Yet another Google hijack

ashmatuk



Joined: Apr 28, 2009
Posts: 6



Posted: Tue Apr 28, 2009 6:48 pm    Post subject: Yet another Google hijack

I noticed a couple of days ago that my Google searches were being redirected, often to MySpace. I have tried Malwarebytes, AVG, Spybot and others to no avail. AVG keeps giving me a trojan warning every time I open Explorer. Please could you have a look at this HijackThis log and let me know what you think.

Any help is most appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:40:21, on 28/04/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16830)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Windows\sttray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\ProgramData\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\msfeedssync.exe
C:\Users\Ashley\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel...&ib
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel...&ib
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel...&ib
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel...&ib
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Gainward] C:\Program Files\Vtune\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
O4 - HKCU\..\Run: [DellTransferAgent] "C:\ProgramData\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [Simplify Media] "C:\Program Files\Simplify Media\SimplifyMedia.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Windows Resurections] C:\Windows\TEMP\i98p0mqlyx.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\Windows\TEMP\2969503197.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\Windows\TEMP\i98p0mqlyx.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 10168 bytes
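Reading the log above, the entries that stand out are the three O4 Run values under HKUS\S-1-5-18 and HKUS\.DEFAULT that launch randomly named executables from C:\Windows\TEMP. The Python script below is an added example written for this page, not code from the thread or from HijackThis: it parses the O4 registry Run lines of a HijackThis log and flags each entry that executes from a temp directory, sits in the SYSTEM or Default User hive, or has a random-looking file name. The sample log text is constructed from lines in the post above, and the thresholds in the name heuristic (six digits, eight mixed letters and digits) are the example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: O4 lines copied from the HijackThis log posted in
# this thread (three suspicious, three benign, one Global Startup line).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
O4 - HKUS\S-1-5-18\..\Run: [Windows Resurections] C:\Windows\TEMP\i98p0mqlyx.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\Windows\TEMP\2969503197.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\Windows\TEMP\i98p0mqlyx.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# O4 registry Run entry: "O4 - <hive>\..\Run: [<name>] <command> (User '<user>')"
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

# Hives in which legitimate software rarely registers a Run value:
# the SYSTEM account (S-1-5-18) and the Default User profile.
UNUSUAL_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")


@dataclass
class Finding:
    name: str
    path: str
    hive: str
    reasons: list = field(default_factory=list)


def executable_path(cmd: str) -> str:
    """Return the program path from a Run command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def looks_random(stem: str) -> bool:
    """Heuristic (assumed thresholds): all digits, or a long run of letters
    and digits with no separator, is what generated names look like."""
    s = stem.lower()
    if s.isdigit() and len(s) >= 6:
        return True
    return (re.fullmatch(r"[a-z0-9]{8,}", s) is not None
            and any(c.isdigit() for c in s)
            and any(c.isalpha() for c in s))


def triage(log_text: str) -> list:
    """Return the O4 Run entries that trip at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue  # not a registry Run entry (e.g. Global Startup)
        path = executable_path(m.group("cmd"))
        stem = path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if "\\temp\\" in path.lower() or "\\tmp\\" in path.lower():
            reasons.append("executes from a temp directory")
        if m.group("hive") in UNUSUAL_HIVES:
            reasons.append("Run value under the SYSTEM or Default User hive")
        if looks_random(stem):
            reasons.append("random-looking file name")
        if reasons:
            findings.append(Finding(m.group("name"), path, m.group("hive"), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.hive}] {f.name!r} -> {f.path}: " + "; ".join(f.reasons))
```

Run against the sample, only the three HKUS entries are reported, each for all three reasons; the AVG, iTunes and Sidebar entries pass untouched. Any one reason alone is a weak signal (plenty of installers drop a helper in Temp for a single reboot), but an entry that trips all three at once is the kind of line a helper on this forum would ask to have fixed first.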
ashmatuk



Joined: Apr 28, 2009
Posts: 6



Posted: Tue Apr 28, 2009 7:01 pm    Post subject:

AVG is saying that it's a Trojan Horse Agent2.EIZ infection, in files C:\windows\system32\ovfsthixiwjwvmkeqqdvgxpjbadkkstyemtb.dll and C:\windows\system32\ovfsthqfirueaxxxocsuqvmblekwbvqritktm.dll.

This is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.36
Database version: 2049
Windows 6.0.6000

29/04/2009 00:07:37
mbam-log-2009-04-29 (00-07-37).txt

Scan type: Quick Scan
Objects scanned: 74222
Time elapsed: 7 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\ovfsthixiwjwvmkeqqdvgxpjxbadkktstyemtb.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\ovfsthqfirueaxxxocsuqvmblekwbvqritktrm.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Users\Ashley\AppData\Local\Temp\ovfsthfykwoipoga.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Users\Ashley\AppData\Local\Temp\ovfsthycertxojiy.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\ovfsthucdimqnjwwiyicagxjdfwajmynxjvida.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\ovfsthdvxnxntxqxxpghdeoixienkftfrkrucw.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\ovfsthejnhbmrjxwgndltxeluhwcvceianucot.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\ovfsthesppwvytucbpuetxfttqnosxhavivuch.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\ovfsthofurhvmjpwpeubtppcobdwoewgbetffn.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Ashley\AppData\Local\Temp\ovfsthsmswpyvmbo.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
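Every file Malwarebytes removed above starts with the same six letters, "ovfsth", followed by a long run of random lowercase letters, and the same pattern spans system32, the drivers directory and the user's Temp folder. The Python script below is an added example, not part of this thread or of Malwarebytes, showing how to surface such a naming pattern from a list of paths without knowing the prefix in advance: it groups file names by candidate prefixes of increasing length and keeps only groups whose suffixes look generated. The path list is constructed from the Malwarebytes log above plus a few legitimate Windows file names that appear later in this thread, for contrast; the thresholds (at least three members, prefix of 4 to 12 characters, suffix of eight or more lowercase letters) are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: paths from the Malwarebytes log in this thread,
# plus legitimate files from the ComboFix log further down, for contrast.
SAMPLE_PATHS = [
    r"C:\Windows\System32\ovfsthixiwjwvmkeqqdvgxpjxbadkktstyemtb.dll",
    r"C:\Windows\System32\ovfsthqfirueaxxxocsuqvmblekwbvqritktrm.dll",
    r"C:\Users\Ashley\AppData\Local\Temp\ovfsthfykwoipoga.tmp",
    r"C:\Users\Ashley\AppData\Local\Temp\ovfsthycertxojiy.tmp",
    r"C:\Windows\System32\drivers\ovfsthucdimqnjwwiyicagxjdfwajmynxjvida.sys",
    r"C:\Windows\System32\ovfsthdvxnxntxqxxpghdeoixienkftfrkrucw.dll",
    r"C:\Windows\System32\ovfsthesppwvytucbpuetxfttqnosxhavivuch.dat",
    r"C:\Windows\System32\yhs783ijfo3fe.dll",
    r"C:\Windows\System32\drivers\mbam.sys",
    r"C:\Windows\System32\winhttp.dll",
    r"C:\Windows\System32\PresentationHostProxy.dll",
    r"C:\Windows\System32\PresentationNative_v0300.dll",
    r"C:\Windows\System32\PresentationHost.exe",
]


def basename_stem(path: str) -> str:
    """File name without directory or extension."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name


def remainder_looks_random(rem: str) -> bool:
    """Assumed heuristic: eight or more lowercase letters with no digits,
    separators or CamelCase is what a generated suffix looks like, and
    what product names such as PresentationHostProxy do not."""
    return re.fullmatch(r"[a-z]{8,}", rem) is not None


def prefix_clusters(paths, min_members=3, min_prefix=4, max_prefix=12):
    """Group files whose names share a leading prefix followed by a
    random-looking suffix.  Returns {prefix: [paths]}, reporting only the
    longest prefix for each set of files."""
    stems = {p: basename_stem(p) for p in paths}
    candidates = {}
    for k in range(min_prefix, max_prefix + 1):
        groups = defaultdict(list)
        for p, s in stems.items():
            if len(s) > k:
                groups[s[:k].lower()].append(p)
        for prefix, members in groups.items():
            if len(members) >= min_members and all(
                remainder_looks_random(stems[p][k:]) for p in members
            ):
                candidates[prefix] = members
    # Drop "ovfs" and "ovfst" when "ovfsth" covers exactly the same files.
    return {
        p: m for p, m in candidates.items()
        if not any(q != p and q.startswith(p) and candidates[q] == m
                   for q in candidates)
    }


def directories(paths):
    """Distinct parent directories, case-folded, to show the spread."""
    return sorted({p.rsplit("\\", 1)[0].lower() for p in paths})


if __name__ == "__main__":
    for prefix, members in prefix_clusters(SAMPLE_PATHS).items():
        dirs = directories(members)
        print(f"prefix {prefix!r}: {len(members)} files in {len(dirs)} directories")
        for m in members:
            print("   ", m)
```

On the sample this yields a single cluster, "ovfsth", with seven files across three directories, while the Presentation* files (shared prefix, but CamelCase suffixes) and the lone yhs783ijfo3fe.dll are left out. The value for a responder is the second pass: once a prefix is known, a directory listing of system32, drivers and every user's Temp folder can be filtered for the same prefix to catch components the scanner's signatures missed, which is exactly what the later ComboFix run in this thread turned up.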
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

Posted: Tue Apr 28, 2009 9:16 pm    Post subject:

Welcome to Lockergnome.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download ATF Cleaner at http://www.atribune.org/ccount/click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you have checked the last one:

O4 - HKUS\S-1-5-18\..\Run: [Windows Resurections] C:\Windows\TEMP\i98p0mqlyx.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\Windows\TEMP\2969503197.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\Windows\TEMP\i98p0mqlyx.exe (User 'Default user')


Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
ashmatuk



Joined: Apr 28, 2009
Posts: 6



Posted: Wed Apr 29, 2009 3:16 am    Post subject:

Thanks. Here is the ComboFix log:

ComboFix 09-04-28.02 - Ashley 29/04/2009 8:11.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.44.1033.18.1021.325 [GMT 1:00]
Running from: c:\users\Ashley\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\users\Ashley\AppData\Local\Microsoft\Windows\Temporary Internet Files\fbk.sts
c:\windows\system32\drivers\ovfsthucdimqnjwwiyicagxjdfwajmynxjvida.sys
c:\windows\system32\ovfsthbafyvrcrmdileajfknawqyjphdppcjuk.dat
c:\windows\system32\ovfsthdhwxyhwluigeqjmrqoamulcnyqvxummd.dat
c:\windows\system32\ovfsthnjllqxdrhxifrtckyjrlqdoqupbxpaoh.dll
c:\windows\system32\uniq.tll
c:\windows\system32\x64
c:\windows\system32\yhs783ijfo3fe.dll
c:\windows\Temp\2969503197.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthspocmmyfdrxelmgbvyljguhxpwbbvojm


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-28 22:20 . 2009-04-28 22:20 -------- d-----w c:\programdata\SUPERAntiSpyware.com
2009-04-28 22:20 . 2009-04-28 22:20 -------- d-----w c:\users\All Users\SUPERAntiSpyware.com
2009-04-28 22:19 . 2009-04-28 22:19 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-28 22:19 . 2009-04-28 22:19 -------- d-----w c:\users\Ashley\AppData\Roaming\SUPERAntiSpyware.com
2009-04-28 22:18 . 2009-04-28 22:18 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-28 18:01 . 2009-04-28 21:01 -------- d--h--w C:\$AVG8.VAULT$
2009-04-28 17:47 . 2009-04-28 17:47 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-28 17:46 . 2009-04-28 17:46 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-28 17:46 . 2009-04-28 17:46 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-28 17:46 . 2009-04-28 17:48 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-28 17:46 . 2009-04-28 17:46 -------- d-----w c:\program files\AVG
2009-04-28 17:46 . 2009-04-28 17:46 -------- d-----w c:\programdata\avg8
2009-04-28 17:46 . 2009-04-28 17:46 -------- d-----w c:\users\All Users\avg8
2009-04-27 21:21 . 2009-04-27 21:21 -------- d-----w c:\windows\system32\config\systemprofile\AppData\Local\Mozilla
2009-04-27 19:29 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-27 19:29 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-27 17:22 . 2009-04-27 17:22 -------- d-----r c:\windows\system32\config\systemprofile\Saved Games
2009-04-27 17:22 . 2009-04-27 17:22 -------- d-----r c:\windows\system32\config\systemprofile\Links
2009-04-27 17:22 . 2009-04-27 17:22 -------- d-----r c:\windows\system32\config\systemprofile\Downloads
2009-04-27 17:22 . 2009-04-27 17:22 -------- d-----r c:\windows\system32\config\systemprofile\Searches
2009-04-27 17:22 . 2009-04-27 17:22 -------- d-----r c:\windows\system32\config\systemprofile\Pictures
2009-04-27 17:22 . 2009-04-27 17:22 -------- d-----r c:\windows\system32\config\systemprofile\Videos
2009-04-27 17:22 . 2009-04-27 17:22 -------- d-----r c:\windows\system32\config\systemprofile\Documents
2009-04-24 18:07 . 2009-04-24 18:07 -------- d-----w C:\SWISNIFE
2009-04-24 17:44 . 2009-04-24 17:45 -------- d-----w c:\program files\Seagate
2009-04-23 19:02 . 2009-04-23 19:02 -------- d-----w c:\users\Ashley\AppData\Local\WBFSManager
2009-04-23 19:00 . 2009-04-23 19:00 -------- d-----w c:\program files\WBFS
2009-04-23 18:48 . 2008-06-20 01:17 97800 ----a-w c:\windows\system32\infocardapi.dll
2009-04-23 18:48 . 2008-06-20 01:18 105016 ----a-w c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-04-23 18:48 . 2008-06-20 01:17 622080 ----a-w c:\windows\system32\icardagt.exe
2009-04-23 18:48 . 2008-06-20 01:17 11264 ----a-w c:\windows\system32\icardres.dll
2009-04-23 18:48 . 2008-06-20 01:18 43544 ----a-w c:\windows\system32\PresentationHostProxy.dll
2009-04-23 18:48 . 2008-06-20 01:18 781344 ----a-w c:\windows\system32\PresentationNative_v0300.dll
2009-04-23 18:48 . 2008-06-20 01:18 326160 ----a-w c:\windows\system32\PresentationHost.exe
2009-04-23 16:47 . 2001-07-13 12:56 14976 ----a-w c:\windows\system32\drivers\SBKUPNT.SYS
2009-04-23 16:47 . 1997-02-08 16:11 13312 ----a-w c:\windows\system32\DEVLOAD.EXE
2009-04-23 16:47 . 1998-10-29 15:45 306688 ----a-w c:\windows\IsUninst.exe
2009-04-22 18:53 . 2008-07-27 18:00 96760 ----a-w c:\windows\system32\dfshim.dll
2009-04-22 18:53 . 2008-07-27 18:00 282112 ----a-w c:\windows\system32\mscoree.dll
2009-04-22 18:53 . 2008-07-27 18:00 41984 ----a-w c:\windows\system32\netfxperf.dll
2009-04-22 18:52 . 2008-07-27 18:00 158720 ----a-w c:\windows\system32\mscorier.dll
2009-04-22 18:51 . 2008-07-27 18:00 83968 ----a-w c:\windows\system32\mscories.dll
2009-04-22 07:04 . 2009-04-22 07:04 -------- d-----w c:\users\Ashley\AppData\Roaming\Malwarebytes
2009-04-22 07:04 . 2009-04-22 07:04 -------- d-----w c:\programdata\Malwarebytes
2009-04-22 07:04 . 2009-04-22 07:04 -------- d-----w c:\users\All Users\Malwarebytes
2009-04-22 07:04 . 2009-04-27 19:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-22 07:03 . 2009-04-22 07:03 -------- dc-h--w c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-22 07:03 . 2009-04-22 07:03 -------- dc-h--w c:\users\All Users\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-22 07:03 . 2009-04-22 07:03 -------- d-----w c:\program files\Lavasoft
2009-04-22 07:03 . 2009-04-22 07:06 -------- d-----w c:\programdata\Lavasoft
2009-04-22 07:03 . 2009-04-22 07:06 -------- d-----w c:\users\All Users\Lavasoft
2009-04-21 22:48 . 2009-04-27 19:29 -------- d-----w c:\programdata\Spybot - Search & Destroy
2009-04-21 22:48 . 2009-04-27 19:29 -------- d-----w c:\users\All Users\Spybot - Search & Destroy
2009-04-21 22:48 . 2009-04-27 19:12 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-15 07:23 . 2008-12-08 04:34 376832 ----a-w c:\windows\system32\winhttp.dll
2009-04-15 07:23 . 2008-06-05 04:50 500736 ----a-w c:\windows\system32\msdtcprx.dll
2009-04-15 07:23 . 2008-06-05 04:50 30208 ----a-w c:\windows\system32\xolehlp.dll
2009-04-13 09:40 . 2009-04-13 09:40 -------- d-----w c:\program files\Western Digital Technologies
2009-04-09 18:49 . 2009-04-09 18:49 84456 ----a-w c:\users\Elle\AppData\Roaming\GDIPFONTCACHEV1.DAT
2009-04-09 18:32 . 2009-04-10 16:29 7592 ----a-w c:\users\Elle\AppData\Local\d3d9caps.dat
2009-04-05 18:06 . 2009-04-05 18:06 -------- d-----w C:\logs3
2009-04-05 18:04 . 2009-04-05 18:07 -------- d-----w c:\windows\Downloaded Installations
2009-04-05 09:56 . 2009-04-05 09:56 -------- d-----w c:\programdata\UDL
2009-04-05 09:56 . 2009-04-05 09:56 -------- d-----w c:\users\All Users\UDL
2009-04-05 09:55 . 2009-04-05 09:55 -------- d-----w c:\program files\Epson Software
2009-04-05 09:54 . 2009-04-05 09:55 -------- d-----w c:\program files\ABBYY FineReader 6.0 Sprint
2009-04-05 09:47 . 2007-04-10 01:06 8192 ----a-w c:\windows\system32\E_DCINST.DLL
2009-04-05 09:47 . 2007-12-07 02:08 86528 ----a-w c:\windows\system32\E_FLBEDE.DLL
2009-04-05 09:47 . 2007-12-07 02:01 78848 ----a-w c:\windows\system32\E_FD4BEDE.DLL
2009-04-05 09:47 . 2009-04-05 09:51 -------- d-----w c:\programdata\EPSON
2009-04-05 09:47 . 2009-04-05 09:51 -------- d-----w c:\users\All Users\EPSON
2009-04-05 09:46 . 2007-07-12 23:00 71680 ----a-w c:\windows\system32\escwiad.dll
2009-04-05 09:46 . 2009-04-05 09:53 -------- d-----w c:\program files\epson

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-24 17:46 . 2007-05-30 22:36 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-16 15:57 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-13 20:04 . 2007-06-18 12:10 8268 ----a-w c:\users\Ashley\AppData\Local\d3d9caps.dat
2009-04-05 09:48 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstor.dat
2009-04-05 09:48 . 2006-11-02 10:25 51200 ----a-w c:\windows\inf\infpub.dat
2009-04-05 09:48 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstrng.dat
2009-03-24 18:21 . 2009-03-24 18:21 84456 ----a-w c:\users\Elle\AppData\Local\GDIPFONTCACHEV1.DAT
2009-03-17 03:16 . 2009-04-15 07:22 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:16 . 2009-04-15 07:22 14848 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:16 . 2009-04-15 07:22 25600 ----a-w c:\windows\system32\amxread.dll
2009-03-12 18:02 . 2009-03-12 18:02 -------- d-----w c:\program files\GrabIt
2009-03-03 04:24 . 2009-04-15 07:22 3503584 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:24 . 2009-04-15 07:22 3469280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:20 . 2009-04-15 07:22 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-03 04:19 . 2009-04-15 07:22 158720 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:19 . 2009-04-15 07:22 549888 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:19 . 2009-04-15 07:22 24576 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:16 . 2009-04-15 07:22 56320 ----a-w c:\windows\system32\iesetup.dll
2009-03-03 04:16 . 2009-04-15 07:22 97280 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:16 . 2009-04-15 07:22 53248 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:16 . 2009-04-15 07:22 37888 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 04:16 . 2009-04-15 07:22 78336 ----a-w c:\windows\system32\ieencode.dll
2009-03-03 04:16 . 2009-04-15 07:22 52736 ----a-w c:\windows\AppPatch\iebrshim.dll
2009-03-03 04:15 . 2009-04-15 07:22 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-03 02:40 . 2009-04-15 07:22 654336 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:08 . 2009-04-15 07:22 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-03-03 00:44 . 2009-04-15 07:22 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-02-13 07:26 . 2009-04-15 07:22 72704 ----a-w c:\windows\system32\secur32.dll
2009-02-13 07:26 . 2009-04-15 07:22 1233408 ----a-w c:\windows\system32\lsasrv.dll
2009-02-13 07:26 . 2009-04-15 07:22 7680 ----a-w c:\windows\system32\lsass.exe
2009-02-09 01:59 . 2009-03-11 08:14 2028032 ----a-w c:\windows\system32\win32k.sys
2008-12-11 03:14 . 2006-11-02 12:48 174 --sha-w c:\program files\desktop.ini
2008-12-16 13:48 . 2008-12-16 13:48 122880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2006-05-03 09:06 . 2007-08-12 12:25 163328 --sh--r c:\windows\System32\flvDX.dll
2007-02-21 10:47 . 2007-08-12 12:25 31232 --sh--r c:\windows\System32\msfDX.dll
2007-05-31 06:24 . 2007-05-31 06:24 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot DeleteThis @2009-04-28_07.49.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-30 22:56 . 2009-04-29 07:00 55666 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:02 . 2009-04-29 07:00 59556 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-06-17 11:52 . 2009-04-29 07:00 12492 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1748339114-2748222933-3243048847-1000_UserData.bin
+ 2009-04-28 17:46 . 2009-04-28 17:46 27656 c:\windows\System32\drivers\avgmfx86.sys
- 2007-06-17 11:46 . 2009-04-28 07:48 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-06-17 11:46 . 2009-04-28 23:21 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-06-17 11:46 . 2009-04-28 23:21 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-06-17 11:46 . 2009-04-28 07:48 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-04-28 22:19 . 2009-04-28 22:19 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-04-28 22:19 . 2009-04-28 22:19 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
- 2007-11-15 18:00 . 2009-03-26 16:57 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2007-11-15 18:00 . 2009-04-28 22:20 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2007-11-15 18:00 . 2009-04-28 22:20 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2007-11-15 18:00 . 2009-03-26 16:57 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2007-11-15 18:00 . 2009-03-26 16:57 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2007-11-15 18:00 . 2009-04-28 22:20 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2007-11-15 18:00 . 2009-03-26 16:57 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2007-11-15 18:00 . 2009-04-28 22:20 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2007-11-15 18:00 . 2009-03-26 16:57 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2007-11-15 18:00 . 2009-04-28 22:20 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2007-11-15 18:00 . 2009-04-28 22:20 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2007-11-15 18:00 . 2009-03-26 16:57 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2007-11-15 18:00 . 2009-03-26 16:57 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2007-11-15 18:00 . 2009-04-28 22:20 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2009-04-29 06:56 . 2009-04-29 06:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-04-29 06:56 . 2009-04-29 06:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2007-11-15 18:00 . 2009-03-26 16:57 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2007-11-15 18:00 . 2009-04-28 22:20 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2007-11-15 18:00 . 2009-04-28 22:20 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2007-11-15 18:00 . 2009-03-26 16:57 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2007-11-15 18:00 . 2009-04-28 22:20 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2007-11-15 18:00 . 2009-03-26 16:57 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2006-11-02 10:33 . 2009-04-28 07:47 622906 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-04-29 07:03 622906 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-04-29 07:03 108122 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-04-28 07:47 108122 c:\windows\System32\perfc009.dat
- 2007-11-15 18:00 . 2009-03-26 16:57 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2007-11-15 18:00 . 2009-04-28 22:20 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2007-11-15 18:00 . 2009-03-26 16:57 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2007-11-15 18:00 . 2009-04-28 22:20 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]
"DellTransferAgent"="c:\programdata\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"Simplify Media"="c:\program files\Simplify Media\SimplifyMedia.exe" [2008-09-02 1618952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-09 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-09 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-09 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2007-05-30 77824]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-12-16 29744]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"Gainward"="c:\program files\Vtune\TBPanel.exe" [2007-03-23 2158592]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 92704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-28 1932568]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-02-08 303104]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-18]
"EnableNotifications\\Ref"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1748339114-2748222933-3243048847-1000]
"EnableNotifications\\Ref"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2ECD9952-D673-4252-BD26-3752244579F6}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{4055C550-3450-4267-BAC7-0FA85AB20FE8}"= UDP:c:\program files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)
"{047A9B2C-B62D-4B62-A61D-D4E7D79AB32B}"= TCP:c:\program files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)
"{3CF1D54F-0919-442F-B87B-F8712A39B55B}"= UDP:c:\program files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)
"{EA04EA0F-92A9-450A-AE21-51780CF77E78}"= TCP:c:\program files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)
"{84E3524F-9F99-41C9-BD56-8622051CC2E7}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"TCP Query User{AF72D28E-9436-48EF-9607-D1D88F2A6086}c:\\program files\\flashget\\flashget.exe"= UDP:c:\program files\flashget\flashget.exe:FlashGet
"UDP Query User{0C2ED853-E5A7-4863-8540-3AC53D1A6989}c:\\program files\\flashget\\flashget.exe"= TCP:c:\program files\flashget\flashget.exe:FlashGet
"TCP Query User{AA2CA082-533D-4E91-97FE-D708C953D44B}c:\\program files\\burst\\core-new1.1.3\\btdownloadheadless.exe"= UDP:c:\program files\burst\core-new1.1.3\btdownloadheadless.exe:burst! download engine
"UDP Query User{ACF64130-D41D-49F1-8EE2-0950DF516332}c:\\program files\\burst\\core-new1.1.3\\btdownloadheadless.exe"= TCP:c:\program files\burst\core-new1.1.3\btdownloadheadless.exe:burst! download engine
"{3E98FD07-DB66-446B-997F-3C15A6DC6D67}"= UDP:c:\program files\Microsoft Games\Gears of War\Binaries\WarGame-G4WLive.exe:Gears of War
"{45182555-543F-42BC-ABFC-AC4172F6C6AC}"= TCP:c:\program files\Microsoft Games\Gears of War\Binaries\WarGame-G4WLive.exe:Gears of War
"{232AD1F8-0A70-4AAE-A597-79D8932EA162}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{B7A1DBDC-4380-4AB5-8F09-4DFCE65862F5}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{892D4A42-7C7C-4D84-BE40-87F501D59A7B}c:\\program files\\sopcast\\sopcast.exe"= UDP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"UDP Query User{76D1C7CF-45A6-4D4C-ACEA-7451E1B754A9}c:\\program files\\sopcast\\sopcast.exe"= TCP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"TCP Query User{9428289E-D04F-4AE1-BA92-46FE129069FC}c:\\program files\\sopcast\\adv\\sopadver.exe"= UDP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"UDP Query User{797BD117-3A0E-4142-802A-0E8E75FA61A7}c:\\program files\\sopcast\\adv\\sopadver.exe"= TCP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"TCP Query User{E299C4EF-CB54-4802-96CA-31F344F04E33}c:\\program files\\sopcast\\adv\\sopadver.exe"= UDP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"UDP Query User{77499C5E-7E88-4EC9-997A-98282656EEFC}c:\\program files\\sopcast\\adv\\sopadver.exe"= TCP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"TCP Query User{F59E756E-2B5B-402D-BFF6-A57E2D13F875}c:\\program files\\sopcast\\sopcast.exe"= UDP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"UDP Query User{571A3CBF-627A-42B6-8288-0C9D22A5209A}c:\\program files\\sopcast\\sopcast.exe"= TCP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"TCP Query User{DB3BEB01-477D-4A32-8CCB-3BB8682AEF69}c:\\program files\\burst\\core-new1.1.3\\btdownloadheadless.exe"= UDP:c:\program files\burst\core-new1.1.3\btdownloadheadless.exe:burst! download engine
"UDP Query User{0A844F3A-319F-4EBA-8272-9481E9407B98}c:\\program files\\burst\\core-new1.1.3\\btdownloadheadless.exe"= TCP:c:\program files\burst\core-new1.1.3\btdownloadheadless.exe:burst! download engine
"{269ECBEB-2C77-4667-974A-7182382DE662}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C63B6D16-4752-4576-941A-47E9E7D47B1C}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{4A017F5F-B669-4F85-A15D-621921E63C86}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{31F31884-FC14-4630-A4C5-44FC56B706B1}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{0895BA48-2EA8-4464-9696-C36B0E8EEE5B}c:\\program files\\simplify media\\simplifypeer.exe"= UDP:c:\program files\simplify media\simplifypeer.exe:Simplify Media Peer
"UDP Query User{8B93BA76-5A9B-4C9F-965A-E08A6F92EF99}c:\\program files\\simplify media\\simplifypeer.exe"= TCP:c:\program files\simplify media\simplifypeer.exe:Simplify Media Peer
"{F11A5A5F-3902-4A4A-AE27-D7EAF956D4F2}"= UDP:c:\windows\explorer.exe:Explorer
"{66FE33CF-8EB9-4A2D-9B41-9CB90E099AA2}"= TCP:c:\windows\explorer.exe:Explorer
"{5EBB583F-5A82-43CE-A50A-B5325DD4AD63}"= UDP:c:\windows\Temp\2969503197.exe:2969503197
"{FDCC013D-91C0-45BA-8A28-21CC8297B0E3}"= UDP:c:\windows\System32\services.exe:services
"{367FAE90-1D09-4F8F-9AA3-9B4BD36C3CE4}"= TCP:c:\windows\System32\services.exe:services
"{3921F71E-3468-45DE-8419-BF383D0C3B56}"= UDP:c:\windows\System32\wininit.exe:wininit
"{D52B691F-474F-461F-B457-6E967EEFC3CA}"= TCP:c:\windows\System32\wininit.exe:wininit
"{0124E9C8-6745-4487-A40E-A4A5F3752CF9}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{90B9542A-3554-457F-B4A4-43A050CA238B}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-12-16 29744]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-28 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-28 108552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-28 298264]
S2 SBKUPNT;SBKUPNT;c:\windows\system32\Drivers\SBKUPNT.SYS [2001-07-13 14976]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Seagate Sync Service;Seagate Sync Service;c:\program files\Seagate\Sync\SeaSyncServices.exe [2007-01-18 24120]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\AutoRun\command - E:\Nvsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - f:\system\viewer\FlipVideoforPC.exe
\shell\Flip Video for PC\command - f:\system\viewer\FlipVideoforPC.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{014f57ec-0efd-11dc-aa39-806e6f6e6963}]
\shell\AutoRun\command - E:\start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1426d864-a123-11dd-95b0-0016b6937111}]
\shell\AutoRun\command - G:\SLCDMENU.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19753a43-6250-11dd-b964-0016b6937111}]
\shell\AutoRun\command - h:\system\viewer\FlipVideoforPC.exe
\shell\Flip Video for PC\command - h:\system\viewer\FlipVideoforPC.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e423427c-2805-11de-940a-0019d172f9a0}]
\shell\AutoRun\command - g:\wd_windows_tools\WDSetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-28 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-04-29 c:\windows\Tasks\User_Feed_Synchronization-{98755F21-0389-42B4-A076-581B01114147}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel...&ib
mStart Page = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel...&ib
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Ashley\AppData\Roaming\Mozilla\Firefox\Profiles\fgmmhk18.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 08:14
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\SYSTEM\ControlSet002\Services\ovfsthspocmmyfdrxelmgbvyljguhxpwbbvojm]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\ovfsthucdimqnjwwiyicagxjdfwajmynxjvida.sys"
.
Completion time: 2009-04-29 8:17
ComboFix-quarantined-files.txt 2009-04-29 07:16

Pre-Run: 96,262,602,752 bytes free
Post-Run: 96,241,242,112 bytes free

354 --- E O F --- 2009-04-28 16:55
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

PostPosted: Thu Apr 30, 2009 12:02 pm    Post subject:

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:
Quote:
Driver::
ovfsthspocmmyfdrxelmgbvyljguhxpwbbvojm
File::
c:\windows\Temp\2969503197.exe
c:\windows\system32\drivers\ovfsthucdimqnjwwiyicagxjdfwajmynxjvida.sys
RegLockDel::
[HKEY_USERS\SYSTEM\ControlSet002\Services\ovfsthspocmmyfdrxelmgbvyljguhxpwbbvojm]
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5EBB583F-5A82-43CE-A50A-B5325DD4AD63}"=-

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.

I want you to upload this file (c:\windows\System32\wininit.exe) to http://virusscan.jotti.org and report back what it found.
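The items greyknight17 picks out of the ComboFix log above are the ones a triage pass can flag mechanically: a firewall allow rule for an executable sitting in c:\windows\Temp, a service key under LOCKED REGISTRY KEYS with a machine-generated name, and a driver file with the same kind of name, alongside EnableFirewall and EnableLUA being set to 0. The script below is an added example for this thread, not ComboFix's or the forum's own code; it parses a constructed sample of log lines in the format ComboFix prints and reports those leads. The rules, the random-name heuristic and the finding labels are this example's own assumptions.

```python
"""Triage a ComboFix-style log for the indicators a forum helper looks for.

Added example for this thread; it is not ComboFix's or the forum's own code.
The rules are illustrative heuristics (assumptions), not vendor signatures:
  * a firewall allow rule for an executable under a Temp directory
  * a service or driver whose name looks machine-generated
  * a service key listed under LOCKED REGISTRY KEYS
  * a security setting turned off (EnableFirewall / EnableLUA = 0)
"""
import re

# Constructed sample in the format ComboFix prints: benign entries mixed with
# the three items the helper acted on in this thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{F11A5A5F-3902-4A4A-AE27-D7EAF956D4F2}"= UDP:c:\windows\explorer.exe:Explorer
"{5EBB583F-5A82-43CE-A50A-B5325DD4AD63}"= UDP:c:\windows\Temp\2969503197.exe:2969503197
"{0124E9C8-6745-4487-A40E-A4A5F3752CF9}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-28 108552]

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\SYSTEM\ControlSet002\Services\ovfsthspocmmyfdrxelmgbvyljguhxpwbbvojm]
@DACL=(02 0000)
"start"=dword:00000001
"imagepath"=expand:"\\systemroot\\system32\\drivers\\ovfsthucdimqnjwwiyicagxjdfwajmynxjvida.sys"
"""

# "{guid}"= [TCP:|UDP:]<drive path>:<description>
FIREWALL_RULE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*(?:(?P<proto>TCP|UDP):)?(?P<path>[A-Za-z]:\\[^:]+):(?P<desc>.*)$')
# [...\Services\<name>]  (registry key of a service or driver)
SERVICE_KEY = re.compile(r'^\[.*\\Services\\(?P<svc>[^\\\]]+)\]$', re.IGNORECASE)
# S1 <name>;<description>;<path> [date size]  (ComboFix service listing)
SERVICE_LINE = re.compile(r'^[RS]\d\s+(?P<svc>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)(?:\s+\[[^\]]*\])?$')
IMAGE_PATH = re.compile(r'^"imagepath"=expand:"(?P<path>.+)"$', re.IGNORECASE)
SETTING_OFF = re.compile(r'^"(?P<key>EnableFirewall|EnableLUA)"\s*=\s*0\b', re.IGNORECASE)

VOWELS = set("aeiou")


def looks_random(name):
    """Heuristic: a long, all-lowercase, letters-only name containing a run of
    five or more consonants. Product names and acronyms usually carry
    capitals, digits or vowels; a generated name like the one in this thread
    does not. Expect false positives; treat hits as triage leads, not verdicts."""
    if len(name) < 16 or not name.isalpha() or not name.islower():
        return False
    run = longest = 0
    for ch in name:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 5


def file_name(path):
    """Last path component; registry values come with doubled backslashes."""
    return path.replace("\\\\", "\\").rsplit("\\", 1)[-1]


def in_temp_dir(path):
    """True when any directory component of the path is named 'Temp'."""
    return "temp" in path.lower().split("\\")[:-1]


def triage(log_text):
    """Scan the log line by line and return a list of findings, each a dict
    with the rule that fired, the item it fired on and the 1-based line."""
    findings = []
    locked = False  # set once the LOCKED REGISTRY KEYS banner has been seen
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if "LOCKED REGISTRY KEYS" in line:
            locked = True
        elif (m := FIREWALL_RULE.match(line)) and in_temp_dir(m["path"]):
            findings.append({"rule": "firewall-temp-exe", "item": m["path"], "line": lineno})
        elif m := SETTING_OFF.match(line):
            findings.append({"rule": "setting-disabled", "item": m["key"], "line": lineno})
        elif m := SERVICE_KEY.match(line):
            if locked:
                findings.append({"rule": "locked-service-key", "item": m["svc"], "line": lineno})
            if looks_random(m["svc"]):
                findings.append({"rule": "random-service-name", "item": m["svc"], "line": lineno})
        elif (m := SERVICE_LINE.match(line)) and looks_random(m["svc"]):
            findings.append({"rule": "random-service-name", "item": m["svc"], "line": lineno})
        elif m := IMAGE_PATH.match(line):
            driver = file_name(m["path"])
            if looks_random(driver.rsplit(".", 1)[0]):
                findings.append({"rule": "random-driver-file", "item": driver, "line": lineno})
    return findings


def report(findings):
    """One line per finding, suitable for pasting into a reply."""
    return "\n".join(f"line {f['line']:>3}: {f['rule']:<20} {f['item']}" for f in findings)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run against the sample, the script reports the Temp executable's firewall rule, both disabled settings, the locked service key (once as locked, once as random-looking) and the driver file, and stays quiet on the Spybot and AVG entries. The output is a list of leads for the helper to confirm by hand, which is how the reply above treats them: the suspect file is sent to an online scanner before anything beyond the named items is removed.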
ashmatuk



Joined: Apr 28, 2009
Posts: 6



PostPosted: Thu Apr 30, 2009 2:40 pm    Post subject:

Here is the ComboFix log:

ComboFix 09-04-27.03 - Ashley 30/04/2009 19:36.3 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.44.1033.18.1021.306 [GMT 1:00]
Running from: c:\users\Ashley\Desktop\Combofix\ComboFix.exe
Command switches used :: c:\users\Ashley\Desktop\Combofix\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\drivers\ovfsthucdimqnjwwiyicagxjdfwajmynxjvida.sys
c:\windows\Temp\2969503197.exe
.

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-30 )))))))))))))))))))))))))))))))
.

2009-04-28 22:20 . 2009-04-28 22:20 -------- d-----w c:\programdata\SUPERAntiSpyware.com
2009-04-28 22:20 . 2009-04-28 22:20 -------- d-----w c:\users\All Users\SUPERAntiSpyware.com
2009-04-28 22:19 . 2009-04-28 22:19 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-28 22:19 . 2009-04-28 22:19 -------- d-----w c:\users\Ashley\AppData\Roaming\SUPERAntiSpyware.com
2009-04-28 22:18 . 2009-04-28 22:18 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-28 18:01 . 2009-04-28 21:01 -------- d--h--w C:\$AVG8.VAULT$
2009-04-28 17:47 . 2009-04-28 17:47 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-28 17:46 . 2009-04-28 17:46 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-28 17:46 . 2009-04-28 17:46 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-28 17:46 . 2009-04-28 17:48 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-28 17:46 . 2009-04-28 17:46 -------- d-----w c:\program files\AVG
2009-04-28 17:46 . 2009-04-28 17:46 -------- d-----w c:\programdata\avg8
2009-04-28 17:46 . 2009-04-28 17:46 -------- d-----w c:\users\All Users\avg8
2009-04-27 21:21 . 2009-04-27 21:21 -------- d-----w c:\windows\system32\config\systemprofile\AppData\Local\Mozilla
2009-04-27 19:29 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-27 19:29 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-27 17:22 . 2009-04-27 17:22 -------- d-----r c:\windows\system32\config\systemprofile\Saved Games
2009-04-27 17:22 . 2009-04-27 17:22 -------- d-----r c:\windows\system32\config\systemprofile\Links
2009-04-27 17:22 . 2009-04-27 17:22 -------- d-----r c:\windows\system32\config\systemprofile\Downloads
2009-04-27 17:22 . 2009-04-27 17:22 -------- d-----r c:\windows\system32\config\systemprofile\Searches
2009-04-27 17:22 . 2009-04-27 17:22 -------- d-----r c:\windows\system32\config\systemprofile\Pictures
2009-04-27 17:22 . 2009-04-27 17:22 -------- d-----r c:\windows\system32\config\systemprofile\Videos
2009-04-27 17:22 . 2009-04-27 17:22 -------- d-----r c:\windows\system32\config\systemprofile\Documents
2009-04-24 18:07 . 2009-04-24 18:07 -------- d-----w C:\SWISNIFE
2009-04-24 17:44 . 2009-04-24 17:45 -------- d-----w c:\program files\Seagate
2009-04-23 19:02 . 2009-04-23 19:02 -------- d-----w c:\users\Ashley\AppData\Local\WBFSManager
2009-04-23 19:00 . 2009-04-23 19:00 -------- d-----w c:\program files\WBFS
2009-04-23 18:48 . 2008-06-20 01:17 97800 ----a-w c:\windows\system32\infocardapi.dll
2009-04-23 18:48 . 2008-06-20 01:18 105016 ----a-w c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-04-23 18:48 . 2008-06-20 01:17 622080 ----a-w c:\windows\system32\icardagt.exe
2009-04-23 18:48 . 2008-06-20 01:17 11264 ----a-w c:\windows\system32\icardres.dll
2009-04-23 18:48 . 2008-06-20 01:18 43544 ----a-w c:\windows\system32\PresentationHostProxy.dll
2009-04-23 18:48 . 2008-06-20 01:18 781344 ----a-w c:\windows\system32\PresentationNative_v0300.dll
2009-04-23 18:48 . 2008-06-20 01:18 326160 ----a-w c:\windows\system32\PresentationHost.exe
2009-04-23 16:47 . 2001-07-13 12:56 14976 ----a-w c:\windows\system32\drivers\SBKUPNT.SYS
2009-04-23 16:47 . 1997-02-08 16:11 13312 ----a-w c:\windows\system32\DEVLOAD.EXE
2009-04-23 16:47 . 1998-10-29 15:45 306688 ----a-w c:\windows\IsUninst.exe
2009-04-22 18:53 . 2008-07-27 18:00 96760 ----a-w c:\windows\system32\dfshim.dll
2009-04-22 18:53 . 2008-07-27 18:00 282112 ----a-w c:\windows\system32\mscoree.dll
2009-04-22 18:53 . 2008-07-27 18:00 41984 ----a-w c:\windows\system32\netfxperf.dll
2009-04-22 18:52 . 2008-07-27 18:00 158720 ----a-w c:\windows\system32\mscorier.dll
2009-04-22 18:51 . 2008-07-27 18:00 83968 ----a-w c:\windows\system32\mscories.dll
2009-04-22 07:04 . 2009-04-22 07:04 -------- d-----w c:\users\Ashley\AppData\Roaming\Malwarebytes
2009-04-22 07:04 . 2009-04-22 07:04 -------- d-----w c:\programdata\Malwarebytes
2009-04-22 07:04 . 2009-04-22 07:04 -------- d-----w c:\users\All Users\Malwarebytes
2009-04-22 07:04 . 2009-04-27 19:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-22 07:03 . 2009-04-22 07:03 -------- dc-h--w c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-22 07:03 . 2009-04-22 07:03 -------- dc-h--w c:\users\All Users\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-22 07:03 . 2009-04-22 07:03 -------- d-----w c:\program files\Lavasoft
2009-04-22 07:03 . 2009-04-22 07:06 -------- d-----w c:\programdata\Lavasoft
2009-04-22 07:03 . 2009-04-22 07:06 -------- d-----w c:\users\All Users\Lavasoft
2009-04-21 22:48 . 2009-04-27 19:29 -------- d-----w c:\programdata\Spybot - Search & Destroy
2009-04-21 22:48 . 2009-04-27 19:29 -------- d-----w c:\users\All Users\Spybot - Search & Destroy
2009-04-21 22:48 . 2009-04-27 19:12 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-15 07:23 . 2008-12-08 04:34 376832 ----a-w c:\windows\system32\winhttp.dll
2009-04-15 07:23 . 2008-06-05 04:50 500736 ----a-w c:\windows\system32\msdtcprx.dll
2009-04-15 07:23 . 2008-06-05 04:50 30208 ----a-w c:\windows\system32\xolehlp.dll
2009-04-13 09:40 . 2009-04-13 09:40 -------- d-----w c:\program files\Western Digital Technologies
2009-04-09 18:49 . 2009-04-09 18:49 84456 ----a-w c:\users\Elle\AppData\Roaming\GDIPFONTCACHEV1.DAT
2009-04-09 18:32 . 2009-04-10 16:29 7592 ----a-w c:\users\Elle\AppData\Local\d3d9caps.dat
2009-04-05 18:06 . 2009-04-05 18:06 -------- d-----w C:\logs3
2009-04-05 18:04 . 2009-04-05 18:07 -------- d-----w c:\windows\Downloaded Installations
2009-04-05 09:56 . 2009-04-05 09:56 -------- d-----w c:\programdata\UDL
2009-04-05 09:56 . 2009-04-05 09:56 -------- d-----w c:\users\All Users\UDL
2009-04-05 09:55 . 2009-04-05 09:55 -------- d-----w c:\program files\Epson Software
2009-04-05 09:54 . 2009-04-05 09:55 -------- d-----w c:\program files\ABBYY FineReader 6.0 Sprint
2009-04-05 09:47 . 2007-04-10 01:06 8192 ----a-w c:\windows\system32\E_DCINST.DLL
2009-04-05 09:47 . 2007-12-07 02:08 86528 ----a-w c:\windows\system32\E_FLBEDE.DLL
2009-04-05 09:47 . 2007-12-07 02:01 78848 ----a-w c:\windows\system32\E_FD4BEDE.DLL
2009-04-05 09:47 . 2009-04-05 09:51 -------- d-----w c:\programdata\EPSON
2009-04-05 09:47 . 2009-04-05 09:51 -------- d-----w c:\users\All Users\EPSON
2009-04-05 09:46 . 2007-07-12 23:00 71680 ----a-w c:\windows\system32\escwiad.dll
2009-04-05 09:46 . 2009-04-05 09:53 -------- d-----w c:\program files\epson

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-24 17:46 . 2007-05-30 22:36 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-16 15:57 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-13 20:04 . 2007-06-18 12:10 8268 ----a-w c:\users\Ashley\AppData\Local\d3d9caps.dat
2009-04-05 09:48 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstor.dat
2009-04-05 09:48 . 2006-11-02 10:25 51200 ----a-w c:\windows\inf\infpub.dat
2009-04-05 09:48 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstrng.dat
2009-03-24 18:21 . 2009-03-24 18:21 84456 ----a-w c:\users\Elle\AppData\Local\GDIPFONTCACHEV1.DAT
2009-03-17 03:16 . 2009-04-15 07:22 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:16 . 2009-04-15 07:22 14848 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:16 . 2009-04-15 07:22 25600 ----a-w c:\windows\system32\amxread.dll
2009-03-12 18:02 . 2009-03-12 18:02 -------- d-----w c:\program files\GrabIt
2009-03-03 04:24 . 2009-04-15 07:22 3503584 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:24 . 2009-04-15 07:22 3469280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:20 . 2009-04-15 07:22 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-03 04:19 . 2009-04-15 07:22 158720 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:19 . 2009-04-15 07:22 549888 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:19 . 2009-04-15 07:22 24576 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:16 . 2009-04-15 07:22 56320 ----a-w c:\windows\system32\iesetup.dll
2009-03-03 04:16 . 2009-04-15 07:22 97280 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:16 . 2009-04-15 07:22 53248 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:16 . 2009-04-15 07:22 37888 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 04:16 . 2009-04-15 07:22 78336 ----a-w c:\windows\system32\ieencode.dll
2009-03-03 04:16 . 2009-04-15 07:22 52736 ----a-w c:\windows\AppPatch\iebrshim.dll
2009-03-03 04:15 . 2009-04-15 07:22 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-03 02:40 . 2009-04-15 07:22 654336 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:08 . 2009-04-15 07:22 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-03-03 00:44 . 2009-04-15 07:22 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-02-13 07:26 . 2009-04-15 07:22 72704 ----a-w c:\windows\system32\secur32.dll
2009-02-13 07:26 . 2009-04-15 07:22 1233408 ----a-w c:\windows\system32\lsasrv.dll
2009-02-13 07:26 . 2009-04-15 07:22 7680 ----a-w c:\windows\system32\lsass.exe
2009-02-09 01:59 . 2009-03-11 08:14 2028032 ----a-w c:\windows\system32\win32k.sys
2008-12-11 03:14 . 2006-11-02 12:48 174 --sha-w c:\program files\desktop.ini
2008-12-16 13:48 . 2008-12-16 13:48 122880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2006-05-03 09:06 . 2007-08-12 12:25 163328 --sh--r c:\windows\System32\flvDX.dll
2007-02-21 10:47 . 2007-08-12 12:25 31232 --sh--r c:\windows\System32\msfDX.dll
2007-05-31 06:24 . 2007-05-31 06:24 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot_2009-04-29_07.14.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-30 22:56 . 2009-04-30 17:19 56048 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:02 . 2009-04-30 17:19 59836 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-06-17 11:52 . 2009-04-30 17:19 12754 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1748339114-2748222933-3243048847-1000_UserData.bin
- 2007-06-17 11:46 . 2009-04-28 23:21 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-06-17 11:46 . 2009-04-29 19:24 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-06-17 11:46 . 2009-04-29 19:24 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-06-17 11:46 . 2009-04-28 23:21 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-04-30 17:17 . 2009-04-30 17:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-04-29 06:56 . 2009-04-29 06:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-04-30 17:17 . 2009-04-30 17:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-04-29 06:56 . 2009-04-29 06:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-04-30 17:24 622906 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-04-29 07:03 622906 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-04-30 17:24 108122 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-04-29 07:03 108122 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]
"DellTransferAgent"="c:\programdata\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"Simplify Media"="c:\program files\Simplify Media\SimplifyMedia.exe" [2008-09-02 1618952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-09 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-09 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-09 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2007-05-30 77824]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-12-16 29744]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"Gainward"="c:\program files\Vtune\TBPanel.exe" [2007-03-23 2158592]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 92704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-28 1932568]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-02-08 303104]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-18]
"EnableNotifications\\Ref"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1748339114-2748222933-3243048847-1000]
"EnableNotifications\\Ref"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2ECD9952-D673-4252-BD26-3752244579F6}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{4055C550-3450-4267-BAC7-0FA85AB20FE8}"= UDP:c:\program files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)
"{047A9B2C-B62D-4B62-A61D-D4E7D79AB32B}"= TCP:c:\program files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)
"{3CF1D54F-0919-442F-B87B-F8712A39B55B}"= UDP:c:\program files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)
"{EA04EA0F-92A9-450A-AE21-51780CF77E78}"= TCP:c:\program files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)
"{84E3524F-9F99-41C9-BD56-8622051CC2E7}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"TCP Query User{AF72D28E-9436-48EF-9607-D1D88F2A6086}c:\\program files\\flashget\\flashget.exe"= UDP:c:\program files\flashget\flashget.exe:FlashGet
"UDP Query User{0C2ED853-E5A7-4863-8540-3AC53D1A6989}c:\\program files\\flashget\\flashget.exe"= TCP:c:\program files\flashget\flashget.exe:FlashGet
"TCP Query User{AA2CA082-533D-4E91-97FE-D708C953D44B}c:\\program files\\burst\\core-new1.1.3\\btdownloadheadless.exe"= UDP:c:\program files\burst\core-new1.1.3\btdownloadheadless.exe:burst! download engine
"UDP Query User{ACF64130-D41D-49F1-8EE2-0950DF516332}c:\\program files\\burst\\core-new1.1.3\\btdownloadheadless.exe"= TCP:c:\program files\burst\core-new1.1.3\btdownloadheadless.exe:burst! download engine
"{3E98FD07-DB66-446B-997F-3C15A6DC6D67}"= UDP:c:\program files\Microsoft Games\Gears of War\Binaries\WarGame-G4WLive.exe:Gears of War
"{45182555-543F-42BC-ABFC-AC4172F6C6AC}"= TCP:c:\program files\Microsoft Games\Gears of War\Binaries\WarGame-G4WLive.exe:Gears of War
"{232AD1F8-0A70-4AAE-A597-79D8932EA162}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{B7A1DBDC-4380-4AB5-8F09-4DFCE65862F5}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{892D4A42-7C7C-4D84-BE40-87F501D59A7B}c:\\program files\\sopcast\\sopcast.exe"= UDP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"UDP Query User{76D1C7CF-45A6-4D4C-ACEA-7451E1B754A9}c:\\program files\\sopcast\\sopcast.exe"= TCP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"TCP Query User{9428289E-D04F-4AE1-BA92-46FE129069FC}c:\\program files\\sopcast\\adv\\sopadver.exe"= UDP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"UDP Query User{797BD117-3A0E-4142-802A-0E8E75FA61A7}c:\\program files\\sopcast\\adv\\sopadver.exe"= TCP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"TCP Query User{E299C4EF-CB54-4802-96CA-31F344F04E33}c:\\program files\\sopcast\\adv\\sopadver.exe"= UDP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"UDP Query User{77499C5E-7E88-4EC9-997A-98282656EEFC}c:\\program files\\sopcast\\adv\\sopadver.exe"= TCP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"TCP Query User{F59E756E-2B5B-402D-BFF6-A57E2D13F875}c:\\program files\\sopcast\\sopcast.exe"= UDP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"UDP Query User{571A3CBF-627A-42B6-8288-0C9D22A5209A}c:\\program files\\sopcast\\sopcast.exe"= TCP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"TCP Query User{DB3BEB01-477D-4A32-8CCB-3BB8682AEF69}c:\\program files\\burst\\core-new1.1.3\\btdownloadheadless.exe"= UDP:c:\program files\burst\core-new1.1.3\btdownloadheadless.exe:burst! download engine
"UDP Query User{0A844F3A-319F-4EBA-8272-9481E9407B98}c:\\program files\\burst\\core-new1.1.3\\btdownloadheadless.exe"= TCP:c:\program files\burst\core-new1.1.3\btdownloadheadless.exe:burst! download engine
"{269ECBEB-2C77-4667-974A-7182382DE662}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C63B6D16-4752-4576-941A-47E9E7D47B1C}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{4A017F5F-B669-4F85-A15D-621921E63C86}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{31F31884-FC14-4630-A4C5-44FC56B706B1}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{0895BA48-2EA8-4464-9696-C36B0E8EEE5B}c:\\program files\\simplify media\\simplifypeer.exe"= UDP:c:\program files\simplify media\simplifypeer.exe:Simplify Media Peer
"UDP Query User{8B93BA76-5A9B-4C9F-965A-E08A6F92EF99}c:\\program files\\simplify media\\simplifypeer.exe"= TCP:c:\program files\simplify media\simplifypeer.exe:Simplify Media Peer
"{F11A5A5F-3902-4A4A-AE27-D7EAF956D4F2}"= UDP:c:\windows\explorer.exe:Explorer
"{66FE33CF-8EB9-4A2D-9B41-9CB90E099AA2}"= TCP:c:\windows\explorer.exe:Explorer
"{FDCC013D-91C0-45BA-8A28-21CC8297B0E3}"= UDP:c:\windows\System32\services.exe:services
"{367FAE90-1D09-4F8F-9AA3-9B4BD36C3CE4}"= TCP:c:\windows\System32\services.exe:services
"{3921F71E-3468-45DE-8419-BF383D0C3B56}"= UDP:c:\windows\System32\wininit.exe:wininit
"{D52B691F-474F-461F-B457-6E967EEFC3CA}"= TCP:c:\windows\System32\wininit.exe:wininit
"{0124E9C8-6745-4487-A40E-A4A5F3752CF9}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{90B9542A-3554-457F-B4A4-43A050CA238B}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-12-16 29744]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-28 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-28 108552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-28 298264]
S2 SBKUPNT;SBKUPNT;c:\windows\system32\Drivers\SBKUPNT.SYS [2001-07-13 14976]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Seagate Sync Service;Seagate Sync Service;c:\program files\Seagate\Sync\SeaSyncServices.exe [2007-01-18 24120]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\AutoRun\command - E:\Nvsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - f:\system\viewer\FlipVideoforPC.exe
\shell\Flip Video for PC\command - f:\system\viewer\FlipVideoforPC.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{014f57ec-0efd-11dc-aa39-806e6f6e6963}]
\shell\AutoRun\command - E:\start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1426d864-a123-11dd-95b0-0016b6937111}]
\shell\AutoRun\command - G:\SLCDMENU.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19753a43-6250-11dd-b964-0016b6937111}]
\shell\AutoRun\command - h:\system\viewer\FlipVideoforPC.exe
\shell\Flip Video for PC\command - h:\system\viewer\FlipVideoforPC.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e423427c-2805-11de-940a-0019d172f9a0}]
\shell\AutoRun\command - g:\wd_windows_tools\WDSetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-30 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-04-30 c:\windows\Tasks\User_Feed_Synchronization-{98755F21-0389-42B4-A076-581B01114147}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel...&ib
mStart Page = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel...&ib
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Ashley\AppData\Roaming\Mozilla\Firefox\Profiles\fgmmhk18.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 19:39
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-30 19:42
ComboFix-quarantined-files.txt 2009-04-30 18:41
ComboFix2.txt 2009-04-29 07:17

Pre-Run: 96,991,588,352 bytes free
Post-Run: 96,999,116,800 bytes free

305 --- E O F --- 2009-04-30 17:39
ashmatuk



Joined: Apr 28, 2009
Posts: 6



PostPosted: Thu Apr 30, 2009 2:48 pm    Post subject:

I uploaded c:\windows\System32\wininit.exe to http://virusscan.jotti.org and it came back ok.
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

PostPosted: Fri May 01, 2009 12:39 pm    Post subject:

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
ashmatuk



Joined: Apr 28, 2009
Posts: 6



PostPosted: Fri May 01, 2009 6:34 pm    Post subject:

Thanks for your help, it's most appreciated. My system is running fine now.
All times are: Eastern Time (US & Canada)