08-15-2009, 07:12 PM   #1   Teimoshi (Registered User; Join Date: Mar 2009; Posts: 47; OS: Windows Vista Home Basic Service Pack 2)


Pop-Up Virus

I was on a green site, perfectly safe, right? Then suddenly a pop-up appeared. It was hosted for an application called Personal Antivirus. It obviously did a scan and stuff, saying that I had a lot of critical viruses. The pop-up kept coming back. So I figured that if it was coming up via a safe site (I put a lot of trust in McAfee SiteAdvisor), then what the hell... it must be legit. So, I go through with it and allow the Personal Antivirus to download.

Now the problems begin. My computer is detecting a lot of critical viruses via Personal Antivirus and now I'm freaking out. I'm under the impression that only this application can get rid of the viruses because my other virus scanner is not detecting it. Either that, or I'm being very gullible. Please help and reply as soon as possible. My mother is giving me hell about this, so the sooner the better.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Tim at 18:32:15.29 on Sat 08/15/2009
Internet Explorer: 8.0.6001.18372
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2036.828 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Tim\Program Files\DNA\btdna.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\DAP\DAP.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trillian\trillian.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\PersonalAV\pav.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
c:\program files\avira\antivir desktop\avgnt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Tim\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: : {a77d3539-581d-450c-9e44-a84c415a6172} - c:\windows\system32\msxmlm.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: DAPIELoader Class: {ff6c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\dap\DAPIEL~1.DLL
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [BitTorrent DNA] "c:\users\tim\program files\dna\btdna.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe"
uRun: [SpeedBitVideoAccelerator] c:\program files\speedbit video accelerator\VideoAccelerator.exe
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [Eraser] c:\program files\eraser\Eraser.exe -hide
uRun: [DownloadAccelerator] "c:\program files\dap\DAP.EXE" /STARTUP
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [MSDRV] NetFilter.exe
StartupFolder: c:\users\tim\appdata\roaming\micros~1\windows\startm~1\programs\startup\trillian.lnk - c:\program files\trillian\trillian.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GoogleDesktopNetwork3.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\tim\appdata\roaming\mozilla\firefox\profiles\69ufestr.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\dap\dapfirefox\components\DAPFireFox.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\users\tim\appdata\roaming\mozilla\firefox\profiles\69ufestr.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\users\tim\appdata\roaming\mozilla\firefox\profiles\69ufestr.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\itunes\mozilla plugins\npitunes (2).dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\users\tim\appdata\roaming\mozilla\firefox\profiles\69ufestr.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\users\tim\appdata\roaming\mozilla\firefox\profiles\69ufestr.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\users\tim\appdata\roaming\mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\users\tim\program files\dna\plugins\npbtdna.dll

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, true);
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-5-16 28544]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-16 108289]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-5-18 210216]
R3 NdisrdMP;NdisrdMP;c:\windows\system32\drivers\Ndisrd.sys [2009-8-15 22016]
S2 0005451248886729mcinstcleanup;McAfee Application Installer Cleanup (0005451248886729);c:\windows\temp\000545~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\000545~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate1c999607881732f;Google Update Service (gupdate1c999607881732f);c:\program files\google\update\GoogleUpdate.exe [2009-2-27 133104]
S3 Ndisrd;WinpkFilter Service;c:\windows\system32\drivers\Ndisrd.sys [2009-8-15 22016]

=============== Created Last 30 ================

2009-08-15 18:05 114,688 a------- c:\windows\system32\NetFilter.exe
2009-08-15 18:05 61,440 a------- c:\windows\system32\ndisapi.dll
2009-08-15 18:05 13,312 a------- c:\windows\system32\drivers\snetcfg.exe
2009-08-15 18:04 22,016 a------- c:\windows\system32\drivers\Ndisrd.sys
2009-08-15 17:01 377,344 a------- c:\windows\system32\msxmlm.dll
2009-08-15 17:00 <DIR> --d----- c:\program files\common files\Uninstall
2009-08-15 16:59 <DIR> --d----- c:\program files\PersonalAV
2009-07-29 12:03 143,360 a------- c:\windows\system32\dunzip32.dll
2009-07-17 10:10 <DIR> --d----- c:\program files\iPod

==================== Find3M ====================

2009-08-15 18:06 51,200 a------- c:\windows\inf\infpub.dat
2009-08-15 18:06 143,360 a------- c:\windows\inf\infstrng.dat
2009-08-15 18:06 86,016 a------- c:\windows\inf\infstor.dat
2009-08-05 22:08 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-04-28 13:35 61,224 a------- c:\users\tim\GoToAssistDownloadHelper.exe
2009-03-20 11:06 34 a------- c:\users\tim\jagex_runescape_preferences.dat
2009-02-07 04:17 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 21:57 174 a--sh--- c:\program files\desktop.ini
2006-11-02 07:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-05-11 03:08 2 a--shrot c:\windows\winstart.bat
2009-05-16 13:46 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-05-16 13:46 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-05-16 13:46 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 18:33:50.17 ===============
Attached Files: Attach.rar (3.3 KB)

08-17-2009, 07:18 PM   #2   Teimoshi (Registered User; Join Date: Mar 2009; Posts: 47; OS: Windows Vista Home Basic Service Pack 2)


Re: Pop-Up Virus

Bump. I seriously need help. I keep getting bubble pop-ups saying that my PC is in critical condition. I have a myriad of very dangerous viruses on a scale of 9/10.
08-18-2009, 08:11 AM   #3   TheBruce1 (Moderator, Analyst, Security Team; Join Date: Oct 2006; Location: Dùn Èideann, Scotland; Posts: 5,093; OS: XP)


Re: Pop-Up Virus

Hello

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

========

Please follow all instructions in the order they are given. If you have any questions, please ask before proceeding. It's important that you follow this through until I give you the all clear.

Please DO NOT Attach logs to your posts unless you are advised to do so.

=========

Quote:
It was hosted for an application called Personal Antivirus. It obvious did a scan and stuff, saying that I had some a lot of critical viruses. The pop-up kept coming back. So I figured that if it was coming up via a safe site, (I put a lot of trust in McAfee SiteAdvisor,) then what the hell... it must be legit. So, I go through with it and allow the Personal Antivirus to download.
Personal Antivirus is a rogue, and I am surprised McAfee did not flag it as such; it has been around long enough for it to be in their database.

Quote:
My computer is detecting a lot of critical viruses via Personal Antivirus and now I'm freaking out. I'm under the impression that only this application can get rid of the viruses because my other virus scanner is not detecting it.
Personal Antivirus is throwing these bogus warnings at you as a way to entice you to buy their product, which you must not do. Ignore them; they are just rubbish.

=========

From your attach.txt it would appear as though you have two antivirus applications installed, namely Avira and McAfee. Please uninstall one of them; having two such applications on the same machine can cause a multitude of problems including, but not limited to, a system crash.

==========

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI

If we have helped you in anyway, please consider Donating

Last edited by TheBruce1; 08-18-2009 at 08:13 AM.
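The triage TheBruce1 does by hand above (spotting the two antivirus products in the DDS log and the rogue's own entries) can be scripted. The Python below is an added example, not part of this thread or of the DDS tool: it parses a few constructed lines in the format of the "Running Processes" and "Pseudo HJT Report" sections posted earlier and flags the patterns an analyst checks first; the vendor marker list, rule names and severities are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied in the shape of the DDS "Running Processes"
# and "Pseudo HJT Report" sections posted in this thread (not the full log).
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\PersonalAV\pav.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: : {a77d3539-581d-450c-9e44-a84c415a6172} - c:\windows\system32\msxmlm.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [MSDRV] NetFilter.exe
"""

HEADER_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?): \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
TB_RE = re.compile(r"^TB: (?:(?P<name>.+?): )?\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^[um]Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")

# Path substrings that identify an antivirus vendor (assumed list for this example).
AV_VENDOR_MARKERS = {"mcafee": "McAfee", "avira": "Avira", "avast": "avast!", "panda security": "Panda"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    rule: str
    detail: str


def split_sections(log_text):
    """Group non-empty lines under the '=== NAME ===' header that precedes them."""
    sections, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def executable_of(cmd):
    """Program part of a Run-key command: the quoted path, else the first token."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def installed_av_vendors(process_lines):
    """Distinct antivirus vendors seen among the running-process paths."""
    vendors = set()
    for path in process_lines:
        low = path.lower()
        vendors.update(v for marker, v in AV_VENDOR_MARKERS.items() if marker in low)
    return vendors


def triage(log_text):
    """Run the checks over a DDS log and return findings, most severe first."""
    sections = split_sections(log_text)
    findings = []
    for line in sections.get("Pseudo HJT Report", []):
        if (m := BHO_RE.match(line)) and not m.group("name").strip():
            # A BHO with no display name is the pattern msxmlm.dll shows in this thread.
            findings.append(Finding("high", "unnamed-bho",
                                    f"BHO {{{m.group('clsid')}}} has no display name: {m.group('path')}"))
        elif (m := TB_RE.match(line)) and m.group("path") == "No File":
            findings.append(Finding("low", "orphaned-toolbar",
                                    f"toolbar {{{m.group('clsid')}}} points to a missing file"))
        elif (m := RUN_RE.match(line)):
            exe = executable_of(m.group("cmd"))
            # A bare file name is resolved via the search path: worth a look, not proof of malice.
            if "\\" not in exe and ":" not in exe:
                findings.append(Finding("medium", "unqualified-run-entry",
                                        f"[{m.group('key')}] runs '{exe}' without a full path"))
    vendors = installed_av_vendors(sections.get("Running Processes", []))
    if len(vendors) > 1:
        findings.append(Finding("medium", "multiple-av",
                                "more than one antivirus product running: " + ", ".join(sorted(vendors))))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.rule:22} {f.detail}")
```

Every flagged entry still needs an analyst's judgement; a bare Run-key file name, for instance, is also how some legitimate vendor tray utilities are registered.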
08-19-2009, 02:19 PM   #4   Teimoshi (Registered User; Join Date: Mar 2009; Posts: 47; OS: Windows Vista Home Basic Service Pack 2)


Re: Pop-Up Virus

I did the ComboFix. And just like usual, I have to reinstall the software that allows me internet access. But now the CD-ROM drive won't work. It says that it is marked for deletion. I wouldn't be able to pull it from another computer either, due to network problems, of which I don't know the details.

Last edited by Teimoshi; 08-19-2009 at 02:22 PM.
08-19-2009, 03:59 PM   #5   TheBruce1 (Moderator, Analyst, Security Team; Join Date: Oct 2006; Location: Dùn Èideann, Scotland; Posts: 5,093; OS: XP)


Re: Pop-Up Virus

Hello again

Quote:
I did the ComboFix.
Did it produce a log? If so, it can be found at C:\Combofix.txt; post that log in your reply.

Quote:
And just like usual I have to reinstall the software that can allow me internet access.
What software? Is this a CD from your ISP?

Quote:
It says that it is marked for deletion.
Is this a message from the operating system or from something else?
08-19-2009, 05:19 PM   #6   Teimoshi (Registered User; Join Date: Mar 2009; Posts: 47; OS: Windows Vista Home Basic Service Pack 2)


Re: Pop-Up Virus

A log was indeed produced. My Netgear software was deleted in the process, which was to be expected. I can reinstall it with a CD though. And the message is from the OS. This particular message appears whenever I try to use the CD-ROM drive, Control Panel, IObit Advanced SystemCare, Avast.... There are probably many more, but those were the ones I clicked.

These programs and such, I suspect, contained viruses, and the fact that I receive a message is because they were cleaned out.

Quote:
Illegal operation attempted on a registry key that has been marked for deletion.
Other than that, the only difference in the messages is the destination folders.

Last edited by Teimoshi; 08-19-2009 at 05:28 PM.
08-20-2009, 04:41 AM   #7   TheBruce1 (Moderator, Analyst, Security Team; Join Date: Oct 2006; Location: Dùn Èideann, Scotland; Posts: 5,093; OS: XP)


Re: Pop-Up Virus

Quote:
A log was indeed produced.
Can you post the Combofix.txt?

Quote:
This particular message appears whenever I try to use the CDRom Drive, Control Panel, IObit Advanced SystemCare, Avast
Most likely the infection present is throwing up these false messages. How many antivirus programs do you have installed? Your log indicates two (McAfee and Avira); are you saying you also have Avast installed as well?
08-20-2009, 10:07 AM   #8   Teimoshi (Registered User; Join Date: Mar 2009; Posts: 47; OS: Windows Vista Home Basic Service Pack 2)


Re: Pop-Up Virus

McAfee and Avira have already been taken care of, and yes, I have Avast. As for the infection, I think it's gone now. The only problem is that where those viruses were, Windows is showing those messages because the changes made by ComboFix are pending. At least that's what I think. This being said, Netgear was uninstalled in the process. But the CD-ROM drive gives me that message. So until that is fixed, I can't reinstall the Netgear. And I need that so that I can go online and post the ComboFix.log.
08-20-2009, 10:49 AM   #9   TheBruce1 (Moderator, Analyst, Security Team; Join Date: Oct 2006; Location: Dùn Èideann, Scotland; Posts: 5,093; OS: XP)


Re: Pop-Up Virus

Do you have a USB stick, flash drive or any other removable media device? If so, you can transfer the Combofix.txt from the machine without internet access to the connected machine.
08-21-2009, 11:00 PM   #10   Teimoshi (Registered User; Join Date: Mar 2009; Posts: 47; OS: Windows Vista Home Basic Service Pack 2)


Re: Pop-Up Virus

I did the USB way. I don't know why I didn't think of it earlier.


ComboFix 09-08-18.04 - Tim 08/19/2009 14:53.5.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2036.1090 [GMT -5:00]
Running from: c:\users\Tim\Pictures\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Public\Desktop\avast! Antivirus.lnk
c:\windows\Cursors\aero_link.cur
c:\windows\system32\drivers\ndisrd.sys
c:\windows\system32\drivers\snetcfg.exe
c:\windows\system32\ndisapi.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Ndisrd
-------\Service_NdisrdMP


((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
.

2009-08-19 20:01 . 2009-08-19 20:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-19 20:01 . 2009-08-19 20:01 -------- d-----w- c:\users\boinc_master\AppData\Local\temp
2009-08-16 23:58 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-16 23:58 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-16 23:58 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-16 23:58 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-16 23:58 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-16 23:58 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-16 23:58 . 2009-02-05 20:06 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-08-15 22:00 . 2009-08-15 22:00 -------- d-----w- c:\program files\Common Files\Uninstall
2009-08-15 21:59 . 2009-08-19 19:47 -------- d-----w- c:\program files\PersonalAV
2009-08-06 07:06 . 2009-05-06 19:23 372736 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
2009-07-22 18:49 . 2009-07-07 03:44 103424 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-07-22 18:49 . 2009-07-07 03:44 937984 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-07-22 18:49 . 2009-07-07 03:44 65536 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2009-07-22 18:49 . 2009-07-07 03:44 4722688 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com\libs\cooliris19.dll
2009-07-22 18:49 . 2009-07-07 03:44 106496 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2009-07-22 18:49 . 2009-07-07 03:44 344064 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-19 20:05 . 2009-02-18 02:28 -------- d-----w- c:\users\Tim\AppData\Roaming\BitTorrent
2009-08-19 20:03 . 2009-02-18 02:24 -------- d-----w- c:\users\Tim\AppData\Roaming\DNA
2009-08-19 19:42 . 2009-08-19 19:39 60 ----a-w- c:\windows\system32\file.exe.tmp
2009-08-19 19:40 . 2009-02-28 04:51 -------- d-----w- c:\progra~2\Google Updater
2009-08-17 01:10 . 2009-04-09 00:33 -------- d-----w- c:\program files\DAP
2009-08-16 01:58 . 2009-05-17 00:30 -------- d-----w- c:\program files\Panda Security
2009-08-16 01:50 . 2009-04-24 16:41 -------- d-----w- c:\program files\Trillian
2009-08-14 16:12 . 2009-02-17 18:00 1356 ----a-w- c:\users\Tim\AppData\Local\d3d9caps.dat
2009-08-06 03:08 . 2009-05-17 00:22 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-29 17:19 . 2009-05-18 21:55 -------- d-----w- c:\program files\Common Files\McAfee
2009-07-29 16:58 . 2009-05-18 21:54 -------- d-----w- c:\program files\McAfee
2009-07-19 17:23 . 2008-07-21 16:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-19 02:18 . 2009-02-17 18:11 -------- d-----w- c:\progra~2\SiteAdvisor
2009-07-17 15:11 . 2009-02-17 18:51 -------- d-----w- c:\program files\iTunes
2009-07-17 15:10 . 2009-07-17 15:10 -------- d-----w- c:\program files\iPod
2009-07-17 15:10 . 2009-02-17 18:49 -------- d-----w- c:\program files\Common Files\Apple
2009-07-17 03:22 . 2009-07-17 03:22 390664 ----a-w- c:\users\Tim\AppData\Roaming\Real\RealPlayer\Update\realplayer11gold.exe
2009-07-17 03:22 . 2009-07-17 03:22 390664 ------w- c:\users\Tim\AppData\Roaming\Real\Update\temp\~Upg2\realplayer11gold.exe
2009-07-01 00:19 . 2009-07-03 03:31 106496 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Plugins\npcoolirisplugin.dll
2009-07-01 00:19 . 2009-07-03 03:31 65536 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com-trash\components\coolirisstub.dll
2009-07-01 00:19 . 2009-07-03 03:31 4734976 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com-trash\libs\cooliris19.dll
2009-06-28 22:14 . 2009-06-28 22:14 390664 ------w- c:\users\Tim\AppData\Roaming\Real\Update\temp\~Upg1\realplayer11gold.exe
2009-06-16 01:59 . 2009-06-16 01:59 390664 ------w- c:\users\Tim\AppData\Roaming\Real\Update\temp\~Upg0\realplayer11gold.exe
2009-05-29 18:36 . 2009-05-29 18:36 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-29 18:36 . 2009-05-29 18:36 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-02-18 04:59 . 2009-02-18 04:59 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-05-11 08:08 . 2009-04-27 21:30 2 --shatr- c:\windows\winstart.bat
2008-07-21 19:08 . 2008-07-21 19:08 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"BitTorrent DNA"="c:\users\Tim\Program Files\DNA\btdna.exe" [2009-02-18 321344]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-28 39408]
"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2009-08-15 653104]
"SpeedBitVideoAccelerator"="c:\program files\SpeedBit Video Accelerator\VideoAccelerator.exe" [2009-04-09 2823784]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-04-03 3558648]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2009-08-03 2754048]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-04-22 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-22 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-22 133656]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-09 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-17 4907008]

c:\users\Tim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Trillian.lnk - c:\program files\Trillian\trillian.exe [2009-8-12 1884512]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-7-21 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-07-21 16:41 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7F82728F-9000-4933-A7A2-9629612274F7}"= c:\program files\CyberLink\PowerDVD DX\PowerDVD.exe:CyberLink PowerDVD DX
"{3096D17C-2252-44D2-B1CD-103AE3031544}"= c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:CyberLink PowerDVD DX Resident Program
"{9AB5B2A6-54C4-43EA-9B47-8F6D5FEF3CAD}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{BE578781-C085-466E-B236-DD509BFA43E5}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{BE8B5AB7-5E26-46C5-9A99-A1E5741D620A}"= UDP:c:\program files\BitTorrent\BitTorrent.exe:BitTorrent (TCP-In)
"{FF51C3C7-03A2-4087-915B-DBB054BD6A2A}"= TCP:c:\program files\BitTorrent\BitTorrent.exe:BitTorrent (UDP-In)
"{B93F684C-EC2D-46D5-BA01-0EAEECA00B9B}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{417C7842-2D64-44B2-AD69-04AEF70F6900}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{261CCB95-7527-41CF-82A5-C5A47414FA2B}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{DB02D97A-A617-4AAB-BB90-CB46EA546F0F}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{B5884AF8-F4CF-49D2-9B8E-0517EAD0FE96}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{A2F69965-0704-4896-9E8E-B50F32293F89}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"TCP Query User{948D60C3-F506-431B-905A-834B3127CC7C}c:\\users\\tim\\program files\\dna\\btdna.exe"= UDP:c:\users\tim\program files\dna\btdna.exe:btdna.exe
"UDP Query User{64E8424F-7EDE-4094-8371-DBE9401282A0}c:\\users\\tim\\program files\\dna\\btdna.exe"= TCP:c:\users\tim\program files\dna\btdna.exe:btdna.exe
"TCP Query User{1B33BE8C-460D-4C27-9D70-2CEC126D8D7D}c:\\program files\\trillian\\trillian.exe"= UDP:c:\program files\trillian\trillian.exe:Trillian
"UDP Query User{E620A015-4419-47A6-9CA0-CB18A82DD2AC}c:\\program files\\trillian\\trillian.exe"= TCP:c:\program files\trillian\trillian.exe:Trillian
"{11BCEC9D-3868-4013-A604-B0C68F8DC95A}"= UDP:c:\program files\Spybot - Search & Destroy\SpybotSD.exe:Spybot - Search & Destroy
"{60D3E21F-485C-42FE-B5D4-F1A998384E93}"= TCP:c:\program files\Spybot - Search & Destroy\SpybotSD.exe:Spybot - Search & Destroy
"{14BF07D4-A9D6-47E5-AE59-1C6A484DDA77}"= UDP:c:\program files\AC3Filter\ac3config.exe:AC3Filter Config
"{3E7CA0B6-D932-477A-901E-4369E96C915A}"= TCP:c:\program files\AC3Filter\ac3config.exe:AC3Filter Config
"TCP Query User{70CD9286-FF1C-4E93-9C7B-214FEB56C3D1}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"UDP Query User{F3C77BFB-F84A-4321-AB48-34E1611F19F5}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"TCP Query User{CCF8DD3B-DB94-4F3F-8295-C93144DD5EE1}c:\\program files\\itunes\\itunes.exe"= UDP:c:\program files\itunes\itunes.exe:iTunes
"UDP Query User{8A63F1EF-8EBF-46DE-A2C9-3FAD86E82344}c:\\program files\\itunes\\itunes.exe"= TCP:c:\program files\itunes\itunes.exe:iTunes
"TCP Query User{2857E464-C8E7-4622-A1C3-8235BD88573E}c:\\users\\tim\\desktop\\diablo 1.09 full by toby\\diablo.exe"= UDP:c:\users\tim\desktop\diablo 1.09 full by toby\diablo.exe:diablo.exe
"UDP Query User{72E69072-D35B-4203-9063-8E8B7AF752A3}c:\\users\\tim\\desktop\\diablo 1.09 full by toby\\diablo.exe"= TCP:c:\users\tim\desktop\diablo 1.09 full by toby\diablo.exe:diablo.exe
"{9D62A822-7C21-4051-B7F6-369851F4B6F0}"= UDP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"{EDDACD23-B0B2-4EA7-8A67-CCD58AB6F7C9}"= TCP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"TCP Query User{2EA655D6-A35A-4214-ADFB-CAABC76F614C}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{6D38BBC3-7645-496B-98ED-7FE72926CD7A}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{9F3822EC-70F1-48F8-A027-093D7BAC9BBF}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{6D43BBA2-744F-4841-B738-CEB8B6B1D97F}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{7F52C8BB-EA9C-4575-A8A1-B6F0FC00EBE7}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{4AEA88D1-7B3A-4F3F-BDB2-73B09EA96D0F}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [8/16/2009 6:58 PM 114768]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [12/5/2007 6:17 AM 77824]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [8/16/2009 6:58 PM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [8/16/2009 6:58 PM 51792]
S2 0208051250388053mcinstcleanup;McAfee Application Installer Cleanup (0208051250388053);c:\users\Tim\AppData\Local\Temp\020805~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\users\Tim\AppData\Local\Temp\020805~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate1c999607881732f;Google Update Service (gupdate1c999607881732f);c:\program files\Google\Update\GoogleUpdate.exe [2/27/2009 11:53 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
rsmsvcs REG_MULTI_SZ ntmssvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-18 00:37]

2009-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-28 04:53]

2009-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-28 04:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\iTunes\Mozilla Plugins\npitunes (2).dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\users\Tim\AppData\Roaming\Mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\users\Tim\Program Files\DNA\plugins\npbtdna.dll

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, true);
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-19 15:03
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\windows\System32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-08-19 15:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-19 20:09
ComboFix2.txt 2009-05-18 19:20

Pre-Run: 155,930,066,944 bytes free
Post-Run: 155,877,023,744 bytes free

308 --- E O F --- 2009-05-06 08:01
Old 08-23-2009, 03:25 AM   #11 (permalink)
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann,Scotland.
Posts: 5,093
OS: XP


Re: Pop-Up Virus

Hello again

If you still do not have internet access on the infected machine, you'll need to transfer the CFScript.txt to the infected machine.

=========

P2P

P2P - I see you have P2P software (BitTorrent and DNA) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

References for the risk of these programs are Here, Here and Here.

============

Open notepad and copy/paste the text in the quotebox below into it:

Code:
Folder::
c:\program files\PersonalAV
c:\program files\Common Files\Uninstall

File::
c:\windows\winstart.bat

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{11BCEC9D-3868-4013-A604-B0C68F8DC95A}"=-
"{60D3E21F-485C-42FE-B5D4-F1A998384E93}"=-

Driver::
0208051250388053mcinstcleanup

DDS::
uInternet Settings,ProxyOverride = *.local

Save this as CFscript

Referring to the picture above, drag CFscript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

==========

Let me know in your reply whether you have removed BitTorrent and DNA, and whether you have internet access on the infected machine.
__________________
Member of ASAP since 2007
Member of UNITE since 2008

Old 08-29-2009, 07:35 PM   #12 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 47
OS: Windows Vista Home Basic Service Pack 2


Re: Pop-Up Virus

Sorry it took so long.

You should note that the ComboFix program had also become marked for deletion after its initial scan. I was still able to get it to work by switching the computer to Safe Mode. There was something about it having administrative denial too during the scan, in which I had noticed that the administrative rights logo was not on the logo, the little shield with the colors. I think being in Safe Mode was the cause of that.

Regardless, I was able to procure a log.

As to your request, no, I still don't have access, and no, I haven't removed BitTorrent and DNA... I don't see them as hazardous programs; besides, I always make a note to remove whatever downloads off the list to avoid seeding or leeching, if that amounts to anything.

---------------------------------------------------------------
ComboFix 09-08-22.06 - Tim 08/29/2009 19:56.6.1 - NTFSx86 MINIMAL
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2036.1639 [GMT -5:00]
Running from: c:\users\Tim\Documents\ComboFix.exe
Command switches used :: c:\users\Tim\Desktop\CFscript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\winstart.bat"
.
/wow section not completed

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_0208051250388053mcinstcleanup


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-30 )))))))))))))))))))))))))))))))
.

2009-08-19 20:09 . 2009-08-30 01:03 -------- d-----w- c:\users\Tim\AppData\Local\temp
2009-08-19 20:09 . 2009-08-19 20:09 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-08-19 20:09 . 2009-08-19 20:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-19 20:09 . 2009-08-19 20:09 -------- d-----w- c:\users\boinc_master\AppData\Local\temp
2009-08-16 23:58 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-16 23:58 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-16 23:58 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-16 23:58 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-16 23:58 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-16 23:58 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-16 23:58 . 2009-02-05 20:06 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-08-15 22:00 . 2009-08-15 22:00 -------- d-----w- c:\program files\Common Files\Uninstall
2009-08-15 21:59 . 2009-08-19 20:02 -------- d-----w- c:\program files\PersonalAV
2009-08-06 07:06 . 2009-05-06 19:23 372736 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-30 01:04 . 2009-02-18 02:28 -------- d-----w- c:\users\Tim\AppData\Roaming\BitTorrent
2009-08-30 01:03 . 2009-02-18 02:24 -------- d-----w- c:\users\Tim\AppData\Roaming\DNA
2009-08-29 04:49 . 2009-02-28 04:51 -------- d-----w- c:\progra~2\Google Updater
2009-08-19 19:42 . 2009-08-19 19:39 60 ----a-w- c:\windows\system32\file.exe.tmp
2009-08-17 01:10 . 2009-04-09 00:33 -------- d-----w- c:\program files\DAP
2009-08-16 01:58 . 2009-05-17 00:30 -------- d-----w- c:\program files\Panda Security
2009-08-16 01:50 . 2009-04-24 16:41 -------- d-----w- c:\program files\Trillian
2009-08-14 16:12 . 2009-02-17 18:00 1356 ----a-w- c:\users\Tim\AppData\Local\d3d9caps.dat
2009-08-06 03:08 . 2009-05-17 00:22 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-29 17:19 . 2009-05-18 21:55 -------- d-----w- c:\program files\Common Files\McAfee
2009-07-29 16:58 . 2009-05-18 21:54 -------- d-----w- c:\program files\McAfee
2009-07-19 17:23 . 2008-07-21 16:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-19 02:18 . 2009-02-17 18:11 -------- d-----w- c:\progra~2\SiteAdvisor
2009-07-17 15:11 . 2009-02-17 18:51 -------- d-----w- c:\program files\iTunes
2009-07-17 15:10 . 2009-07-17 15:10 -------- d-----w- c:\program files\iPod
2009-07-17 15:10 . 2009-02-17 18:49 -------- d-----w- c:\program files\Common Files\Apple
2009-07-17 03:22 . 2009-07-17 03:22 390664 ----a-w- c:\users\Tim\AppData\Roaming\Real\RealPlayer\Update\realplayer11gold.exe
2009-07-17 03:22 . 2009-07-17 03:22 390664 ------w- c:\users\Tim\AppData\Roaming\Real\Update\temp\~Upg2\realplayer11gold.exe
2009-07-07 03:44 . 2009-07-22 18:49 103424 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-07-07 03:44 . 2009-07-22 18:49 937984 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-07-07 03:44 . 2009-07-22 18:49 65536 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2009-07-07 03:44 . 2009-07-22 18:49 4722688 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com\libs\cooliris19.dll
2009-07-07 03:44 . 2009-07-22 18:49 106496 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2009-07-07 03:44 . 2009-07-22 18:49 344064 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-07-01 00:19 . 2009-07-03 03:31 106496 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Plugins\npcoolirisplugin.dll
2009-07-01 00:19 . 2009-07-03 03:31 65536 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com-trash\components\coolirisstub.dll
2009-07-01 00:19 . 2009-07-03 03:31 4734976 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com-trash\libs\cooliris19.dll
2009-06-28 22:14 . 2009-06-28 22:14 390664 ------w- c:\users\Tim\AppData\Roaming\Real\Update\temp\~Upg1\realplayer11gold.exe
2009-06-16 01:59 . 2009-06-16 01:59 390664 ------w- c:\users\Tim\AppData\Roaming\Real\Update\temp\~Upg0\realplayer11gold.exe
2009-02-18 04:59 . 2009-02-18 04:59 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-05-11 08:08 . 2009-04-27 21:30 2 --shatr- c:\windows\winstart.bat
2008-07-21 19:08 . 2008-07-21 19:08 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-08-19_20.04.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2009-08-30 01:04 61682 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:02 . 2009-08-30 01:04 69390 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-02-05 20:45 . 2009-08-30 01:02 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-02-05 20:45 . 2009-08-19 20:03 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-05 20:45 . 2009-08-30 01:02 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-05 20:45 . 2009-08-19 20:03 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-05 20:45 . 2009-08-30 01:02 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-02-05 20:45 . 2009-08-19 20:03 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-02-05 20:50 . 2009-08-30 01:04 7798 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3954750732-2167841546-1595093690-1000_UserData.bin
+ 2006-11-02 10:33 . 2009-08-30 00:39 595446 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-08-19 19:45 595446 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-08-30 00:39 101144 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-08-19 19:45 101144 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"BitTorrent DNA"="c:\users\Tim\Program Files\DNA\btdna.exe" [2009-02-18 321344]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-28 39408]
"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2009-08-15 653104]
"SpeedBitVideoAccelerator"="c:\program files\SpeedBit Video Accelerator\VideoAccelerator.exe" [2009-04-09 2823784]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-04-03 3558648]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2009-08-03 2754048]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-04-22 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-22 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-22 133656]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-09 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-17 4907008]

c:\users\Tim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Trillian.lnk - c:\program files\Trillian\trillian.exe [2009-8-12 1884512]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-7-21 50688]

c:\users\Tim\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\
Trillian.lnk - c:\program files\Trillian\trillian.exe [2009-8-12 1884512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-07-21 16:41 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7F82728F-9000-4933-A7A2-9629612274F7}"= c:\program files\CyberLink\PowerDVD DX\PowerDVD.exe:CyberLink PowerDVD DX
"{3096D17C-2252-44D2-B1CD-103AE3031544}"= c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:CyberLink PowerDVD DX Resident Program
"{9AB5B2A6-54C4-43EA-9B47-8F6D5FEF3CAD}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{BE578781-C085-466E-B236-DD509BFA43E5}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{BE8B5AB7-5E26-46C5-9A99-A1E5741D620A}"= UDP:c:\program files\BitTorrent\BitTorrent.exe:BitTorrent (TCP-In)
"{FF51C3C7-03A2-4087-915B-DBB054BD6A2A}"= TCP:c:\program files\BitTorrent\BitTorrent.exe:BitTorrent (UDP-In)
"{B93F684C-EC2D-46D5-BA01-0EAEECA00B9B}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{417C7842-2D64-44B2-AD69-04AEF70F6900}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{261CCB95-7527-41CF-82A5-C5A47414FA2B}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{DB02D97A-A617-4AAB-BB90-CB46EA546F0F}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{B5884AF8-F4CF-49D2-9B8E-0517EAD0FE96}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{A2F69965-0704-4896-9E8E-B50F32293F89}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"TCP Query User{948D60C3-F506-431B-905A-834B3127CC7C}c:\\users\\tim\\program files\\dna\\btdna.exe"= UDP:c:\users\tim\program files\dna\btdna.exe:btdna.exe
"UDP Query User{64E8424F-7EDE-4094-8371-DBE9401282A0}c:\\users\\tim\\program files\\dna\\btdna.exe"= TCP:c:\users\tim\program files\dna\btdna.exe:btdna.exe
"TCP Query User{1B33BE8C-460D-4C27-9D70-2CEC126D8D7D}c:\\program files\\trillian\\trillian.exe"= UDP:c:\program files\trillian\trillian.exe:Trillian
"UDP Query User{E620A015-4419-47A6-9CA0-CB18A82DD2AC}c:\\program files\\trillian\\trillian.exe"= TCP:c:\program files\trillian\trillian.exe:Trillian
"{14BF07D4-A9D6-47E5-AE59-1C6A484DDA77}"= UDP:c:\program files\AC3Filter\ac3config.exe:AC3Filter Config
"{3E7CA0B6-D932-477A-901E-4369E96C915A}"= TCP:c:\program files\AC3Filter\ac3config.exe:AC3Filter Config
"TCP Query User{70CD9286-FF1C-4E93-9C7B-214FEB56C3D1}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"UDP Query User{F3C77BFB-F84A-4321-AB48-34E1611F19F5}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"TCP Query User{CCF8DD3B-DB94-4F3F-8295-C93144DD5EE1}c:\\program files\\itunes\\itunes.exe"= UDP:c:\program files\itunes\itunes.exe:iTunes
"UDP Query User{8A63F1EF-8EBF-46DE-A2C9-3FAD86E82344}c:\\program files\\itunes\\itunes.exe"= TCP:c:\program files\itunes\itunes.exe:iTunes
"TCP Query User{2857E464-C8E7-4622-A1C3-8235BD88573E}c:\\users\\tim\\desktop\\diablo 1.09 full by toby\\diablo.exe"= UDP:c:\users\tim\desktop\diablo 1.09 full by toby\diablo.exe:diablo.exe
"UDP Query User{72E69072-D35B-4203-9063-8E8B7AF752A3}c:\\users\\tim\\desktop\\diablo 1.09 full by toby\\diablo.exe"= TCP:c:\users\tim\desktop\diablo 1.09 full by toby\diablo.exe:diablo.exe
"{9D62A822-7C21-4051-B7F6-369851F4B6F0}"= UDP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"{EDDACD23-B0B2-4EA7-8A67-CCD58AB6F7C9}"= TCP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"TCP Query User{2EA655D6-A35A-4214-ADFB-CAABC76F614C}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{6D38BBC3-7645-496B-98ED-7FE72926CD7A}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{9F3822EC-70F1-48F8-A027-093D7BAC9BBF}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{6D43BBA2-744F-4841-B738-CEB8B6B1D97F}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{7F52C8BB-EA9C-4575-A8A1-B6F0FC00EBE7}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{4AEA88D1-7B3A-4F3F-BDB2-73B09EA96D0F}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [8/16/2009 6:58 PM 114768]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [12/5/2007 6:17 AM 77824]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [8/16/2009 6:58 PM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [8/16/2009 6:58 PM 51792]
S2 gupdate1c999607881732f;Google Update Service (gupdate1c999607881732f);c:\program files\Google\Update\GoogleUpdate.exe [2/27/2009 11:53 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
rsmsvcs REG_MULTI_SZ ntmssvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\iTunes\Mozilla Plugins\npitunes (2).dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\users\Tim\AppData\Roaming\Mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\users\Tim\Program Files\DNA\plugins\npbtdna.dll

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, true);
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-29 20:03
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-08-30 20:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-30 01:08
ComboFix2.txt 2009-08-19 20:11
ComboFix3.txt 2009-05-18 19:20

Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 155,482,824,704 bytes free

312 --- E O F --- 2009-05-06 08:01

Last edited by Teimoshi; 08-29-2009 at 07:38 PM.
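The Reg Loading Points section of the log above is the part an analyst reads first: which executables start with Windows, from where, and what has been quietly switched off. What follows is an added example for this thread, not ComboFix code and not anything the poster ran. It applies three of the usual first-pass checks to ComboFix's own output format: Run entries whose executable lives in a user-writable directory, anything listed under AppInit_DLLs (loaded into every process that links user32.dll), and Security Center monitoring entries set to disabled. SAMPLE_LOG is excerpted from the log above; the function names, the user-writable markers and the finding categories are the author's assumptions.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log.

Added example for this thread; it is not ComboFix code and not the poster's.
SAMPLE_LOG is excerpted from the log posted above.  Heuristics, names and the
list of user-writable markers are the author's assumptions, not anything
ComboFix itself reports.
"""
import re

SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"BitTorrent DNA"="c:\users\Tim\Program Files\DNA\btdna.exe" [2009-02-18 321344]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-28 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-17 4907008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<rest>.*)$')
# A drive-letter path ending in an executable extension.  Non-greedy, so the
# match stops at the first such extension inside the value.
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]]*?\.(?:exe|dll|bat|cmd|scr)', re.I)

# Markers of directories a standard user can write to (assumption: the
# author's list, tuned for the 32-bit Vista layout seen in the log).
USER_WRITABLE_MARKERS = ("c:\\users\\", "\\appdata\\", "\\temp\\")


def parse_entries(text):
    """Yield (key, name, rest) for every "name"=value line under a [key]."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), m.group("rest")


def triage(text):
    """Return a list of findings; each is a dict with kind/key/name/detail."""
    findings = []
    for key, name, rest in parse_entries(text):
        k = key.lower()
        if k.endswith("\\currentversion\\run"):
            # Take the last path in the value: ComboFix prints "exe" - fullpath
            # when the registry value itself is not a full path.
            paths = PATH_RE.findall(rest)
            if not paths:
                continue
            path = paths[-1].lower()
            if any(marker in path for marker in USER_WRITABLE_MARKERS):
                findings.append({"kind": "user_writable_autorun", "key": key,
                                 "name": name, "detail": path})
        elif k.endswith("\\currentversion\\windows") and name.lower() == "appinit_dlls":
            # Every DLL listed here is injected into each process that loads user32.dll.
            for dll in PATH_RE.findall(rest):
                findings.append({"kind": "appinit_dll", "key": key,
                                 "name": name, "detail": dll.lower()})
        elif "\\security center\\monitoring\\" in k and name.lower() == "disablemonitoring":
            if rest.strip().lower() == "dword:00000001":
                product = key.rsplit("\\", 1)[-1]
                findings.append({"kind": "monitoring_disabled", "key": key,
                                 "name": name, "detail": product})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:24} {f['name']:20} {f['detail']}")
```

Hits are leads, not verdicts. On this sample the one user-profile autorun is btdna.exe, a BitTorrent component the poster installed, and the AppInit DLL is Google Desktop's by its path; the value of the check is that the same two places are where a rogue antivirus would also put itself, so each hit is closed out by comparing the file's publisher and timestamp with what the user remembers installing. The disabled McAfee monitoring entry is the kind of change worth asking the user about directly.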
Old 08-30-2009, 03:40 AM   #13 (permalink)
Moderator, Analyst, Security Team
 
 
Join Date: Oct 2006
Location: Dùn Èideann,Scotland.
Posts: 5,093
OS: XP


Re: Pop-Up Virus

Hello again

I was about to close this thread today as you had not responded within seven days; you'll need to respond in a more timely manner if we are to remove the infections present.

If you can run the tool below in normal mode, that would be best; if, however, you receive the fake deletion message, run it in safe mode.

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
__________________
Member of ASAP since 2007
Member of UNITE since 2008


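The log the procedure above produces comes back, in the reply below, as blocks of Name / PID / Hidden / Window Visible lines for processes and Module Name / Service Name / Module Base / Module End / Hidden lines for kernel modules. What the analyst reads it for is narrow: anything marked Hidden: Yes, images or drivers running from outside the Windows and Program Files trees, and kernel module address ranges that overlap (a sign the module list has been tampered with). The script below is an added example for this thread, not SysProt's code and not a poster's; it parses that format and applies those three checks. SAMPLE_LOG is constructed: its records are copied from the log in the reply below, plus one invented process (example_hidden.exe, PID 3999) marked Hidden: Yes so that a hit is visible. Function names and the path heuristic are the author's assumptions.

```python
"""Triage a SysProt AntiRootkit log (Process and Kernel Modules sections).

Added example for this thread; not SysProt code and not a poster's.  SAMPLE_LOG
is constructed: the records are copied from the log in the reply below, plus
one invented process (example_hidden.exe, PID 3999) marked Hidden: Yes so the
output shows what a hit looks like.  Names and heuristics are the author's.
"""
import re

SECTION_RE = re.compile(r"^(Process|Kernel Modules):$")
# Where a legitimate process image or driver normally lives on this machine
# (assumption: author's list for the 32-bit Vista layout in the thread).
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

SAMPLE_LOG = r"""
Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: C:\Windows\System32\smss.exe
PID: 424
Hidden: No
Window Visible: No

Name: C:\Users\Tim\Program Files\DNA\btdna.exe
PID: 796
Hidden: No
Window Visible: No

Name: C:\Users\Tim\AppData\Local\Temp\example_hidden.exe
PID: 3999
Hidden: Yes
Window Visible: No

******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Users\Tim\Desktop\SysProt\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: A8B96000
Module End: A8BA1000
Hidden: No

Module Name: C:\Windows\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 81C07000
Module End: 81FC0000
Hidden: No

Module Name: C:\Windows\system32\hal.dll
Service Name: ---
Module Base: 81FC0000
Module End: 81FF3000
Hidden: No
"""


def parse_sysprot(text):
    """Return {"Process": [record, ...], "Kernel Modules": [record, ...]}.

    A record is a dict of the "Key: value" lines of one blank-line-separated
    block; a line of asterisks also terminates a block.
    """
    sections = {"Process": [], "Kernel Modules": []}
    section, record = None, {}

    def flush():
        nonlocal record
        if record and section in sections:
            sections[section].append(record)
        record = {}

    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            flush()
            section = m.group(1)
            continue
        if not line or line.startswith("*"):
            flush()
            continue
        key, sep, value = line.partition(":")
        if sep and section:
            record[key.strip()] = value.strip()
    flush()
    return sections


def normalize(path):
    """Lower-case and strip the \\??\\ NT prefix SysProt prints for some drivers."""
    p = path.strip().lower()
    return p[4:] if p.startswith("\\??\\") else p


def overlapping_modules(modules):
    """Pairs of (name, name) whose [base, end) ranges overlap after sorting."""
    ranges = []
    for m in modules:
        try:
            base, end = int(m["Module Base"], 16), int(m["Module End"], 16)
        except (KeyError, ValueError):
            continue
        ranges.append((base, end, normalize(m["Module Name"])))
    ranges.sort()
    return [(n1, n2) for (b1, e1, n1), (b2, e2, n2) in zip(ranges, ranges[1:]) if b2 < e1]


def triage(text):
    """Return a list of (kind, detail) findings for a SysProt log."""
    parsed = parse_sysprot(text)
    findings = []
    for proc in parsed["Process"]:
        name = normalize(proc.get("Name", ""))
        if proc.get("Hidden") == "Yes":
            findings.append(("hidden_process", name))
        if name.startswith("c:\\") and not name.startswith(SYSTEM_PREFIXES):
            findings.append(("process_outside_system_dirs", name))
    for mod in parsed["Kernel Modules"]:
        name = normalize(mod.get("Module Name", ""))
        if mod.get("Hidden") == "Yes":
            findings.append(("hidden_module", name))
        if name.startswith("c:\\") and not name.startswith(SYSTEM_PREFIXES):
            findings.append(("driver_outside_system_dirs", name))
    for a, b in overlapping_modules(parsed["Kernel Modules"]):
        findings.append(("module_overlap", f"{a} / {b}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:28} {detail}")
```

Two of the sample's hits are expected and illustrate why the output is a worklist rather than a verdict: SysProtDrv.sys is the scanner's own driver, loaded from the desktop folder it was unzipped into, and btdna.exe is the BitTorrent DNA client already seen in the ComboFix Run keys. A genuine Hidden: Yes entry, or an overlap between two module ranges, is the result that would change the course of the cleanup.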
Old 08-30-2009, 04:21 PM   #14 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 47
OS: Windows Vista Home Basic Service Pack 2


Re: Pop-Up Virus

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\Windows\System32\smss.exe
PID: 424
Hidden: No
Window Visible: No

Name: C:\Windows\System32\csrss.exe
PID: 492
Hidden: No
Window Visible: No

Name: C:\Windows\System32\wininit.exe
PID: 536
Hidden: No
Window Visible: No

Name: C:\Windows\System32\csrss.exe
PID: 544
Hidden: No
Window Visible: No

Name: C:\Windows\System32\winlogon.exe
PID: 592
Hidden: No
Window Visible: No

Name: C:\Windows\System32\services.exe
PID: 616
Hidden: No
Window Visible: No

Name: C:\Windows\System32\lsass.exe
PID: 632
Hidden: No
Window Visible: No

Name: C:\Windows\System32\lsm.exe
PID: 640
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 804
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 864
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 900
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 1016
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 1056
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 1072
Hidden: No
Window Visible: No

Name: C:\Windows\System32\audiodg.exe
PID: 1144
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 1164
Hidden: No
Window Visible: No

Name: C:\Windows\System32\SLsvc.exe
PID: 1184
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 1220
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 1360
Hidden: No
Window Visible: No

Name: C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PID: 1528
Hidden: No
Window Visible: No

Name: C:\Program Files\Alwil Software\Avast4\ashServ.exe
PID: 1548
Hidden: No
Window Visible: No

Name: C:\Windows\System32\dwm.exe
PID: 1660
Hidden: No
Window Visible: No

Name: C:\Windows\explorer.exe
PID: 1684
Hidden: No
Window Visible: No

Name: C:\Windows\RtHDVCpl.exe
PID: 1808
Hidden: No
Window Visible: No

Name: C:\Windows\System32\igfxtray.exe
PID: 1816
Hidden: No
Window Visible: No

Name: C:\Windows\System32\hkcmd.exe
PID: 1824
Hidden: No
Window Visible: No

Name: C:\Windows\System32\igfxpers.exe
PID: 1832
Hidden: No
Window Visible: No

Name: C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PID: 1852
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PID: 1920
Hidden: No
Window Visible: No

Name: C:\Windows\System32\spoolsv.exe
PID: 404
Hidden: No
Window Visible: No

Name: C:\Windows\System32\taskeng.exe
PID: 432
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 452
Hidden: No
Window Visible: No

Name: C:\Program Files\iTunes\iTunesHelper.exe
PID: 500
Hidden: No
Window Visible: No

Name: C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PID: 548
Hidden: No
Window Visible: No

Name: C:\Program Files\Windows Sidebar\sidebar.exe
PID: 528
Hidden: No
Window Visible: No

Name: C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PID: 416
Hidden: No
Window Visible: No

Name: C:\Users\Tim\Program Files\DNA\btdna.exe
PID: 796
Hidden: No
Window Visible: No

Name: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PID: 748
Hidden: No
Window Visible: No

Name: C:\Program Files\BitTorrent\bittorrent.exe
PID: 852
Hidden: No
Window Visible: No

Name: C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
PID: 912
Hidden: No
Window Visible: No

Name: C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
PID: 1084
Hidden: No
Window Visible: No

Name: C:\Program Files\Eraser\Eraser.exe
PID: 1268
Hidden: No
Window Visible: No

Name: C:\Program Files\DAP\DAP.exe
PID: 1308
Hidden: No
Window Visible: No

Name: C:\Program Files\Windows Media Player\wmpnscfg.exe
PID: 1316
Hidden: No
Window Visible: No

Name: C:\Windows\System32\AERTSrv.exe
PID: 940
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PID: 2052
Hidden: No
Window Visible: No

Name: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 2072
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 2196
Hidden: No
Window Visible: No

Name: C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PID: 2284
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 2372
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 2480
Hidden: No
Window Visible: No

Name: C:\Windows\System32\SearchIndexer.exe
PID: 2536
Hidden: No
Window Visible: No

Name: C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
PID: 2596
Hidden: No
Window Visible: No

Name: C:\Windows\System32\drivers\XAudio.exe
PID: 2608
Hidden: No
Window Visible: No

Name: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PID: 2904
Hidden: No
Window Visible: No

Name: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PID: 2928
Hidden: No
Window Visible: No

Name: C:\Program Files\iPod\bin\iPodService.exe
PID: 3548
Hidden: No
Window Visible: No

Name: C:\Windows\System32\igfxsrvc.exe
PID: 3824
Hidden: No
Window Visible: No

Name: C:\Program Files\Windows Media Player\wmpnetwk.exe
PID: 4012
Hidden: No
Window Visible: No

Name: C:\Windows\System32\wuauclt.exe
PID: 3740
Hidden: No
Window Visible: No

Name: C:\Users\Tim\Desktop\SysProt\SysProt\SysProt.exe
PID: 3284
Hidden: No
Window Visible: Yes

Name: C:\Windows\System32\SearchProtocolHost.exe
PID: 2320
Hidden: No
Window Visible: No

Name: C:\Windows\System32\SearchFilterHost.exe
PID: 1392
Hidden: No
Window Visible: No

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Users\Tim\Desktop\SysProt\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: A8B96000
Module End: A8BA1000
Hidden: No

Module Name: C:\Windows\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 81C07000
Module End: 81FC0000
Hidden: No

Module Name: C:\Windows\system32\hal.dll
Service Name: ---
Module Base: 81FC0000
Module End: 81FF3000
Hidden: No

Module Name: C:\Windows\system32\kdcom.dll
Service Name: ---
Module Base: 8040F000
Module End: 80417000
Hidden: No

Module Name: C:\Windows\system32\mcupdate_GenuineIntel.dll
Service Name: ---
Module Base: 80417000
Module End: 80477000
Hidden: No

Module Name: C:\Windows\system32\PSHED.dll
Service Name: ---
Module Base: 80477000
Module End: 80488000
Hidden: No

Module Name: C:\Windows\system32\BOOTVID.dll
Service Name: ---
Module Base: 80488000
Module End: 80490000
Hidden: No

Module Name: C:\Windows\system32\CLFS.SYS
Service Name: CLFS
Module Base: 80490000
Module End: 804D1000
Hidden: No

Module Name: C:\Windows\system32\CI.dll
Service Name: ---
Module Base: 804D1000
Module End: 805B1000
Hidden: No

Module Name: C:\Windows\system32\drivers\Wdf01000.sys
Service Name: Wdf01000
Module Base: 80601000
Module End: 8067D000
Hidden: No

Module Name: C:\Windows\system32\drivers\WDFLDR.SYS
Service Name: ---
Module Base: 8067D000
Module End: 8068A000
Hidden: No

Module Name: C:\Windows\system32\drivers\acpi.sys
Service Name: ACPI
Module Base: 8068A000
Module End: 806D0000
Hidden: No

Module Name: C:\Windows\system32\drivers\WMILIB.SYS
Service Name: ---
Module Base: 806D0000
Module End: 806D9000
Hidden: No

Module Name: C:\Windows\system32\drivers\msisadrv.sys
Service Name: msisadrv
Module Base: 806D9000
Module End: 806E1000
Hidden: No

Module Name: C:\Windows\system32\drivers\pci.sys
Service Name: pci
Module Base: 806E1000
Module End: 80708000
Hidden: No

Module Name: C:\Windows\System32\drivers\partmgr.sys
Service Name: partmgr
Module Base: 80708000
Module End: 80717000
Hidden: No

Module Name: C:\Windows\system32\drivers\volmgr.sys
Service Name: volmgr
Module Base: 80717000
Module End: 80726000
Hidden: No

Module Name: C:\Windows\System32\drivers\volmgrx.sys
Service Name: volmgrx
Module Base: 80726000
Module End: 80770000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\intelide.sys
Service Name: intelide
Module Base: 80770000
Module End: 80777000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: 80777000
Module End: 80785000
Hidden: No

Module Name: C:\Windows\system32\drivers\pciide.sys
Service Name: pciide
Module Base: 80785000
Module End: 8078C000
Hidden: No

Module Name: C:\Windows\System32\drivers\mountmgr.sys
Service Name: MountMgr
Module Base: 8078C000
Module End: 8079C000
Hidden: No

Module Name: C:\Windows\system32\drivers\atapi.sys
Service Name: atapi
Module Base: 8079C000
Module End: 807A4000
Hidden: No

Module Name: C:\Windows\system32\drivers\ataport.SYS
Service Name: ---
Module Base: 807A4000
Module End: 807C2000
Hidden: No

Module Name: C:\Windows\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: 807C2000
Module End: 807F4000
Hidden: No

Module Name: C:\Windows\system32\drivers\fileinfo.sys
Service Name: FileInfo
Module Base: 805B1000
Module End: 805C1000
Hidden: No

Module Name: C:\Windows\System32\Drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: 807F4000
Module End: 807FD000
Hidden: No

Module Name: C:\Windows\System32\Drivers\ksecdd.sys
Service Name: KSecDD
Module Base: 8220A000
Module End: 8227B000
Hidden: No

Module Name: C:\Windows\system32\drivers\ndis.sys
Service Name: NDIS
Module Base: 8227B000
Module End: 82386000
Hidden: No

Module Name: C:\Windows\system32\drivers\NETIO.SYS
Service Name: ---
Module Base: 823B1000
Module End: 823EB000
Hidden: No

Module Name: C:\Windows\System32\Drivers\Ntfs.sys
Service Name: Ntfs
Module Base: 8780F000
Module End: 8791E000
Hidden: No

Module Name: C:\Windows\system32\drivers\volsnap.sys
Service Name: volsnap
Module Base: 8791E000
Module End: 87957000
Hidden: No

Module Name: C:\Windows\System32\Drivers\spldr.sys
Service Name: spldr
Module Base: 87957000
Module End: 8795F000
Hidden: No

Module Name: C:\Windows\System32\Drivers\mup.sys
Service Name: Mup
Module Base: 8795F000
Module End: 8796E000
Hidden: No

Module Name: C:\Windows\System32\drivers\ecache.sys
Service Name: Ecache
Module Base: 8796E000
Module End: 87995000
Hidden: No

Module Name: C:\Windows\system32\drivers\disk.sys
Service Name: disk
Module Base: 87995000
Module End: 879A6000
Hidden: No

Module Name: C:\Windows\system32\drivers\CLASSPNP.SYS
Service Name: ---
Module Base: 879A6000
Module End: 879C7000
Hidden: No

Module Name: C:\Windows\system32\drivers\crcdisk.sys
Service Name: crcdisk
Module Base: 879C7000
Module End: 879D0000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\tunmp.sys
Service Name: tunmp
Module Base: 879DD000
Module End: 879E6000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: 879E6000
Module End: 879F5000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\igdkmd32.sys
Service Name: igfx
Module Base: 8AE09000
Module End: 8B456000
Hidden: No

Module Name: C:\Windows\System32\drivers\dxgkrnl.sys
Service Name: DXGKrnl
Module Base: 8B456000
Module End: 8B4F5000
Hidden: No

Module Name: C:\Windows\System32\drivers\watchdog.sys
Service Name: ---
Module Base: 8B4F5000
Module End: 8B502000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\e1e6032.sys
Service Name: e1express
Module Base: 8B502000
Module End: 8B53D000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: 8B53D000
Module End: 8B548000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: 8B548000
Module End: 8B586000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: 8B586000
Module End: 8B595000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: 8B595000
Module End: 8B5A7000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\MRVW13B.sys
Service Name: MRV6X32P
Module Base: 8B5A7000
Module End: 8B5EA000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\cdrom.sys
Service Name: cdrom
Module Base: 805C1000
Module End: 805D9000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
Service Name: GEARAspiWDM
Module Base: 8B5F5000
Module End: 8B5FF000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\msiscsi.sys
Service Name: iScsiPrt
Module Base: 8B602000
Module End: 8B630000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\storport.sys
Service Name: ---
Module Base: 8B630000
Module End: 8B671000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: 8B671000
Module End: 8B67C000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: 8B67C000
Module End: 8B693000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: 8B693000
Module End: 8B69E000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: 8B69E000
Module End: 8B6C1000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: 8B6C1000
Module End: 8B6D0000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: 8B6D0000
Module End: 8B6E4000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\rassstp.sys
Service Name: RasSstp
Module Base: 8B6E4000
Module End: 8B6F9000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: 8B6F9000
Module End: 8B709000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\kbdclass.sys
Service Name: kbdclass
Module Base: 8B709000
Module End: 8B714000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\mouclass.sys
Service Name: mouclass
Module Base: 8B714000
Module End: 8B71F000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: 8B71F000
Module End: 8B721000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: 8B721000
Module End: 8B74B000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: 8B74B000
Module End: 8B755000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\umbus.sys
Service Name: umbus
Module Base: 8B755000
Module End: 8B762000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: 8B762000
Module End: 8B796000
Hidden: No

Module Name: C:\Windows\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: 8B796000
Module End: 8B7A7000
Hidden: No

Module Name: C:\Windows\system32\drivers\RTKVHDA.sys
Service Name: IntcAzAudAddService
Module Base: 8B800000
Module End: 8B9F5000
Hidden: No

Module Name: C:\Windows\system32\drivers\portcls.sys
Service Name: ---
Module Base: 8B7A7000
Module End: 8B7D4000
Hidden: No

Module Name: C:\Windows\system32\drivers\drmk.sys
Service Name: ---
Module Base: 8B7D4000
Module End: 8B7F9000
Hidden: No

Module Name: C:\Windows\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: 8AE00000
Module End: 8AE07000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: 87800000
Module End: 87807000
Hidden: No

Module Name: C:\Windows\System32\drivers\vga.sys
Service Name: vga
Module Base: 879D0000
Module End: 879DC000
Hidden: No

Module Name: C:\Windows\System32\drivers\VIDEOPRT.SYS
Service Name: ---
Module Base: 805D9000
Module End: 805FA000
Hidden: No

Module Name: C:\Windows\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: 879F5000
Module End: 879FD000
Hidden: No

Module Name: C:\Windows\system32\drivers\rdpencdd.sys
Service Name: RDPENCDD
Module Base: 87807000
Module End: 8780F000
Hidden: No

Module Name: C:\Windows\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: 80400000
Module End: 8040E000
Hidden: No

Module Name: C:\Windows\System32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: 823F6000
Module End: 823FF000
Hidden: No

Module Name: C:\Windows\System32\drivers\tcpip.sys
Service Name: Tcpip
Module Base: 8BA0D000
Module End: 8BAF4000
Hidden: No

Module Name: C:\Windows\System32\drivers\fwpkclnt.sys
Service Name: ---
Module Base: 8BAF4000
Module End: 8BB0F000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\tdx.sys
Service Name: tdx
Module Base: 8BB0F000
Module End: 8BB25000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\smb.sys
Service Name: Smb
Module Base: 8BB25000
Module End: 8BB39000
Hidden: No

Module Name: C:\Windows\System32\Drivers\aswTdi.SYS
Service Name: aswTdi
Module Base: 8BB39000
Module End: 8BB44000
Hidden: No

Module Name: C:\Windows\system32\drivers\afd.sys
Service Name: AFD
Module Base: 8BB44000
Module End: 8BB8C000
Hidden: No

Module Name: C:\Windows\System32\Drivers\aswRdr.SYS
Service Name: aswRdr
Module Base: 8BB8C000
Module End: 8BB90000
Hidden: No

Module Name: C:\Windows\System32\DRIVERS\netbt.sys
Service Name: netbt
Module Base: 8BB90000
Module End: 8BBC2000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\pacer.sys
Service Name: PSched
Module Base: 8BBC2000
Module End: 8BBD8000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: 8BBD8000
Module End: 8BBE6000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: 8BBE6000
Module End: 8BBF9000
Hidden: No

Module Name: C:\Windows\System32\drivers\truecrypt.sys
Service Name: truecrypt
Module Base: 8BC0C000
Module End: 8BC3F000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\rdbss.sys
Service Name: rdbss
Module Base: 8BC3F000
Module End: 8BC7B000
Hidden: No

Module Name: C:\Windows\system32\drivers\nsiproxy.sys
Service Name: nsiproxy
Module Base: 8BC7B000
Module End: 8BC85000
Hidden: No

Module Name: C:\Windows\system32\drivers\mfehidk.sys
Service Name: mfehidk
Module Base: 8BC85000
Module End: 8BCB8000
Hidden: No

Module Name: C:\Windows\System32\Drivers\dfsc.sys
Service Name: DfsC
Module Base: 8BCB8000
Module End: 8BCCF000
Hidden: No

Module Name: C:\Windows\System32\Drivers\aswSP.SYS
Service Name: aswSP
Module Base: 8BCCF000
Module End: 8BCF0000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\hidusb.sys
Service Name: HidUsb
Module Base: 8BCFD000
Module End: 8BD06000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: 8BD06000
Module End: 8BD16000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: 8BD16000
Module End: 8BD18000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\mouhid.sys
Service Name: mouhid
Module Base: 8BD18000
Module End: 8BD20000
Hidden: No

Module Name: C:\Windows\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: 8BD20000
Module End: 8BD2A000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\kbdhid.sys
Service Name: kbdhid
Module Base: 8BD2A000
Module End: 8BD33000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\monitor.sys
Service Name: monitor
Module Base: 8BD33000
Module End: 8BD42000
Hidden: No

Module Name: C:\Windows\system32\drivers\luafv.sys
Service Name: luafv
Module Base: 8BD42000
Module End: 8BD5D000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\aswMonFlt.sys
Service Name: aswMonFlt
Module Base: 8BD5D000
Module End: 8BD74000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\aswFsBlk.sys
Service Name: aswFsBlk
Module Base: 8BD74000
Module End: 8BD7C000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\lltdio.sys
Service Name: lltdio
Module Base: 8BD7C000
Module End: 8BD8C000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\nwifi.sys
Service Name: NativeWifiP
Module Base: 8BD8C000
Module End: 8BDB6000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: 8BDB6000
Module End: 8BDC0000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\rspndr.sys
Service Name: rspndr
Module Base: 8BDC0000
Module End: 8BDD3000
Hidden: No

Module Name: C:\Windows\system32\drivers\spsys.sys
Service Name: ---
Module Base: 81805000
Module End: 818B4000
Hidden: No

Module Name: C:\Windows\system32\drivers\HTTP.sys
Service Name: HTTP
Module Base: 818B4000
Module End: 8191F000
Hidden: No

Module Name: C:\Windows\System32\DRIVERS\srvnet.sys
Service Name: srvnet
Module Base: 8191F000
Module End: 8193C000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\bowser.sys
Service Name: bowser
Module Base: 8193C000
Module End: 81955000
Hidden: No

Module Name: C:\Windows\System32\drivers\mpsdrv.sys
Service Name: mpsdrv
Module Base: 81955000
Module End: 8196A000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\mrxsmb.sys
Service Name: mrxsmb
Module Base: 8196A000
Module End: 81989000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\mrxsmb10.sys
Service Name: mrxsmb10
Module Base: 81989000
Module End: 819C2000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\mrxsmb20.sys
Service Name: mrxsmb20
Module Base: 819C2000
Module End: 819DA000
Hidden: No

Module Name: C:\Windows\System32\DRIVERS\srv2.sys
Service Name: srv2
Module Base: 8BDD3000
Module End: 8BDFA000
Hidden: No

Module Name: C:\Windows\System32\DRIVERS\srv.sys
Service Name: srv
Module Base: A8A01000
Module End: A8A4D000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\mdmxsdk.sys
Service Name: mdmxsdk
Module Base: A8A4D000
Module End: A8A51000
Hidden: No

Module Name: C:\Windows\system32\drivers\peauth.sys
Service Name: PEAUTH
Module Base: A8A51000
Module End: A8B2F000
Hidden: No

Module Name: C:\Windows\System32\Drivers\fastfat.SYS
Service Name: fastfat
Module Base: A8B2F000
Module End: A8B57000
Hidden: No

Module Name: C:\Windows\System32\Drivers\secdrv.SYS
Service Name: secdrv
Module Base: A8B57000
Module End: A8B61000
Hidden: No

Module Name: C:\Windows\System32\drivers\tcpipreg.sys
Service Name: tcpipreg
Module Base: A8B61000
Module End: A8B6D000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\xaudio.sys
Service Name: XAudio
Module Base: A8B6D000
Module End: A8B75000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\cdfs.sys
Service Name: cdfs
Module Base: A8B75000
Module End: A8B8B000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\fdc.sys
Service Name: fdc
Module Base: 8B5EA000
Module End: 8B5F5000
Hidden: No

Module Name: C:\Windows\System32\Drivers\Null.SYS
Service Name: Null
Module Base: 8B7F9000
Module End: 8B800000
Hidden: No

Module Name: C:\Windows\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: 823EB000
Module End: 823F6000
Hidden: No

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: TIM-PC:49168
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
State: LISTENING

Local Address: TIM-PC:49158
Remote Address: LOCALHOST:27015
Type: TCP
Process: C:\Program Files\iTunes\iTunesHelper.exe
State: ESTABLISHED

Local Address: TIM-PC:27015
Remote Address: LOCALHOST:49158
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: ESTABLISHED

Local Address: TIM-PC:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: LISTENING

Local Address: TIM-PC:12143
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
State: LISTENING

Local Address: TIM-PC:12119
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
State: LISTENING

Local Address: TIM-PC:12110
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
State: LISTENING

Local Address: TIM-PC:12080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: LISTENING

Local Address: TIM-PC:12025
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
State: LISTENING

Local Address: TIM-PC:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: TIM-PC:62455
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Users\Tim\Program Files\DNA\btdna.exe
State: LISTENING

Local Address: TIM-PC:49157
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\services.exe
State: LISTENING

Local Address: TIM-PC:49156
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\spoolsv.exe
State: LISTENING

Local Address: TIM-PC:49155
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING

Local Address: TIM-PC:49154
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\lsass.exe
State: LISTENING

Local Address: TIM-PC:49153
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING

Local Address: TIM-PC:49152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\wininit.exe
State: LISTENING

Local Address: TIM-PC:30075
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\BitTorrent\bittorrent.exe
State: LISTENING

Local Address: TIM-PC:10243
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: TIM-PC:5357
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: TIM-PC:ICSLAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: TIM-PC:RTSP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Windows Media Player\wmpnetwk.exe
State: LISTENING

Local Address: TIM-PC:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING

Local Address: TIM-PC:49162
Remote Address: NA
Type: UDP
Process: C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
State: NA

Local Address: TIM-PC:49158
Remote Address: NA
Type: UDP
Process: C:\Program Files\Windows Sidebar\sidebar.exe
State: NA

Local Address: TIM-PC:49155
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: TIM-PC:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: TIM-PC:SSDP
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: TIM-PC:SSDP
Remote Address: NA
Type: UDP
Process: C:\Users\Tim\Program Files\DNA\btdna.exe
State: NA

Local Address: TIM-PC:SSDP
Remote Address: NA
Type: UDP
Process: C:\Program Files\BitTorrent\bittorrent.exe
State: NA

Local Address: TIM-PC:62455
Remote Address: NA
Type: UDP
Process: C:\Users\Tim\Program Files\DNA\btdna.exe
State: NA

Local Address: TIM-PC:49161
Remote Address: NA
Type: UDP
Process: C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
State: NA

Local Address: TIM-PC:49159
Remote Address: NA
Type: UDP
Process: C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
State: NA

Local Address: TIM-PC:49152
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: TIM-PC:30075
Remote Address: NA
Type: UDP
Process: C:\Program Files\BitTorrent\bittorrent.exe
State: NA

Local Address: TIM-PC:19332
Remote Address: NA
Type: UDP
Process: C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
State: NA

Local Address: TIM-PC:19331
Remote Address: NA
Type: UDP
Process: C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
State: NA

Local Address: TIM-PC:6771
Remote Address: NA
Type: UDP
Process: C:\Program Files\BitTorrent\bittorrent.exe
State: NA

Local Address: TIM-PC:5005
Remote Address: NA
Type: UDP
Process: C:\Program Files\Windows Media Player\wmpnetwk.exe
State: NA

Local Address: TIM-PC:5004
Remote Address: NA
Type: UDP
Process: C:\Program Files\Windows Media Player\wmpnetwk.exe
State: NA

Local Address: TIM-PC:IPSEC-MSFT
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: TIM-PC:500
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: TIM-PC:123
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Users\Tim\Pictures\Jyujiro.part2\Jyujiro\umasusotovins\data\v
Status: Hidden

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
Status: Access denied
Teimoshi is offline  
Old 08-31-2009, 03:30 AM   #15 (permalink)
Moderator, Analyst, Security Team
 
TheBruce1's Avatar
 
Join Date: Oct 2006
Location: Dùn Èideann,Scotland.
Posts: 5,093
OS: XP


Re: Pop-Up Virus

Hello again

Delete your current copy of Combofix and download the updated version, then transfer it via USB stick to this machine. If you can get onto the internet in safe mode with networking, you can download Combofix from there.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

===========

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
Folder::
c:\program files\Common Files\Uninstall
c:\program files\PersonalAV

File::
c:\windows\system32\file.exe.tmp
c:\windows\winstart.bat
Save this as CFscript

Referring to the picture above, drag CFscript into ComboFix.exe.

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Warning:
Do not mouse-click Combofix's window whilst it's running. That may cause it to stall.

Give me an update on how your system is running and any problems you may have encountered.
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI

If we have helped you in anyway, please consider Donating
TheBruce1 is offline  
Old 09-01-2009, 03:21 PM   #16 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 47
OS: Windows Vista Home Basic Service Pack 2


Re: Pop-Up Virus

No change, except that the gadgets from the gadget bar are appearing outside of the bar... practically on the other side of the screen and on top of each other. Of course, this has been happening for a while, since sometime after we started working on the issue. I didn't say anything because it seemed irrelevant, and I figured it'd go back to normal once the computer was taken care of.

Here's the log:

Folder::
c:\program files\Common Files\Uninstall
c:\program files\PersonalAV

File::
c:\windows\system32\file.exe.tmp
c:\windows\winstart.bat

ComboFix 09-09-01.04 - Tim 09/01/2009 15:55.6.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2036.1018 [GMT -5:00]
Running from: c:\users\Tim\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Tim\Desktop\CFscript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\file.exe.tmp"
"c:\windows\winstart.bat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\Uninstall
c:\program files\Common Files\Uninstall\PersonalAV\Uninstall.lnk
c:\program files\PersonalAV
c:\windows\system32\file.exe.tmp
c:\windows\winstart.bat

.
((((((((((((((((((((((((( Files Created from 2009-08-01 to 2009-09-01 )))))))))))))))))))))))))))))))
.

2009-09-01 21:02 . 2009-09-01 21:03 -------- d-----w- c:\users\Tim\AppData\Local\temp
2009-09-01 21:02 . 2009-09-01 21:02 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-09-01 21:02 . 2009-09-01 21:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-01 21:02 . 2009-09-01 21:02 -------- d-----w- c:\users\boinc_master\AppData\Local\temp
2009-08-16 23:58 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-16 23:58 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-16 23:58 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-16 23:58 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-16 23:58 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-16 23:58 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-16 23:58 . 2009-02-05 20:06 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-08-06 07:06 . 2009-05-06 19:23 372736 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-01 21:02 . 2009-02-18 02:28 -------- d-----w- c:\users\Tim\AppData\Roaming\BitTorrent
2009-09-01 20:46 . 2009-02-18 02:24 -------- d-----w- c:\users\Tim\AppData\Roaming\DNA
2009-09-01 07:52 . 2009-02-28 04:51 -------- d-----w- c:\progra~2\Google Updater
2009-08-17 01:10 . 2009-04-09 00:33 -------- d-----w- c:\program files\DAP
2009-08-16 01:58 . 2009-05-17 00:30 -------- d-----w- c:\program files\Panda Security
2009-08-16 01:50 . 2009-04-24 16:41 -------- d-----w- c:\program files\Trillian
2009-08-14 16:12 . 2009-02-17 18:00 1356 ----a-w- c:\users\Tim\AppData\Local\d3d9caps.dat
2009-08-06 03:08 . 2009-05-17 00:22 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-29 17:19 . 2009-05-18 21:55 -------- d-----w- c:\program files\Common Files\McAfee
2009-07-29 16:58 . 2009-05-18 21:54 -------- d-----w- c:\program files\McAfee
2009-07-19 17:23 . 2008-07-21 16:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-19 02:18 . 2009-02-17 18:11 -------- d-----w- c:\progra~2\SiteAdvisor
2009-07-17 15:11 . 2009-02-17 18:51 -------- d-----w- c:\program files\iTunes
2009-07-17 15:10 . 2009-07-17 15:10 -------- d-----w- c:\program files\iPod
2009-07-17 15:10 . 2009-02-17 18:49 -------- d-----w- c:\program files\Common Files\Apple
2009-07-17 03:22 . 2009-07-17 03:22 390664 ----a-w- c:\users\Tim\AppData\Roaming\Real\RealPlayer\Update\realplayer11gold.exe
2009-07-17 03:22 . 2009-07-17 03:22 390664 ------w- c:\users\Tim\AppData\Roaming\Real\Update\temp\~Upg2\realplayer11gold.exe
2009-07-07 03:44 . 2009-07-22 18:49 103424 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-07-07 03:44 . 2009-07-22 18:49 937984 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-07-07 03:44 . 2009-07-22 18:49 65536 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2009-07-07 03:44 . 2009-07-22 18:49 4722688 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com\libs\cooliris19.dll
2009-07-07 03:44 . 2009-07-22 18:49 106496 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2009-07-07 03:44 . 2009-07-22 18:49 344064 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-07-01 00:19 . 2009-07-03 03:31 106496 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Plugins\npcoolirisplugin.dll
2009-07-01 00:19 . 2009-07-03 03:31 65536 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com-trash\components\coolirisstub.dll
2009-07-01 00:19 . 2009-07-03 03:31 4734976 ----a-w- c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com-trash\libs\cooliris19.dll
2009-06-28 22:14 . 2009-06-28 22:14 390664 ------w- c:\users\Tim\AppData\Roaming\Real\Update\temp\~Upg1\realplayer11gold.exe
2009-06-16 01:59 . 2009-06-16 01:59 390664 ------w- c:\users\Tim\AppData\Roaming\Real\Update\temp\~Upg0\realplayer11gold.exe
2009-02-18 04:59 . 2009-02-18 04:59 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-07-21 19:08 . 2008-07-21 19:08 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-08-19_20.04.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2009-08-30 22:03 61682 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:02 . 2009-08-30 22:03 69510 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-02-05 20:45 . 2009-09-01 07:52 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-02-05 20:45 . 2009-08-19 20:03 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-02-05 20:45 . 2009-08-19 20:03 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-05 20:45 . 2009-09-01 07:52 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-05 20:45 . 2009-09-01 07:52 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-02-05 20:45 . 2009-08-19 20:03 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-02-05 20:50 . 2009-08-30 22:03 7890 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3954750732-2167841546-1595093690-1000_UserData.bin
+ 2009-08-30 22:00 . 2009-08-30 22:00 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-08-30 22:00 . 2009-08-30 22:00 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-09-01 20:55 595446 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-08-19 19:45 595446 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-08-19 19:45 101144 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-09-01 20:55 101144 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"BitTorrent DNA"="c:\users\Tim\Program Files\DNA\btdna.exe" [2009-02-18 321344]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-28 39408]
"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2009-08-15 653104]
"SpeedBitVideoAccelerator"="c:\program files\SpeedBit Video Accelerator\VideoAccelerator.exe" [2009-04-09 2823784]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-04-03 3558648]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2009-08-03 2754048]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-04-22 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-22 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-22 133656]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-09 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-17 4907008]

c:\users\Tim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Trillian.lnk - c:\program files\Trillian\trillian.exe [2009-8-12 1884512]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-7-21 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-07-21 16:41 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7F82728F-9000-4933-A7A2-9629612274F7}"= c:\program files\CyberLink\PowerDVD DX\PowerDVD.exe:CyberLink PowerDVD DX
"{3096D17C-2252-44D2-B1CD-103AE3031544}"= c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:CyberLink PowerDVD DX Resident Program
"{9AB5B2A6-54C4-43EA-9B47-8F6D5FEF3CAD}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{BE578781-C085-466E-B236-DD509BFA43E5}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{BE8B5AB7-5E26-46C5-9A99-A1E5741D620A}"= UDP:c:\program files\BitTorrent\BitTorrent.exe:BitTorrent (TCP-In)
"{FF51C3C7-03A2-4087-915B-DBB054BD6A2A}"= TCP:c:\program files\BitTorrent\BitTorrent.exe:BitTorrent (UDP-In)
"{B93F684C-EC2D-46D5-BA01-0EAEECA00B9B}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{417C7842-2D64-44B2-AD69-04AEF70F6900}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{261CCB95-7527-41CF-82A5-C5A47414FA2B}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{DB02D97A-A617-4AAB-BB90-CB46EA546F0F}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{B5884AF8-F4CF-49D2-9B8E-0517EAD0FE96}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{A2F69965-0704-4896-9E8E-B50F32293F89}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"TCP Query User{948D60C3-F506-431B-905A-834B3127CC7C}c:\\users\\tim\\program files\\dna\\btdna.exe"= UDP:c:\users\tim\program files\dna\btdna.exe:btdna.exe
"UDP Query User{64E8424F-7EDE-4094-8371-DBE9401282A0}c:\\users\\tim\\program files\\dna\\btdna.exe"= TCP:c:\users\tim\program files\dna\btdna.exe:btdna.exe
"TCP Query User{1B33BE8C-460D-4C27-9D70-2CEC126D8D7D}c:\\program files\\trillian\\trillian.exe"= UDP:c:\program files\trillian\trillian.exe:Trillian
"UDP Query User{E620A015-4419-47A6-9CA0-CB18A82DD2AC}c:\\program files\\trillian\\trillian.exe"= TCP:c:\program files\trillian\trillian.exe:Trillian
"{14BF07D4-A9D6-47E5-AE59-1C6A484DDA77}"= UDP:c:\program files\AC3Filter\ac3config.exe:AC3Filter Config
"{3E7CA0B6-D932-477A-901E-4369E96C915A}"= TCP:c:\program files\AC3Filter\ac3config.exe:AC3Filter Config
"TCP Query User{70CD9286-FF1C-4E93-9C7B-214FEB56C3D1}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"UDP Query User{F3C77BFB-F84A-4321-AB48-34E1611F19F5}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"TCP Query User{CCF8DD3B-DB94-4F3F-8295-C93144DD5EE1}c:\\program files\\itunes\\itunes.exe"= UDP:c:\program files\itunes\itunes.exe:iTunes
"UDP Query User{8A63F1EF-8EBF-46DE-A2C9-3FAD86E82344}c:\\program files\\itunes\\itunes.exe"= TCP:c:\program files\itunes\itunes.exe:iTunes
"TCP Query User{2857E464-C8E7-4622-A1C3-8235BD88573E}c:\\users\\tim\\desktop\\diablo 1.09 full by toby\\diablo.exe"= UDP:c:\users\tim\desktop\diablo 1.09 full by toby\diablo.exe:diablo.exe
"UDP Query User{72E69072-D35B-4203-9063-8E8B7AF752A3}c:\\users\\tim\\desktop\\diablo 1.09 full by toby\\diablo.exe"= TCP:c:\users\tim\desktop\diablo 1.09 full by toby\diablo.exe:diablo.exe
"{9D62A822-7C21-4051-B7F6-369851F4B6F0}"= UDP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"{EDDACD23-B0B2-4EA7-8A67-CCD58AB6F7C9}"= TCP:c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:Veoh Web Player
"TCP Query User{2EA655D6-A35A-4214-ADFB-CAABC76F614C}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{6D38BBC3-7645-496B-98ED-7FE72926CD7A}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{9F3822EC-70F1-48F8-A027-093D7BAC9BBF}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{6D43BBA2-744F-4841-B738-CEB8B6B1D97F}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{7F52C8BB-EA9C-4575-A8A1-B6F0FC00EBE7}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{4AEA88D1-7B3A-4F3F-BDB2-73B09EA96D0F}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [8/16/2009 6:58 PM 114768]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [12/5/2007 6:17 AM 77824]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [8/16/2009 6:58 PM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [8/16/2009 6:58 PM 51792]
S2 gupdate1c999607881732f;Google Update Service (gupdate1c999607881732f);c:\program files\Google\Update\GoogleUpdate.exe [2/27/2009 11:53 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
rsmsvcs REG_MULTI_SZ ntmssvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-18 00:37]

2009-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-28 04:53]

2009-09-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-28 04:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\iTunes\Mozilla Plugins\npitunes (2).dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\69ufestr.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\users\Tim\AppData\Roaming\Mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\users\Tim\Program Files\DNA\plugins\npbtdna.dll

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, true);
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 16:03
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-09-01 16:05
ComboFix-quarantined-files.txt 2009-09-01 21:05
ComboFix2.txt 2009-08-30 01:08
ComboFix3.txt 2009-08-19 20:11
ComboFix4.txt 2009-05-18 19:20

Pre-Run: 153,719,091,200 bytes free
Post-Run: 153,672,499,200 bytes free

252 --- E O F --- 2009-05-06 08:01
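The Reg Loading Points section of the ComboFix log above lists every autostart the tool found, but it leaves the reader to spot which ones deserve a second look. The script below is an added example, not part of the original post and not ComboFix's own code: it parses a handful of lines copied from that section (embedded as a constructed sample) and flags the three things a responder checks first in such a log, namely executables launched from user-writable paths such as c:\users\..., anything listed in AppInit_DLLs (which Windows loads into every process that loads user32.dll), and Winlogon notification DLLs (loaded into winlogon.exe). The flagging rules and the regular expressions are illustrative assumptions; a flagged entry is a lead, not a verdict, and the btdna.exe under the user's profile may well be a legitimately installed BitTorrent DNA.

```python
import re

# Constructed sample: a few lines copied from the ComboFix "Reg Loading Points"
# section of the log above, not the whole log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"BitTorrent DNA"="c:\users\Tim\Program Files\DNA\btdna.exe" [2009-02-18 321344]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2009-08-03 2754048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-17 4907008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-07-21 16:41 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
# "Name"="value" [yyyy-mm-dd size]   or   "Name"="bare.exe" - c:\resolved\bare.exe [yyyy-mm-dd size]
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?: - (?P<resolved>.+?))? '
    r'\[(?P<date>\d{4}-\d\d-\d\d) (?P<size>\d+)\]'
)
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<value>.+)$')
# Winlogon\Notify entries are printed as a file line: date time size attrs path
NOTIFY_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \d+ \S+ (?P<path>.+)$")

# Paths an unprivileged user (or a drive-by download) can write to. Assumed rule.
USER_WRITABLE_RE = re.compile(r"^c:\\users\\|\\appdata\\|\\temp\\", re.IGNORECASE)


def parse_autostarts(log_text):
    """Return [{'key', 'name', 'path'}] for every autostart in a Reg Loading Points excerpt."""
    entries, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is a space- or comma-separated list, which is why it holds 8.3 names.
            for dll in re.split(r"[ ,]+", m.group("value").strip()):
                if dll:
                    entries.append({"key": key, "name": "AppInit_DLLs", "path": dll})
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append({"key": key, "name": m.group("name"),
                            "path": m.group("resolved") or m.group("value")})
            continue
        m = NOTIFY_RE.match(line)
        if m and "winlogon\\notify" in key.lower():
            entries.append({"key": key, "name": key.rsplit("\\", 1)[-1], "path": m.group("path")})
    return entries


def triage(log_text):
    """Flag entries worth a second look. The rules are illustrative assumptions, not ComboFix's."""
    findings = []
    for e in parse_autostarts(log_text):
        reasons = []
        if USER_WRITABLE_RE.search(e["path"]):
            reasons.append("runs from a user-writable location")
        if e["name"] == "AppInit_DLLs":
            reasons.append("AppInit_DLLs: loaded into every process that loads user32.dll")
        if "winlogon\\notify" in e["key"].lower():
            reasons.append("Winlogon notification DLL: loaded into winlogon.exe")
        if reasons:
            findings.append({"name": e["name"], "path": e["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f'{f["name"]!r:20} {f["path"]}\n    ' + "; ".join(f["reasons"]))
```

Run against the sample it reports three leads (BitTorrent DNA under c:\users, the Google Desktop AppInit DLL, and the GoToAssist Winlogon DLL) and stays quiet about the Program Files and system32 entries; the firewall-rule and scheduled-task sections of the log need their own parsers and are out of scope here.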
Old 09-01-2009, 04:29 PM   #17 (permalink)
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann,Scotland.
Posts: 5,093
OS: XP


Re: Pop-Up Virus

Hello again

I take it you still have no internet connection on this machine. Not really seeing anything else in the Combofix log that would cause these problems to still be present, if related to previously removed infections.

==========

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Double-click the drweb-cureit.exe file and allow it to run the express scan. This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, we need to change the default settings.
  • In the Menu Bar, Go to Options>Change Settings.
  • Click on the Actions tab
  • Using the drop down menus, change each item under Objects and Malware to Report
  • Next, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'No to All' if it asks if you want to cure/move the file.
  • After the scan has completed, in the Dr.Web CureIt menu on top, click File and choose Save Report List
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Post the contents of the log from Dr.Web you saved previously in your next reply.

============

Download GMER Rootkit Scanner from here.
  • Double-click gmer.exe to run it. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done, click the [Save..] button, and in the File name area type in "Gmer.txt", or it will save as a .log file, which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


============
Logs Required
DrWeb.csv
GMER.txt


Any change in the system behaviour?
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI

If we have helped you in anyway, please consider Donating
Old 09-03-2009, 11:07 AM   #18 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 47
OS: Windows Vista Home Basic Service Pack 2


Re: Pop-Up Virus

drweb-cureit is not a valid WIN32 application.
Old 09-03-2009, 01:54 PM   #19 (permalink)
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann,Scotland.
Posts: 5,093
OS: XP


Re: Pop-Up Virus

Were you running Dr.Web CureIt in safe mode or normal mode?
Old 09-03-2009, 04:12 PM   #20 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 47
OS: Windows Vista Home Basic Service Pack 2


Re: Pop-Up Virus

normal mode
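Windows reports "is not a valid Win32 application" (ERROR_BAD_EXE_FORMAT, error 193) when the file it was asked to run carries no usable PE header. Two common ways a fresh download ends up like that are a transfer that stopped partway and a server error page saved under the .exe name. The check below is an added example, not part of the original thread and not Dr.Web's code: it reads the bytes of the file and distinguishes an HTML page, a truncated image and a well-formed PE by looking at the MZ stub, the e_lfanew pointer at offset 0x3C and the PE\0\0 signature with its COFF header. The three sample blobs are constructed inline; the minimal PE is only enough to pass this format check and is not a runnable program.

```python
import struct
import sys

DOS_HEADER_LEN = 64        # IMAGE_DOS_HEADER; the e_lfanew DWORD sits at offset 0x3C
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_LEN = 20       # IMAGE_FILE_HEADER that follows the signature
MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def classify_download(data):
    """Return (is_pe, explanation) for the raw bytes of a file Windows refused to run."""
    if data[:16].lstrip().lower().startswith((b"<!doctype", b"<html", b"<?xml")):
        return False, "HTML/XML text, not a binary: the server sent a page instead of the file"
    if len(data) < DOS_HEADER_LEN:
        return False, f"only {len(data)} bytes, shorter than a DOS header"
    if data[:2] != b"MZ":
        return False, "no MZ signature at offset 0"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + len(PE_SIGNATURE) + COFF_HEADER_LEN > len(data):
        return False, f"e_lfanew=0x{e_lfanew:x} points past the end: truncated download"
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return False, "MZ header present but no PE signature (DOS-era or corrupted file)"
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return True, f"PE image, machine {MACHINES.get(machine, hex(machine))}"


def classify_file(path):
    """Same check on a file on disk, e.g. the drweb-cureit.exe that was just downloaded."""
    with open(path, "rb") as fh:
        return classify_download(fh.read())


def build_minimal_pe(machine=0x14C):
    """Constructed sample: DOS header + signature + COFF header only. It passes the
    format check above but is not a loadable program."""
    dos = bytearray(DOS_HEADER_LEN)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_LEN)   # e_lfanew -> right after DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x102)
    return bytes(dos) + PE_SIGNATURE + coff


# Constructed samples standing in for three attempts to download the same file.
GOOD_PE = build_minimal_pe()
TRUNCATED = GOOD_PE[:70]                      # connection dropped 70 bytes in
HTML_PAGE = b"<!DOCTYPE html><html><body>403 Forbidden</body></html>"


if __name__ == "__main__":
    results = ([classify_file(p) for p in sys.argv[1:]]
               or [classify_download(b) for b in (GOOD_PE, TRUNCATED, HTML_PAGE)])
    for ok, why in results:
        print("OK  " if ok else "BAD ", why)
```

Usage: `python pecheck.py drweb-cureit.exe` prints one verdict per file given, or the three built-in samples when run with no arguments. A "truncated" verdict means re-download and compare the size with what the server advertised; an "HTML" verdict means the download itself failed, and the saved page usually says why.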