows\TEMP\logishrd\LVPrcInj01.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Mnemukimupewuku.dat
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\Xyileregucoru.bin
c:\windows\TEMP\logishrd\LVPrcInj01.dll . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://armmf.adobe.com
.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-02-10 to 2010-03-10 )))))))))))))))))))))))))))))))
.

2010-03-05 13:47 . 2010-03-05 13:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-28 23:43 . 2008-04-13 19:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-02-28 23:43 . 2008-04-13 19:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-02-28 23:43 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-02-28 23:42 . 2008-04-14 01:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-02-26 19:01 . 2010-02-26 19:01 -------- d-----w- c:\program files\Common Files\Skype
2010-02-25 22:51 . 2010-02-25 22:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-22 02:09 . 2010-03-03 12:45 -------- d-----w- C:\DigitalPhotoFrame
2010-02-19 13:58 . 2010-02-19 13:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-02-18 05:29 . 2010-02-18 05:29 -------- d-----w- c:\program files\SyncToy 2.1
2010-02-18 05:28 . 2010-02-18 05:28 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-02-14 15:04 . 2010-02-14 15:04 -------- d-----w- c:\program files\Common Files\Apple
2010-02-14 15:04 . 2010-02-14 15:04 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple
2010-02-14 15:04 . 2010-02-14 15:04 -------- d-----w- c:\program files\Apple Software Update
2010-02-14 15:04 . 2010-02-14 15:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-10 01:31 . 2009-11-04 14:37 256 ----a-w- c:\windows\system32\pool.bin
2010-03-10 01:14 . 2008-04-03 01:02 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-03-10 01:14 . 2008-05-30 20:14 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-03-10 01:05 . 2007-02-13 04:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Azureus
2010-03-09 22:01 . 2009-12-15 02:50 0 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat
2010-03-09 14:24 . 2007-12-03 00:44 -------- d-----w- c:\program files\Common Files\Skyscape
2010-03-09 05:34 . 2009-04-26 05:02 -------- d-----w- c:\program files\LogMeIn
2010-03-09 01:10 . 2010-03-09 01:10 4250392 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-03-05 13:47 . 2010-03-05 13:47 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-03-05 13:47 . 2010-03-05 13:47 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-03-05 13:47 . 2010-03-05 13:47 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-03-05 13:47 . 2010-03-05 13:47 161800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgrkx86.sys
2010-03-05 13:47 . 2008-04-24 00:26 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-05 13:47 . 2007-12-27 20:20 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-05 13:47 . 2008-04-24 00:26 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-05 13:47 . 2008-04-24 00:26 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-02-28 06:55 . 2009-08-13 19:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-02-28 05:03 . 2009-08-13 20:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2010-02-25 22:51 . 2007-02-13 04:13 -------- d-----w- c:\program files\Common Files\Java
2010-02-25 22:51 . 2010-02-25 22:51 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3b243189-n\msvcp71.dll
2010-02-25 22:51 . 2010-02-25 22:51 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3b243189-n\jmc.dll
2010-02-25 22:51 . 2010-02-25 22:51 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3b243189-n\msvcr71.dll
2010-02-25 22:51 . 2010-02-25 22:51 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-617dddf9-n\decora-sse.dll
2010-02-25 22:51 . 2010-02-25 22:51 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-617dddf9-n\decora-d3d.dll
2010-02-25 22:50 . 2007-02-13 04:14 -------- d-----w- c:\program files\Java
2010-02-22 00:18 . 2010-02-22 00:37 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-02-22 00:18 . 2010-02-22 00:37 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-02-22 00:13 . 2009-11-17 04:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-14 15:06 . 2007-02-12 16:35 -------- d-----w- c:\program files\QuickTime
2010-02-14 15:05 . 2007-02-12 16:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-02-04 00:48 . 2009-08-13 19:50 -------- d-----r- c:\program files\Skype
2010-02-04 00:42 . 2010-02-04 00:42 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{BEF726DD-4037-4214-8C6A-E625C02D2870}\ARPPRODUCTICON.exe
2010-02-04 00:42 . 2008-04-03 00:59 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-02-04 00:42 . 2010-02-04 00:42 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{35725FBC-A136-4A46-9F29-091759D9BB93}\ARPPRODUCTICON.exe
2010-02-04 00:42 . 2010-02-04 00:42 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{EA516024-D84D-41F1-814F-83175A6188F2}\ARPPRODUCTICON.exe
2010-02-04 00:38 . 2008-10-20 01:51 -------- d-----w- c:\program files\Logitech
2010-02-03 13:52 . 2010-01-15 11:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Juniper Networks
2010-02-01 05:37 . 2010-02-01 05:37 162656 ----a-w- c:\documents and settings\Administrator\Application Data\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTP_8.0.50727.762.exe
2010-02-01 05:37 . 2010-02-01 05:37 292704 ----a-w- c:\documents and settings\Administrator\Application Data\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTR_8.0.50727.762.exe
2010-02-01 05:37 . 2010-01-15 11:07 37464 ----a-w- c:\documents and settings\Administrator\Application Data\Juniper Networks\setup\uninstall.exe
2010-01-24 04:49 . 2008-02-13 03:26 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-15 11:07 . 2010-01-15 11:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Juniper Networks
2010-01-14 05:43 . 2009-12-16 22:52 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-01-14 05:34 . 2007-02-12 16:22 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-14 05:07 . 2010-01-14 05:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-14 05:07 . 2010-01-14 05:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-14 05:07 . 2010-01-14 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-14 05:05 . 2010-01-14 05:05 -------- d-----w- c:\program files\ERUNT
2010-01-13 14:11 . 2010-01-13 14:11 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-13 14:11 . 2010-01-13 14:11 -------- d-----w- c:\program files\TrendMicro
2010-01-07 21:07 . 2010-01-14 05:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2010-01-14 05:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ------w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-16 19:42 . 2009-12-31 04:37 872960 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\amtvz2w4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-16 19:42 . 2009-12-31 04:37 43008 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\amtvz2w4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-16 19:42 . 2009-12-31 04:37 340480 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\amtvz2w4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-16 19:41 . 2009-12-31 04:37 346624 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\amtvz2w4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2007-08-09 17:08 . 2007-05-25 03:27 8784 ------w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-08-09 17:10 . 2007-05-25 03:27 245408 ------w- c:\program files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 16:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-02-13 65536]
"Adobe Photo Downloader"="c:\program files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [2008-04-01 61440]
"eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-21 61440]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"Acronis True Image Monitor"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2007-02-13 500561]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2009-12-18 624056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-02-06 252704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-11-12 1447184]
eFax 4.3.lnk - c:\program files\eFax Messenger 4.3\J2GTray.exe [2008-7-25 629248]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-05 13:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-02 00:29 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [4/23/2008 7:26 PM 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/23/2008 7:26 PM 216200]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/23/2008 7:26 PM 242696]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [9/8/2009 11:32 PM 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [9/8/2009 11:32 PM 234888]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/5/2010 8:47 AM 916760]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/5/2010 8:47 AM 308064]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 5:46 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [6/23/2007 11:21 PM 47640]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [6/23/2007 11:21 PM 12192]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-03-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-01 c:\windows\Tasks\Defrag C.job
- c:\windows\system32\defrag.exe [2004-08-04 00:12]

2010-03-09 c:\windows\Tasks\Defrag D.job
- c:\windows\system32\defrag.exe [2004-08-04 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
TCP: {95C06D76-7F4E-4E6C-9037-01CE3572888B} = 208.67.222.222,208.67.220.220
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\amtvz2w4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\amtvz2w4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\amtvz2w4.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\amtvz2w4.default\extensions\genipublisher@geni.com\platform\WINNT_x86-msvc\plugins\npgenipublisher.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\amtvz2w4.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07051001.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-09 20:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1292428093-1788223648-839522115-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(8816)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\AVG\AVG9\avgam.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\LxrJD31s.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\stsystra.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
.
**************************************************************************
.
Completion time: 2010-03-09 20:39:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-10 01:39
ComboFix2.txt 2010-03-09 13:42

Pre-Run: 13,106,917,376 bytes free
Post-Run: 13,071,695,872 bytes free

- - End Of File - - 52CAA2DFEFF5298A90F548EB722C0C7F

Third Scan:

I connected to VirSCAN.org in IE and ran it as instructed. It hung on the 24th of 36. I'll re-run and post when it completes. In the interim, here are the first two.

Thanks
Saul
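The ComboFix log above records an FCopy of c:\windows\ServicePackFiles\i386\atapi.sys over c:\windows\system32\drivers\atapi.sys, that is, the live boot-start driver was overwritten with the Service Pack's pristine copy. The check a practitioner wants after that kind of repair is that the driver the kernel loads now matches the known-good copies byte for byte, not just in size, because an in-place patch keeps the file's size and timestamp. The Python below is an added example, not part of the original thread and not ComboFix's own code; the three XP paths are the ones named in the log (the dllcache copy is assumed to exist, as Windows File Protection normally keeps one), and the demo it runs is built from constructed files (a fake clean driver, an identical copy, and a copy with eight bytes overwritten) so it works offline. One caveat: if a rootkit that patched a boot-start driver is still resident, it may also be filtering reads of that file, so a hash taken from inside the running system proves less than one taken from an offline boot.

```python
import hashlib
import os
import tempfile

# The three copies of the driver on a Windows XP SP3 system, as named in the
# ComboFix log above: the Service Pack's pristine copy (used as reference),
# the copy the kernel actually loads, and the Windows File Protection cache.
XP_ATAPI_COPIES = {
    "reference": r"C:\WINDOWS\ServicePackFiles\i386\atapi.sys",
    "candidates": [
        r"C:\WINDOWS\system32\drivers\atapi.sys",
        r"C:\WINDOWS\system32\dllcache\atapi.sys",   # assumed present (WFP cache)
    ],
}


def sha256_of(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_copies(reference, candidates):
    """Hash the reference and each candidate; return (all_match, report).

    report maps path -> {"size", "sha256", "matches"}. A missing candidate is
    recorded with None values and counts as a mismatch: a driver copy that
    should exist but does not is itself a finding.
    """
    ref_size, ref_hash = os.path.getsize(reference), sha256_of(reference)
    report = {reference: {"size": ref_size, "sha256": ref_hash, "matches": True}}
    all_match = True
    for path in candidates:
        if not os.path.isfile(path):
            report[path] = {"size": None, "sha256": None, "matches": False}
            all_match = False
            continue
        size, digest = os.path.getsize(path), sha256_of(path)
        matches = size == ref_size and digest == ref_hash
        report[path] = {"size": size, "sha256": digest, "matches": matches}
        all_match = all_match and matches
    return all_match, report


def first_difference(path_a, path_b, chunk_size=4096):
    """Offset of the first byte that differs between two files, or None if identical.

    An in-place patch shows up as a difference at unchanged size, which is a
    different picture from a truncated or wholly replaced file.
    """
    offset = 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            ca, cb = fa.read(chunk_size), fb.read(chunk_size)
            if ca != cb:
                for i, (x, y) in enumerate(zip(ca, cb)):
                    if x != y:
                        return offset + i
                return offset + min(len(ca), len(cb))   # one file ended early
            if not ca:
                return None
            offset += len(ca)


def demo(patch_live_copy=True):
    """Constructed demonstration, no real driver involved.

    Writes a fake 'clean' driver, an intact dllcache copy and a live copy that
    optionally has 8 bytes overwritten at offset 0x1000, the way a patched
    driver keeps its size but not its contents. Returns
    (all_match, live_matches, cache_matches, first_differing_offset).
    """
    clean = bytes(range(256)) * 64                      # 16 KiB of deterministic filler
    with tempfile.TemporaryDirectory() as tmp:
        ref = os.path.join(tmp, "ServicePackFiles_atapi.sys")
        live = os.path.join(tmp, "drivers_atapi.sys")
        cache = os.path.join(tmp, "dllcache_atapi.sys")
        for path in (ref, cache):
            with open(path, "wb") as fh:
                fh.write(clean)
        live_bytes = bytearray(clean)
        if patch_live_copy:
            live_bytes[0x1000:0x1008] = b"\x90" * 8     # same size, different code
        with open(live, "wb") as fh:
            fh.write(live_bytes)
        all_match, report = compare_copies(ref, [live, cache])
        offset = None if all_match else first_difference(ref, live)
        return all_match, report[live]["matches"], report[cache]["matches"], offset


if __name__ == "__main__":
    print("constructed demo:", demo())
    # On a real XP system, run the same comparison over the paths from the log.
    if os.path.isfile(XP_ATAPI_COPIES["reference"]):
        ok, report = compare_copies(XP_ATAPI_COPIES["reference"], XP_ATAPI_COPIES["candidates"])
        for path, info in report.items():
            print("OK " if info["matches"] else "BAD", info["size"], info["sha256"], path)
```

On the constructed input the patched live copy hashes differently from the reference while the dllcache copy still matches, and the first differing byte is reported at 0x1000; with the patch disabled all three copies agree. Run on the real paths, the same mismatch pattern is what you would expect to see before the FCopy and not after it.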

#11 SGrysman (Member, 18 posts)
Third Scan:

VirSCAN.org Scanned Report :
Scanned time : 2010/03/09 21:49:19 (EST)
Scanner results: 3% Scanner(s) (1/36) found malware!
File Name : unpdf.exe
File Size : 49152 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 3ca4bf2bcb9a2f1b2bb2fc1967e882fa
SHA1 : 9cc5efc37ab58094bea5212e98ee9567d255ddda
Online report : http://virscan.org/r...51e1654fcb.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100310033127 2010-03-10 4.43 -
AhnLab V3 2010.03.09.00 2010.03.09 2010-03-09 1.03 -
AntiVir 8.2.1.180 7.10.5.11 2010-03-09 0.37 -
Antiy 2.0.18 20100308.3980438 2010-03-08 0.02 -
Arcavir 2009 201003091543 2010-03-09 0.04 -
Authentium 5.1.1 201003092309 2010-03-09 1.29 -
AVAST! 4.7.4 100309-1 2010-03-09 0.01 -
AVG 8.5.720 271.1.1/2733 2010-03-10 0.24 -
BitDefender 7.81008.5407893 7.30702 2010-03-10 5.42 -
ClamAV 0.95.3 10541 2010-03-10 0.02 -
Comodo 3.13.579 4206 2010-03-09 0.91 -
CP Secure 1.3.0.5 2010.03.10 2010-03-10 0.06 Troj.Downloader.W32.Small.ivo
Dr.Web 5.0.1.12222 2010.03.10 2010-03-10 5.81 -
F-Prot 4.4.4.56 20100309 2010-03-09 1.28 -
F-Secure 7.02.73807 2010.03.10.01 2010-03-10 10.36 -
Fortinet 11.564- 11.564 2010-03-09 0.44 -
GData 19.10771/19.808 20100310 2010-03-10 6.54 -
ViRobot 20100309 2010.03.09 2010-03-09 0.41 -
Ikarus T3.1.01.80 2010.03.10.75364 2010-03-10 4.99 -
JiangMin 13.0.900 2010.03.09 2010-03-09 6.79 -
Kaspersky 5.5.10 2010.03.09 2010-03-09 0.13 -
KingSoft 2009.2.5.15 2010.3.9.20 2010-03-09 0.59 -
McAfee 5.3.00 5915 2010-03-09 3.69 -
Microsoft 1.5502 2010.03.10 2010-03-10 6.50 -
Norman 6.01.09 6.01.00 2010-02-10 2.01 -
Panda 9.05.01 ..9.05.01 --9.05.01 1.90 -
Trend Micro 9.120-1004 6.906.11 2010-03-09 0.04 -
Quick Heal 10.00 2010.03.09 2010-03-09 1.41 -
Rising 20.0 22.38.02.00 2010-03-10 1.07 -
Sophos 3.04.1 4.50 2010-03-10 3.74 -
Sunbelt 3.9.2408.2 5808 2010-03-09 3.56 -
Symantec 1.3.0.24 20100309.009 2010-03-09 0.05 -
nProtect 20100309.01 7671527 2010-03-09 4.54 -
The Hacker 6.5.2.0 v00228 2010-03-09 0.37 -
VBA32 3.12.12.2 20100308.2152 2010-03-08 2.72 -
VirusBuster 4.5.11.10 10.121.12/2028856 2010-03-10 2.35 -

Thanks
Saul
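The VirSCAN.org report above is a plain-text table: one engine per line, scanner name first (it may contain a space, as in CP Secure or Trend Micro), then engine version, signature version, signature date, scan time in seconds, and the verdict, with "-" meaning clean. Here a single engine out of 36 flagged unpdf.exe. The Python parser below is an added example, not part of the original post and not VirSCAN's own code; it turns a pasted report into a structured record (file hashes plus the engines that detected, which is what you pivot on to look the sample up elsewhere) and it anchors each row on the scan-time column from the right, so multi-word scanner names and verdicts survive. The sample report embedded in it is a constructed subset of the rows posted above.

```python
import re

# The scan-time column ("0.06", "4.43") is the anchor: it is always a number
# with two decimals and is always present, so the parser walks each row from
# the right until it finds it. Everything after it is the verdict.
TIME_RE = re.compile(r"^\d+\.\d{2}$")
# Key/value lines above the table, e.g. "MD5 : 3ca4..." or "File Name : unpdf.exe".
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z0-9 ]+?)\s*:\s*(?P<value>.+)$")


def parse_engine_row(line):
    """Split one engine row into its columns, or return None if the line is not one.

    Columns, left to right: scanner (may contain spaces), engine version,
    signature version, signature date, scan time, verdict ("-" when clean).
    """
    tokens = line.split()
    for i in range(len(tokens) - 1, 3, -1):
        if TIME_RE.match(tokens[i]):
            verdict = " ".join(tokens[i + 1:]) or "-"
            return {
                "scanner": " ".join(tokens[:i - 3]),
                "engine": tokens[i - 3],
                "signature": tokens[i - 2],
                "sig_date": tokens[i - 1],
                "seconds": float(tokens[i]),
                "verdict": None if verdict == "-" else verdict,
            }
    return None


def parse_virscan_report(text):
    """Turn a pasted VirSCAN.org report into hashes plus the engines that detected."""
    meta, engines, in_table = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Scanner Engine"):      # column header: engine rows follow
            in_table = True
            continue
        if in_table:
            row = parse_engine_row(line)
            if row:
                engines.append(row)
        else:
            m = HEADER_RE.match(line)
            if m:
                meta[m.group("key").strip().lower()] = m.group("value").strip()
    detections = [(e["scanner"], e["verdict"]) for e in engines if e["verdict"]]
    return {
        "file": meta.get("file name"),
        "md5": meta.get("md5"),
        "sha1": meta.get("sha1"),
        "engines": len(engines),
        "detections": detections,
    }


def detection_ratio(result):
    """Fraction of engines that flagged the file; 0.0 when no engine rows were parsed."""
    return len(result["detections"]) / result["engines"] if result["engines"] else 0.0


# Constructed sample: a subset of the rows posted above, header lines kept.
SAMPLE_REPORT = """\
VirSCAN.org Scanned Report :
Scanned time : 2010/03/09 21:49:19 (EST)
File Name : unpdf.exe
File Size : 49152 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 3ca4bf2bcb9a2f1b2bb2fc1967e882fa
SHA1 : 9cc5efc37ab58094bea5212e98ee9567d255ddda

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100310033127 2010-03-10 4.43 -
AhnLab V3 2010.03.09.00 2010.03.09 2010-03-09 1.03 -
CP Secure 1.3.0.5 2010.03.10 2010-03-10 0.06 Troj.Downloader.W32.Small.ivo
Panda 9.05.01 ..9.05.01 --9.05.01 1.90 -
Quick Heal 10.00 2010.03.09 2010-03-09 1.41 -
Sophos 3.04.1 4.50 2010-03-10 3.74 -
Trend Micro 9.120-1004 6.906.11 2010-03-09 0.04 -
The Hacker 6.5.2.0 v00228 2010-03-09 0.37 -
"""

if __name__ == "__main__":
    result = parse_virscan_report(SAMPLE_REPORT)
    print(f"{result['file']} md5={result['md5']} sha1={result['sha1']}")
    print(f"{len(result['detections'])}/{result['engines']} engines "
          f"({detection_ratio(result):.0%}): {result['detections']}")
```

The right-to-left anchor matters on rows like Quick Heal, whose engine version "10.00" also looks like a scan time; taking the rightmost match keeps the columns aligned. The Panda row, whose version columns are mangled in the posted report, still parses because only the scan-time token has to be well formed.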

#12 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hi

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run; make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

Please download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Go to the Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on the Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


#13 SGrysman (Member, 18 posts)
Malwarebytes' Anti-Malware 1.44
Database version: 3851
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

3/11/2010 7:36:37 AM
mbam-log-2010-03-11 (07-36-37).txt

Scan type: Quick Scan
Objects scanned: 120304
Time elapsed: 5 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, March 11, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, March 11, 2010 07:39:57
Records in database: 3765136
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
C:\
D:\
E:\
F:\
H:\
I:\
J:\
K:\
Scan statistics
Objects scanned 293987
Threats found 33
Infected objects found 98
Suspicious objects found 24
Scan duration 08:27:03

File name Threat Threats count
C:\Backup\Eudora\Data\Financial.mbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Backup\Eudora\Data\Inbox-Save.mbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Backup\Eudora\Data\Inbox-Save.mbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Backup\Eudora\Data\Irenes Mail.fol\Irene Misc.mbx Suspicious: Exploit.HTML.Iframe.FileDownload 2
C:\Backup\Eudora\Data\Mazal Tov.mbx Suspicious: not-a-virus:URL.IDFrame 1
C:\Backup\Eudora\Data\Torah.mbx Suspicious: Exploit.HTML.Iframe.FileDownload 2
C:\Backup\Program Files\LogMeIn\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
C:\Backup\Program Files\LogMeIn\LogMeIn.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.p 1
C:\Backup\Program Files\LogMeIn\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05814840.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\067161DE.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\072B00A7.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\077A5A29.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07A47BFA.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07F93E25.tmp Infected: Email-Worm.Win32.Bagle.y 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08E5567B.tmp Infected: Email-Worm.Win32.Swen 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09122249.tmp Infected: Email-Worm.Win32.Swen 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\092D722C.tmp Infected: Email-Worm.Win32.Swen 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\093D441A.tmp Infected: Email-Worm.Win32.Swen 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0A7A79DF.tmp Infected: Email-Worm.Win32.Bagle.y 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0EAB246E.tmp Infected: Email-Worm.Win32.Mydoom.a 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\109147B2.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\11AD117E.tmp Infected: Email-Worm.Win32.Bagle.y 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\14B94BDB.tmp Infected: Email-Worm.Win32.Bagle.z 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\172616E8.tmp Infected: Email-Worm.Win32.Bagle.z 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\19CD4463.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\19F86634.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1BD75CA8.tmp Infected: Email-Worm.Win32.NetSky.d 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C1A2AAE.tmp Infected: Email-Worm.Win32.Tanatos.b.dam 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1CC03A30.tmp Infected: Email-Worm.Win32.Bagle.a 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1DB1056D.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\201E729F.tmp Infected: Email-Worm.Win32.Swen 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2054507D.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2076603E.tmp Infected: Email-Worm.Win32.Swen 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\20E731DC.tmp Infected: Email-Worm.Win32.Tanatos.a 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\20F645B2.tmp Infected: Email-Worm.Win32.Swen 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2144355B.tmp Infected: Email-Worm.Win32.Swen 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\24CC1CAA.tmp Infected: Email-Worm.Win32.NetSky.d 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\25C044B2.tmp Infected: Email-Worm.Win32.Swen 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\276904BA.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\297150F2.tmp Infected: Email-Worm.Win32.Mydoom.a 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\29C65FE8.tmp Infected: Email-Worm.Win32.Bagle.e 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\29D97126.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2AD015E0.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2CAB01C7.tmp Infected: Email-Worm.Win32.Mydoom.a 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2CC227AE.tmp Infected: Email-Worm.Win32.Mydoom.a 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2EA01F9C.tmp Infected: Email-Worm.Win32.Mydoom.a 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3139357D.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\33966471.hta Infected: Email-Worm.Win32.Bagle.z 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\343C35A8.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\345668FE.tmp Infected: Email-Worm.Win32.Tanatos.b.dam 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\36A508DF.tmp Infected: Email-Worm.Win32.Bagle.i 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\383764CE.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3CD84BD3.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D0473C9.tmp Infected: Email-Worm.Win32.Tanatos.a 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3F502C4D.tmp Infected: Email-Worm.Win32.Bagle.y 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3FB74E11.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\402A2B53 Infected: Email-Worm.Win32.Klez.k 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\41C02544.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42FA4EA9.tmp Infected: Email-Worm.Win32.Tanatos.a 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42FF44F5.tmp Infected: Email-Worm.Win32.Bagle.a 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\44A90F2C.tmp Infected: Net-Worm.Win32.Mytob.bi 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\46DB2A65.tmp Infected: Email-Worm.Win32.Tanatos.a 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\47AC1902.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\48AE5816.tmp Infected: Email-Worm.Win32.Bagle.n 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\48C827F9.tmp Suspicious: Password-protected-EXE 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4919419F.tmp Suspicious: Password-protected-EXE 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\49CB2D05.tmp Infected: Email-Worm.Win32.NetSky.b 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4AC647C9.tmp Infected: Email-Worm.Win32.Mydoom.a 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4B00014A.tmp Infected: Email-Worm.Win32.Bagle.at 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4B2B5D5A.tmp Infected: Email-Worm.Win32.Mydoom.a 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4BFF3158.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4FB047B2.tmp Infected: Email-Worm.Win32.Tanatos.b 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4FEB3B71.tmp Infected: Email-Worm.Win32.Dumaru.o 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\508846BC.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\514311BC.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\532205E6.tmp Infected: Email-Worm.Win32.Mydoom.a 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\534329C2.tmp Infected: Email-Worm.Win32.Mydoom.a 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\55C44BF3.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\566C6E7A.tmp Infected: Email-Worm.Win32.Tanatos.b.dam 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\56B63624.tmp Infected: Email-Worm.Win32.Mydoom.m 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\58414761.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5FFE7C95.doc Infected: Virus.MSWord.VMPC-based 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\613A4109.tmp Infected: Email-Worm.Win32.Tanatos.b 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\626A69F3.exe Infected: Trojan-Downloader.Win32.Agent.am 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6338759F.tmp Infected: Email-Worm.Win32.Mydoom.a 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\637E6A85.tmp Infected: Email-Worm.Win32.NetSky.d 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6395106B.tmp Infected: Email-Worm.Win32.Bagle.y 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\64343450.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\64976882.tmp Suspicious: Password-protected-EXE 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\652C32B9.tmp Infected: Email-Worm.Win32.Bagle.y 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\683F0732.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\69DD039F.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6A3E6BD8.tmp Infected: Email-Worm.Win32.Tanatos.a 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6BFD0FD3.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\70095AFD.tmp Infected: Net-Worm.Win32.Nimda.e 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7038308E.tmp Infected: Email-Worm.Win32.NetSky.d 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\70C367A2.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\719A2B39.exe Infected: Trojan.Win32.Qhost.x 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\71E44873.tmp Suspicious: Password-protected-EXE 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\725B0B42.tmp Infected: Email-Worm.Win32.NetSky.r 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\72C53E29.tmp Infected: Email-Worm.Win32.Dumaru.a 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\758F4FBD.tmp Infected: Email-Worm.Win32.NetSky.d 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\764F4EF5.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\787A00BF.tmp Infected: Email-Worm.Win32.NetSky.t 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\78EF3EFA.tmp Infected: Email-Worm.Win32.Bagle.y 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\790C3D5A.tmp Infected: Email-Worm.Win32.Tanatos.b 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7CFD3200.zip Suspicious: Password-protected-EXE 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7D005BFD.zip Suspicious: Password-protected-EXE 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7DAD187C.tmp Suspicious: Password-protected-EXE 1
C:\EudoraData\Financial.mbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\EudoraData\Inbox-Saved.fol\2002-4.mbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\EudoraData\Inbox-Saved.fol\2002-4.mbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\EudoraData\Irenes Mail.fol\Irene Misc.mbx Suspicious: Exploit.HTML.Iframe.FileDownload 2
C:\EudoraData\Mazal Tov.mbx Suspicious: not-a-virus:URL.IDFrame 1
C:\EudoraData\Torah.mbx Suspicious: Exploit.HTML.Iframe.FileDownload 2
C:\EudoraData\YIHillcrestorg WebSite.mbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.y 1
Selected area has been scanned.
  • 0
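An added triage helper for the Kaspersky report above (example code, not part of the thread and not Kaspersky's own tooling): it reads lines in the "<path> Infected|Suspicious: <threat> <count>" shape of the posted report and sorts every hit by where it lives, so a reviewer can see at a glance that almost all of the 98 "infected objects" sit in old Norton quarantine files, in archived Eudora mailboxes or under C:\Backup, and that the one rootkit hit is ComboFix's already-quarantined copy of atapi.sys in C:\Qoobox. The sample lines are a constructed subset copied in the shape of the report, and the location rules are this example's own heuristics.

```python
"""Triage a Kaspersky Online Scanner 7 report by where each detection lives.

Added example, not part of the original thread. The containment classes
(quarantined / mailbox / backup / live) are this example's own heuristics.
"""
import re
from collections import Counter

# Constructed sample: a handful of lines in the shape of the posted report.
SAMPLE_REPORT = r"""
File name Threat Threats count
C:\Backup\Eudora\Data\Financial.mbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Backup\Program Files\LogMeIn\LogMeIn.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.p 1
C:\Backup\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05814840.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\EudoraData\Torah.mbx Suspicious: Exploit.HTML.Iframe.FileDownload 2
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.y 1
Selected area has been scanned.
"""

# One detection line: path (may contain spaces), verdict, threat name, hit count.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)


def classify(path):
    """Containment class for a detected file, most contained first."""
    p = path.lower()
    if "\\quarantine\\" in p or p.startswith("c:\\qoobox\\"):
        return "quarantined"   # another tool already isolated this copy
    if p.endswith(".mbx"):
        return "mailbox"       # HTML/iframe hits inside archived e-mail, not executables
    if p.startswith("c:\\backup\\"):
        return "backup"        # an offline copy, not the running install
    return "live"              # on the running system: needs attention


def parse_report(text):
    """Return one dict per detection line; header and footer lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = m.groupdict()
        f["count"] = int(f["count"])
        f["location"] = classify(f["path"])
        # Kaspersky's "not-a-virus:" prefix marks riskware (remote-admin tools etc.), not malware.
        f["riskware"] = f["threat"].startswith("not-a-virus:")
        findings.append(f)
    return findings


def summarize(findings):
    """Hit counts per containment class."""
    totals = Counter()
    for f in findings:
        totals[f["location"]] += f["count"]
    return dict(totals)


def live_detections(findings):
    """Only the hits that sit on the running system."""
    return [f for f in findings if f["location"] == "live"]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(summarize(found))
    for f in found:
        tag = " (riskware)" if f["riskware"] else ""
        print(f"{f['location']:11} {f['threat']}{tag}  {f['path']}")
    print("live detections:", len(live_detections(found)))
```

Run against the full posted report, the "live" bucket is what matters for the thread: every hit there is either already quarantined, a backup copy, or an HTML fragment inside a mailbox file, and the atapi.sys copy is the one ComboFix pulled out of the driver directory.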

#14
Rorschach112
Ralphie
Retired Staff
47,710 posts
hi

CLICK HERE to download the HijackThis Installer:
  • Save HJTInstall.exe to your desktop.
  • Double-click on HJTInstall.exe to run the program.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Accept the license agreement by clicking the "I Accept" button.
  • Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  • Click "Save log" to save the log file and then the log will open in Notepad.
  • Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

  • 0

#15
SGrysman
Member
18 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:57 PM, on 3/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Notpad\Notpad.exe
C:\Program Files\palmOne\Palm.exe
C:\Program Files\Qualcomm\Eudora\Eudora.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://remote.mside.com/XTSAC.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1171242685985
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1171251187593
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/...SetupClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{95C06D76-7F4E-4E6C-9037-01CE3572888B}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 13558 bytes
  • 0
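An added reviewer's helper for the HijackThis log above (example code, not part of the thread and not HijackThis's own logic): it parses the O4 Run-key autostart lines and the O23 service lines in the format of the posted log and flags the entries a helper reads first, namely services whose publisher HijackThis reports as "Unknown owner" and autostarts that name a bare executable instead of a full path. The sample lines are constructed in the shape of the posted log, and the checks are this example's own; a flagged entry is a prompt to look, not a verdict, since plenty of legitimate vendors leave the owner field blank.

```python
"""Review the persistence entries (O4 autostarts, O23 services) in a HijackThis log.

Added example, not part of the original thread or of HijackThis itself; the
review rules are this example's own.
"""
import re

# Constructed sample lines in the shape of the posted HijackThis log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
"""

# O4: hive, value name in brackets, then the command line as stored in the Run key.
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O23: display name, publisher (or "Unknown owner"), image path.
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def executable_of(cmd):
    """The program part of a Run command: the quoted string if present, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def parse_log(text):
    """One dict per O4 or O23 line; all other HijackThis sections are ignored."""
    entries = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            e = m.groupdict()
            e["kind"] = "autostart"
            e["exe"] = executable_of(e["cmd"])
            entries.append(e)
            continue
        m = SVC_RE.match(line)
        if m:
            e = m.groupdict()
            e["kind"] = "service"
            entries.append(e)
    return entries


def review(entries):
    """(kind, name, reason) for each entry worth a second look."""
    flags = []
    for e in entries:
        if e["kind"] == "service" and e["owner"] == "Unknown owner":
            flags.append(("service", e["name"], "publisher not identified"))
        if e["kind"] == "autostart" and ":\\" not in e["exe"]:
            # A bare name is resolved through the search path at logon,
            # so the log alone does not say which file actually runs.
            flags.append(("autostart", e["name"], f"bare executable name {e['exe']!r}"))
    return flags


if __name__ == "__main__":
    for kind, name, reason in review(parse_log(SAMPLE_LOG)):
        print(f"{kind:9} {name}: {reason}")
```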

