
Virus doing my head in

  • 12-07-2010 2:21am
    #1
    Closed Accounts Posts: 1,650 ✭✭✭


    Started happening today.

    2 - 4 instances of Internet Explorer are continuously running in task manager even though the program is not open. Every few minutes I get Internet Explorer pop-ups. If I end the iexplore.exe task it reappears a few seconds later.

    Scanned with Avira, Stinger, Malwarebytes and Spybot Search & Destroy. None of these found the problem.

    I tried system restore to 3 different earlier points but the restore process did not work: "Windows could not restore... please choose another restore point".

    I renamed and then deleted iexplore.exe in program files\internet explorer, just to see, but each time a new exe is immediately created. Can't rename the internet explorer program folder, "folder is in use".

    The virus also disabled my sound.

    Help!


Comments

  • Posts: 0 [Deleted User]


    Check where the iexplorer.exe is based; were it a virus, it's usually rooted in your System32 folder. As there are multiple exes open, it seems as if the virus would be in several locations, with only the one in Program Files being the legitimate one.
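
The check suggested above (where each running iexplore.exe actually lives), plus a parent-process check for the "reappears a few seconds later" behaviour the OP describes, as an added Python example that is not code from anyone in this thread. The process records are constructed sample data; the wmic command named in the docstring is only an assumed way to collect the same fields from a real machine.

```python
"""Triage helper for the 'iexplore.exe keeps coming back' symptom.

Constructed example: PROCESSES below is hand-made sample data in the shape of
a process snapshot (name, image path, pid, parent pid). On a real machine the
same fields could be exported with, for instance,
    wmic process get Name,ExecutablePath,ProcessId,ParentProcessId /format:csv
(assumed collection step; no record here comes from a real system).
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Where the genuine browser binary lives on a 32-bit Windows install.
EXPECTED_IE_DIR = r"c:\program files\internet explorer"

# Parents that legitimately start iexplore.exe: the user's shell, and IE8's own
# frame process spawning its tab processes.
LEGIT_PARENTS = {"explorer.exe", "iexplore.exe"}


@dataclass(frozen=True)
class Proc:
    name: str
    path: str        # full image path; may be empty for protected processes
    pid: int
    ppid: int


def _norm(path: str) -> str:
    """Lower-case and normalise separators so path comparisons are stable."""
    return ntpath.normpath(path).lower() if path else ""


def triage_iexplore(snapshot: list[Proc]) -> dict[int, list[str]]:
    """Return {pid: [reasons]} for every iexplore.exe that looks out of place.

    Two defender-side checks (triage, not removal):
      1. image path outside the expected install directory;
      2. parent that is neither explorer.exe nor another iexplore.exe, or a
         parent that has already exited (a launcher that respawns the browser
         and disappears matches the respawning described in the thread).
    """
    by_pid = {p.pid: p for p in snapshot}
    findings: dict[int, list[str]] = {}
    for p in snapshot:
        if p.name.lower() != "iexplore.exe":
            continue
        reasons: list[str] = []
        if _norm(ntpath.dirname(p.path)) != EXPECTED_IE_DIR:
            reasons.append(f"image path {p.path or '<unknown>'} is not under {EXPECTED_IE_DIR}")
        parent = by_pid.get(p.ppid)
        if parent is None:
            reasons.append(f"parent pid {p.ppid} no longer running (short-lived launcher?)")
        elif parent.name.lower() not in LEGIT_PARENTS:
            reasons.append(f"parent is {parent.name} (pid {parent.pid}) at {parent.path or '<unknown>'}")
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed snapshot: one normal IE session plus two instances that should be flagged.
PROCESSES = [
    Proc("explorer.exe", r"C:\WINDOWS\Explorer.EXE", 1500, 1400),
    Proc("svchost.exe", r"C:\WINDOWS\system32\svchost.exe", 1040, 700),
    # legitimate: started from the shell, lives in Program Files
    Proc("iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe", 2200, 1500),
    # legitimate: IE8 tab process spawned by the frame process above
    Proc("iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe", 2240, 2200),
    # suspicious: genuine binary, but launched by a service host
    Proc("iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe", 3100, 1040),
    # suspicious: copy of the binary in system32 whose parent already exited
    Proc("iexplore.exe", r"C:\WINDOWS\system32\iexplore.exe", 3300, 9999),
]


if __name__ == "__main__":
    for pid, reasons in sorted(triage_iexplore(PROCESSES).items()):
        print(f"pid {pid}:")
        for reason in reasons:
            print(f"  - {reason}")
```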


  • Closed Accounts Posts: 1,650 ✭✭✭shayser


    I did a Windows search with "show all files" enabled and "hide system files" and "hide file extensions" disabled. Only one iexplore.exe is found, in program files\internet explorer.

    In the meantime, I booted to safe mode and renamed program files\internet explorer to internet explorer1. The process isn't running now.


  • Closed Accounts Posts: 1,650 ✭✭✭shayser


    Tried AVG also, no joy finding the virus. Would any of the anti-virus programs be considered as the "best"?


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    don't waste your time renaming iexplore.exe and stuff like that, it won't do any good

    Please download DDS and save it to your desktop.
    • Disable any script blocking protection
    • Double click dds.pif to run the tool.
    • When done, two DDS.txts will open.
    • Save both reports to your desktop.


    Please include the contents of the following in your next reply:

    DDS.txt
    Attach.txt.


  • Registered Users, Registered Users 2 Posts: 140 ✭✭Goat_Boy_jones


    I have the same virus... Have had it for the last week... As well as Internet Explorer running in the background, it's randomly turning my volume down and I can also hear random audio advertisements in the background... I backed up everything so I'm at the point where I might just format my PC as I can't find a solution anywhere...


  • Closed Accounts Posts: 1,650 ✭✭✭shayser


    Goat_Boy_jones wrote: »
    I have the same virus... Have had it for the last week... As well as Internet Explorer running in the background, it's randomly turning my volume down and I can also hear random audio advertisements in the background... I backed up everything so I'm at the point where I might just format my PC as I can't find a solution anywhere...
    That's the one.


  • Closed Accounts Posts: 1,650 ✭✭✭shayser


    ASJ112 wrote: »
    don't waste your time renaming iexplore.exe and stuff like that, it won't do any good

    Please download DDS and save it to your desktop.
    • Disable any script blocking protection
    • Double click dds.pif to run the tool.
    • When done, two DDS.txts will open.
    • Save both reports to your desktop.


    Please include the contents of the following in your next reply:

    DDS.txt
    Attach.txt.
    Thanks for the reply. Just did the renaming bit to stop the bloody virus annoying me while I tried to fix the thing.
    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Administrator at 19:36:59.17 on 12/07/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.3292.2361 [GMT 1:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    svchost.exe 4
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    svchost.exe 4
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\CDBurnerXP\NMSAccessU.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Administrator.RGL00\Application Data\Mozilla\Firefox\Profiles\qqngqnvy.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardian.exe
    C:\Documents and Settings\Administrator.RGL00\Desktop\dds.com

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://192.168.30.239/
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {9B4DF450-DCC7-4B07-935D-0CD757A64583} - No File
    BHO: {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SpywareTerminatorUpdate] "c:\program files\spyware terminator\SpywareTerminatorUpdate.exe"
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [SpywareTerminator] "c:\program files\spyware terminator\SpywareTerminatorShield.exe"
    StartupFolder: c:\documents and settings\administrator.rgl00\start menu\programs\startup\logon.bat
    IE: Download all by FlashGet3 - c:\documents and settings\administrator.rgl00\application data\flashgetbho\GetAllUrl.htm
    IE: Download by FlashGet3 - c:\documents and settings\administrator.rgl00\application data\flashgetbho\GetUrl.htm
    IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
    IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: kuaiche.com\software
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1257158668328
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
    TCP: {49B9D266-AB3D-41BC-9716-D29F5CF1A65A} = 192.168.30.2,xx.xxx.254.34
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll
    Notify: LMIinit - LMIinit.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\admini~1.rgl\applic~1\mozilla\firefox\profiles\qqngqnvy.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ie/webhp?hl=all
    FF - component: c:\documents and settings\administrator.rgl00\application data\mozilla\firefox\profiles\qqngqnvy.default\extensions\{db9127a2-3381-41ec-82b3-1b6ed4c6f29a}\components\FlashgetXpi.dll
    FF - plugin: c:\documents and settings\administrator.rgl00\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\administrator.rgl00\application data\mozilla\firefox\profiles\qqngqnvy.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
    FF - plugin: c:\documents and settings\administrator.rgl00\application data\mozilla\firefox\profiles\qqngqnvy.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
    FF - plugin: c:\program files\java\j2re1.4.1_07\bin\NPJava11.dll
    FF - plugin: c:\program files\java\j2re1.4.1_07\bin\NPJava12.dll
    FF - plugin: c:\program files\java\j2re1.4.1_07\bin\NPJava13.dll
    FF - plugin: c:\program files\java\j2re1.4.1_07\bin\NPJava32.dll
    FF - plugin: c:\program files\java\j2re1.4.1_07\bin\NPJPI141_07.dll
    FF - plugin: c:\program files\java\j2re1.4.1_07\bin\NPOJI610.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2010-7-11 24064]
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-20 11608]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-7-12 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-7-12 29584]
    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-6-25 18816]
    R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2010-7-12 142592]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-20 108289]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-11-20 185089]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-12 308136]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-20 56816]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-1-25 47640]
    R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2009-10-26 157152]
    S0 cerc6;cerc6; [x]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3218.tmp --> c:\windows\system32\3218.tmp [?]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]

    =============== Created Last 30 ================

    2010-07-12 12:42:32 0 d-----w- c:\program files\WinClamAVShield
    2010-07-12 12:41:56 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
    2010-07-12 12:41:55 0 d-----w- c:\docume~1\admini~1.rgl\applic~1\Spyware Terminator
    2010-07-12 12:41:53 0 d-----w- c:\program files\Spyware Terminator
    2010-07-12 12:41:53 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Spyware Terminator
    2010-07-12 10:05:43 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-07-12 10:05:40 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-07-12 10:05:31 0 d-----w- c:\windows\system32\drivers\Avg
    2010-07-12 10:05:19 0 d-----w- c:\program files\AVG
    2010-07-12 10:05:17 0 d-----w- c:\docume~1\alluse~1.win\applic~1\avg9
    2010-07-12 02:44:26 0 d-----w- c:\program files\internet explorer2
    2010-07-12 02:24:01 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2010-07-12 00:26:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-12 00:26:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-11 22:44:26 49152 ----a-w- c:\windows\system32\DSndUp.exe
    2010-07-11 22:43:57 24064 ----a-w- c:\windows\system32\drivers\sfaudio.sys
    2010-07-07 01:36:55 0 d-----w- C:\Quicktime
    2010-07-06 19:15:14 0 d-----w- c:\program files\Lame for Audacity
    2010-07-06 12:09:47 0 d-----w- c:\program files\Audacity
    2010-07-06 12:08:40 0 d-----w- C:\Audacity
    2010-07-05 01:55:30 0 d-----w- C:\zeitgeist
    2010-07-04 04:32:33 18688 ----a-w- c:\windows\system32\drivers\afc.sys
    2010-07-04 04:32:05 176128 ----a-w- c:\windows\system32\ArcVpImg.dll
    2010-07-04 04:32:04 0 d--h--w- c:\docume~1\alluse~1.win\applic~1\ArcSoft
    2010-07-01 03:04:39 1769472 ----a-w- c:\windows\system32\ChilkatSsh.dll
    2010-07-01 03:02:18 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-01 02:07:19 0 d-----w- c:\docume~1\admini~1.rgl\applic~1\MotionDSP
    2010-07-01 02:06:56 0 d-----w- c:\program files\vReveal
    2010-06-30 00:27:16 0 d-----w- c:\docume~1\admini~1.rgl\applic~1\Facebook
    2010-06-29 21:13:36 0 d-----w- C:\downloads
    2010-06-29 21:13:36 0 d-----w- c:\docume~1\admini~1.rgl\applic~1\GrabPro
    2010-06-29 17:23:11 0 d-----w- C:\WS_FTP
    2010-06-28 00:11:24 0 d-----w- C:\Orchestra Pics
    2010-06-25 17:16:33 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
    2010-06-25 12:26:06 0 d-----w- c:\program files\Sophos
    2010-06-25 12:02:09 4194373 ----a-w- c:\windows\pfirewall.log.old
    2010-06-22 17:21:58 38912 ----a-w- C:\APPLICATION FORM 2010 - Printer.doc
    2010-06-22 09:13:38 20576 ----a-w- C:\CELLO MEETING Ireland 2010 Timetable.pdf
    2010-06-19 22:07:20 0 d-----w- C:\Win7
    2010-06-19 16:25:14 0 d-----w- C:\Photos
    2010-06-19 16:14:23 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2010-06-19 16:14:23 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2010-06-19 16:14:23 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2010-06-19 16:14:23 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2010-06-17 10:51:27 0 d-----w- c:\docume~1\admini~1.rgl\applic~1\webex
    2010-06-17 10:41:16 49 ----a-w- c:\windows\NeroDigital.ini
    2010-06-16 19:55:23 0 d-----w- C:\wga
    2010-06-16 11:12:10 3911680 ----a-w- C:\client_email.mdb
    2010-06-16 11:04:06 2164736 ----a-w- C:\rbsdatalink.mdb
    2010-06-16 10:56:04 7393280 ----a-w- C:\email.mdb
    2010-06-14 12:29:32 0 d-----w- C:\wages
    2010-06-13 21:33:48 0 d-----w- C:\Windows7Office2007

    ==================== Find3M ====================

    2010-06-24 09:22:46 77824 ----a-w- c:\windows\system32\rbsSystemInfo.dll
    2010-06-24 09:22:32 135168 ----a-w- c:\windows\system32\rbsDBUpd.dll
    2010-06-24 09:20:24 24576 ----a-w- c:\windows\system32\HQMCWrapper.dll
    2010-06-24 09:20:18 147456 ----a-w- c:\windows\system32\rbsPostFinanceWrapper.dll
    2010-06-24 09:20:12 122880 ----a-w- c:\windows\system32\rbsFiSh.dll
    2010-06-24 09:20:08 90112 ----a-w- c:\windows\system32\rbsDocViewer.dll
    2010-06-24 09:19:58 229376 ----a-w- c:\windows\system32\rbsDocumentMerge.dll
    2010-06-24 09:19:40 655360 ----a-w- c:\windows\system32\MergeCode.dll
    2010-06-24 09:19:30 36864 ----a-w- c:\windows\system32\rbsCodeGenerator.dll
    2010-06-24 09:19:24 32768 ----a-w- c:\windows\system32\ChangeReportSetting.dll
    2010-06-24 09:19:20 110592 ----a-w- c:\windows\system32\rbsCopyPol.dll
    2010-06-24 09:19:12 704512 ----a-w- c:\windows\system32\rbsAccEnq.dll
    2010-06-24 09:19:02 57344 ----a-w- c:\windows\system32\rbsPolStat.dll
    2010-06-24 09:18:48 1830912 ----a-w- c:\windows\system32\LifePost.dll
    2010-06-24 09:18:40 69632 ----a-w- c:\windows\system32\rbsPBrdg.dll
    2010-06-24 09:17:54 4337664 ----a-w- c:\windows\system32\rbsPost.dll
    2010-06-24 09:17:38 122880 ----a-w- c:\windows\system32\rbsDiary.dll
    2010-06-24 09:17:18 126976 ----a-w- c:\windows\system32\UMSSecurity.dll
    2010-06-24 09:16:44 2318336 ----a-w- c:\windows\system32\rbsPNR.dll
    2010-06-24 09:16:32 315392 ----a-w- c:\windows\system32\rbsBizRl.dll
    2010-06-24 09:16:14 139264 ----a-w- c:\windows\system32\rbsUNR.dll
    2010-06-24 09:16:10 245760 ----a-w- c:\windows\system32\rbsRNR.dll
    2010-06-24 09:16:06 77824 ----a-w- c:\windows\system32\rbsDataR.dll
    2010-06-24 09:16:02 28672 ----a-w- c:\windows\system32\rbsGovLevy.dll
    2010-06-24 09:15:56 200704 ----a-w- c:\windows\system32\rbsConfig.dll
    2010-06-24 09:15:22 28672 ----a-w- c:\windows\system32\rbsSessn.dll
    2010-05-06 23:41:25 12251616 ----a-w- C:\youtube_flv_downloader_install.exe
    2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-05 12:22:50 1728943 ----a-w- C:\ProcessExplorer.zip
    2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-30 18:29:11 3382520 ----a-w- C:\ccsetup231.exe
    2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-04-15 07:01:04 3879288 ----a-w- C:\procexp.exe

    ============= FINISH: 19:38:12.45 ===============


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    don't put the logs in quotes please


    Download ComboFix here :

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

      Click me

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    RcAuto1.gif


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    whatnext.png


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


  • Closed Accounts Posts: 1,650 ✭✭✭shayser


    ComboFix 10-07-11.07 - Administrator 12/07/2010 21:23:16.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.3292.2369 [GMT 1:00]
    Running from: c:\documents and settings\Administrator.RGL00\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Administrator.RGL00\Application Data\BITS
    c:\documents and settings\Administrator.RGL00\Application Data\BITS\BITS.ini
    c:\documents and settings\Administrator.RGL00\Application Data\BITS\DHTTable.dat
    c:\documents and settings\Administrator.RGL00\Application Data\BITS\UPnP.ini
    c:\documents and settings\Administrator.RGL00\Application Data\FlashGetBHO
    c:\documents and settings\Administrator.RGL00\Application Data\FlashGetBHO\FlashGetBHO3.dll
    c:\documents and settings\Administrator.RGL00\Application Data\FlashGetBHO\FlashGetHook.dll
    c:\documents and settings\Administrator.RGL00\Application Data\FlashGetBHO\FlashGetHook1.dll
    c:\documents and settings\Administrator.RGL00\Application Data\FlashGetBHO\GetAllUrl.htm
    c:\documents and settings\Administrator.RGL00\Application Data\FlashGetBHO\GetUrl.htm
    c:\windows\system32\_000005_.tmp.dll
    c:\windows\system32\secushr.dat
    F:\autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2010-06-12 to 2010-07-12 )))))))))))))))))))))))))))))))
    .

    2010-07-12 12:42 . 2010-07-12 12:44 -------- d-----w- c:\program files\WinClamAVShield
    2010-07-12 12:41 . 2010-07-12 12:41 6144 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Spyware Terminator\sp_rsdel.exe
    2010-07-12 12:41 . 2010-07-12 12:41 5632 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Spyware Terminator\fileobjinfo.sys
    2010-07-12 12:41 . 2010-07-12 12:41 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
    2010-07-12 12:41 . 2010-07-12 18:37 -------- d-----w- c:\documents and settings\Administrator.RGL00\Application Data\Spyware Terminator
    2010-07-12 12:41 . 2010-07-12 17:51 -------- d-----w- c:\program files\Spyware Terminator
    2010-07-12 12:41 . 2010-07-12 13:28 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spyware Terminator
    2010-07-12 10:05 . 2010-07-12 10:05 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-07-12 10:05 . 2010-07-12 10:05 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-07-12 10:05 . 2010-07-12 10:05 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-07-12 10:05 . 2010-07-12 17:04 -------- d-----w- c:\windows\system32\drivers\Avg
    2010-07-12 10:05 . 2010-07-12 10:05 -------- d-----w- c:\program files\AVG
    2010-07-12 10:05 . 2010-07-12 10:05 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9
    2010-07-12 02:44 . 2010-07-12 02:44 -------- d-----w- c:\program files\internet explorer2
    2010-07-12 02:42 . 2010-07-12 02:42 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\PrivacIE
    2010-07-12 02:24 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2010-07-12 00:26 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-12 00:26 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-12 00:24 . 2010-07-12 00:24 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\PrivacIE
    2010-07-11 22:44 . 2007-11-12 12:27 49152 ----a-w- c:\windows\system32\DSndUp.exe
    2010-07-11 22:43 . 2008-03-28 09:14 24064 ----a-w- c:\windows\system32\drivers\sfaudio.sys
    2010-07-08 19:24 . 2010-07-08 19:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
    2010-07-08 19:24 . 2010-07-08 19:24 -------- d-----w- c:\program files\Common Files\Apple
    2010-07-08 19:24 . 2010-07-08 19:24 -------- d-----w- c:\program files\Apple Software Update
    2010-07-08 19:24 . 2010-07-08 19:24 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple
    2010-07-07 02:21 . 2010-07-08 19:24 -------- d-----w- c:\program files\QuickTime
    2010-07-07 01:36 . 2010-07-07 02:16 -------- d-----w- C:\Quicktime
    2010-07-06 19:15 . 2010-07-06 19:15 -------- d-----w- c:\program files\Lame for Audacity
    2010-07-06 12:09 . 2010-07-06 12:09 -------- d-----w- c:\program files\Audacity
    2010-07-06 12:08 . 2010-07-06 19:15 -------- d-----w- C:\Audacity
    2010-07-05 01:55 . 2010-07-06 23:32 -------- d-----w- C:\zeitgeist
    2010-07-04 22:08 . 2010-07-04 22:08 -------- d-----w- c:\documents and settings\Administrator.RGL00\Local Settings\Application Data\WMTools Downloaded Files
    2010-07-04 04:33 . 2010-07-04 04:33 5311698 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\ArcSoft\Global Deploy\CheckUpdate\ArcConnect.exe
    2010-07-04 04:33 . 2010-07-04 04:33 -------- d-----w- c:\documents and settings\Administrator.RGL00\Local Settings\Application Data\ArcSoft
    2010-07-04 04:32 . 2006-11-10 14:05 18688 ----a-w- c:\windows\system32\drivers\afc.sys
    2010-07-04 04:32 . 2008-04-22 12:41 176128 ----a-w- c:\windows\system32\ArcVpImg.dll
    2010-07-04 04:32 . 2010-07-04 04:34 -------- d--h--w- c:\documents and settings\All Users.WINDOWS\Application Data\ArcSoft
    2010-07-04 04:31 . 2010-07-04 04:37 -------- d-----w- c:\program files\Common Files\ArcSoft
    2010-07-04 04:31 . 2010-07-04 04:35 -------- d-----w- c:\documents and settings\Administrator.RGL00\Application Data\ArcSoft
    2010-07-01 03:04 . 2010-04-05 20:26 1769472 ----a-w- c:\windows\system32\ChilkatSsh.dll
    2010-07-01 03:02 . 2010-07-01 03:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-01 02:07 . 2010-07-01 02:07 -------- d-----w- c:\documents and settings\Administrator.RGL00\Local Settings\Application Data\MotionDSP
    2010-07-01 02:07 . 2010-07-01 02:07 -------- d-----w- c:\documents and settings\Administrator.RGL00\Application Data\MotionDSP
    2010-07-01 02:06 . 2010-07-01 02:07 -------- d-----w- c:\program files\vReveal
    2010-06-30 00:27 . 2010-07-01 01:55 50354 ----a-w- c:\documents and settings\Administrator.RGL00\Application Data\Facebook\uninstall.exe
    2010-06-30 00:27 . 2010-06-30 00:27 -------- d-----w- c:\documents and settings\Administrator.RGL00\Application Data\Facebook
    2010-06-29 21:13 . 2010-07-12 12:39 -------- d-----w- C:\downloads
    2010-06-29 21:13 . 2010-06-29 21:13 -------- d-----w- c:\documents and settings\Administrator.RGL00\Application Data\GrabPro
    2010-06-29 21:13 . 2010-06-29 21:36 -------- d-----w- c:\documents and settings\Administrator.RGL00\Application Data\Orbit
    2010-06-29 17:23 . 2010-06-29 17:23 -------- d-----w- C:\WS_FTP
    2010-06-28 00:11 . 2010-06-28 00:11 -------- d-----w- C:\Orchestra Pics
    2010-06-25 17:16 . 2010-05-26 09:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
    2010-06-25 12:26 . 2010-06-25 12:26 -------- d-----w- c:\program files\Sophos
    2010-06-19 22:07 . 2010-06-19 22:07 -------- d-----w- C:\Win7
    2010-06-19 16:25 . 2010-06-28 00:12 -------- d-----w- C:\Photos
    2010-06-19 16:14 . 2008-04-14 04:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2010-06-19 16:14 . 2008-04-13 23:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2010-06-19 16:14 . 2008-04-13 23:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2010-06-19 16:14 . 2001-08-17 21:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2010-06-17 10:51 . 2010-06-17 11:28 -------- d-----w- c:\documents and settings\Administrator.RGL00\Application Data\webex
    2010-06-17 10:37 . 2010-06-17 12:15 -------- d-----w- c:\program files\Common Files\Ahead
    2010-06-16 19:55 . 2010-06-16 19:55 -------- d-----w- C:\wga
    2010-06-14 12:29 . 2010-06-14 12:30 -------- d-----w- C:\wages
    2010-06-13 21:33 . 2010-06-13 21:37 -------- d-----w- C:\Windows7Office2007

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-12 13:30 . 2008-04-25 21:27 -------- d-----w- c:\program files\Internet Explorer1
    2010-07-12 12:12 . 2009-11-04 09:25 -------- d-----w- c:\documents and settings\Administrator.RGL00\Application Data\vlc
    2010-07-12 02:02 . 2010-02-18 23:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-11 22:44 . 2009-10-27 00:40 -------- d-----w- c:\program files\Analog Devices
    2010-07-11 22:44 . 2009-10-26 12:56 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-07-10 21:45 . 2009-11-24 22:05 -------- d-----w- c:\program files\DownloadToolz
    2010-07-07 02:03 . 2010-01-25 23:04 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
    2010-06-25 17:19 . 2010-04-06 14:02 -------- d-----w- c:\program files\Software Dimensions Ltd
    2010-06-25 14:54 . 2010-01-02 20:38 -------- d-----w- c:\program files\Common Files\Adobe
    2010-06-24 09:22 . 2010-03-15 15:34 77824 ----a-w- c:\windows\system32\rbsSystemInfo.dll
    2010-06-24 09:22 . 2010-03-15 15:34 135168 ----a-w- c:\windows\system32\rbsDBUpd.dll
    2010-06-24 09:20 . 2010-03-15 15:34 24576 ----a-w- c:\windows\system32\HQMCWrapper.dll
    2010-06-24 09:20 . 2010-03-15 15:36 147456 ----a-w- c:\windows\system32\rbsPostFinanceWrapper.dll
    2010-06-24 09:20 . 2010-03-15 15:34 122880 ----a-w- c:\windows\system32\rbsFiSh.dll
    2010-06-24 09:20 . 2010-03-15 15:34 90112 ----a-w- c:\windows\system32\rbsDocViewer.dll
    2010-06-24 09:19 . 2010-03-15 15:34 229376 ----a-w- c:\windows\system32\rbsDocumentMerge.dll
    2010-06-24 09:19 . 2010-03-15 15:34 655360 ----a-w- c:\windows\system32\MergeCode.dll
    2010-06-24 09:19 . 2010-03-15 15:34 36864 ----a-w- c:\windows\system32\rbsCodeGenerator.dll
    2010-06-24 09:19 . 2010-03-15 15:34 32768 ----a-w- c:\windows\system32\ChangeReportSetting.dll
    2010-06-24 09:19 . 2010-03-15 15:34 110592 ----a-w- c:\windows\system32\rbsCopyPol.dll
    2010-06-24 09:19 . 2010-03-15 15:34 704512 ----a-w- c:\windows\system32\rbsAccEnq.dll
    2010-06-24 09:19 . 2010-03-15 15:34 57344 ----a-w- c:\windows\system32\rbsPolStat.dll
    2010-06-24 09:18 . 2010-03-15 15:34 1830912 ----a-w- c:\windows\system32\LifePost.dll
    2010-06-24 09:18 . 2010-03-15 15:34 69632 ----a-w- c:\windows\system32\rbsPBrdg.dll
    2010-06-24 09:17 . 2010-03-15 15:34 4337664 ----a-w- c:\windows\system32\rbsPost.dll
    2010-06-24 09:17 . 2010-03-15 15:34 122880 ----a-w- c:\windows\system32\rbsDiary.dll
    2010-06-24 09:17 . 2010-03-15 15:47 126976 ----a-w- c:\windows\system32\UMSSecurity.dll
    2010-06-24 09:16 . 2010-03-15 15:34 2318336 ----a-w- c:\windows\system32\rbsPNR.dll
    2010-06-24 09:16 . 2010-03-15 15:34 315392 ----a-w- c:\windows\system32\rbsBizRl.dll
    2010-06-24 09:16 . 2010-03-15 15:34 139264 ----a-w- c:\windows\system32\rbsUNR.dll
    2010-06-24 09:16 . 2010-03-15 15:34 245760 ----a-w- c:\windows\system32\rbsRNR.dll
    2010-06-24 09:16 . 2010-03-15 15:34 77824 ----a-w- c:\windows\system32\rbsDataR.dll
    2010-06-24 09:16 . 2010-03-15 15:34 28672 ----a-w- c:\windows\system32\rbsGovLevy.dll
    2010-06-24 09:15 . 2010-03-15 15:34 200704 ----a-w- c:\windows\system32\rbsConfig.dll
    2010-06-24 09:15 . 2010-03-15 15:34 28672 ----a-w- c:\windows\system32\rbsSessn.dll
    2010-06-17 20:33 . 2010-06-04 21:29 -------- d-----w- c:\documents and settings\Administrator.RGL00\Application Data\dvdcss
    2010-06-09 10:45 . 2010-06-09 10:45 5591040 ----a-w- c:\documents and settings\Administrator.RGL00\Application Data\Facebook\npfbplugin_1_0_3.dll
    2010-05-29 21:46 . 2010-05-29 21:46 -------- d-----w- c:\program files\OpenXML-ODF Translator
    2010-05-18 20:03 . 2010-05-06 23:44 -------- d-----w- c:\documents and settings\Administrator.RGL00\Application Data\Moyea
    2010-05-06 23:41 . 2010-05-06 23:40 12251616 ----a-w- C:\youtube_flv_downloader_install.exe
    2010-05-06 10:41 . 2008-04-13 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-05 12:22 . 2010-05-05 12:22 1728943 ----a-w- C:\ProcessExplorer.zip
    2010-05-02 05:22 . 2008-04-13 23:00 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-30 18:29 . 2010-04-30 18:29 3382520 ----a-w- C:\ccsetup231.exe
    2010-04-29 10:24 . 2009-11-04 12:13 41720 ----a-w- c:\documents and settings\Administrator.RGL00\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-04-20 05:30 . 2008-04-13 23:00 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-04-15 07:01 . 2010-05-05 12:22 3879288 ----a-w- C:\procexp.exe
    2010-06-17 10:51 . 2010-06-17 10:51 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    .

    Sigcheck

    [7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    [7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
    [-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
    [7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2010-07-12 3037696]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-28 173592]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2010-01-08 1044480]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-12 2065760]
    "SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2010-07-12 2176512]

    c:\documents and settings\Administrator.RGL00\Start Menu\Programs\Startup\
    logon.bat [2010-3-5 1083]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-07-12 10:05 12536 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2009-09-28 19:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
    2008-08-14 07:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2009-07-28 10:18 141336 ----a-w- c:\windows\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
    2008-08-11 12:41 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    2009-07-28 10:18 142872 ----a-w- c:\windows\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    2009-11-09 03:17 180224 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2010-01-08 13:13 1044480 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-01-19 13:40 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
    2002-09-20 16:46 319488 ----a-w- c:\program files\RealVNC\WinVNC\winvnc.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "AdobeBridge"=
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Real Alternative\\Media Player Classic\\mplayerc.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "c:\\Program Files\\Microsoft Office\\Office\\WINWORD.EXE"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\RealVNC\\WinVNC\\winvnc.exe"=
    "c:\\Documents and Settings\\Administrator.RGL00\\Application Data\\FlashgetSetup\\fgmini.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "2376:TCP"= 2376:TCP:*:Disabled:PrintTrak net services (TCP 2376)
    "2377:TCP"= 2377:TCP:*:Disabled:PrintTrak net services (TCP 2377)
    "2378:TCP"= 2378:TCP:*:Disabled:PrintTrak net services (TCP 2378)
    "2379:TCP"= 2379:TCP:*:Disabled:PrintTrak net services (TCP 2379)
    "2326:UDP"= 2326:UDP:*:Disabled:PrintTrak net services (UDP 2326)
    "2327:UDP"= 2327:UDP:*:Disabled:PrintTrak net services (UDP 2327)
    "2328:UDP"= 2328:UDP:*:Disabled:PrintTrak net services (UDP 2328)
    "2329:UDP"= 2329:UDP:*:Disabled:PrintTrak net services (UDP 2329)
    "5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4

    R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [11/07/2010 23:43 24064]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/07/2010 11:05 216400]
    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [25/06/2010 18:16 18816]
    R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [12/07/2010 13:41 142592]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [20/11/2009 10:47 108289]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12/07/2010 11:05 308136]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [11/08/2008 13:41 12856]
    R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [26/10/2009 21:35 157152]
    S0 cerc6;cerc6; [x]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3218.tmp --> c:\windows\system32\3218.tmp [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://192.168.30.239/
    IE: Download all by FlashGet3 - c:\documents and settings\Administrator.RGL00\Application Data\FlashGetBHO\GetAllUrl.htm
    IE: Download by FlashGet3 - c:\documents and settings\Administrator.RGL00\Application Data\FlashGetBHO\GetUrl.htm
    IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    Trusted Zone: kuaiche.com\software
    TCP: {49B9D266-AB3D-41BC-9716-D29F5CF1A65A} = 192.168.30.2,84.203.254.34
    FF - ProfilePath - c:\documents and settings\Administrator.RGL00\Application Data\Mozilla\Firefox\Profiles\qqngqnvy.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ie/webhp?hl=all
    FF - component: c:\documents and settings\Administrator.RGL00\Application Data\Mozilla\Firefox\Profiles\qqngqnvy.default\extensions\{DB9127A2-3381-41ec-82B3-1B6ED4C6F29A}\components\FlashgetXpi.dll
    FF - plugin: c:\documents and settings\Administrator.RGL00\Application Data\Facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\Administrator.RGL00\Application Data\Mozilla\Firefox\Profiles\qqngqnvy.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
    FF - plugin: c:\documents and settings\Administrator.RGL00\Application Data\Mozilla\Firefox\Profiles\qqngqnvy.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-Corel File Shell Monitor - c:\program files\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe
    MSConfigStartUp-FlashGet 3 - c:\program files\FlashGet Network\FlashGet 3\FlashGet3.exe
    MSConfigStartUp-FlashGetBHO - c:\program files\FlashGet Network\FlashGet 3\mxhelper.exe
    MSConfigStartUp-Microsoft Windows - c:\windows\iexplore.exe
    MSConfigStartUp-Standby - c:\program files\Common Files\Corel\Standby\Standby.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-12 21:25
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\documents and settings\Administrator.RGL00\Application Data\Mozilla\Firefox\Profiles\qqngqnvy.default\pluginreg.dat.bak 18441 bytes
    c:\documents and settings\Administrator.RGL00\Application Data\Mozilla\Firefox\Profiles\qqngqnvy.default\prefs.js.BAK 36286 bytes

    scan completed successfully
    hidden files: 2

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\3218.tmp"
    .
    LOCKED REGISTRY KEYS

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5e,c4,81,ea,ca,62,bb,4c,af,0d,d8,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5e,c4,81,ea,ca,62,bb,4c,af,0d,d8,\

    [HKEY_USERS\S-1-5-21-1177238915-630328440-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3d,c4,47,84,f1,dd,6d,4a,82,e5,80,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bf,c1,bc,16,71,fe,1c,4f,96,88,76,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3d,c4,47,84,f1,dd,6d,4a,82,e5,80,\

    [HKEY_LOCAL_MACHINE\software\Classes\x*b*9*d*8*b*b*5*e*6*d*f*0*3*2*a*a*.*Ý+\CLSID]
    @="{48F0C07A-029A-3110-8239-CF23413A3E46}"

    [HKEY_LOCAL_MACHINE\software\Classes\]/.*\/]
    @="?.?"

    [HKEY_LOCAL_MACHINE\software\Classes\]/.*\/\CLSID]
    @="{AFFA320F-D0BF-35BD-9447-669A3211292D}"
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'winlogon.exe'(840)
    c:\windows\system32\LMIinit.dll
    .
    Completion time: 2010-07-12 21:26:59
    ComboFix-quarantined-files.txt 2010-07-12 20:26

    Pre-Run: 84,215,824,384 bytes free
    Post-Run: 84,370,833,408 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - FCE5C28157155CD8F4734CAC350F12CE
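The ComboFix log above ends with a Sigcheck section and a set of autostart, service and orphaned-startup entries. As an added example, not ComboFix's own code and not posted by anyone in this thread, the Python below applies two of the checks a triager does by hand on such a log: it compares the live copy of a system file against the backup copies Windows XP keeps (dllcache, $hf_mig$, $NtUninstall folders) for the same version string, and it flags autostart image paths that are well-known binaries sitting in the wrong folder or that carry a .tmp extension. The sample lines are copied from the log above; the backup-folder markers, the expected-directory table and both heuristics are assumptions of mine. A hit is a prompt for a closer look, not a verdict: GDR and QFE builds of one file version legitimately have different hashes, and some legitimate tools, anti-rootkit scanners among them, load drivers from .tmp files.

```python
"""Two triage checks over ComboFix-style log lines (added example, not ComboFix's own code)."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Sigcheck rows copied from the log above: [flag] date . MD5 . size . . [version] . . path
SIGCHECK_LINES = r"""
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
"""

SIG_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)"
    r"\s+\.\s+\.\s+\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*)$"
)

# Folders where XP keeps reference copies of system files (assumed list).
BACKUP_MARKERS = ("\\dllcache\\", "\\$hf_mig$\\", "\\$ntuninstall")


def parse_sigcheck(text):
    """Return one dict per Sigcheck row; lines that do not match the layout are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = SIG_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["md5"] = row["md5"].upper()
            row["size"] = int(row["size"])
            rows.append(row)
    return rows


def is_backup_copy(path):
    return any(marker in path.lower() for marker in BACKUP_MARKERS)


def live_copies_without_matching_backup(rows):
    """Live files whose MD5 matches none of the backup copies with the same name and version.

    GDR and QFE builds of one version legitimately differ, so the backups are allowed to
    disagree with each other; a live file that matches *neither* is what stands out."""
    backups = defaultdict(set)
    for r in rows:
        if is_backup_copy(r["path"]):
            backups[(PureWindowsPath(r["path"]).name.lower(), r["ver"])].add(r["md5"])
    flagged = []
    for r in rows:
        if is_backup_copy(r["path"]):
            continue
        key = (PureWindowsPath(r["path"]).name.lower(), r["ver"])
        if r["md5"] not in backups.get(key, set()):
            flagged.append(r["path"])
    return flagged


# Autostart and service rows copied from the log above.
AUTOSTART_LINES = r"""
MSConfigStartUp-FlashGet 3 - c:\program files\FlashGet Network\FlashGet 3\FlashGet3.exe
MSConfigStartUp-Microsoft Windows - c:\windows\iexplore.exe
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [12/07/2010 13:41 142592]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3218.tmp --> c:\windows\system32\3218.tmp [?]
"""

# Assumed baseline: the folder each of these Microsoft binaries lives in on XP.
EXPECTED_DIR = {
    "iexplore.exe": r"c:\program files\internet explorer",
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
}
PATH_RE = re.compile(r"[a-z]:\\[^\[\]>;]+?\.(?:exe|sys|dll|tmp)\b", re.IGNORECASE)


def suspicious_autostarts(text):
    """(path, reason) for image paths that are .tmp files or well-known binaries in the wrong folder."""
    hits = []
    for line in text.strip().splitlines():
        m = PATH_RE.search(line)
        if not m:
            continue
        path = m.group(0)
        p = PureWindowsPath(path.lower())
        if p.suffix == ".tmp":
            hits.append((path, "executable image with a .tmp extension"))
        elif p.name in EXPECTED_DIR and str(p.parent) != EXPECTED_DIR[p.name]:
            hits.append((path, f"{p.name} outside {EXPECTED_DIR[p.name]}"))
    return hits


if __name__ == "__main__":
    for path in live_copies_without_matching_backup(parse_sigcheck(SIGCHECK_LINES)):
        print("Sigcheck: no backup copy matches", path)
    for path, reason in suspicious_autostarts(AUTOSTART_LINES):
        print("Autostart:", path, "-", reason)
```

On the sample lines the first check singles out the live c:\windows\system32\drivers\tcpip.sys, the row ComboFix itself marked [-], and the second check reports c:\windows\iexplore.exe and the .tmp-backed MEMSWEEP2 service. To use it on a fresh log, paste the relevant sections into the two string constants; nothing is read from disk.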



  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Download Bootkit Remover to your desktop.
    This is a rar file; if you do not have a programme to open it, download and install PeaZip.

    Extract Remover.exe to your desktop.
    Right-click Remover.exe and select Run as Administrator.
    It will show a black screen with some data on it.
    Right-click on the screen and select > Select All.
    Press Ctrl+C.
    Open Notepad and press Ctrl+V.

    Post the resultant log here please.


  • Closed Accounts Posts: 1,650 ✭✭✭shayser


    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\Administrator.RGL00>"C:\Documents and Settings\Administrator.RGL00\Desktop\remover.exe"
    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    \\.\C: -> \\.\PhysicalDrive0
    MD5: b19ee33a0168d5f0bb9afbe12e2bc035
    \\.\F: -> \\.\PhysicalDrive2
    MD5: b19ee33a0168d5f0bb9afbe12e2bc035

    Size Device Name MBR Status

    232 GB \\.\PhysicalDrive0 Unknown boot code
    931 GB \\.\PhysicalDrive2 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Press any key to quit...



  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Found the baddie.
    @ECHO OFF
    REM remover.exe is looked up in the current folder (the desktop, when fix.bat is double-clicked there), then on PATH
    START remover.exe fix \\.\PhysicalDrive0
    EXIT
    Next you will need to create the batch fix. To do that, copy and paste ALL of the above in the quote box to a Notepad file.
    Then in the text file go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
    Then in the FILE NAME box type fix.bat

    This will create a batch file.

    Then run fix.bat by double-clicking; you may see a black box appear, this is normal.

    On completion:

    1. Run Bootkit Remover again with no switches, as we did at first, and copy the data.
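The steps above have Bootkit Remover hash the MBR, report "Unknown boot code", and then "fix" it. As an added example, not part of this thread and not Bootkit Remover's code, the Python below shows what those two operations amount to on a 512-byte master boot record: parse the layout (440 bytes of boot code, a 4-byte disk signature, 2 reserved bytes, four 16-byte partition entries and the 0x55AA signature), hash only the boot-code region against a set of known-good hashes, and restore clean boot code while leaving the disk signature and partition table untouched. That the tool hashes the boot-code region rather than the whole sector is an inference from the log above, where a 232 GB disk and a 931 GB disk, which cannot share a partition table, reported the same MD5. The clean and tampered boot code, the known-good hash set and the partition layout here are all constructed stand-ins, not the real Windows boot code.

```python
"""Parse, classify and repair a 512-byte MBR (added example; not Bootkit Remover code)."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0-439: boot code, the region an MBR bootkit hooks
DISK_SIG_OFF = 440       # bytes 440-443: NT disk signature, 444-445 reserved
PTABLE_OFF = 446         # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"   # bytes 510-511


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into its fields and hash only the boot-code region."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[PTABLE_OFF + 16 * i : PTABLE_OFF + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, n_sectors = struct.unpack("<B3xB3xII", entry)
        if ptype:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": n_sectors})
    return {
        "boot_code_md5": hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": parts,
        "signature_ok": sector[510:] == BOOT_SIG,
    }


def classify_boot_code(sector: bytes, known_good: set) -> str:
    """Mirror the tool's verdict: OK if the boot-code hash is in the known-good set."""
    md5 = hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest()
    return "OK" if md5 in known_good else "Unknown boot code"


def restore_boot_code(sector: bytes, clean_boot_code: bytes) -> bytes:
    """Replace bytes 0-439 only; disk signature, partition table and 0x55AA are kept."""
    if len(clean_boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be 440 bytes")
    return clean_boot_code + sector[BOOT_CODE_LEN:]


def build_mbr(boot_code: bytes, partitions, disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a sector from constructed parts (test fixture, not a real disk image)."""
    table = b"".join(struct.pack("<B3xB3xII", s, t, lba, n) for s, t, lba, n in partitions)
    return boot_code + struct.pack("<I", disk_sig) + b"\x00\x00" + table.ljust(64, b"\x00") + BOOT_SIG


# Constructed stand-ins: a "clean" boot code padded with NOPs, and a tampered copy
# whose first bytes were overwritten with a far jump, as a hooking bootkit would do.
CLEAN_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOT_CODE_LEN, b"\x90")
TAMPERED_BOOT_CODE = b"\xEA\x00\x00\x00\x00" + CLEAN_BOOT_CODE[5:]
KNOWN_GOOD = {hashlib.md5(CLEAN_BOOT_CODE).hexdigest()}   # assumed baseline set
PARTS = [(0x80, 0x07, 63, 488_281_250)]                    # one bootable NTFS partition


def demo() -> dict:
    infected = build_mbr(TAMPERED_BOOT_CODE, PARTS)
    before = parse_mbr(infected)
    fixed = restore_boot_code(infected, CLEAN_BOOT_CODE)
    after = parse_mbr(fixed)
    return {
        "before": classify_boot_code(infected, KNOWN_GOOD),
        "after": classify_boot_code(fixed, KNOWN_GOOD),
        "partitions_preserved": before["partitions"] == after["partitions"],
        "disk_signature_preserved": before["disk_signature"] == after["disk_signature"],
    }


if __name__ == "__main__":
    print(demo())
```

On a real machine the input would be the first sector of \\.\PhysicalDrive0 read with administrative rights, and the known-good set would hold hashes of stock boot code. Restoring only bytes 0-439 is the point of the exercise: the hook lives there, while the partition table, which a careless overwrite of the whole sector would destroy, lives after it. A disk that reports "Unknown boot code" merely has boot code the tool does not recognise; a vendor or non-Windows MBR on a removable drive would report the same.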


  • Closed Accounts Posts: 1,650 ✭✭✭shayser


    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\Administrator.RGL00>"C:\Documents and Settings\Administrator.RGL00\Desktop\remover.exe"
    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    \\.\C: -> \\.\PhysicalDrive0
    MD5: 6def5ffcbcdbdb4082f1015625e597bd
    \\.\F: -> \\.\PhysicalDrive1
    MD5: b19ee33a0168d5f0bb9afbe12e2bc035

    Size Device Name MBR Status

    232 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
    931 GB \\.\PhysicalDrive1 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Press any key to quit...


    =================


    Will I do the same for Drive1?




  • Closed Accounts Posts: 1,650 ✭✭✭shayser


    I changed the batch file to:

    @ECHO OFF
    START remover.exe fix \\.\PhysicalDrive1
    EXIT

    and got this:

    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    Restoring boot code at \\.\PhysicalDrive1...
    SPTI_Read(): DeviceIoControl() ERROR 121
    ERROR: Can't read first sector of disk by SPTI.

    Press any key to quit...


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    How's it running now, any issues?


  • Closed Accounts Posts: 1,650 ✭✭✭shayser


    I think I might have the same boot code problem with the f: drive (usb) - PhysicalDrive1 but when I run the remover batch file I get an error:

    Restoring boot code at \\.\PhysicalDrive1...
    SPTI_Read(): DeviceIoControl() ERROR 121
    ERROR: Can't read first sector of disk by SPTI.


    This drive has all my stuff on it!


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Ignore the F:\ drive for the moment, how is the PC running ?


  • Closed Accounts Posts: 1,650 ✭✭✭shayser


    It's looking good. Internet Explorer is no longer running of its own accord. Don't see any other issues. Fantastic help, thanks.

    Nasty virus; none of the AV programs could detect it.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Yeah, 'tis nasty. One final thing:


    Your logs are clean


    Follow these steps to uninstall Combofix and tools used in the removal of malware

    Uninstall ComboFix

    Remove Combofix now that we're done with it.
    • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
    • Please follow the prompts to uninstall Combofix.
    • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

    • Download OTC to your desktop and run it
    • Click Yes to begin the Cleanup process and remove these components, including this application.
    • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.


    • Please read my guide on how to prevent malware and about safe computing here
    Thank you for your patience, and performing all of the procedures requested.


  • Closed Accounts Posts: 1,650 ✭✭✭shayser


    Thanks again. Any idea why Remover can't fix the usb drive boot code?


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    There is nothing wrong with your F:\ drive, that's why.

